Full Version: [Resolved] Infected Computer..
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
Marc0S
Hi all.

Some info:
All of a sudden my PC (Windows XP Pro) seems to be quite seriously infected. I am using ESET NOD32 Smart Security and Spybot: Search & Destroy.
First I got a program called "Total Security" or something like that, which I neither downloaded nor installed, and it started scanning my system and spamming me with warning windows etc.
Moments later my desktop image changed automatically to a blue picture with big red writing: "YOUR SYSTEM IS INFECTED" etc.

Anyways, I started checking my StartUp list, and saw this amvo.exe. Right now, I disabled it from the startup list, but I suppose I should do more to completely clean my computer, and also check if this is the only infection I got.

I read some of the 'pinned' threads, so here is my HijackThis (which I use for the 1st time) log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:11 µµ, on 8/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackCheck\HCheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = S??d?se??
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ?????? e?s?d?? t?? Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [UpdatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Internet Connection Wizard Setup Tool] C:\Program Files\Internet Explorer\Connection Wizard\icwsetup.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] "C:\Program Files\Uniblue\RegistryBooster 2009\launcher.exe" delay 20000
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: ???s???? st? ?st?????? - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &???s???? st? ?st?????? st? Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ??e??a - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201099043291
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A441B2AC-04FA-4B19-97B5-723A2C56C9CA}: NameServer = 193.92.150.3,194.219.227.2
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 9280 bytes


Any help I can get will be much appreciated, and I am thankful in advance.

Marcos
Ironbender
Hi Marcos, welcome to SAF

Please uninstall Spybot S&D from your control panel, add-remove programs, as it will interfere with the fix.

Once done, close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = S??d?se??

O4 - HKLM\..\Run: [Internet Connection Wizard Setup Tool] C:\Program Files\Internet Explorer\Connection Wizard\icwsetup.exe


Click on Fix Checked when finished and exit HijackThis.

- Download and run CrapCleaner from http://www.ccleaner.com/
Note: in CCleaner: go to <options/advanced> Uncheck "Only delete files in Windows Temp folders older than 48 hours".

- Download Malwarebytes Anti-Malware from http://www.majorgeeks.com/Malwarebyte'...ware_d5756.html to the desktop.

- Double-click on Download_mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both these checked:
- Update Malwarebytes Anti-Malware
- Launch Malwarebytes Anti-Malware
- Then click Finish.

- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
- On the Scanner tab:
- Make sure the "Perform Full Scan" option is selected.
- Then click on the Scan button.
- The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.

- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the contents of that report in your next reply along with a fresh HijackThis log and exit MBAM.

NB - If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.

Post the mbam report along with a fresh HJT log.

Chris
Marc0S
Hi Chris,
and thanks a lot for the fast reply!

-Uninstalled Spybot S&D

-Fixed those 2 you said in HijackThis

Downloaded both CrapCleaner and Malwarebytes Anti-Malware, but can't install them.

-CrapCleaner gets me a window called "NSIS Error" saying 'Error launching installer' when I try to run the installer.

-Malwarebytes Anti-Malware gets me this when I try to run the installer:

[screenshot of the installer error dialog]

(I am living in Greece, so that might be causing these... letters. But 'Σφάλμα' means 'Error'.)

And here is the fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:31 µµ, on 8/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackCheck\HCheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ?????? e?s?d?? t?? Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [UpdatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: ???s???? st? ?st?????? - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &???s???? st? ?st?????? st? Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ??e??a - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201099043291
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A441B2AC-04FA-4B19-97B5-723A2C56C9CA}: NameServer = 193.92.150.3,194.219.227.2
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 8231 bytes


Marcos
Ironbender
Ccleaner must install and run smoothly, unless your system (or Windows Installer) is badly compromised... beats me.

Download ATF cleaner from here: http://www.atribune.org/public-beta/ATF-Cleaner.exe
Checkmark "Select All" and run it.

Rename mbam.exe to 123.com. If it does not run, download the mbam installer again, but save it to a pendrive with another name, and install it on the pendrive. Remember to rename mbam.exe to 123.com.

Once done, Download RSIT from http://images.malwareremoval.com/random/RSIT.exe to your desktop and run it there.

Post the log it generates along with the mbam report.

Chris
Marc0S
Ok, after trying some things I managed to:

1) Download installer of Ccleaner on a pendrive, run the installer from the pendrive, and then install and run Ccleaner normally on my system.

2) Download installer of Malwarebytes Anti-Malware on the pendrive as well, run the installer from the pendrive, and install and run Malwarebytes Anti-Malware normally on my system. (mbam report later on the post)

3) Run ATF Cleaner... No problems at all.

4) Download and run RSIT. (log file later on the post)


So, mbam report:



Malwarebytes' Anti-Malware 1.40
Database version: 2759
Windows 5.1.2600 Service Pack 3

8/9/2009 11:49:13 µµ
mbam-log-2009-09-08 (23-49-13).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 246437
Time elapsed: 1 hour(s), 11 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DbgMgr (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\10645624 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Uninstall Ask Toolbar.dll (Adware.AskSBAR) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80A0EB9C-73FA-424D-87C4-48FA718293EB}\RP544\A0151428.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{80A0EB9C-73FA-424D-87C4-48FA718293EB}\RP544\A0151577.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\10645624\10645624 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\10645624\pc10645624ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.



And RSIT generated a log.txt and an info.txt, here is the log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by User at 2009-09-08 23:55:49
Microsoft Windows XP Professional Service Pack 3
System drive C: has 52 GB (22%) free of 238 GB
Total RAM: 1023 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:59 µµ, on 8/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\?p?f??e?a e??as?a?\RSIT.exe
C:\Program Files\Trend Micro\HijackCheck\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ?????? e?s?d?? t?? Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [UpdatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: ???s???? st? ?st?????? - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &???s???? st? ?st?????? st? Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ??e??a - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201099043291
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A441B2AC-04FA-4B19-97B5-723A2C56C9CA}: NameServer = 193.92.150.3,194.219.227.2
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 8233 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-823518204-2025429265-725345543-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-823518204-2025429265-725345543-1003UA.job
C:\WINDOWS\tasks\OGALogon.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-27 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-04-17 16143872]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"NWEReboot"= []
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"Babylon Client"=C:\Program Files\Babylon\Babylon-Pro\Babylon.exe [2008-09-01 3563232]
"UpdatePDRShortCut"=C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [2008-01-04 222504]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2009-02-06 2021400]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-02-25 61440]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-05-26 413696]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2008-04-14 173056]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"Google Update"=C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
C:\WINDOWS\system32\amvo.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe [2009-06-12 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-02-26 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 267304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Vsk3\Vsk3.exe"="C:\Program Files\Vsk3\Vsk3.exe:*:Enabled:Vsk3"
"C:\Program Files\Vsk5Online\Vsk5Online.exe"="C:\Program Files\Vsk5Online\Vsk5Online.exe:*:Enabled:Vsk5Online"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Garena\Garena.exe"="C:\Program Files\Garena\Garena.exe:*:Enabled:Garena"
"C:\Program Files\VALVe\Counter-Strike Source\hl2.exe"="C:\Program Files\VALVe\Counter-Strike Source\hl2.exe:*:Disabled:hl2"
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\Documents and Settings\User\Local Settings\Temp\Blizzard Launcher Temporary - f1010b00\Launcher.exe"="C:\Documents and Settings\User\Local Settings\Temp\Blizzard Launcher Temporary - f1010b00\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\Spotify\spotify.exe"="C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify"
"C:\Program Files\Sierra\FEAR\FEAR.exe"="C:\Program Files\Sierra\FEAR\FEAR.exe:*:Enabled:FEAR"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

======List of files/folders created in the last 3 months======

2009-09-08 23:55:49 ----D---- C:\rsit
2009-09-08 22:16:04 ----D---- C:\Program Files\CCleaner
2009-09-08 22:11:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-09-08 22:07:02 ----D---- C:\Documents and Settings\User\Application Data\Malwarebytes
2009-09-08 22:06:20 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-09-08 20:21:22 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2009-09-08 20:21:16 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$
2009-09-08 20:19:11 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2009-09-08 20:18:10 ----D---- C:\WINDOWS\system32\zh-TW
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\zh-HK
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\tr-TR
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\sv-SE
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\pt-BR
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\nl-NL
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\nb-NO
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\ko-KR
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\it-IT
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\he-IL
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\fr-FR
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\fi-FI
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\es-ES
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\de-DE
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\da-DK
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\ar-SA
2009-09-08 17:29:36 ----D---- C:\Program Files\Trend Micro
2009-09-08 15:42:21 ----D---- C:\Documents and Settings\User\Application Data\Uniblue
2009-09-02 17:47:28 ----D---- C:\Program Files\Eidos
2009-08-30 12:15:09 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard Entertainment
2009-08-27 03:33:01 ----D---- C:\Documents and Settings\User\Application Data\skypePM
2009-08-27 03:31:25 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2009-08-26 22:25:46 ----D---- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-26 22:23:41 ----D---- C:\Program Files\Bonjour
2009-08-26 22:22:31 ----D---- C:\Program Files\QuickTime
2009-08-26 22:22:02 ----D---- C:\Program Files\Apple Software Update
2009-08-26 22:21:47 ----A---- C:\WINDOWS\system32\usbaaplrc.dll
2009-08-26 22:21:33 ----D---- C:\Program Files\Common Files\Apple
2009-08-26 16:10:31 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-08-25 20:03:55 ----A---- C:\WINDOWS\system32\ptpusb.dll
2009-08-25 20:03:54 ----A---- C:\WINDOWS\system32\ptpusd.dll
2009-08-19 18:36:08 ----D---- C:\Program Files\Eidos Interactive
2009-08-12 03:18:12 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-12 03:18:05 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-12 03:17:58 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-12 03:17:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-12 03:17:43 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-12 03:17:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-12 03:17:28 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-12 03:17:17 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-12 03:17:12 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-12 03:16:53 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-07 15:00:03 ----A---- C:\WINDOWS\Eudcedit.ini
2009-08-06 19:14:17 ----D---- C:\Program Files\Wizards of the Coast
2009-08-05 21:28:32 ----A---- C:\WINDOWS\system32\javaws.exe
2009-08-05 21:28:32 ----A---- C:\WINDOWS\system32\javaw.exe
2009-08-05 21:28:32 ----A---- C:\WINDOWS\system32\java.exe
2009-08-03 15:07:42 ----A---- C:\WINDOWS\system32\OGAEXEC.exe
2009-08-03 15:07:42 ----A---- C:\WINDOWS\system32\OGACheckControl.dll
2009-08-03 15:07:42 ----A---- C:\WINDOWS\system32\OGAAddin.dll
2009-07-27 20:02:56 ----D---- C:\Program Files\directx
2009-07-27 20:02:56 ----A---- C:\WINDOWS\DXT1276.tmp
2009-07-27 19:59:30 ----D---- C:\DeusEx
2009-07-22 19:11:03 ----D---- C:\Program Files\GameSpy Arcade
2009-07-22 19:05:46 ----D---- C:\Program Files\Sierra
2009-07-22 15:35:00 ----D---- C:\Documents and Settings\User\Application Data\vlc
2009-07-17 04:52:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-17 04:09:51 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-17 04:09:02 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-06-10 09:30:01 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-06-10 09:29:55 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-06-10 09:29:48 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-06-10 09:29:21 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$

======List of files/folders modified in the last 3 months======

2009-09-08 23:55:59 ----D---- C:\WINDOWS\Prefetch
2009-09-08 23:54:50 ----D---- C:\WINDOWS\Temp
2009-09-08 23:54:31 ----D---- C:\Program Files\Mozilla Firefox
2009-09-08 23:52:08 ----D---- C:\WINDOWS
2009-09-08 23:51:42 ----SD---- C:\WINDOWS\Tasks
2009-09-08 23:50:52 ----D---- C:\WINDOWS\system32\drivers
2009-09-08 23:50:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-08 23:49:13 ----RD---- C:\Program Files
2009-09-08 22:19:33 ----D---- C:\WINDOWS\Debug
2009-09-08 22:19:29 ----D---- C:\WINDOWS\Minidump
2009-09-08 21:52:13 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-09-08 20:33:56 ----A---- C:\WINDOWS\NeroDigital.ini
2009-09-08 20:22:41 ----D---- C:\WINDOWS\system32
2009-09-08 20:22:41 ----D---- C:\Program Files\Microsoft Silverlight
2009-09-08 20:21:25 ----HD---- C:\WINDOWS\inf
2009-09-08 20:21:24 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-09-08 20:21:15 ----HD---- C:\WINDOWS\$hf_mig$
2009-09-08 20:18:54 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-08 20:18:45 ----SHD---- C:\WINDOWS\Installer
2009-09-08 20:05:14 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-09-08 20:03:55 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-08 16:16:42 ----RSH---- C:\boot.ini
2009-09-08 16:16:42 ----A---- C:\WINDOWS\win.ini
2009-09-08 16:16:42 ----A---- C:\WINDOWS\system.ini
2009-09-08 16:07:06 ----D---- C:\Program Files\Steam
2009-09-08 15:21:39 ----A---- C:\WINDOWS\Lexicon.ini
2009-09-02 17:47:27 ----HD---- C:\Program Files\InstallShield Installation Information
2009-09-01 11:57:54 ----D---- C:\Program Files\World of Warcraft
2009-08-31 03:06:27 ----D---- C:\Documents and Settings\User\Application Data\FrostWire
2009-08-30 18:58:15 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-08-30 18:56:28 ----D---- C:\Program Files\Common Files
2009-08-29 00:38:20 ----A---- C:\WINDOWS\system32\MRT.exe
2009-08-28 17:43:12 ----D---- C:\Documents and Settings\User\Application Data\dvdcss
2009-08-28 03:34:40 ----A---- C:\WINDOWS\avisplitter.INI
2009-08-27 19:59:31 ----D---- C:\Documents and Settings\User\Application Data\Apple Computer
2009-08-27 17:34:08 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
2009-08-27 15:23:56 ----D---- C:\Documents and Settings\User\Application Data\BSW
2009-08-27 14:09:18 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-08-27 03:38:18 ----D---- C:\Documents and Settings\User\Application Data\Spotify
2009-08-26 22:21:55 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-08-24 23:20:49 ----D---- C:\Program Files\Garena
2009-08-23 14:00:05 ----D---- C:\Documents and Settings\User\Application Data\uTorrent
2009-08-13 18:20:37 ----A---- C:\WINDOWS\system32\jscript.dll
2009-08-12 03:19:10 ----RSD---- C:\WINDOWS\assembly
2009-08-12 03:17:44 ----D---- C:\Program Files\Outlook Express
2009-08-07 14:59:09 ----RSD---- C:\WINDOWS\Fonts
2009-08-07 14:42:27 ----D---- C:\WINDOWS\Help
2009-08-05 21:28:30 ----D---- C:\Program Files\Java
2009-08-05 11:59:07 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-07-31 17:03:17 ----D---- C:\Documents and Settings\User\Application Data\Adobe
2009-07-31 17:01:31 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-07-28 21:02:45 ----D---- C:\WINDOWS\system32\el-gr
2009-07-28 21:02:45 ----D---- C:\Program Files\Internet Explorer
2009-07-28 21:02:36 ----D---- C:\WINDOWS\ie7updates
2009-07-28 21:02:17 ----D---- C:\WINDOWS\WinSxS
2009-07-25 05:23:00 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-23 18:55:56 ----D---- C:\Documents and Settings\User\Application Data\Winamp
2009-07-22 19:10:52 ----D---- C:\WINDOWS\system32\DirectX
2009-07-19 16:28:51 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-19 16:28:49 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-17 22:02:39 ----A---- C:\WINDOWS\system32\atl.dll
2009-07-17 17:48:30 ----D---- C:\Program Files\Winamp
2009-07-17 16:12:22 ----D---- C:\WINDOWS\Microsoft.NET
2009-07-17 03:46:22 ----D---- C:\Program Files\Messenger Plus! Live
2009-07-14 14:03:14 ----N---- C:\WINDOWS\system32\tzchange.exe
2009-07-13 23:43:24 ----A---- C:\WINDOWS\system32\wmpdxm.dll
2009-07-13 23:43:24 ----A---- C:\WINDOWS\system32\wmp.dll
2009-06-29 18:58:52 ----A---- C:\WINDOWS\system32\wininet.dll
2009-06-29 18:58:52 ----A---- C:\WINDOWS\system32\webcheck.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\url.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\pngfilt.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\occache.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\mstime.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\msrating.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\mshtmled.dll
2009-06-29 18:58:50 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-06-29 18:58:50 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-06-29 18:58:50 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\iernonce.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\ieencode.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\ieaksie.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\ieakeng.dll
2009-06-29 18:58:48 ----N---- C:\WINDOWS\system32\extmgr.dll
2009-06-29 18:58:48 ----A---- C:\WINDOWS\system32\icardie.dll
2009-06-29 18:58:48 ----A---- C:\WINDOWS\system32\dxtrans.dll
2009-06-29 18:58:48 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2009-06-29 18:58:48 ----A---- C:\WINDOWS\system32\corpol.dll
2009-06-29 18:58:48 ----A---- C:\WINDOWS\system32\advpack.dll
2009-06-29 14:07:12 ----A---- C:\WINDOWS\system32\ieudinit.exe
2009-06-29 14:07:11 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-06-29 11:33:39 ----A---- C:\WINDOWS\system32\ieakui.dll
2009-06-28 12:08:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\wdigest.dll
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\secur32.dll
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\schannel.dll
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\msv1_0.dll
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\lsasrv.dll
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\kerberos.dll
2009-06-22 15:26:49 ----D---- C:\Program Files\Vsk3
2009-06-22 15:23:46 ----D---- C:\NeverwinterNights
2009-06-21 23:31:10 ----D---- C:\Warhammer Online - Age of Reckoning
2009-06-20 14:39:07 ----D---- C:\Program Files\Diablo II
2009-06-16 17:36:17 ----A---- C:\WINDOWS\system32\t2embed.dll
2009-06-16 17:36:16 ----A---- C:\WINDOWS\system32\fontsub.dll
2009-06-15 13:44:05 ----A---- C:\WINDOWS\system32\telnet.exe
2009-06-15 13:44:03 ----A---- C:\WINDOWS\system32\tlntsess.exe
2009-06-10 17:14:25 ----A---- C:\WINDOWS\system32\avifil32.dll
2009-06-10 09:19:40 ----A---- C:\WINDOWS\system32\mstscax.dll
2009-06-10 09:15:51 ----A---- C:\WINDOWS\system32\wkssvc.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 38912]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2009-02-06 56280]
R1 lusbaudio;Logitech USB Microphone; C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 25216]
R1 prodrv06;StarForce Protection Environment Driver v6; C:\WINDOWS\System32\drivers\prodrv06.sys [2003-10-10 52128]
R2 adfs;adfs; C:\WINDOWS\system32\drivers\adfs.sys [2008-08-14 74720]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-02-06 113448]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2009-02-06 130952]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-02-26 3565568]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2009-02-06 33096]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-04-17 4262912]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 QCEmerald;Logitech QuickCam Web; C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 31872]
R3 USB_RNDIS;USB Remote NDIS Network Device Driver; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys); C:\WINDOWS\System32\Drivers\e4ldr.sys []
S3 av1ah02a;av1ah02a; C:\WINDOWS\system32\drivers\av1ah02a.sys []
S3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-14 273152]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 cpuz130;cpuz130; \??\C:\DOCUME~1\User\LOCALS~1\Temp\cpuz130\cpuz_x32.sys []
S3 e4usbaw;USB ADSL2 WAN Adapter; C:\WINDOWS\system32\DRIVERS\e4usbaw.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 GarenaPEngine;GarenaPEngine; \??\C:\DOCUME~1\User\LOCALS~1\Temp\FJC3F9.tmp []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
S3 se59bus;Sony Ericsson Device 089 driver (WDM); C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 61536]
S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 9360]
S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 97088]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-07-09 39424]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7; C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-02-26 602112]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-02-06 727720]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-04-11 66872]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2008-04-07 241734]
R2 Ventrilo;Ventrilo; C:\Program Files\VentSrv\ventrilo_svc.exe [2005-07-13 65536]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2009-02-25 593920]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-27 183280]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2009-02-06 20680]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-12-21 655624]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-06-22 208896]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


Let me know if you also need the info.txt generated by RSIT.


Marcos (really thankful)
Ironbender
Fix this one using HijackThis:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Click on Fix Checked when finished and exit HijackThis.

Did you intentionally install Garena on this system?
If yes, remove the last line below from files to delete.

- Download and unzip The Avenger from http://swandog46.geekstogo.com/avenger2/download.php to your desktop
- Start up Avenger.
- In the box that opens, copy, then paste the text in the code box below.
CODE
Files to delete:
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\amvo.exe
C:\Program Files\Garena\Garena.exe

- Click "Execute".
- Press OK at the prompts to reboot your PC.

After your system restarts, a log file should open with the results of Avenger’s actions. Please save this log, I'll need it afterwards.

Download Combofix to your desktop by clicking here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Rename it to C-Fix.exe
Double click C-Fix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Disconnect from the internet (unplug the cable), close all windows and any program on your system tray, including your antivirus. Do not mouse-click or type anything while ComboFix is running. That may cause it to stall.

You can safely ignore warnings about not having the recovery console installed. Run it only once!

Post the Avenger report, the Combofix report and a fresh RSIT log.

You may need more than one post for this, please do so.

Chris
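The reply above does the triage by eye: an entry for a startup item whose file RSIT could not stamp (the amvo.exe startupreg line shows a bare "[]"), a driver or firewall exception that loads from a Temp folder, a service with no listed publisher, and the O17 DNS servers, which should match the ISP's. The script below applies the same checks mechanically to an RSIT/HijackThis-style log. It is an added example written for this page, not a tool from the thread or from RSIT's authors; the rule names, severities and the sample log excerpt (constructed from lines posted above) are the example's own, and every hit is a prompt for a closer look rather than a verdict.

```python
"""Triage heuristics for an RSIT / HijackThis-style log.

Added example, not part of the original thread. It flags the kinds of
entries a malware-removal helper looks at first; every hit is a prompt
for manual review, not a verdict.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# (rule, severity, offending log line)
Finding = Tuple[str, str, str]

# Constructed excerpt modelled on the RSIT/HijackThis log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
C:\WINDOWS\system32\amvo.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe [2009-06-12 1217784]

O17 - HKLM\System\CCS\Services\Tcpip\..\{A441B2AC-04FA-4B19-97B5-723A2C56C9CA}: NameServer = 193.92.150.3,194.219.227.2
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
S3 cpuz130;cpuz130; \??\C:\DOCUME~1\User\LOCALS~1\Temp\cpuz130\cpuz_x32.sys []
S3 GarenaPEngine;GarenaPEngine; \??\C:\DOCUME~1\User\LOCALS~1\Temp\FJC3F9.tmp []
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-02-06 727720]
"C:\Documents and Settings\User\Local Settings\Temp\Blizzard Launcher Temporary - f1010b00\Launcher.exe"="C:\Documents and Settings\User\Local Settings\Temp\Blizzard Launcher Temporary - f1010b00\Launcher.exe:*:Enabled:Blizzard Launcher"
"""

# A Windows drive path somewhere on the line (registry key headers have no "X:\").
WIN_PATH = re.compile(r"[A-Za-z]:\\")
# RSIT appends "[date size]" after a path it could stat; a bare "[]" means it
# could not. In the thread above Avenger later reported exactly such a file
# (amvo.exe) as not found, so these are usually leftovers, but check on disk.
NO_METADATA = re.compile(r"\[\]\s*$")
# Per-user Temp locations on XP, including the 8.3 form RSIT prints.
TEMP_DIR = re.compile(r"\\Temp\\|\\LOCALS~1\\Temp|Local Settings\\Temp", re.IGNORECASE)
# A driver or service whose image is a .tmp file.
TMP_IMAGE = re.compile(r"\.tmp\s*(\[[^\]]*\])?\s*$", re.IGNORECASE)
# HijackThis O23 lines carry the company name; "Unknown owner" means none was found.
UNKNOWN_OWNER = re.compile(r"^O23 - Service: .* - Unknown owner - ")
# HijackThis O17: DNS servers configured on an interface.
O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")


def triage(log_text: str) -> List[Finding]:
    """Return one finding per (rule, line) pair that matches."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if WIN_PATH.search(line) and NO_METADATA.search(line):
            findings.append(("no-file-metadata", "info", line))
        if TEMP_DIR.search(line):
            findings.append(("loads-from-temp", "high", line))
        if TMP_IMAGE.search(line):
            findings.append(("tmp-image", "high", line))
        if UNKNOWN_OWNER.match(line):
            findings.append(("unknown-owner", "low", line))
        if O17_DNS.match(line):
            findings.append(("dns-servers", "review", line))
    return findings


def dns_servers(log_text: str) -> List[str]:
    """All DNS servers named on O17 lines, for comparison with the ISP's."""
    servers: List[str] = []
    for line in log_text.splitlines():
        m = O17_DNS.match(line.strip())
        if m:
            servers.extend(s for s in m.group("servers").split(",") if s)
    return servers


def by_rule(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, handy for a quick summary."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    for rule, severity, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule:17} {line}")
    print("DNS:", ", ".join(dns_servers(SAMPLE_LOG)))
```

Run it against a saved log.txt with `python triage.py` after swapping SAMPLE_LOG for the file's contents. On the excerpt it flags amvo.exe, the two Temp-resident drivers and the Temp-resident firewall exception; a driver image in Temp with no metadata left behind is also what a tool like CPU-Z produces when it drops its helper driver at run time, which is why the output is a review list and the decision still rests with the person reading it.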
Marc0S
Got a problem with ComboFix.

As soon as I run it and click ok on the warranty disclaimer I get this:

[screenshot of the error window]


Note: I did rename it to C-Fix.exe as you said.
Ironbender
Looks like you are trying to run CFScript.exe instead of Combofix... If properly installed, you should have, on your desktop, two icons:

[attachment: screenshot of the two icons]

Right-click the red round one and rename it to c-fix.exe. Do NOT try to rename or run the other one!

If it seems to be correct, just click OK to run Combofix.

Chris
Marc0S
Hmm.. the link you gave on the previous post to download combofix automatically downloads only the red icon ComboFix.exe, which I renamed to C-Fix.exe.
But still gives me the same error I posted just above.


Marcos
Ironbender
Well, Download it again, don't rename it and click OK if the message appears again to see what happens (this may be a new version I'm unaware of)...

Chris
Marc0S
Still doesn't work, same message.. Pressing ok on that window just closes the program.

:S

Marcos
Ironbender
And what happens if you close the error window by clicking the red x ?

Try this...
<Start/Run> type in combofix /u (Enter)
(Note the space before the /u)
This will uninstall combofix.

Try to download worksnow to your desktop from here: http://www.nutnworks.com/worksnow.exe
(worksnow is combofix previously renamed)

Make sure all other windows are closed and that your antivirus is not active before running it.

Chris
Marc0S
Hello again Chris.
(needed some sleep)

Ok so, I downloaded worksnow.exe, since I couldn't make Combofix.exe work.
However, when starting worksnow.exe I got this message:

Current date is ~. ComboFix has expired.

Click Yes to run in REDUCED FUNCTIONALITY
Click No to exit.


I clicked yes. So here are the Avenger report, the Worksnow/combofix report and the fresh RSIT log.


Avenger report:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\ALCMTR.EXE" deleted successfully.

Error: file "C:\WINDOWS\system32\amvo.exe" not found!
Deletion of file "C:\WINDOWS\system32\amvo.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Program Files\Garena\Garena.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Worksnow/ComboFix report:

ComboFix 09-08-07.09 - User 09/09/2009 14:31.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1032.18.1023.537 [GMT 3:00]
Running from: c:\documents and settings\User\?p?f??e?a e??as?a?\worksnow.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-09 11:06 . 2009-09-09 11:07 -------- d-s---w- C:\C-Fix
2009-09-08 23:55 . 2009-09-09 11:06 -------- d-s---w- C:\ComboFix
2009-09-08 20:55 . 2009-09-08 20:56 -------- d-----w- C:\rsit
2009-09-08 19:16 . 2009-09-08 19:16 -------- d-----w- c:\program files\CCleaner
2009-09-08 19:11 . 2009-09-08 19:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 19:07 . 2009-09-08 19:07 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-09-08 19:06 . 2009-08-03 10:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 19:06 . 2009-09-08 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 19:06 . 2009-08-03 10:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 17:17 . 2009-06-21 21:47 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 14:29 . 2009-09-08 14:29 -------- d-----w- c:\program files\Trend Micro
2009-09-08 12:42 . 2009-09-08 12:42 -------- d-----w- c:\documents and settings\User\Application Data\Uniblue
2009-09-02 14:47 . 2009-09-02 14:47 -------- d-----w- c:\program files\Eidos
2009-08-30 09:15 . 2009-08-30 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-27 00:33 . 2009-08-27 00:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-27 00:33 . 2009-08-30 13:08 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2009-08-27 00:31 . 2009-08-30 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-26 19:25 . 2009-08-26 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-26 19:23 . 2009-08-26 19:23 -------- d-----w- c:\program files\Bonjour
2009-08-26 19:22 . 2009-08-26 19:22 -------- d-----w- c:\program files\QuickTime
2009-08-26 19:22 . 2009-08-26 19:22 -------- d-----w- c:\program files\Apple Software Update
2009-08-26 19:21 . 2009-07-09 09:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 19:21 . 2009-07-09 09:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 19:21 . 2009-08-30 15:58 -------- d-----w- c:\program files\Common Files\Apple
2009-08-25 17:03 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-08-25 17:03 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-08-25 17:03 . 2001-11-26 20:29 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-08-25 17:03 . 2008-04-14 16:29 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-08-19 15:36 . 2009-08-19 15:36 -------- d-----w- c:\program files\Eidos Interactive
2009-08-12 00:13 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 22:22 . 2008-11-29 11:18 -------- d-----w- c:\program files\Garena
2009-09-08 18:52 . 2008-10-05 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-08 17:22 . 2008-01-30 08:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 17:05 . 2008-01-23 21:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-08 17:03 . 2008-01-23 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-08 13:07 . 2009-03-19 21:00 -------- d-----w- c:\program files\Steam
2009-09-08 12:51 . 2008-01-11 13:40 35464 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-05 02:56 . 2009-07-22 12:35 -------- d-----w- c:\documents and settings\User\Application Data\vlc
2009-09-02 14:47 . 2008-01-11 14:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-01 08:57 . 2008-01-11 20:16 -------- d-----w- c:\program files\World of Warcraft
2009-08-31 00:06 . 2008-09-06 09:58 -------- d-----w- c:\documents and settings\User\Application Data\FrostWire
2009-08-28 14:43 . 2009-03-31 19:54 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2009-08-27 16:59 . 2008-03-14 01:04 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer
2009-08-27 14:34 . 2008-03-14 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-27 12:23 . 2009-01-11 15:27 -------- d-----w- c:\documents and settings\User\Application Data\BSW
2009-08-27 00:38 . 2009-05-28 10:20 -------- d-----w- c:\documents and settings\User\Application Data\Spotify
2009-08-23 11:00 . 2008-11-19 11:37 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2009-08-10 15:01 . 2009-08-06 17:51 255200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-07 11:59 . 2009-08-07 11:59 39554 ----a-w- c:\windows\Fonts\elle.EUF
2009-08-07 11:59 . 2009-08-07 11:59 101700 ----a-w- c:\windows\Fonts\elle.TTE
2009-08-07 11:53 . 2009-08-07 11:48 40074 ----a-w- c:\windows\Fonts\EUDC.EUF
2009-08-07 11:53 . 2009-08-07 11:48 101772 ----a-w- c:\windows\Fonts\EUDC.TTE
2009-08-06 16:14 . 2009-08-06 16:14 -------- d-----w- c:\program files\Wizards of the Coast
2009-08-05 18:28 . 2008-01-23 18:31 -------- d-----w- c:\program files\Java
2009-08-05 18:27 . 2009-08-05 18:27 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 08:59 . 2004-09-07 12:00 206336 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 12:07 . 2009-08-03 12:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 12:07 . 2009-08-03 12:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 12:07 . 2009-08-03 12:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-31 14:01 . 2008-12-18 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-27 17:02 . 2009-07-27 17:02 -------- d-----w- c:\program files\directx
2009-07-27 17:02 . 2009-07-27 17:02 0 ----a-w- c:\windows\DXT1276.tmp
2009-07-25 02:23 . 2008-09-16 15:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-23 15:55 . 2009-03-11 19:45 -------- d-----w- c:\documents and settings\User\Application Data\Winamp
2009-07-22 16:11 . 2009-07-22 16:11 -------- d-----w- c:\program files\GameSpy Arcade
2009-07-22 16:05 . 2009-07-22 16:05 -------- d-----w- c:\program files\Sierra
2009-07-17 19:02 . 2004-09-07 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 14:48 . 2009-03-11 19:45 -------- d-----w- c:\program files\Winamp
2009-07-17 00:46 . 2008-04-30 12:31 -------- d-----w- c:\program files\Messenger Plus! Live
2009-07-13 20:43 . 2004-09-07 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 15:58 . 2004-09-07 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 15:58 . 2009-01-30 11:02 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 15:58 . 2004-09-07 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-28 09:08 . 2004-09-07 12:00 95158 ----a-w- c:\windows\system32\perfc008.dat
2009-06-28 09:08 . 2004-09-07 12:00 550926 ----a-w- c:\windows\system32\perfh008.dat
2009-06-25 08:25 . 2004-09-07 12:00 738304 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-09-07 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-09-07 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-09-07 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-09-07 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-09-07 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-09-07 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-09-07 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-09-07 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 10:44 . 2004-09-07 12:00 80384 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 10:44 . 2004-09-07 12:00 83456 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-14 15:25 . 2009-06-14 15:25 1915520 ----a-w- c:\documents and settings\User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2008-09-01 3563232]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 173056]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6/2/2009 3:23 µµ 106208]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/9/2008 1:03 µµ 169312]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [6/2/2009 3:23 µµ 727720]
R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [9/3/2008 6:20 µµ 31872]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);c:\windows\system32\Drivers\e4ldr.sys --> c:\windows\system32\Drivers\e4ldr.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\User\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\User\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\system32\DRIVERS\e4usbaw.sys --> c:\windows\system32\DRIVERS\e4usbaw.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\User\LOCALS~1\Temp\FJC3F9.tmp --> c:\docume~1\User\LOCALS~1\Temp\FJC3F9.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]

2009-09-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-05 22:31]

2009-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-2025429265-725345543-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 10:33]

2009-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-2025429265-725345543-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 10:33]

2009-09-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 12:07]

2009-09-09 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 19:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
IE: ?&?a???? st? Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {A441B2AC-04FA-4B19-97B5-723A2C56C9CA} = 193.92.150.3,194.219.227.2
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\sx2sezo5.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 14:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\User\Start Menu\ 62 bytes
c:\documents and settings\User\Start Menu\c:\documents and settings\User\Start Menu\ 698 bytes
c:\documents and settings\User\Start Menu\ 636 bytes
c:\documents and settings\User\Start Menu\

scan completed successfully
hidden files: 5

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\User\LOCALS~1\Temp\FJC3F9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1736)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-09 14:39
ComboFix-quarantined-files.txt 2009-09-09 11:39

Pre-Run: 16 ?at?????? 54.419.566.592 d?a??s?µa byte
Post-Run: 16 ?at?????? 54.496.894.976 d?a??s?µa byte

215 --- E O F --- 2009-08-26 13:10

RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by User at 2009-09-09 14:50:16
Microsoft Windows XP Professional Service Pack 3
System drive C: has 52 GB (22%) free of 238 GB
Total RAM: 1023 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:24 µµ, on 9/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\?p?f??e?a e??as?a?\RSIT.exe
C:\Program Files\Trend Micro\HijackCheck\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ?????? e?s?d?? t?? Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [UpdatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: ???s???? st? ?st?????? - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &???s???? st? ?st?????? st? Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ??e??a - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201099043291
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A441B2AC-04FA-4B19-97B5-723A2C56C9CA}: NameServer = 193.92.150.3,194.219.227.2
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 8041 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-823518204-2025429265-725345543-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-823518204-2025429265-725345543-1003UA.job
C:\WINDOWS\tasks\OGALogon.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
?????? e?s?d?? t?? Windows Live - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-27 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-04-17 16143872]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"Babylon Client"=C:\Program Files\Babylon\Babylon-Pro\Babylon.exe [2008-09-01 3563232]
"UpdatePDRShortCut"=C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [2008-01-04 222504]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2009-02-06 2021400]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-02-25 61440]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-05-26 413696]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2008-04-14 173056]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"Google Update"=C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
C:\WINDOWS\system32\amvo.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe [2009-06-12 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-02-26 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 267304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\Spotify\spotify.exe"="C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify"
"C:\Program Files\Sierra\FEAR\FEAR.exe"="C:\Program Files\Sierra\FEAR\FEAR.exe:*:Enabled:FEAR"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

======List of files/folders created in the last 3 months======

2009-09-09 14:39:57 ----A---- C:\ComboFix.txt
2009-09-09 14:18:08 ----A---- C:\WINDOWS\NIRCMD.exe
2009-09-09 14:06:54 ----SD---- C:\C-Fix
2009-09-09 02:55:33 ----SD---- C:\ComboFix
2009-09-09 01:36:06 ----A---- C:\WINDOWS\zip.exe
2009-09-09 01:36:06 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-09-09 01:36:06 ----A---- C:\WINDOWS\SWSC.exe
2009-09-09 01:36:06 ----A---- C:\WINDOWS\SWREG.exe
2009-09-09 01:36:06 ----A---- C:\WINDOWS\sed.exe
2009-09-09 01:36:06 ----A---- C:\WINDOWS\PEV.exe
2009-09-09 01:36:06 ----A---- C:\WINDOWS\grep.exe
2009-09-09 01:35:46 ----D---- C:\WINDOWS\ERDNT
2009-09-09 01:35:38 ----D---- C:\Qoobox
2009-09-09 01:22:08 ----D---- C:\Avenger
2009-09-09 01:22:07 ----A---- C:\avenger.txt
2009-09-08 23:55:49 ----D---- C:\rsit
2009-09-08 22:16:04 ----D---- C:\Program Files\CCleaner
2009-09-08 22:11:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-09-08 22:07:02 ----D---- C:\Documents and Settings\User\Application Data\Malwarebytes
2009-09-08 22:06:20 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-09-08 20:21:22 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2009-09-08 20:21:16 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$
2009-09-08 20:19:11 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2009-09-08 20:18:10 ----D---- C:\WINDOWS\system32\zh-TW
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\zh-HK
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\tr-TR
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\sv-SE
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\pt-BR
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\nl-NL
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\nb-NO
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\ko-KR
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\it-IT
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\he-IL
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\fr-FR
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\fi-FI
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\es-ES
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\de-DE
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\da-DK
2009-09-08 20:18:09 ----D---- C:\WINDOWS\system32\ar-SA
2009-09-08 17:29:36 ----D---- C:\Program Files\Trend Micro
2009-09-08 15:42:21 ----D---- C:\Documents and Settings\User\Application Data\Uniblue
2009-09-02 17:47:28 ----D---- C:\Program Files\Eidos
2009-08-30 12:15:09 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard Entertainment
2009-08-27 03:33:01 ----D---- C:\Documents and Settings\User\Application Data\skypePM
2009-08-27 03:31:25 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2009-08-26 22:25:46 ----D---- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-26 22:23:41 ----D---- C:\Program Files\Bonjour
2009-08-26 22:22:31 ----D---- C:\Program Files\QuickTime
2009-08-26 22:22:02 ----D---- C:\Program Files\Apple Software Update
2009-08-26 22:21:47 ----A---- C:\WINDOWS\system32\usbaaplrc.dll
2009-08-26 22:21:33 ----D---- C:\Program Files\Common Files\Apple
2009-08-26 16:10:31 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-08-25 20:03:55 ----A---- C:\WINDOWS\system32\ptpusb.dll
2009-08-25 20:03:54 ----A---- C:\WINDOWS\system32\ptpusd.dll
2009-08-19 18:36:08 ----D---- C:\Program Files\Eidos Interactive
2009-08-12 03:18:12 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-12 03:18:05 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-12 03:17:58 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-12 03:17:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-12 03:17:43 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-12 03:17:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-12 03:17:28 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-12 03:17:17 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-12 03:17:12 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-12 03:16:53 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-07 15:00:03 ----A---- C:\WINDOWS\Eudcedit.ini
2009-08-06 19:14:17 ----D---- C:\Program Files\Wizards of the Coast
2009-08-05 21:28:32 ----A---- C:\WINDOWS\system32\javaws.exe
2009-08-05 21:28:32 ----A---- C:\WINDOWS\system32\javaw.exe
2009-08-05 21:28:32 ----A---- C:\WINDOWS\system32\java.exe
2009-08-03 15:07:42 ----A---- C:\WINDOWS\system32\OGAEXEC.exe
2009-08-03 15:07:42 ----A---- C:\WINDOWS\system32\OGACheckControl.dll
2009-08-03 15:07:42 ----A---- C:\WINDOWS\system32\OGAAddin.dll
2009-07-27 20:02:56 ----D---- C:\Program Files\directx
2009-07-27 20:02:56 ----A---- C:\WINDOWS\DXT1276.tmp
2009-07-27 19:59:30 ----D---- C:\DeusEx
2009-07-22 19:11:03 ----D---- C:\Program Files\GameSpy Arcade
2009-07-22 19:05:46 ----D---- C:\Program Files\Sierra
2009-07-22 15:35:00 ----D---- C:\Documents and Settings\User\Application Data\vlc
2009-07-17 04:52:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-17 04:09:51 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-17 04:09:02 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-06-10 09:30:01 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-06-10 09:29:55 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-06-10 09:29:48 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-06-10 09:29:21 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$

======List of files/folders modified in the last 3 months======

2009-09-09 14:43:10 ----D---- C:\Program Files\Mozilla Firefox
2009-09-09 14:39:59 ----D---- C:\WINDOWS\system32\drivers
2009-09-09 14:39:59 ----D---- C:\WINDOWS\system32
2009-09-09 14:39:18 ----D---- C:\WINDOWS\Temp
2009-09-09 14:38:52 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-09 14:32:32 ----D---- C:\WINDOWS
2009-09-09 14:32:32 ----A---- C:\WINDOWS\system.ini
2009-09-09 14:18:18 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-09 14:16:10 ----D---- C:\WINDOWS\Prefetch
2009-09-09 13:24:51 ----SD---- C:\WINDOWS\Tasks
2009-09-09 01:22:08 ----D---- C:\Program Files\Garena
2009-09-08 23:49:13 ----RD---- C:\Program Files
2009-09-08 22:19:33 ----D---- C:\WINDOWS\Debug
2009-09-08 22:19:29 ----D---- C:\WINDOWS\Minidump
2009-09-08 21:52:13 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-09-08 20:33:56 ----A---- C:\WINDOWS\NeroDigital.ini
2009-09-08 20:22:41 ----D---- C:\Program Files\Microsoft Silverlight
2009-09-08 20:21:25 ----HD---- C:\WINDOWS\inf
2009-09-08 20:21:24 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-09-08 20:21:15 ----HD---- C:\WINDOWS\$hf_mig$
2009-09-08 20:18:45 ----SHD---- C:\WINDOWS\Installer
2009-09-08 20:05:14 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-09-08 20:03:55 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-08 16:16:42 ----RSH---- C:\boot.ini
2009-09-08 16:16:42 ----A---- C:\WINDOWS\win.ini
2009-09-08 16:07:06 ----D---- C:\Program Files\Steam
2009-09-08 15:21:39 ----A---- C:\WINDOWS\Lexicon.ini
2009-09-02 17:47:27 ----HD---- C:\Program Files\InstallShield Installation Information
2009-09-01 11:57:54 ----D---- C:\Program Files\World of Warcraft
2009-08-31 03:06:27 ----D---- C:\Documents and Settings\User\Application Data\FrostWire
2009-08-30 18:58:15 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-08-30 18:56:28 ----D---- C:\Program Files\Common Files
2009-08-29 00:38:20 ----A---- C:\WINDOWS\system32\MRT.exe
2009-08-28 17:43:12 ----D---- C:\Documents and Settings\User\Application Data\dvdcss
2009-08-28 03:34:40 ----A---- C:\WINDOWS\avisplitter.INI
2009-08-27 19:59:31 ----D---- C:\Documents and Settings\User\Application Data\Apple Computer
2009-08-27 17:34:08 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
2009-08-27 15:23:56 ----D---- C:\Documents and Settings\User\Application Data\BSW
2009-08-27 14:09:18 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-08-27 03:38:18 ----D---- C:\Documents and Settings\User\Application Data\Spotify
2009-08-26 22:21:55 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-08-23 14:00:05 ----D---- C:\Documents and Settings\User\Application Data\uTorrent
2009-08-13 18:20:37 ----A---- C:\WINDOWS\system32\jscript.dll
2009-08-12 03:19:10 ----RSD---- C:\WINDOWS\assembly
2009-08-12 03:17:44 ----D---- C:\Program Files\Outlook Express
2009-08-07 14:59:09 ----RSD---- C:\WINDOWS\Fonts
2009-08-07 14:42:27 ----D---- C:\WINDOWS\Help
2009-08-05 21:28:30 ----D---- C:\Program Files\Java
2009-08-05 11:59:07 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-07-31 17:03:17 ----D---- C:\Documents and Settings\User\Application Data\Adobe
2009-07-31 17:01:31 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-07-28 21:02:45 ----D---- C:\WINDOWS\system32\el-gr
2009-07-28 21:02:45 ----D---- C:\Program Files\Internet Explorer
2009-07-28 21:02:36 ----D---- C:\WINDOWS\ie7updates
2009-07-28 21:02:17 ----D---- C:\WINDOWS\WinSxS
2009-07-25 05:23:00 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-23 18:55:56 ----D---- C:\Documents and Settings\User\Application Data\Winamp
2009-07-22 19:10:52 ----D---- C:\WINDOWS\system32\DirectX
2009-07-19 16:28:51 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-19 16:28:49 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-17 22:02:39 ----A---- C:\WINDOWS\system32\atl.dll
2009-07-17 17:48:30 ----D---- C:\Program Files\Winamp
2009-07-17 16:12:22 ----D---- C:\WINDOWS\Microsoft.NET
2009-07-17 03:46:22 ----D---- C:\Program Files\Messenger Plus! Live
2009-07-14 14:03:14 ----N---- C:\WINDOWS\system32\tzchange.exe
2009-07-13 23:43:24 ----A---- C:\WINDOWS\system32\wmpdxm.dll
2009-07-13 23:43:24 ----A---- C:\WINDOWS\system32\wmp.dll
2009-06-29 18:58:52 ----A---- C:\WINDOWS\system32\wininet.dll
2009-06-29 18:58:52 ----A---- C:\WINDOWS\system32\webcheck.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\url.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\pngfilt.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\occache.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\mstime.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\msrating.dll
2009-06-29 18:58:51 ----A---- C:\WINDOWS\system32\mshtmled.dll
2009-06-29 18:58:50 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-06-29 18:58:50 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-06-29 18:58:50 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\iernonce.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\ieencode.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\ieaksie.dll
2009-06-29 18:58:49 ----A---- C:\WINDOWS\system32\ieakeng.dll
2009-06-29 18:58:48 ----N---- C:\WINDOWS\system32\extmgr.dll
2009-06-29 18:58:48 ----A---- C:\WINDOWS\system32\icardie.dll
2009-06-29 18:58:48 ----A---- C:\WINDOWS\system32\dxtrans.dll
2009-06-29 18:58:48 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2009-06-29 18:58:48 ----A---- C:\WINDOWS\system32\corpol.dll
2009-06-29 18:58:48 ----A---- C:\WINDOWS\system32\advpack.dll
2009-06-29 14:07:12 ----A---- C:\WINDOWS\system32\ieudinit.exe
2009-06-29 14:07:11 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-06-29 11:33:39 ----A---- C:\WINDOWS\system32\ieakui.dll
2009-06-28 12:08:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\wdigest.dll
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\secur32.dll
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\schannel.dll
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\msv1_0.dll
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\lsasrv.dll
2009-06-25 11:25:54 ----A---- C:\WINDOWS\system32\kerberos.dll
2009-06-22 15:26:49 ----D---- C:\Program Files\Vsk3
2009-06-22 15:23:46 ----D---- C:\NeverwinterNights
2009-06-21 23:31:10 ----D---- C:\Warhammer Online - Age of Reckoning
2009-06-20 14:39:07 ----D---- C:\Program Files\Diablo II
2009-06-16 17:36:17 ----A---- C:\WINDOWS\system32\t2embed.dll
2009-06-16 17:36:16 ----A---- C:\WINDOWS\system32\fontsub.dll
2009-06-15 13:44:05 ----A---- C:\WINDOWS\system32\telnet.exe
2009-06-15 13:44:03 ----A---- C:\WINDOWS\system32\tlntsess.exe
2009-06-10 17:14:25 ----A---- C:\WINDOWS\system32\avifil32.dll
2009-06-10 09:19:40 ----A---- C:\WINDOWS\system32\mstscax.dll
2009-06-10 09:15:51 ----A---- C:\WINDOWS\system32\wkssvc.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 38912]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2009-02-06 56280]
R1 lusbaudio;?????f??? USB t?? Logitech; C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 25216]
R1 prodrv06;StarForce Protection Environment Driver v6; C:\WINDOWS\System32\drivers\prodrv06.sys [2003-10-10 52128]
R2 adfs;adfs; C:\WINDOWS\system32\drivers\adfs.sys [2008-08-14 74720]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-02-06 113448]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2009-02-06 130952]
R3 Arp1394;???t?????? pe??t? ARP 1394; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-02-26 3565568]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2009-02-06 33096]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;?????aµµa ?d???s?? d?a???? Microsoft UAA ??a High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-04-17 4262912]
R3 NIC1394;?????aµµa ?d???s?? d??t??? 1394; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 QCEmerald;Logitech QuickCam Web; C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 31872]
R3 USB_RNDIS;USB Remote NDIS Network Device Driver; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
R3 usbccgp;Ge???? ?????? p????aµµa ?d???s?? USB t?? Microsoft; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;?????aµµa ?d???s?? USB 2.0-p????µ???? ?e?t????? e?e??t? Miniport t?? Microsoft; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;??a??µ?a? µe d??at?t?ta USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;?????aµµa ?d???s?? µa????? ap????e?s?? USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys); C:\WINDOWS\System32\Drivers\e4ldr.sys []
S3 avxnqfrv;avxnqfrv; C:\WINDOWS\system32\drivers\avxnqfrv.sys []
S3 BthEnum;?p??es?a apa???µ?s?? Bluetooth; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
S3 BTHPORT;?????aµµa ?d???s?? ???a? Bluetooth; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-14 273152]
S3 BTHUSB;?????aµµa ?d???s?? ???a? USB as??µat?? Bluetooth; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
S3 catchme;catchme; \??\C:\worksnow\catchme.sys []
S3 CCDECODE;?p???d???p???t?? ??d???p???µ???? ?p?t?t???; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 cpuz130;cpuz130; \??\C:\DOCUME~1\User\LOCALS~1\Temp\cpuz130\cpuz_x32.sys []
S3 e4usbaw;USB ADSL2 WAN Adapter; C:\WINDOWS\system32\DRIVERS\e4usbaw.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 GarenaPEngine;GarenaPEngine; \??\C:\DOCUME~1\User\LOCALS~1\Temp\FJC3F9.tmp []
S3 MSTEE;?etat??p?a? Tee/Sink-to-Sink ???? t?? Microsoft; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;S??des? t??e??as??/ß??te? t?? Microsoft; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
S3 se59bus;Sony Ericsson Device 089 driver (WDM); C:\WINDOWS\system32\DRIVERS\se59bus.sys [2006-09-05 61536]
S3 se59mdfl;Sony Ericsson Device 089 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\se59mdfl.sys [2006-09-05 9360]
S3 se59mdm;Sony Ericsson Device 089 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\se59mdm.sys [2006-09-05 97088]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-07-09 39424]
S3 usbscan;?????aµµa ?d???s?? sa??t? USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\W
Marc0S
here is the rest of the RSIT log.
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7; C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-02-26 602112]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-02-06 727720]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-04-11 66872]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2008-04-07 241734]
R2 Ventrilo;Ventrilo; C:\Program Files\VentSrv\ventrilo_svc.exe [2005-07-13 65536]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2009-02-25 593920]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-27 183280]
S3 aspnet_state;?p??es?a ?at?stas?? ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2009-02-06 20680]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-12-21 655624]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-06-22 208896]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

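An added example for this thread (not RSIT's, Avenger's or the helper's code) of the triage a malware-removal helper does by eye on the RSIT driver/service list above: it parses the `R3 name;description; path [date size]` lines and flags entries whose file no longer exists on disk (the empty `[]`), entries loading from a Temp directory, and entries outside the Windows and Program Files trees. The sample lines are copied from the log posted above; the thresholds and reason strings are this example's own.

```python
"""Triage RSIT 'List of drivers/services' lines (added example, not RSIT code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One RSIT entry: "<R|S><0-4> name;description; path [YYYY-MM-DD size]"
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<desc>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
# Drivers and services normally live under these trees.
STANDARD_DIR_RE = re.compile(r"^[a-z]:\\(windows|program files)\\")

# Sample lines copied from the RSIT log in this thread (constructed subset).
SAMPLE_LOG = r"""
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 38912]
S3 avxnqfrv;avxnqfrv; C:\WINDOWS\system32\drivers\avxnqfrv.sys []
S3 catchme;catchme; \??\C:\worksnow\catchme.sys []
S3 cpuz130;cpuz130; \??\C:\DOCUME~1\User\LOCALS~1\Temp\cpuz130\cpuz_x32.sys []
S3 GarenaPEngine;GarenaPEngine; \??\C:\DOCUME~1\User\LOCALS~1\Temp\FJC3F9.tmp []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-07-09 39424]
""".strip()


@dataclass
class Entry:
    state: str            # R = running, S = stopped
    start: int            # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    desc: str
    path: str
    date: Optional[str]   # None when RSIT printed "[]" (file not found)
    size: Optional[int]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one RSIT line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    meta = m["meta"].split()
    date = meta[0] if meta else None
    size = int(meta[1]) if len(meta) > 1 else None
    return Entry(m["state"], int(m["start"]), m["name"], m["desc"],
                 m["path"], date, size)


def review_reasons(entry: Entry) -> List[str]:
    """Heuristics (this example's own) that make an entry worth a second look."""
    reasons = []
    if entry.size is None:
        reasons.append("file not found on disk (empty [] in log)")
    path = entry.path.lower()
    if path.startswith("\\??\\"):          # NT object-manager prefix, as RSIT prints it
        path = path[4:]
    if "\\temp\\" in path or path.endswith(".tmp"):
        reasons.append("loads from a Temp directory")
    if not STANDARD_DIR_RE.match(path):
        reasons.append("outside Windows / Program Files trees")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map driver/service name -> reasons, for entries with at least one reason."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = review_reasons(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Flagged entries are review candidates, not verdicts: catchme and cpuz130 here are leftovers of legitimate diagnostic tools, which is why the helper checks each one rather than deleting on sight.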
Ironbender
Almost there now...

- Start up Avenger.
- In the box that opens, copy, then paste the text in the code box below.
CODE
Files to delete:
c:\windows\system32\ezsidmv.dat
c:\windows\DXT1276.tmp

Folders to delete:
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
C:\Program Files\Garena

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva

- Click "Execute".
- Press OK at the prompts to reboot your PC.

Please post the Avenger log and let me know how your system is running.

Chris
Marc0S
Avenger log

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\ezsidmv.dat" deleted successfully.
File "c:\windows\DXT1276.tmp" deleted successfully.
Folder "c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}" deleted successfully.
Folder "C:\Program Files\Garena" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Actually everything looks normal and clean.
Just noticed something probably not very important. There's a new Internet Explorer icon on my desktop, and it's not a shortcut. Is that normal?

Whatsoever, I'm so glad for the great job you did so far, many thanks!

Marcos
Ironbender
Yep. Some fixtools restore the IE icon to the desktop (which is hidden in XP SP3). You can safely delete the icon, as this will not delete the program itself.

You are welcome. Glad we could help.

You can now uninstall ComboFix.
<Start/Run> type in combofix /u (Enter)
This will remove quarantined files and folders, thus avoiding future antivirus alerts about them.

Update Java: Go to http://java.sun.com/javase/downloads/index.jsp
Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 16' or higher and press the 'Download' button.
Reboot when installed.
Uninstall any previous JRE versions from Control Panel, add-remove programs afterward.

Disable/re-enable system restore to avoid future reinfections from restore points: http://www.bleepingcomputer.com/tutorials/tutorial56.html

Don't forget to create a new restore point just after.

Some freebies to be more protected:
SpywareBlaster: http://www.javacoolsoftware.com/sbdownload.html (update the definition files on install and once a week after install)

RegProt (warns every time a registry key is changed and allows you to deny it if suspicious): http://www.diamondcs.com.au/freeutilities/regprot.php

SnoopFree anti-keylogger from http://www.snoopfree.com/ (warns you if any program tries to read your screen or your keyboard). You must allow legit programs to run and will be able to block and even kill any suspicious one.

Crazy Browser from http://www.crazybrowser.com/ instead of IE (although it needs the IE engine to run, it has built-in popup blocker and content filter). You may also consider FireFox.

With safe surfing and mailing habits (never leave the mail preview pane enabled, as new baddies now come embedded in the text or hidden scripts - delete any suspicious mail without viewing it), this will keep most baddies away.

Chris


This topic has been closed as the problem has been resolved. If there is a need to reopen this topic, please send a PM to a Moderator.
Invision Power Board © 2001-2009 Invision Power Services, Inc.