Random app consuming 100% of cpu

Dell INSPIRON 6000
December 1, 2009 at 05:32:36
Specs: Windows XP, 1,66 1gb
Ok, so I think I got a virus on my computer after receiving some files from my teacher's flash pen. The problem now is that a random application that I've been using for two months now is consuming 95+% of my CPU every time I turn the app on.
After running several virus scans and other malware and spyware scans, it still keeps happening.
I need to use this application, so "don't use it" is not an option :).

Does anyone recognize this problem? Or does anyone have any info on this?

All help appreciated.




#1
December 1, 2009 at 05:54:34
It sounds like a variant of an autorun virus, but there is no way to be sure other than to run some scans to look for bad files.

Please save this file to your desktop.

Win32kDiag.exe

Please double click on the Win32kDiag file and post the log it produces. This log might be quite lengthy and may take more than one post to get all of it posted.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch the program.
2. (Vista users only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt (this will be maximized) and info.txt (this will be minimized). Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply.



#2
December 1, 2009 at 10:47:49
Ok, I will do that, but should I keep the 95%+ consuming application running whilst I run the scan programs?

And btw, am I not leaking any private info from my pc when posting the logs here?



#3
December 1, 2009 at 11:54:28
Yes, leave all the apps running, and no private info is revealed. You can see all the info before you post.


#4
December 1, 2009 at 12:25:46
Ok, so the first time I ran Win32kDiag.exe, the file was showing up and all went well. The second time (after turning on the application that was guilty of consuming 95%+ of CPU) it did not show any log file. The only thing I could find was this:
"Running from: C:\Documents and Settings\Administrator\My Documents\Downloads\Win32kDiag(2).exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!"

How do I get the log file to show once more, so I can post it here?

Anyway, I will post the RSIT log and info files until further direction is received.



#5
December 1, 2009 at 12:26:44
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-12-01 20:31:25
Microsoft Windows XP Professional Service Pack 3
System drive C: has 19 GB (35%) free of 54 GB
Total RAM: 1023 MB (24% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:44 PM, on 12/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TEXTware\HotKey\TWALINK.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
D:\tableninja\TableNinja.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.fo/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.10.1:8080
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [yeazem] C:\Documents and Settings\Administrator\yeazem.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12" -"http://skillgames.nordicbet.com/t/v/client/info?action=gameClient&tournamentSessionId=26817932&pwd=EOPMESCSIMXJ"
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1757981266-1614895754-839522115-1008\..\RunOnce: [] (User 'holdemmanager')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = ?
O4 - Startup: My_AutoWarkey_Script.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Smart Buddy.lnk = C:\Program Files\Poker Pro Labs\Smart Buddy\Backup(1.0.96.0)\SmartBuddy.exe
O4 - Startup: Warkeys Update.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O4 - Global Startup: HotKey.lnk = C:\Program Files\TEXTware\HotKey\TWALINK.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NordicBet - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\NordicBetMPP\MPPoker.exe (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10901 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{2580DBE6-057E-4864-B4A6-AC2166190203}.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-11-07 1088296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Hjælp til tilmelding til Windows Live - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-26 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-08-05 344064]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2007-02-21 819200]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2007-02-21 970752]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"Apoint"=C:\Program Files\Apoint\Apoint.exe [2005-10-07 176128]
"POEngine"= []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-09-29 2054360]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
""=1 []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"yeazem"=C:\Documents and Settings\Administrator\yeazem.exe []
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-11-23 2001648]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"=C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE [2008-12-05 460216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HotKey.lnk - C:\Program Files\TEXTware\HotKey\TWALINK.EXE
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
LimeWire On Startup.lnk - G:\Áron´sa\Forrit\LimeWire\LimeWire.exe
My_AutoWarkey_Script.lnk - C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
Smart Buddy.lnk - C:\Program Files\Poker Pro Labs\Smart Buddy\Backup(1.0.96.0)\SmartBuddy.exe
Warkeys Update.lnk - C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-08-03 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableStatusMessages"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\Áron´sa\Forrit\LimeWire\LimeWire.exe"="F:\Áron´sa\Forrit\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Garena\Garena.exe"="C:\Program Files\Garena\Garena.exe:*:Enabled:Garena"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"G:\Áron´sa\Forrit\LimeWire\LimeWire.exe"="G:\Áron´sa\Forrit\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Documents and Settings\Administrator\Local Settings\Temp\WZSE0.TMP\SymNRT.exe"="C:\Documents and Settings\Administrator\Local Settings\Temp\WZSE0.TMP\SymNRT.exe:*:Enabled:Norton Removal Tool"
"J:\Áron´sa\Forrit\LimeWire\LimeWire.exe"="J:\Áron´sa\Forrit\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Tournament Indicator\Indicator.exe"="C:\Program Files\Tournament Indicator\Indicator.exe:*:Enabled:Tournament Indicator"
"C:\Program Files\Holdem Indicator\HoldemIndicator.exe"="C:\Program Files\Holdem Indicator\HoldemIndicator.exe:*:Enabled:Holdem Indicator"
"C:\Program Files\Valve\hl.exe"="C:\Program Files\Valve\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\WINDOWS\system32\sysservice.exe"="C:\WINDOWS\system32\sysservice.exe:*:Enabled:DNS client"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{432b6998-c94a-11de-829f-0013ceef8e2e}]
shell\AutoRun\command - F:\srgo.exe
shell\open\command - F:\srgo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c685ff98-d812-11de-82ae-0013ceef8e2e}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deb3ea13-a826-11de-8289-0013ceef8e2e}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe


======List of files/folders created in the last 1 months======

2009-12-01 18:44:12 ----D---- C:\Program Files\trend micro
2009-12-01 18:44:09 ----D---- C:\rsit
2009-12-01 14:09:47 ----D---- C:\document and settings
2009-12-01 13:08:57 ----D---- C:\WINDOWS\LastGood
2009-12-01 13:08:35 ----D---- C:\Program Files\Panda Security
2009-12-01 02:37:28 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-01 02:36:50 ----D---- C:\Program Files\SUPERAntiSpyware
2009-12-01 02:36:50 ----D---- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-12-01 02:36:00 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-01 02:29:12 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-12-01 02:29:03 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-12-01 02:29:02 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-30 22:43:55 ----D---- C:\Program Files\ESET
2009-11-30 22:43:55 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2009-11-30 20:55:50 ----D---- C:\WINDOWS\pss
2009-11-29 18:30:28 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-11-29 18:23:40 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2009-11-29 18:21:49 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2009-11-26 10:42:39 ----D---- C:\Program Files\Common Files\PACE Anti-Piracy
2009-11-26 10:42:39 ----D---- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
2009-11-26 10:42:39 ----D---- C:\Documents and Settings\Administrator\Application Data\PACE Anti-Piracy
2009-11-26 04:59:37 ----D---- C:\Program Files\Microsoft.NET
2009-11-25 22:56:59 ----D---- C:\Documents and Settings\Administrator\Application Data\Antares
2009-11-25 22:56:37 ----D---- C:\Program Files\Antares Audio Technologies
2009-11-15 18:52:58 ----D---- C:\Documents and Settings\All Users\Application Data\Mathematica
2009-11-15 18:52:58 ----D---- C:\Documents and Settings\Administrator\Application Data\Mathematica
2009-11-15 18:50:19 ----A---- C:\WINDOWS\system32\mlmodule32.dll
2009-11-15 18:50:19 ----A---- C:\WINDOWS\system32\ml32i3.dll
2009-11-15 18:50:19 ----A---- C:\WINDOWS\system32\ml32i2.dll
2009-11-15 18:50:19 ----A---- C:\WINDOWS\system32\ml32i1.dll
2009-11-15 18:44:10 ----D---- C:\Program Files\Wolfram Research
2009-11-10 01:38:17 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-11-10 01:37:02 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2009-11-07 23:39:20 ----D---- C:\WINDOWS\system32\XPSViewer
2009-11-07 23:39:03 ----D---- C:\Program Files\Reference Assemblies
2009-11-07 23:36:31 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-11-07 23:36:30 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-11-07 23:36:30 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-11-07 23:36:28 ----D---- C:\e82b504fca412224e2
2009-11-07 23:30:39 ----D---- C:\Program Files\GIMP-2.0
2009-11-07 23:19:05 ----RHD---- C:\AHCache
2009-11-07 22:51:54 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-11-07 22:51:01 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-11-07 22:47:42 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-11-07 22:47:25 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2009-11-07 22:47:17 ----HDC---- C:\WINDOWS\$NtUninstallKB961503$
2009-11-07 22:47:08 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-11-07 22:46:57 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-11-07 22:46:43 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-11-07 22:46:36 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-11-07 22:46:27 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-11-07 22:46:18 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2009-11-07 22:46:10 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-11-07 22:46:02 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-11-07 22:45:52 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-11-07 22:45:39 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-11-07 22:30:10 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-11-07 22:29:24 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-11-07 22:24:24 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-11-07 22:24:12 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-11-07 22:23:46 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2009-11-07 22:22:39 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-11-07 22:22:19 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-11-06 11:47:49 ----D---- C:\Program Files\OnTrade
2009-11-06 11:42:03 ----D---- C:\Program Files\Microsoft Windows Script
2009-11-06 11:29:56 ----D---- C:\Program Files\rapidsp

======List of files/folders modified in the last 1 months======

2009-12-01 20:30:02 ----D---- C:\WINDOWS\Temp
2009-12-01 18:44:12 ----D---- C:\Program Files
2009-12-01 14:14:35 ----SHD---- C:\WINDOWS\Installer
2009-12-01 14:09:47 ----D---- C:\Program Files\TableNinja
2009-12-01 13:51:37 ----HD---- C:\WINDOWS\inf
2009-12-01 13:28:15 ----SD---- C:\WINDOWS\Tasks
2009-12-01 13:15:26 ----D---- C:\WINDOWS\system32\drivers
2009-12-01 13:08:58 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-01 13:08:57 ----D---- C:\WINDOWS
2009-12-01 13:00:37 ----D---- C:\Program Files\PokerTracker 3
2009-12-01 12:55:32 ----D---- C:\Program Files\Mozilla Firefox
2009-12-01 12:54:09 ----D---- C:\WINDOWS\Prefetch
2009-12-01 12:50:38 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-01 12:50:08 ----A---- C:\WINDOWS\TEXTWARE.INI
2009-12-01 12:35:46 ----D---- C:\WINDOWS\system32
2009-12-01 02:36:00 ----D---- C:\Program Files\Common Files
2009-12-01 00:30:46 ----D---- C:\WINDOWS\Registration
2009-12-01 00:22:28 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-12-01 00:19:07 ----SH---- C:\boot.ini
2009-12-01 00:19:07 ----A---- C:\WINDOWS\win.ini
2009-12-01 00:19:07 ----A---- C:\WINDOWS\system.ini
2009-12-01 00:06:40 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-30 22:39:32 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-11-30 22:37:32 ----D---- C:\Documents and Settings\Administrator\Application Data\uTorrent
2009-11-30 22:35:59 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-11-30 22:30:52 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-30 21:29:36 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-11-30 01:04:04 ----D---- C:\Documents and Settings\Administrator\Application Data\Skype
2009-11-30 00:57:54 ----D---- C:\Program Files\PokerStars
2009-11-30 00:00:20 ----D---- C:\Documents and Settings\Administrator\Application Data\skypePM
2009-11-29 18:32:01 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-11-29 18:23:57 ----A---- C:\WINDOWS\imsins.BAK
2009-11-29 18:23:37 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-26 10:47:00 ----ASD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-11-26 10:42:41 ----HD---- C:\Program Files\WindowsUpdate
2009-11-26 10:42:41 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-11-26 05:00:02 ----RSD---- C:\WINDOWS\assembly
2009-11-25 22:57:03 ----D---- C:\Program Files\VstPlugins
2009-11-25 03:31:52 ----A---- C:\WINDOWS\SKJATTAN.INI
2009-11-23 00:30:40 ----D---- C:\Documents and Settings\Administrator\Application Data\CasinoOnNet
2009-11-23 00:29:51 ----D---- C:\Program Files\CasinoOnNet
2009-11-22 23:59:14 ----D---- C:\Program Files\Full Tilt Poker
2009-11-22 16:49:16 ----D---- C:\Program Files\Tournament Indicator
2009-11-16 14:09:46 ----D---- C:\Documents and Settings\Administrator\Application Data\Microgaming
2009-11-15 18:52:02 ----D---- C:\WINDOWS\Downloaded Installations
2009-11-15 18:48:45 ----RSD---- C:\WINDOWS\Fonts
2009-11-12 23:01:26 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-11-12 23:00:27 ----D---- C:\Program Files\Common Files\Adobe
2009-11-10 10:32:17 ----D---- C:\WINDOWS\Microsoft.NET
2009-11-10 01:45:25 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-11-10 01:44:34 ----D---- C:\WINDOWS\WinSxS
2009-11-10 01:37:25 ----D---- C:\WINDOWS\ie8updates
2009-11-08 14:22:25 ----D---- C:\Program Files\Outlook Express
2009-11-08 14:22:25 ----D---- C:\Program Files\Microsoft Silverlight
2009-11-07 23:39:17 ----D---- C:\WINDOWS\system32\en-US
2009-11-07 23:39:15 ----D---- C:\Program Files\MSBuild
2009-11-07 23:37:43 ----D---- C:\WINDOWS\system32\spool
2009-11-07 23:29:42 ----D---- C:\Program Files\Internet Explorer
2009-11-07 22:38:14 ----D---- C:\Program Files\Microsoft Works
2009-11-05 17:36:21 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-09-29 108792]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-09-29 96408]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.6.0.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-11-29 21425]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-09-29 116008]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2007-02-21 12416]
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2005-09-28 113847]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-03 1273344]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 STAC97;SigmaTel C-Major Audio; C:\WINDOWS\system32\drivers\STAC97.sys [2005-03-10 273168]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2007-02-08 2209408]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2004-05-26 44928]
S3 BrScnUsb;Brother USB Still Image driver; C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2004-10-15 15295]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver; C:\WINDOWS\System32\Drivers\BrSerIf.sys [2006-01-18 53248]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver; C:\WINDOWS\System32\Drivers\BrUsbSer.sys [2006-01-18 11904]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 GarenaPEngine;GarenaPEngine; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-13 121984]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-03 380928]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-09-29 735960]
R2 EvtEng;Intel(R) PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2007-02-21 643072]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 pgsql-8.3;PostgreSQL Database Server 8.3; C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe [2009-03-13 65536]
R2 RegSrvc;Intel(R) PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2007-02-21 327680]
R2 S24EventMonitor;Intel(R) PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2007-02-21 983040]
R2 WLANKEEPER;Intel(R) PROSet/Wireless SSO Service; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [2007-02-21 294912]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-26 183280]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-09-29 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


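An added triage helper, not part of the original thread and not part of the RSIT tool: it parses the driver and service sections of the log.txt posted above and flags the entries a responder would check first. The rules are heuristics, not verdicts. An image path under a Temp directory or with a .tmp extension is flagged (the GarenaPEngine entry; Garena appears in the uninstall list further down this page, so this may simply be how that client loads its driver). An empty [] is flagged because RSIT could not find or stat the file at that path (the SymIM entries, but also the SUPERAntiSpyware and Garena entries, whose \??\ NT-prefixed paths show [] here too, so an empty bracket is a prompt to check the file on disk rather than proof that it is gone). An image path outside C:\WINDOWS or C:\Program Files is flagged as well. The sample input is a handful of lines copied from the posted log; the list of allowed roots and the flag names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Sample input: lines copied from the RSIT log.txt posted above
# (a few entries from the driver and service sections, not the whole log).
SAMPLE_LOG = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-09-29 108792]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.6.0.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-11-29 21425]
S3 GarenaPEngine;GarenaPEngine; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp []
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-09-29 735960]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
"""

# One RSIT driver/service entry looks like:
#   "<R|S><start type> <name>;<display name>; <image path> [<file date> <size>]"
# The bracket is empty ("[]") when RSIT could not find or stat the file at that path.
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>\S.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

NT_PREFIX = "\\??\\"  # object-manager prefix RSIT shows on some image paths
# Roots a driver or service image is expected under on this XP box; anything
# else (user profile, Temp, a bare C:\ folder) is worth a look. Assumed list.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    state: str      # R = running, S = stopped
    start: int      # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str       # image path exactly as RSIT printed it
    meta: str       # "<date> <size>", or "" when the file was not found
    flags: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Entry]:
    """Return every driver/service entry in the text; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue
        entries.append(Entry(m["state"], int(m["start"]), m["name"],
                             m["display"], m["path"], m["meta"].strip()))
    return entries


def normalize_path(path: str) -> str:
    """Drop the NT object-manager prefix and lowercase, so checks compare like with like."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def triage(entry: Entry) -> List[str]:
    """Heuristic flags for one entry; an empty list means nothing stood out."""
    flags = []
    p = normalize_path(entry.path)
    if entry.meta == "":
        flags.append("missing_file")           # RSIT found no file at that path
    parts = p.split("\\")
    if any(part in ("temp", "tmp") for part in parts) or p.endswith(".tmp"):
        flags.append("temp_path")              # kernel driver served from a Temp dir
    if not any(p.startswith(root) for root in STANDARD_ROOTS):
        flags.append("outside_standard_dirs")  # not under Windows or Program Files
    return flags


def report(text: str) -> List[Entry]:
    """Flagged entries only, most flags first, then by name."""
    flagged = []
    for entry in parse_entries(text):
        entry.flags = triage(entry)
        if entry.flags:
            flagged.append(entry)
    flagged.sort(key=lambda e: (-len(e.flags), e.name))
    return flagged


if __name__ == "__main__":
    for e in report(SAMPLE_LOG):
        print(f"{e.state}{e.start} {e.name:<14} {', '.join(e.flags):<44} {e.path}")
```

Paste the full driver and service sections from a log in place of SAMPLE_LOG to run it over a complete RSIT output. A flagged entry is a starting point, not a conclusion: look at the file on disk (if it exists), its publisher signature and hash, and which installed product owns it, and weigh a running, system-start driver (R1) more heavily than a demand-start one that is currently stopped (S3).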

#6
December 1, 2009 at 12:34:36
info.txt logfile of random's system information tool 1.06 2009-12-01 18:44:43

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A92000000001}
Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
ALPS Touch Pad Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Antares Auto-Tune Evo VST-->MsiExec.exe /X{FFF74EC9-1FF4-4456-99E3-4F05129F4FAB}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoHotkey 1.0.48.03-->C:\Program Files\AutoHotkey\uninst.exe
Broadcom 440x 10/100 Integrated Controller-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
Canon iP1600-->C:\WINDOWS\system32\CNMCP75.exe "-PRINTERNAMECanon iP1600" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
Casino-On-Net-->C:\PROGRA~1\CASINO~1\UNWISE.EXE C:\PROGRA~1\CASINO~1\INSTALL.LOG
C-Major Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Counter-Strike 1.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9ABFB92D-93DA-49EE-8ABF-F8195DE45CA9}\Setup.exe" -l0x9
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
FirstClass® Client-->C:\Program Files\InstallShield Installation Information\{5B35C417-2649-11D6-83D1-0050FC01225C}\setup.exe -runfromtemp -l0x0006 -uninst -removeonly
Free YouTube Download 2.2-->"C:\Program Files\DVDVideoSoft\Free YouTube Download\unins000.exe"
Free YouTube to Mp3 Converter version 3.1-->"C:\Program Files\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
Full Tilt Poker-->"C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonly
Garena-->C:\Program Files\InstallShield Installation Information\{89C89156-A70F-4C6D-9CAE-2EA71F1396FE}\setup.exe -runfromtemp -l0x0009 -removeonly
GIMP 2.6.7-->"C:\Program Files\GIMP-2.0\setup\unins000.exe"
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Guitar Pro 5.2-->"C:\Program Files\Guitar Pro 5\unins000.exe"
Heroes of Newerth-->C:\Program Files\Heroes of Newerth\uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Holdem Indicator 1.6.7-->"C:\Program Files\Holdem Indicator\unins000.exe"
Holdem Manager-->MsiExec.exe /I{42DE940E-8037-4266-9FBF-5A3AEDA39E96}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
HotKey-->C:\WINDOWS\IsUn0406.exe -f"C:\Program Files\TEXTware\HotKey\Uninst.isu"
Icy Tower v1.3.1-->"c:\games\icytower1.3\unins000.exe"
IL Download Manager-->C:\Program Files\Image-Line\Downloader\uninstall.exe
Intel(R) PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
Java(TM) 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Magic ISO Maker v5.4 (build 0239)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver-->MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi-->MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell-->MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0406-0000-0000000FF1CE} /uninstall {652017DD-E99F-4420-9CC8-AC25CE8375A5}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0406-0000-0000000FF1CE} /uninstall {652017DD-E99F-4420-9CC8-AC25CE8375A5}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0406-0000-0000000FF1CE} /uninstall {652017DD-E99F-4420-9CC8-AC25CE8375A5}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0406-0000-0000000FF1CE} /uninstall {652017DD-E99F-4420-9CC8-AC25CE8375A5}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0406-0000-0000000FF1CE} /uninstall {652017DD-E99F-4420-9CC8-AC25CE8375A5}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0406-0000-0000000FF1CE} /uninstall {652017DD-E99F-4420-9CC8-AC25CE8375A5}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0406-0000-0000000FF1CE} /uninstall {652017DD-E99F-4420-9CC8-AC25CE8375A5}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0406-0000-0000000FF1CE} /uninstall {50865937-2EBB-4BBF-8861-BF5972C95D4B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0406-0000-0000000FF1CE} /uninstall {652017DD-E99F-4420-9CC8-AC25CE8375A5}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0406-0000-0000000FF1CE} /uninstall {652017DD-E99F-4420-9CC8-AC25CE8375A5}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0100-0406-0000-0000000FF1CE} /uninstall {652017DD-E99F-4420-9CC8-AC25CE8375A5}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0101-0406-0000-0000000FF1CE} /uninstall {652017DD-E99F-4420-9CC8-AC25CE8375A5}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office Access MUI (Danish) 2007-->MsiExec.exe /X{90120000-0015-0406-0000-0000000FF1CE}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (Danish) 2007-->MsiExec.exe /X{90120000-0016-0406-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (Danish) 2007-->MsiExec.exe /X{90120000-00BA-0406-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (Danish) 2007-->MsiExec.exe /X{90120000-0044-0406-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Language Pack 2007 - Danish/dansk-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall OMUI.DA-DK /dll OSETUP.DLL
Microsoft Office O MUI (Danish) 2007-->MsiExec.exe /X{90120000-0100-0406-0000-0000000FF1CE}
Microsoft Office OneNote MUI (Danish) 2007-->MsiExec.exe /X{90120000-00A1-0406-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (Danish) 2007-->MsiExec.exe /X{90120000-001A-0406-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Danish) 2007-->MsiExec.exe /X{90120000-0018-0406-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (Danish) 2007-->MsiExec.exe /X{90120000-001F-0406-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007-->MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (Danish) 2007-->MsiExec.exe /X{90120000-002C-0406-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0406-0000-0000000FF1CE} /uninstall {25E093C2-374E-44A9-9BCE-3881BD442F3F}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0407-0000-0000000FF1CE} /uninstall {A0516415-ED61-419A-981D-93596DA74165}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (Danish) 2007-->MsiExec.exe /X{90120000-0019-0406-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (Danish) 2007-->MsiExec.exe /X{90120000-006E-0406-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0017-0406-0000-0000000FF1CE} /uninstall {4C6BA43D-D896-4599-9D57-25771CCC8091}
Microsoft Office SharePoint Designer MUI (Danish) 2007-->MsiExec.exe /X{90120000-0017-0406-0000-0000000FF1CE}
Microsoft Office Word MUI (Danish) 2007-->MsiExec.exe /X{90120000-001B-0406-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Office X MUI (Danish) 2007-->MsiExec.exe /X{90120000-0101-0406-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MindMapper 2008-->C:\Program Files\InstallShield Installation Information\{232E984E-F02D-4DAE-80F4-97884EC52F16}\setup.exe -runfromtemp -l0x0009 -removeonly
mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (3.5.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg-->MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
mSSO-->MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI-->MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mZConfig-->MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NordicBet-->C:\MicroGaming\Poker\NordicBetMPP\install.exe -uninstall
Overførselsværktøj til Windows Live-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PartyPoker-->"C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
PokerStars-->"C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
PokerStove version 1.23-->"C:\Program Files\PokerStove\unins000.exe"
Politikens Engelsk-Dansk Dansk-Engelsk Ordbog-->MsiExec.exe /I{B1A820F9-9F85-4513-B601-A998FC1AFDA0}
PostgreSQL 8.3-->MsiExec.exe /I{B823632F-3B72-4514-8861-B961CE263224}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB973704)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {E626DC89-A787-4553-9BB3-DC2EC7E1593F}
Security Update for Microsoft Office Excel 2007 (KB973593)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7D6255E3-3423-4D8B-A328-F6F8D28DD5FE}
Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Search 4 - KB963093-->"C:\WINDOWS\$NtUninstallKB963093$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SnG Power Tools v1.22-->"C:\Program Files\Advantage Analysis\SnG Power Tools\unins000.exe"
Stavarin-->MsiExec.exe /I{F8B02E06-6AD6-443A-825A-6C089E61F1E3}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TableNinja-->MsiExec.exe /I{7DFDD4D1-89FF-4F8C-B925-7D609D1FD8F7}
The Online Trader-->C:\DOCUME~1\ADMINI~1\MYDOCU~1\OnTrade\UNWISE.EXE C:\DOCUME~1\ADMINI~1\MYDOCU~1\OnTrade\Install.log
Theorica Divx ;-) Codecs (remove only)-->C:\Program Files\Theorica Divx ;-) Codecs\Uninstall.exe
Tilmeldingsassistent til Windows Live-->MsiExec.exe /I{E80F9ABB-618D-4B9E-9EA0-5BF6A7C2FE9D}
Tournament Indicator 1.4.3-->"C:\Program Files\Tournament Indicator\unins000.exe"
Uninstall 1.0.0.1-->"C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Outlook 2007 Junk Email Filter (kb975960)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1AB1BED-7477-4D5A-BD0C-04C2109459A5}
Update for Windows Internet Explorer 8 (KB971180)-->"C:\WINDOWS\ie8updates\KB971180-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VLC media player 0.9.6-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Warkeys 1.14.1.0b-->C:\Program Files\Warkeys\uninst.exe
Website Ripper Copier-->"C:\Program Files\Tensons\Website Ripper Copier\uninstall.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{2F3082BF-4A3B-45CA-805F-52DBBFD3C645}
Windows Live Messenger-->MsiExec.exe /X{94B8F069-F223-4F48-BC88-7104CBA77F30}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Search 4.0-->"C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinHTTrack Website Copier 3.43-2-->"C:\Program Files\WinHTTrack\unins000.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wolfram Mathematica 7 for Students (M-WIN-G 7.0.0 1148361)-->"C:\Program Files\Wolfram Research\Mathematica\7.0\SystemFiles\UninstallFiles\Windows\unins000.exe"
Wolfram Notebook Indexer 2.0-->MsiExec.exe /I{C260343B-6282-42A2-939F-1FF7E503F608}

======Security center information======

AV: ESET NOD32 Antivirus 4.0

======System event log======

Computer Name: PRIMAZ
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013CEEF8E2E. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 571
Source Name: Dhcp
Time Written: 20091110101347.000000+000
Event Type: warning
User:

Computer Name: PRIMAZ
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013CEEF8E2E. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 569
Source Name: Dhcp
Time Written: 20091110101341.000000+000
Event Type: warning
User:

Computer Name: PRIMAZ
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013CEEF8E2E. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 567
Source Name: Dhcp
Time Written: 20091110101336.000000+000
Event Type: warning
User:

Computer Name: PRIMAZ
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013CEEF8E2E. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 564
Source Name: Dhcp
Time Written: 20091110101331.000000+000
Event Type: warning
User:

Computer Name: PRIMAZ
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013CEEF8E2E. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 563
Source Name: Dhcp
Time Written: 20091110101326.000000+000
Event Type: warning
User:

=====Application event log=====

Computer Name: PRIMAZ
Event Code: 1000
Message: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x000003e3.

Record Number: 621
Source Name: Application Error
Time Written: 20091123133628.000000+000
Event Type: error
User:

Computer Name: PRIMAZ
Event Code: 1000
Message:
Record Number: 620
Source Name: Windows Live Messenger
Time Written: 20091123133536.000000+000
Event Type: error
User:

Computer Name: PRIMAZ
Event Code: 1000
Message: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x000003e3.

Record Number: 618
Source Name: Application Error
Time Written: 20091123133438.000000+000
Event Type: error
User:

Computer Name: PRIMAZ
Event Code: 3013
Message: The entry <C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\RECENT\2HHA (2).LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Record Number: 570
Source Name: Windows Search Service
Time Written: 20091123082335.000000+000
Event Type: error
User:

Computer Name: PRIMAZ
Event Code: 3013
Message: The entry <C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\RECENT\EVNI TIL RITGERÐINA.DOCX.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Record Number: 569
Source Name: Windows Search Service
Time Written: 20091123082335.000000+000
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------



#7
December 1, 2009 at 12:44:24

Remember...your antivirus and any anti-spyware programs must be turned off or disabled before you run ComboFix and turned back on when you get through running ComboFix. In your case your NOD32 antivirus is all that needs to be turned off.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#8
December 1, 2009 at 13:57:39
Here's the ComboFix log report.

ComboFix 09-12-01.01 - Administrator 12/01/2009 21:31.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.636 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\combo-fix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2009-12-01 18:44 . 2009-12-01 20:31 -------- d-----w- c:\program files\trend micro
2009-12-01 18:44 . 2009-12-01 18:44 -------- d-----w- C:\rsit
2009-12-01 14:14 . 2009-12-01 14:14 13406 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7DFDD4D1-89FF-4F8C-B925-7D609D1FD8F7}\_6536443F4CA0C6BEA2EFA6.exe
2009-12-01 14:14 . 2009-12-01 14:14 13406 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7DFDD4D1-89FF-4F8C-B925-7D609D1FD8F7}\_16533CB10CC63DBBD73CD8.exe
2009-12-01 14:09 . 2009-12-01 14:09 -------- d-----w- C:\document and settings
2009-12-01 13:09 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-01 13:08 . 2009-12-01 13:08 -------- d-----w- c:\program files\Panda Security
2009-12-01 02:39 . 2009-12-01 02:39 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-01 02:37 . 2009-12-01 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-01 02:36 . 2009-12-01 02:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-01 02:36 . 2009-12-01 02:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-12-01 02:36 . 2009-12-01 02:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-01 02:29 . 2009-12-01 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-01 02:29 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 02:29 . 2009-12-01 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-01 02:29 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 02:29 . 2009-12-01 02:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 22:52 . 2009-11-30 22:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2009-11-30 22:47 . 2009-11-30 22:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-11-30 22:43 . 2009-11-30 22:43 -------- d-----w- c:\program files\ESET
2009-11-30 22:43 . 2009-11-30 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-11-29 21:06 . 2009-11-29 21:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PACE Anti-Piracy
2009-11-26 04:59 . 2009-11-26 04:59 -------- d-----w- c:\program files\Microsoft.NET
2009-11-25 22:56 . 2009-11-25 22:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Antares
2009-11-25 22:56 . 2009-11-25 22:56 -------- d-----w- c:\program files\Antares Audio Technologies
2009-11-15 18:53 . 2009-12-01 11:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mathematica
2009-11-15 18:52 . 2009-11-15 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Mathematica
2009-11-15 18:52 . 2009-11-15 18:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Mathematica
2009-11-15 18:50 . 2008-11-10 21:53 185640 ----a-w- c:\windows\system32\mlmodule32.dll
2009-11-15 18:50 . 2008-11-10 21:53 378152 ----a-w- c:\windows\system32\ml32i3.dll
2009-11-15 18:50 . 2008-11-10 21:53 267560 ----a-w- c:\windows\system32\ml32i2.dll
2009-11-15 18:50 . 2008-11-10 21:53 255272 ----a-w- c:\windows\system32\ml32i1.dll
2009-11-15 18:44 . 2009-11-15 18:52 -------- d-----w- c:\program files\Wolfram Research
2009-11-07 23:39 . 2009-11-07 23:39 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-07 23:39 . 2009-11-07 23:39 -------- d-----w- c:\program files\Reference Assemblies
2009-11-07 23:37 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-11-07 23:36 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-07 23:36 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-07 23:36 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-07 23:36 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-07 23:36 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-07 23:36 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-07 23:36 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-07 23:36 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-11-07 23:36 . 2009-11-07 23:38 -------- d-----w- C:\e82b504fca412224e2
2009-11-07 23:35 . 2009-11-07 23:35 -------- d-----w- c:\documents and settings\Administrator\.thumbnails
2009-11-07 23:33 . 2009-11-15 21:18 -------- d-----w- c:\documents and settings\Administrator\.gimp-2.6
2009-11-07 23:30 . 2009-11-07 23:30 -------- d-----w- c:\program files\GIMP-2.0
2009-11-07 23:19 . 2009-11-07 23:19 -------- d-----r- C:\AHCache
2009-11-06 11:47 . 2009-11-06 11:47 -------- d-----w- c:\program files\OnTrade
2009-11-06 11:42 . 2009-11-06 11:42 -------- d-----w- c:\program files\Microsoft Windows Script
2009-11-06 11:29 . 2009-11-06 12:41 -------- d-----w- c:\program files\rapidsp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 21:27 . 2004-08-04 12:00 148768 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-01 14:09 . 2009-09-21 17:49 -------- d-----w- c:\program files\TableNinja
2009-12-01 13:00 . 2009-04-10 17:07 -------- d-----w- c:\program files\PokerTracker 3
2009-12-01 00:24 . 2008-11-29 22:19 78624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-01 00:22 . 2009-01-08 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-30 22:39 . 2008-11-29 22:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-30 22:37 . 2008-11-29 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-11-30 22:35 . 2008-11-29 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-30 01:04 . 2008-12-06 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-11-30 00:57 . 2009-03-11 19:08 -------- d-----w- c:\program files\PokerStars
2009-11-30 00:00 . 2008-12-06 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-11-29 18:32 . 1998-12-01 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-25 22:57 . 2009-01-23 19:37 -------- d-----w- c:\program files\VstPlugins
2009-11-23 00:30 . 2009-05-20 23:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\CasinoOnNet
2009-11-23 00:29 . 2009-05-20 23:21 -------- d-----w- c:\program files\CasinoOnNet
2009-11-22 23:59 . 2009-04-17 09:15 -------- d-----w- c:\program files\Full Tilt Poker
2009-11-22 16:49 . 2009-04-18 00:13 -------- d-----w- c:\program files\Tournament Indicator
2009-11-16 14:09 . 2009-04-05 17:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microgaming
2009-11-12 23:00 . 2008-12-01 23:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-08 14:22 . 2009-03-21 15:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-07 23:39 . 1998-12-01 03:34 -------- d-----w- c:\program files\MSBuild
2009-11-07 22:38 . 1998-12-01 03:34 -------- d-----w- c:\program files\Microsoft Works
2009-10-30 18:19 . 2009-10-30 18:07 -------- d-----w- c:\program files\Heroes of Newerth
2009-10-24 02:30 . 2009-06-09 19:05 -------- d-----w- c:\program files\SharkScope
2009-10-24 02:19 . 2009-01-23 19:34 -------- d-----w- c:\program files\Image-Line
2009-10-24 01:36 . 2009-09-21 22:44 -------- d-----w- c:\program files\PostgreSQL
2009-09-29 13:05 . 2009-09-29 13:05 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-09-29 13:02 . 2009-09-29 13:02 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-09-29 12:56 . 2009-09-29 12:56 116008 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-04-24 04:38 . 2009-06-02 22:27 307704 ----a-w- c:\program files\iexplore.exe
2009-03-25 12:24 . 2009-04-10 19:13 5292032 ----a-w- c:\program files\PokerTracker.exe
1998-12-01 01:30 . 2007-11-29 23:09 8606 --sha-w- c:\windows\system32\Windowsupdates\updatefiles.dat
.

------- Sigcheck -------

[-] 2009-12-01 . 4614B3E633F4A1F715D952294669090F . 148768 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotKey.lnk - c:\program files\TEXTware\HotKey\TWALINK.EXE [2009-5-18 19968]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Tournament Indicator\\Indicator.exe"=
"c:\\Program Files\\Holdem Indicator\\HoldemIndicator.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/1/2009 1:09 PM 28552]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [3/13/2009 4:50 AM 65536]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C51550E6-BEE1-DC64-9DC1-1168E64FFA74}]
c:\windows\system32\Windowsupdates\Windupdate.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-12-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-08 18:51]

2009-12-01 c:\windows\Tasks\User_Feed_Synchronization-{2580DBE6-057E-4864-B4A6-AC2166190203}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2009-12-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-17 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.portal.fo/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 172.16.10.1:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunApp.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\
FF - prefs.js: browser.startup.homepage - hxxp://portal.fo/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-yeazem - c:\documents and settings\Administrator\yeazem.exe
HKLM-Run-POEngine - (no file)
AddRemove-IL Download Manager - c:\program files\Image-Line\Downloader\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 21:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8670A618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763ff28
\Driver\ACPI -> ACPI.sys @ 0xf74b2cb8
\Driver\atapi -> atapi.sys @ 0xf7426852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Intel(R) PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf731fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf732ca21
SendHandler -> NDIS.sys @ 0xf730a87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1614895754-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,18,aa,f3,9f,0b,71,41,ba,fb,68,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,18,aa,f3,9f,0b,71,41,ba,fb,68,\

[HKEY_USERS\S-1-5-21-1757981266-1614895754-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2672)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-12-01 21:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-01 21:57

Pre-Run: 20,047,110,144 bytes free
Post-Run: 21,759,561,728 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DA929B10A342DE57996E86EB43788B31


#9
December 1, 2009 at 14:12:11
Oh, and the application that is using the 95%+ of cpu is named "tableninja.exe"

You can probably see it in the log files.

It's a program that I bought and have used for two months, so I assume that it is legitimate.


#10
December 1, 2009 at 15:50:17
Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


#11
December 1, 2009 at 18:39:22
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-02 02:36:09
Windows 5.1.2600 Service Pack 3
Running: ie2pevox.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwtdapoc.sys


---- System - GMER 1.0.15 ----

SSDT 8604D8A0 ZwAssignProcessToJobObject
SSDT 8604CCB0 ZwOpenProcess
SSDT 8604D0D0 ZwOpenThread
SSDT 8604D6D0 ZwSuspendProcess
SSDT 8604D4F0 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB92EF0B0]
SSDT 8604D310 ZwTerminateThread

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[960] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1892] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \FileSystem\Fastfat \Fat AD975D20

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86CCF618

---- Threads - GMER 1.0.15 ----

Thread System [4:372] 8604B930

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DllName C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logon SABWINLOLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logoff SABWINLOLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Startup SABWINLOStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Shutdown SABWINLOShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName Ati2evxx.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Lock AtiLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Logoff AtiLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Logon AtiLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Disconnect AtiDisConnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Reconnect AtiReConnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Safe 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Shutdown AtiShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StartScreenSaver AtiStartScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StartShell AtiStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Startup AtiStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StopScreenSaver AtiStopScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Unlock AtiUnLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@DllName crypt32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Logoff ChainWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@DllName cryptnet.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Logoff CryptnetWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@DLLName cscdll.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logon WinlogonLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logoff WinlogonLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@ScreenSaver WinlogonScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Startup WinlogonStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Shutdown WinlogonShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@StartShell WinlogonStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@DllName %SystemRoot%\System32\dimsntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Startup WlDimsStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Shutdown WlDimsShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logon WlDimsLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logoff WlDimsLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@StartShell WlDimsStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Lock WlDimsLock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Unlock WlDimsUnlock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logon SCardStartCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logoff SCardStopCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Lock SCardSuspendCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Unlock SCardResumeCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Enabled 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@StartShell SchedStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Logoff SchedEventLogOff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Logoff WLEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@DllName sclgntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@DLLName WlNotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Lock SensLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logon SensLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logoff SensLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Safe 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartScreenSaver SensStartScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StopScreenSaver SensStopScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Startup SensStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Shutdown SensShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartShell SensStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@PostShell SensPostShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Disconnect SensDisconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Reconnect SensReconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Unlock SensUnlockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logoff TSEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logon TSEventLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@PostShell TSEventPostShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Shutdown TSEventShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@StartShell TSEventStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Startup TSEventStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Reconnect TSEventReconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Disconnect TSEventDisconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logon RegisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logoff UnregisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Asynchronous 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#12
December 1, 2009 at 18:46:40
The link that you gave me to the Kaspersky online scanner says that the online scanner is currently/temporarily unavailable.
So I cannot perform the scan from there.

And thank you for helping me with this problem.


#13
December 1, 2009 at 18:58:13
From the Gmer report, your computer is still infected, so let's try to resolve that first.

Download SystemLook.exe from the following link.


SystemLook.exe


1. Double-click SystemLook.exe to run it.
2. Copy the content of the following code between the X's into the main textfield:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
:filefind
atapi*
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
3. Click the Look button to start the scan.
4. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


#14
December 1, 2009 at 19:13:00
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 03:13 on 02/12/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [22:59 03/08/2004] [22:59 03/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir --a--- 148768 bytes [12:00 04/08/2004] [22:44 30/11/2009] (Unable to calculate MD5)
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [23:56 29/11/2005] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 148768 bytes [12:00 04/08/2004] [00:45 02/12/2009] 4614B3E633F4A1F715D952294669090F
C:\WINDOWS\system32\drivers\atapi.sys --a--- 148768 bytes [12:00 04/08/2004] [00:45 02/12/2009] 4614B3E633F4A1F715D952294669090F

-=End Of File=-
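
The SystemLook output above carries the whole diagnosis in six lines: the copy of atapi.sys that Windows actually loads (system32\drivers) and the Windows File Protection cache copy (system32\dllcache) share one MD5 and a 148768-byte size, while the Service Pack reference copy in ServicePackFiles\i386 is 96512 bytes with a different hash. Because the dllcache copy matches the modified driver, WFP sees nothing to repair, which is why a manual restore from the Service Pack copy is needed. The Python below is an added example, not code from this thread, from SystemLook or from ComboFix: it parses those filefind lines (embedded as constructed sample input, hashes copied from the post) and flags every live copy whose hash differs from the reference. The line format, the directory constants and the field names are my assumptions read off the lines in this post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the ':filefind' lines from the SystemLook post
# above, copied verbatim so the check runs offline.
SAMPLE_LOG = r"""
Searching for "atapi*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [22:59 03/08/2004] [22:59 03/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir --a--- 148768 bytes [12:00 04/08/2004] [22:44 30/11/2009] (Unable to calculate MD5)
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [23:56 29/11/2005] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 148768 bytes [12:00 04/08/2004] [00:45 02/12/2009] 4614B3E633F4A1F715D952294669090F
C:\WINDOWS\system32\drivers\atapi.sys --a--- 148768 bytes [12:00 04/08/2004] [00:45 02/12/2009] 4614B3E633F4A1F715D952294669090F
"""

# One result line: path, six attribute flags, size, two timestamps, then either
# a 32-hex-digit MD5 or a parenthesised error. Assumed from the lines in this
# post, not taken from SystemLook documentation.
LINE_RE = re.compile(
    r"^(?P<path>\S.*?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<t1>[^\]]+)\] \[(?P<t2>[^\]]+)\] "
    r"(?:(?P<md5>[0-9A-Fa-f]{32})|\((?P<err>[^)]*)\))$"
)

# Where XP loads the driver from, and the Windows File Protection cache it
# would silently repair it from. A bad copy in dllcache too means WFP sees
# nothing to fix, which is what the post above shows.
LIVE_DIRS: Tuple[str, ...] = (r"c:\windows\system32\drivers",
                              r"c:\windows\system32\dllcache")
# Known-good copy left behind by the Service Pack install (assumed reference).
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"


@dataclass
class FileEntry:
    path: str
    size: int
    md5: Optional[str]  # None when SystemLook could not hash the file

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[1].lower()


@dataclass
class Finding:
    path: str
    md5: Optional[str]
    size: int
    reference_path: str
    reference_md5: str
    reference_size: int


def parse_filefind(text: str) -> List[FileEntry]:
    """Parse the per-file result lines of a SystemLook ':filefind' section."""
    entries: List[FileEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # 'Searching for' header, blank line or footer
        md5 = m.group("md5")
        entries.append(FileEntry(m.group("path"), int(m.group("size")),
                                 md5.upper() if md5 else None))
    return entries


def find_mismatches(entries: List[FileEntry],
                    reference_dir: str = REFERENCE_DIR,
                    live_dirs: Tuple[str, ...] = LIVE_DIRS) -> List[Finding]:
    """Flag live copies whose MD5 differs from the reference copy of the same name.

    A live copy that could not be hashed is flagged as well: an unreadable
    driver file is not something to leave unexplained.
    """
    reference: Dict[str, FileEntry] = {
        e.name: e for e in entries if e.directory == reference_dir and e.md5
    }
    findings: List[Finding] = []
    for e in entries:
        if e.directory not in live_dirs:
            continue
        ref = reference.get(e.name)
        if ref is None:
            continue  # no known-good copy to compare against
        if e.md5 != ref.md5:
            findings.append(Finding(e.path, e.md5, e.size,
                                    ref.path, ref.md5, ref.size))
    return findings


def wfp_cache_is_also_bad(findings: List[Finding]) -> bool:
    """True when the dllcache copy is flagged too, so WFP will not self-repair."""
    cache_dir = r"c:\windows\system32\dllcache"
    return any(f.path.lower().startswith(cache_dir + "\\") for f in findings)


if __name__ == "__main__":
    found = find_mismatches(parse_filefind(SAMPLE_LOG))
    for f in found:
        print(f"MISMATCH {f.path}: {f.size} bytes md5={f.md5} "
              f"(reference {f.reference_path}: {f.reference_size} bytes "
              f"md5={f.reference_md5})")
    if wfp_cache_is_also_bad(found):
        print("dllcache copy is modified too: Windows File Protection will not "
              "restore the driver; replace it from the Service Pack copy.")
```

Run against the posted log it reports both the drivers and the dllcache copy as mismatching the ServicePackFiles reference, and the second check fires because the cache copy carries the same modified hash. The same comparison by name against a known-good directory works for any other driver you ask SystemLook to find, which is why the reference directory is a parameter rather than a constant baked into the check.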


#15
December 4, 2009 at 00:49:02
Hey Jabuck, are you leaving me out in the battlefield alone here?

Are you confirmed tired of this problem? Just so I don't have to check the thread all the time.



#16
December 4, 2009 at 05:55:22
No, just missed you somehow. I'm in and out today so I will post a response soon.

#17
December 4, 2009 at 10:41:47
Go to Start > Run, type in ComboFix /Uninstall (the space after ComboFix is needed), then click OK. Allow it time to uninstall... it will let you know.

Now download ComboFix as you did in response #7, run it and post the log please.


#18
December 4, 2009 at 11:54:33
Ok, good to hear. I know that you probably have a ton of stuff to do, so thanks for looking this up.

Here's the combofix log:


ComboFix 09-12-03.06 - Administrator 12/04/2009 19:25.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.635 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-fix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-04 19:10 . 2009-12-04 19:10 -------- d-----w- C:\combo-fix
2009-12-04 08:33 . 2009-12-04 08:33 -------- d-----w- C:\$WINDOWS.~BT
2009-12-03 21:29 . 2009-02-24 18:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-12-03 21:29 . 2009-12-03 21:29 -------- d-----w- c:\program files\MagicDisc
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\program files\Common Files\Skype
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-02 18:34 . 2009-12-02 18:34 -------- d-----w- c:\program files\tbh
2009-12-01 18:44 . 2009-12-03 00:02 -------- d-----w- c:\program files\trend micro
2009-12-01 18:44 . 2009-12-01 18:44 -------- d-----w- C:\rsit
2009-12-01 14:14 . 2009-12-01 14:14 13406 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7DFDD4D1-89FF-4F8C-B925-7D609D1FD8F7}\_6536443F4CA0C6BEA2EFA6.exe
2009-12-01 14:14 . 2009-12-01 14:14 13406 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7DFDD4D1-89FF-4F8C-B925-7D609D1FD8F7}\_16533CB10CC63DBBD73CD8.exe
2009-12-01 14:09 . 2009-12-01 14:09 -------- d-----w- C:\document and settings
2009-12-01 13:09 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-01 13:08 . 2009-12-01 13:08 -------- d-----w- c:\program files\Panda Security
2009-12-01 02:39 . 2009-12-01 02:39 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-01 02:36 . 2009-12-03 00:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-01 02:36 . 2009-12-01 02:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-12-01 02:29 . 2009-12-01 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-01 02:29 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 02:29 . 2009-12-01 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-01 02:29 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 02:29 . 2009-12-03 00:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 22:52 . 2009-11-30 22:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2009-11-30 22:47 . 2009-11-30 22:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-11-30 22:43 . 2009-11-30 22:43 -------- d-----w- c:\program files\ESET
2009-11-30 22:43 . 2009-11-30 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-11-29 21:06 . 2009-11-29 21:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PACE Anti-Piracy
2009-11-26 04:59 . 2009-11-26 04:59 -------- d-----w- c:\program files\Microsoft.NET
2009-11-25 22:56 . 2009-11-25 22:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Antares
2009-11-25 22:56 . 2009-11-25 22:56 -------- d-----w- c:\program files\Antares Audio Technologies
2009-11-15 18:53 . 2009-12-01 11:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mathematica
2009-11-15 18:52 . 2009-11-15 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Mathematica
2009-11-15 18:52 . 2009-11-15 18:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Mathematica
2009-11-15 18:50 . 2008-11-10 21:53 185640 ----a-w- c:\windows\system32\mlmodule32.dll
2009-11-15 18:50 . 2008-11-10 21:53 378152 ----a-w- c:\windows\system32\ml32i3.dll
2009-11-15 18:50 . 2008-11-10 21:53 267560 ----a-w- c:\windows\system32\ml32i2.dll
2009-11-15 18:50 . 2008-11-10 21:53 255272 ----a-w- c:\windows\system32\ml32i1.dll
2009-11-15 18:44 . 2009-11-15 18:52 -------- d-----w- c:\program files\Wolfram Research
2009-11-07 23:39 . 2009-11-07 23:39 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-07 23:39 . 2009-11-07 23:39 -------- d-----w- c:\program files\Reference Assemblies
2009-11-07 23:37 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-11-07 23:36 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-07 23:36 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-07 23:36 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-07 23:36 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-07 23:36 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-07 23:36 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-07 23:36 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-07 23:36 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-11-07 23:36 . 2009-11-07 23:38 -------- d-----w- C:\e82b504fca412224e2
2009-11-07 23:35 . 2009-11-07 23:35 -------- d-----w- c:\documents and settings\Administrator\.thumbnails
2009-11-07 23:33 . 2009-11-15 21:18 -------- d-----w- c:\documents and settings\Administrator\.gimp-2.6
2009-11-07 23:30 . 2009-11-07 23:30 -------- d-----w- c:\program files\GIMP-2.0
2009-11-07 23:19 . 2009-11-07 23:19 -------- d-----r- C:\AHCache
2009-11-06 11:47 . 2009-11-06 11:47 -------- d-----w- c:\program files\OnTrade
2009-11-06 11:42 . 2009-11-06 11:42 -------- d-----w- c:\program files\Microsoft Windows Script
2009-11-06 11:29 . 2009-11-06 12:41 -------- d-----w- c:\program files\rapidsp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 19:20 . 2008-12-06 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-12-04 19:20 . 2004-08-04 12:00 148768 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-04 16:46 . 2008-12-06 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-12-04 08:46 . 2009-01-08 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-03 21:18 . 2008-11-29 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-12-03 03:19 . 2009-03-11 19:08 -------- d-----w- c:\program files\PokerStars
2009-12-03 00:03 . 2008-12-06 15:29 -------- d-----r- c:\program files\Skype
2009-12-03 00:03 . 2008-12-06 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-03 00:03 . 2009-09-21 17:49 -------- d-----w- c:\program files\TableNinja
2009-12-03 00:03 . 2009-04-10 17:07 -------- d-----w- c:\program files\PokerTracker 3
2009-12-02 15:48 . 2009-12-02 15:48 3301 ----a-w- c:\windows\system32\drivers\stac97e.log
2009-12-02 13:33 . 2009-12-02 23:49 170986 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-12-01 00:24 . 2008-11-29 22:19 78624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-30 22:39 . 2008-11-29 22:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-30 22:35 . 2008-11-29 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-29 18:32 . 1998-12-01 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-25 22:57 . 2009-01-23 19:37 -------- d-----w- c:\program files\VstPlugins
2009-11-23 00:30 . 2009-05-20 23:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\CasinoOnNet
2009-11-23 00:29 . 2009-05-20 23:21 -------- d-----w- c:\program files\CasinoOnNet
2009-11-22 23:59 . 2009-04-17 09:15 -------- d-----w- c:\program files\Full Tilt Poker
2009-11-22 16:49 . 2009-04-18 00:13 -------- d-----w- c:\program files\Tournament Indicator
2009-11-16 14:09 . 2009-04-05 17:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microgaming
2009-11-12 23:00 . 2008-12-01 23:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-08 14:22 . 2009-03-21 15:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-07 23:39 . 1998-12-01 03:34 -------- d-----w- c:\program files\MSBuild
2009-11-07 22:38 . 1998-12-01 03:34 -------- d-----w- c:\program files\Microsoft Works
2009-10-30 18:19 . 2009-10-30 18:07 -------- d-----w- c:\program files\Heroes of Newerth
2009-10-24 02:30 . 2009-06-09 19:05 -------- d-----w- c:\program files\SharkScope
2009-10-24 02:19 . 2009-01-23 19:34 -------- d-----w- c:\program files\Image-Line
2009-10-24 01:36 . 2009-09-21 22:44 -------- d-----w- c:\program files\PostgreSQL
2009-10-22 13:57 . 2009-10-22 13:57 217088 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
2009-09-29 13:05 . 2009-09-29 13:05 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-09-29 13:02 . 2009-09-29 13:02 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-09-29 12:56 . 2009-09-29 12:56 116008 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-04-24 04:38 . 2009-06-02 22:27 307704 ----a-w- c:\program files\iexplore.exe
2009-03-25 12:24 . 2009-04-10 19:13 5292032 ----a-w- c:\program files\PokerTracker.exe
1998-12-01 01:30 . 2007-11-29 23:09 8606 --sha-w- c:\windows\system32\Windowsupdates\updatefiles.dat
.

------- Sigcheck -------

[-] 2009-12-04 . 4614B3E633F4A1F715D952294669090F . 148768 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2009-12-04 492840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotKey.lnk - c:\program files\TEXTware\HotKey\TWALINK.EXE [2009-5-18 19968]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Tournament Indicator\\Indicator.exe"=
"c:\\Program Files\\Holdem Indicator\\HoldemIndicator.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/1/2009 1:09 PM 28552]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [3/13/2009 4:50 AM 65536]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 1:57 PM 70952]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C51550E6-BEE1-DC64-9DC1-1168E64FFA74}]
c:\windows\system32\Windowsupdates\Windupdate.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-12-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-08 18:51]

2009-12-04 c:\windows\Tasks\User_Feed_Synchronization-{2580DBE6-057E-4864-B4A6-AC2166190203}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2009-12-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-17 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.portal.fo/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 172.16.10.1:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunApp.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\
FF - prefs.js: browser.startup.homepage - hxxp://portal.fo/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 19:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D15618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf767ff28
\Driver\ACPI -> ACPI.sys @ 0xf74f2cb8
\Driver\atapi -> atapi.sys @ 0xf7466852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Intel(R) PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf735fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf736ca21
SendHandler -> NDIS.sys @ 0xf734a87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1614895754-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,18,aa,f3,9f,0b,71,41,ba,fb,68,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,18,aa,f3,9f,0b,71,41,ba,fb,68,\

[HKEY_USERS\S-1-5-21-1757981266-1614895754-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2172)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\MagicDisc\MagicDisc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
.
**************************************************************************
.
Completion time: 2009-12-04 19:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-04 19:52
ComboFix2.txt 2009-12-01 21:57

Pre-Run: 20,596,240,384 bytes free
Post-Run: 20,605,038,592 bytes free

- - End Of File - - 82F4EA567235F46469CCF5D318450E45



#19
December 4, 2009 at 12:42:32
Please run Gmer again and post its log.


#20
December 4, 2009 at 18:55:12
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-05 02:57:35
Windows 5.1.2600 Service Pack 3
Running: ie2pevox.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwtdapoc.sys


---- System - GMER 1.0.15 ----

SSDT 85FD58A0 ZwAssignProcessToJobObject
SSDT 85FD4CB0 ZwOpenProcess
SSDT 85FD50D0 ZwOpenThread
SSDT 85FD56D0 ZwSuspendProcess
SSDT 85FD54F0 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB2ED80B0]
SSDT 85FD5310 ZwTerminateThread

---- Kernel code sections - GMER 1.0.15 ----

? C:\Combo-fix23635C\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[228] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\SearchIndexer.exe[1676] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \FileSystem\Fastfat \Fat AFC44D20

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86D15618

---- Threads - GMER 1.0.15 ----

Thread System [4:384] 85FD3930

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DllName C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logon SABWINLOLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logoff SABWINLOLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Startup SABWINLOStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Shutdown SABWINLOShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName Ati2evxx.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Lock AtiLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Logoff AtiLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Logon AtiLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Disconnect AtiDisConnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Reconnect AtiReConnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Safe 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Shutdown AtiShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StartScreenSaver AtiStartScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StartShell AtiStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Startup AtiStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StopScreenSaver AtiStopScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Unlock AtiUnLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@DllName crypt32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Logoff ChainWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@DllName cryptnet.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Logoff CryptnetWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@DLLName cscdll.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logon WinlogonLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logoff WinlogonLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@ScreenSaver WinlogonScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Startup WinlogonStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Shutdown WinlogonShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@StartShell WinlogonStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@DllName %SystemRoot%\System32\dimsntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Startup WlDimsStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Shutdown WlDimsShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logon WlDimsLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logoff WlDimsLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@StartShell WlDimsStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Lock WlDimsLock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Unlock WlDimsUnlock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logon SCardStartCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logoff SCardStopCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Lock SCardSuspendCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Unlock SCardResumeCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Enabled 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@StartShell SchedStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Logoff SchedEventLogOff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Logoff WLEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@DllName sclgntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@DLLName WlNotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Lock SensLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logon SensLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logoff SensLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Safe 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartScreenSaver SensStartScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StopScreenSaver SensStopScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Startup SensStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Shutdown SensShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartShell SensStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@PostShell SensPostShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Disconnect SensDisconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Reconnect SensReconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Unlock SensUnlockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logoff TSEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logon TSEventLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@PostShell TSEventPostShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Shutdown TSEventShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@StartShell TSEventStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Startup TSEventStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Reconnect TSEventReconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Disconnect TSEventDisconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logon RegisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logoff UnregisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Asynchronous 1



#21
December 4, 2009 at 19:12:45
I was not running "tableninja.exe" when performing the last two tasks/scans. So the CPU was not at 100%, and therefore it may seem as if the system was running correctly.

I don't know if I should be running it while doing the scans, in order to do the proper analysis of the logs.

Should I post again with "tableninja.exe" running? Or does it not matter?



#22
December 4, 2009 at 22:07:00
It doesn't matter if the app is not running as far as the scan goes. The online bitdefender scan may find some more baddies. At least the rootkit appears to be dead.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\Documents and Settings\Administrator\yeazem.exe

Driver::
yeazem

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "run".

Please post the log that is produced.

Post a new Combofix log following the previous directions.

Please run the BitDefender online scan from this link:
Bitdefender Online Scanner

Click I Agree to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click Click here to scan to begin the scan.
Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
When the scan is finished, click on Click here to export the scan results.
Save the report to your desktop so you can post it in your next reply.



#23
December 5, 2009 at 07:05:52
ComboFix 09-12-04.04 - Administrator 12/05/2009 14:39.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.640 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active


FILE ::
"c:\documents and settings\Administrator\yeazem.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\WLSetup
c:\documents and settings\All Users\Application Data\Microsoft\WLSetup\Logs\2009-09-17_19-36_d7c-6pyvun8x.log

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-04 19:10 . 2009-12-04 19:10 -------- d-----w- C:\combo-fix
2009-12-04 08:33 . 2009-12-04 08:33 -------- d-----w- C:\$WINDOWS.~BT
2009-12-03 21:29 . 2009-02-24 18:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-12-03 21:29 . 2009-12-03 21:29 -------- d-----w- c:\program files\MagicDisc
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\program files\Common Files\Skype
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-02 18:34 . 2009-12-02 18:34 -------- d-----w- c:\program files\tbh
2009-12-01 18:44 . 2009-12-03 00:02 -------- d-----w- c:\program files\trend micro
2009-12-01 18:44 . 2009-12-01 18:44 -------- d-----w- C:\rsit
2009-12-01 14:14 . 2009-12-01 14:14 13406 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7DFDD4D1-89FF-4F8C-B925-7D609D1FD8F7}\_6536443F4CA0C6BEA2EFA6.exe
2009-12-01 14:14 . 2009-12-01 14:14 13406 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7DFDD4D1-89FF-4F8C-B925-7D609D1FD8F7}\_16533CB10CC63DBBD73CD8.exe
2009-12-01 14:09 . 2009-12-01 14:09 -------- d-----w- C:\document and settings
2009-12-01 13:09 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-01 13:08 . 2009-12-01 13:08 -------- d-----w- c:\program files\Panda Security
2009-12-01 02:39 . 2009-12-01 02:39 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-01 02:36 . 2009-12-03 00:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-01 02:36 . 2009-12-01 02:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-12-01 02:29 . 2009-12-01 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-01 02:29 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 02:29 . 2009-12-01 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-01 02:29 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 02:29 . 2009-12-03 00:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 22:52 . 2009-11-30 22:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2009-11-30 22:47 . 2009-11-30 22:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-11-30 22:43 . 2009-11-30 22:43 -------- d-----w- c:\program files\ESET
2009-11-30 22:43 . 2009-11-30 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-11-29 21:06 . 2009-11-29 21:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PACE Anti-Piracy
2009-11-26 04:59 . 2009-11-26 04:59 -------- d-----w- c:\program files\Microsoft.NET
2009-11-25 22:56 . 2009-11-25 22:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Antares
2009-11-25 22:56 . 2009-11-25 22:56 -------- d-----w- c:\program files\Antares Audio Technologies
2009-11-15 18:53 . 2009-12-01 11:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mathematica
2009-11-15 18:52 . 2009-11-15 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Mathematica
2009-11-15 18:52 . 2009-11-15 18:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Mathematica
2009-11-15 18:50 . 2008-11-10 21:53 185640 ----a-w- c:\windows\system32\mlmodule32.dll
2009-11-15 18:50 . 2008-11-10 21:53 378152 ----a-w- c:\windows\system32\ml32i3.dll
2009-11-15 18:50 . 2008-11-10 21:53 267560 ----a-w- c:\windows\system32\ml32i2.dll
2009-11-15 18:50 . 2008-11-10 21:53 255272 ----a-w- c:\windows\system32\ml32i1.dll
2009-11-15 18:44 . 2009-11-15 18:52 -------- d-----w- c:\program files\Wolfram Research
2009-11-07 23:39 . 2009-11-07 23:39 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-07 23:39 . 2009-11-07 23:39 -------- d-----w- c:\program files\Reference Assemblies
2009-11-07 23:37 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-11-07 23:36 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-07 23:36 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-07 23:36 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-07 23:36 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-07 23:36 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-07 23:36 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-07 23:36 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-07 23:36 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-11-07 23:36 . 2009-11-07 23:38 -------- d-----w- C:\e82b504fca412224e2
2009-11-07 23:35 . 2009-11-07 23:35 -------- d-----w- c:\documents and settings\Administrator\.thumbnails
2009-11-07 23:33 . 2009-11-15 21:18 -------- d-----w- c:\documents and settings\Administrator\.gimp-2.6
2009-11-07 23:30 . 2009-11-07 23:30 -------- d-----w- c:\program files\GIMP-2.0
2009-11-07 23:19 . 2009-11-07 23:19 -------- d-----r- C:\AHCache
2009-11-06 11:47 . 2009-11-06 11:47 -------- d-----w- c:\program files\OnTrade
2009-11-06 11:42 . 2009-11-06 11:42 -------- d-----w- c:\program files\Microsoft Windows Script
2009-11-06 11:29 . 2009-11-06 12:41 -------- d-----w- c:\program files\rapidsp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 14:32 . 2004-08-04 12:00 148768 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-05 13:27 . 2009-01-08 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-05 03:54 . 2009-04-17 09:15 -------- d-----w- c:\program files\Full Tilt Poker
2009-12-04 19:20 . 2008-12-06 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-12-04 16:46 . 2008-12-06 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-12-03 21:18 . 2008-11-29 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-12-03 03:19 . 2009-03-11 19:08 -------- d-----w- c:\program files\PokerStars
2009-12-03 00:03 . 2008-12-06 15:29 -------- d-----r- c:\program files\Skype
2009-12-03 00:03 . 2008-12-06 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-03 00:03 . 2009-09-21 17:49 -------- d-----w- c:\program files\TableNinja
2009-12-03 00:03 . 2009-04-10 17:07 -------- d-----w- c:\program files\PokerTracker 3
2009-12-02 15:48 . 2009-12-02 15:48 3301 ----a-w- c:\windows\system32\drivers\stac97e.log
2009-12-02 13:33 . 2009-12-02 23:49 170986 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-12-01 00:24 . 2008-11-29 22:19 78624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-30 22:39 . 2008-11-29 22:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-30 22:35 . 2008-11-29 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-29 18:32 . 1998-12-01 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-25 22:57 . 2009-01-23 19:37 -------- d-----w- c:\program files\VstPlugins
2009-11-23 00:30 . 2009-05-20 23:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\CasinoOnNet
2009-11-23 00:29 . 2009-05-20 23:21 -------- d-----w- c:\program files\CasinoOnNet
2009-11-22 16:49 . 2009-04-18 00:13 -------- d-----w- c:\program files\Tournament Indicator
2009-11-16 14:09 . 2009-04-05 17:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microgaming
2009-11-12 23:00 . 2008-12-01 23:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-08 14:22 . 2009-03-21 15:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-07 23:39 . 1998-12-01 03:34 -------- d-----w- c:\program files\MSBuild
2009-11-07 22:38 . 1998-12-01 03:34 -------- d-----w- c:\program files\Microsoft Works
2009-10-30 18:19 . 2009-10-30 18:07 -------- d-----w- c:\program files\Heroes of Newerth
2009-10-24 02:30 . 2009-06-09 19:05 -------- d-----w- c:\program files\SharkScope
2009-10-24 02:19 . 2009-01-23 19:34 -------- d-----w- c:\program files\Image-Line
2009-10-24 01:36 . 2009-09-21 22:44 -------- d-----w- c:\program files\PostgreSQL
2009-10-22 13:57 . 2009-10-22 13:57 217088 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
2009-09-29 13:05 . 2009-09-29 13:05 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-09-29 13:02 . 2009-09-29 13:02 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-09-29 12:56 . 2009-09-29 12:56 116008 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-04-24 04:38 . 2009-06-02 22:27 307704 ----a-w- c:\program files\iexplore.exe
2009-03-25 12:24 . 2009-04-10 19:13 5292032 ----a-w- c:\program files\PokerTracker.exe
1998-12-01 01:30 . 2007-11-29 23:09 8606 --sha-w- c:\windows\system32\Windowsupdates\updatefiles.dat
.

------- Sigcheck -------

[-] 2009-12-05 . 4614B3E633F4A1F715D952294669090F . 148768 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-12-04_19.42.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-05 14:52 . 2009-12-05 14:52 16384 c:\windows\temp\Perflib_Perfdata_7d8.dat
+ 2005-11-30 08:56 . 2009-12-05 14:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-11-30 08:56 . 2009-12-04 19:39 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-11-30 08:56 . 2009-12-04 19:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-11-30 08:56 . 2009-12-05 14:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-29 21:06 . 2009-12-05 14:51 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-11-29 21:06 . 2009-12-04 19:39 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2005-11-30 08:56 . 2009-12-05 14:51 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-11-30 08:56 . 2009-12-04 19:39 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2009-12-05 492840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotKey.lnk - c:\program files\TEXTware\HotKey\TWALINK.EXE [2009-5-18 19968]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Tournament Indicator\\Indicator.exe"=
"c:\\Program Files\\Holdem Indicator\\HoldemIndicator.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/1/2009 1:09 PM 28552]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [3/13/2009 4:50 AM 65536]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 1:57 PM 70952]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C51550E6-BEE1-DC64-9DC1-1168E64FFA74}]
c:\windows\system32\Windowsupdates\Windupdate.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-12-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-08 18:51]

2009-12-05 c:\windows\Tasks\User_Feed_Synchronization-{2580DBE6-057E-4864-B4A6-AC2166190203}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2009-12-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-17 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.portal.fo/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 172.16.10.1:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunApp.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\
FF - prefs.js: browser.startup.homepage - hxxp://portal.fo/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 14:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D15618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf767ff28
\Driver\ACPI -> ACPI.sys @ 0xf74f2cb8
\Driver\atapi -> atapi.sys @ 0xf7466852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Intel(R) PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf735fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf736ca21
SendHandler -> NDIS.sys @ 0xf734a87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1614895754-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,18,aa,f3,9f,0b,71,41,ba,fb,68,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,18,aa,f3,9f,0b,71,41,ba,fb,68,\

[HKEY_USERS\S-1-5-21-1757981266-1614895754-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(788)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3604)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\program files\MagicDisc\MagicDisc.exe
c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-12-05 15:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-05 15:05
ComboFix2.txt 2009-12-04 19:52
ComboFix3.txt 2009-12-01 21:57

Pre-Run: 20,578,820,096 bytes free
Post-Run: 20,540,698,624 bytes free

- - End Of File - - 03A97475DB6DFF63AD129F5F85E902D1



#24
December 5, 2009 at 07:33:04
Let me know if you are still getting pop-ups, redirects or how the computer is running in general.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
Folder::
c:\windows\system32\Windowsupdates

Registry::
-[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C51550E6-BEE1-DC64-9DC1-1168E64FFA74}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.



#25
December 5, 2009 at 08:36:06
Here's the second ComboFix log you told me to post, like in the previous directions.

ComboFix 09-12-04.05 - Administrator 12/05/2009 16:05.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.622 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-fix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-04 19:10 . 2009-12-04 19:10 -------- d-----w- C:\combo-fix
2009-12-04 08:33 . 2009-12-04 08:33 -------- d-----w- C:\$WINDOWS.~BT
2009-12-03 21:29 . 2009-02-24 18:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-12-03 21:29 . 2009-12-03 21:29 -------- d-----w- c:\program files\MagicDisc
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\program files\Common Files\Skype
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-02 18:34 . 2009-12-02 18:34 -------- d-----w- c:\program files\tbh
2009-12-01 18:44 . 2009-12-03 00:02 -------- d-----w- c:\program files\trend micro
2009-12-01 18:44 . 2009-12-01 18:44 -------- d-----w- C:\rsit
2009-12-01 14:14 . 2009-12-01 14:14 13406 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7DFDD4D1-89FF-4F8C-B925-7D609D1FD8F7}\_6536443F4CA0C6BEA2EFA6.exe
2009-12-01 14:14 . 2009-12-01 14:14 13406 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7DFDD4D1-89FF-4F8C-B925-7D609D1FD8F7}\_16533CB10CC63DBBD73CD8.exe
2009-12-01 14:09 . 2009-12-01 14:09 -------- d-----w- C:\document and settings
2009-12-01 13:09 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-01 13:08 . 2009-12-01 13:08 -------- d-----w- c:\program files\Panda Security
2009-12-01 02:39 . 2009-12-01 02:39 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-01 02:36 . 2009-12-03 00:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-01 02:36 . 2009-12-01 02:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-12-01 02:29 . 2009-12-01 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-01 02:29 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 02:29 . 2009-12-01 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-01 02:29 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 02:29 . 2009-12-03 00:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 22:52 . 2009-11-30 22:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2009-11-30 22:47 . 2009-11-30 22:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-11-30 22:43 . 2009-11-30 22:43 -------- d-----w- c:\program files\ESET
2009-11-30 22:43 . 2009-11-30 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-11-29 21:06 . 2009-11-29 21:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PACE Anti-Piracy
2009-11-26 04:59 . 2009-11-26 04:59 -------- d-----w- c:\program files\Microsoft.NET
2009-11-25 22:56 . 2009-11-25 22:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Antares
2009-11-25 22:56 . 2009-11-25 22:56 -------- d-----w- c:\program files\Antares Audio Technologies
2009-11-15 18:53 . 2009-12-01 11:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mathematica
2009-11-15 18:52 . 2009-11-15 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Mathematica
2009-11-15 18:52 . 2009-11-15 18:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Mathematica
2009-11-15 18:50 . 2008-11-10 21:53 185640 ----a-w- c:\windows\system32\mlmodule32.dll
2009-11-15 18:50 . 2008-11-10 21:53 378152 ----a-w- c:\windows\system32\ml32i3.dll
2009-11-15 18:50 . 2008-11-10 21:53 267560 ----a-w- c:\windows\system32\ml32i2.dll
2009-11-15 18:50 . 2008-11-10 21:53 255272 ----a-w- c:\windows\system32\ml32i1.dll
2009-11-15 18:44 . 2009-11-15 18:52 -------- d-----w- c:\program files\Wolfram Research
2009-11-07 23:39 . 2009-11-07 23:39 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-07 23:39 . 2009-11-07 23:39 -------- d-----w- c:\program files\Reference Assemblies
2009-11-07 23:37 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-11-07 23:36 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-07 23:36 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-07 23:36 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-07 23:36 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-07 23:36 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-07 23:36 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-07 23:36 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-07 23:36 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-11-07 23:36 . 2009-11-07 23:38 -------- d-----w- C:\e82b504fca412224e2
2009-11-07 23:35 . 2009-11-07 23:35 -------- d-----w- c:\documents and settings\Administrator\.thumbnails
2009-11-07 23:33 . 2009-11-15 21:18 -------- d-----w- c:\documents and settings\Administrator\.gimp-2.6
2009-11-07 23:30 . 2009-11-07 23:30 -------- d-----w- c:\program files\GIMP-2.0
2009-11-07 23:19 . 2009-11-07 23:19 -------- d-----r- C:\AHCache
2009-11-06 11:47 . 2009-11-06 11:47 -------- d-----w- c:\program files\OnTrade
2009-11-06 11:42 . 2009-11-06 11:42 -------- d-----w- c:\program files\Microsoft Windows Script
2009-11-06 11:29 . 2009-11-06 12:41 -------- d-----w- c:\program files\rapidsp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 15:39 . 2004-08-04 12:00 148768 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-05 13:27 . 2009-01-08 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-05 03:54 . 2009-04-17 09:15 -------- d-----w- c:\program files\Full Tilt Poker
2009-12-04 19:20 . 2008-12-06 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-12-04 16:46 . 2008-12-06 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-12-03 21:18 . 2008-11-29 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-12-03 03:19 . 2009-03-11 19:08 -------- d-----w- c:\program files\PokerStars
2009-12-03 00:03 . 2008-12-06 15:29 -------- d-----r- c:\program files\Skype
2009-12-03 00:03 . 2008-12-06 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-03 00:03 . 2009-09-21 17:49 -------- d-----w- c:\program files\TableNinja
2009-12-03 00:03 . 2009-04-10 17:07 -------- d-----w- c:\program files\PokerTracker 3
2009-12-02 15:48 . 2009-12-02 15:48 3301 ----a-w- c:\windows\system32\drivers\stac97e.log
2009-12-02 13:33 . 2009-12-02 23:49 170986 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-12-01 00:24 . 2008-11-29 22:19 78624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-30 22:39 . 2008-11-29 22:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-30 22:35 . 2008-11-29 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-29 18:32 . 1998-12-01 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-25 22:57 . 2009-01-23 19:37 -------- d-----w- c:\program files\VstPlugins
2009-11-23 00:30 . 2009-05-20 23:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\CasinoOnNet
2009-11-23 00:29 . 2009-05-20 23:21 -------- d-----w- c:\program files\CasinoOnNet
2009-11-22 16:49 . 2009-04-18 00:13 -------- d-----w- c:\program files\Tournament Indicator
2009-11-16 14:09 . 2009-04-05 17:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microgaming
2009-11-12 23:00 . 2008-12-01 23:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-08 14:22 . 2009-03-21 15:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-07 23:39 . 1998-12-01 03:34 -------- d-----w- c:\program files\MSBuild
2009-11-07 22:38 . 1998-12-01 03:34 -------- d-----w- c:\program files\Microsoft Works
2009-10-30 18:19 . 2009-10-30 18:07 -------- d-----w- c:\program files\Heroes of Newerth
2009-10-24 02:30 . 2009-06-09 19:05 -------- d-----w- c:\program files\SharkScope
2009-10-24 02:19 . 2009-01-23 19:34 -------- d-----w- c:\program files\Image-Line
2009-10-24 01:36 . 2009-09-21 22:44 -------- d-----w- c:\program files\PostgreSQL
2009-10-22 13:57 . 2009-10-22 13:57 217088 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
2009-09-29 13:05 . 2009-09-29 13:05 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-09-29 13:02 . 2009-09-29 13:02 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-09-29 12:56 . 2009-09-29 12:56 116008 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-04-24 04:38 . 2009-06-02 22:27 307704 ----a-w- c:\program files\iexplore.exe
2009-03-25 12:24 . 2009-04-10 19:13 5292032 ----a-w- c:\program files\PokerTracker.exe
1998-12-01 01:30 . 2007-11-29 23:09 8606 --sha-w- c:\windows\system32\Windowsupdates\updatefiles.dat
.

------- Sigcheck -------

[-] 2009-12-05 . 4614B3E633F4A1F715D952294669090F . 148768 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2009-12-05 492840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotKey.lnk - c:\program files\TEXTware\HotKey\TWALINK.EXE [2009-5-18 19968]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Tournament Indicator\\Indicator.exe"=
"c:\\Program Files\\Holdem Indicator\\HoldemIndicator.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/1/2009 1:09 PM 28552]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [3/13/2009 4:50 AM 65536]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 1:57 PM 70952]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C51550E6-BEE1-DC64-9DC1-1168E64FFA74}]
c:\windows\system32\Windowsupdates\Windupdate.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-12-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-08 18:51]

2009-12-05 c:\windows\Tasks\User_Feed_Synchronization-{2580DBE6-057E-4864-B4A6-AC2166190203}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2009-12-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-17 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.portal.fo/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 172.16.10.1:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunApp.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\
FF - prefs.js: browser.startup.homepage - hxxp://portal.fo/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 16:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D15618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf767ff28
\Driver\ACPI -> ACPI.sys @ 0xf74f2cb8
\Driver\atapi -> atapi.sys @ 0xf7466852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Intel(R) PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf735fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf736ca21
SendHandler -> NDIS.sys @ 0xf734a87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1614895754-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,18,aa,f3,9f,0b,71,41,ba,fb,68,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,18,aa,f3,9f,0b,71,41,ba,fb,68,\

[HKEY_USERS\S-1-5-21-1757981266-1614895754-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1228)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\MagicDisc\MagicDisc.exe
c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-12-05 16:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-05 16:36
ComboFix2.txt 2009-12-05 15:05

Pre-Run: 20,561,190,912 bytes free
Post-Run: 20,485,042,176 bytes free

- - End Of File - - D706158506A5F2B26A118F7EABB5E2E9



#26
December 5, 2009 at 08:43:44
BitDefender QuickScan Beta 32-bit v0.9.8.2
------------------------------------------

Scan date: Sat Dec 05 16:44:33 2009
Machine ID: F86D550F

No infection found.
---------------------


Processes
---------
<unsigned> ATI Desktop Control Panel 3336 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
<unsigned> Intel 802.1x Server 2696 C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
<unsigned> Intel(R) PROSet/Wireless Event Log 1276 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
<unsigned> Intel Framework MFC Application 3412 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
<unsigned> Intel(R) PROSet/Wireless Registry Service 384 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
<unsigned> Wireless Management Service 1324 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
<unsigned> WLANKEEPER 1376 C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
<unsigned> ZeroCfgSvc MFC Application 3348 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
<unsigned> MagicISO Virtual CD/DVD Manager 484 C:\Program Files\MagicDisc\MagicDisc.exe
<unsigned> pg_ctl - starts/stops/restarts the PostgreSQL serv 256 C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
<unsigned> PostgreSQL Server 2132 C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
<unsigned> PostgreSQL Server 208 C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
<unsigned> PostgreSQL Server 540 C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
<unsigned> PostgreSQL Server 2124 C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
<unsigned> PostgreSQL Server 2148 C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
<unsigned> PostgreSQL Server 2140 C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
<unsigned> TWALINK.EXE 2004 C:\Program Files\TEXTware\HotKey\TWALINK.EXE

<verified> Alps Pointing-device Driver for Windows NT/2000/XP 2812 C:\Program Files\Apoint\Apntex.exe
<verified> Alps Pointing-device Driver 3456 C:\Program Files\Apoint\Apoint.exe
<verified> Alps Pointing-device Driver 2564 C:\Program Files\Apoint\HidFind.exe
<verified> ESET GUI 3548 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
<verified> ESET Service 1888 C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
<verified> Java(TM) Quick Starter Service 2008 C:\Program Files\Java\jre6\bin\jqs.exe
<verified> Java(TM) Platform SE binary 3592 C:\Program Files\Java\jre6\bin\jusched.exe
<verified> GrooveMonitor Utility 3420 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
<verified> Firefox 600 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> SUPERAntiSpyware Application 3732 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
<verified> tbhDaemon.exe 2184 C:\Program Files\tbh\base\bin\tbhDaemon.exe
<verified> tbhSystray 3644 C:\Program Files\tbh\base\bin\tbhSystray.exe
<verified> tbhMonitor.exe 680 C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
<verified> Windows Search System Tray 188 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
<verified> Windows Explorer 1228 C:\WINDOWS\explorer.exe
<verified> Application Layer Gateway Service 3028 C:\WINDOWS\System32\alg.exe
<verified> ATI External Event Utility EXE Module 944 C:\WINDOWS\system32\Ati2evxx.exe
<verified> Client Server Runtime Process 684 C:\WINDOWS\system32\csrss.exe
<verified> CTF Loader 3948 C:\WINDOWS\system32\ctfmon.exe
<verified> LSA Shell (Export Version) 780 C:\WINDOWS\system32\lsass.exe
<verified> Microsoft Windows Search Indexer 1552 C:\WINDOWS\system32\SearchIndexer.exe
<verified> Services and Controller app 768 C:\WINDOWS\system32\services.exe
<verified> Windows NT Session Manager 620 C:\WINDOWS\System32\smss.exe
<verified> Spooler SubSystem App 1764 C:\WINDOWS\system32\spoolsv.exe
<verified> Generic Host Process for Win32 Services 576 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1844 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1448 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1168 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1560 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1124 C:\WINDOWS\System32\svchost.exe
<verified> Generic Host Process for Win32 Services 1084 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 972 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 2776 C:\WINDOWS\System32\svchost.exe
<verified> Windows NT Logon Application 716 C:\WINDOWS\system32\winlogon.exe


Network activity
----------------
Process ekrn.exe (1888) connected on port 80 (HTTP) - wy-in-f148.1e100.net
Process ekrn.exe (1888) connected on port 80 (HTTP) - pagead.l.doubleclick.net
Process ekrn.exe (1888) connected on port 80 (HTTP) - 64.236.76.160
Process ekrn.exe (1888) connected on port 80 (HTTP) - www-google-analytics.l.google.com
Process ekrn.exe (1888) connected on port 80 (HTTP) - www-google-analytics.l.google.com
Process ekrn.exe (1888) connected on port 80 (HTTP) - e2943.c.akamaiedge.net
Process ekrn.exe (1888) connected on port 80 (HTTP) - www-google-analytics.l.google.com
Process ekrn.exe (1888) connected on port 80 (HTTP) - a92-122-216-145.deploy.akamaitechnologies.com

Process svchost.exe (1084) listens on ports: 135 (RPC)
Process svchost.exe (1560) listens on ports: 2869 (SSDP event notification, UPNP)


Autoruns and critical files
---------------------------
<unsigned> ATI Desktop Control Panel C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
<unsigned> Intel Framework MFC Application C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
<unsigned> ZeroCfgSvc MFC Application C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
<unsigned> MagicISO Virtual CD/DVD Manager C:\Program Files\MagicDisc\MagicDisc.exe
<unsigned> ShellExecuteHook C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
<unsigned> TWALINK.EXE C:\Program Files\TEXTware\HotKey\TWALINK.EXE
<unsigned> AutoHotkey C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
<unsigned> Windows Search Namespace Manager C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll

<verified> Adobe Acrobat SpeedLauncher C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
<verified> Alps Pointing-device Driver C:\Program Files\Apoint\Apoint.exe
<verified> Adobe Reader and Acrobat Manager C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
<verified> ESET GUI C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
<verified> gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
<verified> Java(TM) Platform SE binary C:\Program Files\Java\jre6\bin\jusched.exe
<verified> Malwarebytes' Anti-Malware C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
<verified> GrooveMonitor Utility C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
<verified> GrooveShellExtensions Module C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
<verified> Microsoft Office OneNote Quick Launcher C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
<verified> SUPERAntiSpyware Application C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
<verified> tbhSystray C:\Program Files\tbh\base\bin\tbhSystray.exe
<verified> Windows Search System Tray C:\Program Files\Windows Desktop Search\WindowsSearch.exe
<verified> Shockwave Helper C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE
<verified> Shell Browser UI Library C:\WINDOWS\system32\browseui.dll
<verified> Windows Genuine Advantage Notifications Setup C:\WINDOWS\system32\KB905474\wgasetup.exe
<verified> Windows Logon UI C:\WINDOWS\system32\logonui.exe
<verified> Microsoft Feeds Synchronization C:\WINDOWS\system32\msfeedssync.exe
<verified> Windows Shell Common Dll C:\WINDOWS\system32\shell32.dll
<verified> Systray shell service object C:\WINDOWS\system32\stobject.dll
<verified> Userinit Logon Application c:\windows\system32\userinit.exe
<verified> Web Site Monitor C:\WINDOWS\system32\webcheck.dll
<verified> Windows Portable Device Shell Service Object C:\WINDOWS\system32\WPDShServiceObj.dll


Browser plugins
---------------
<unsigned> Java(TM) Quick Starter binary c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
<unsigned> RunApp MFC Application C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
<unsigned> Adobe Shockwave for Director Netscape plug-in, ver C:\WINDOWS\system32\Adobe\Director\np32dsw.dll

<verified> Adobe PDF Helper for Internet Explorer c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
<verified> WindowsLiveLogin.dll c:\program files\common files\microsoft shared\windows live\windowslivelogin.dll
<verified> Google Updater plugin
<a href="http://pack.goog C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
<verified> GoogleToolbarNotifier c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
<verified> Adobe PDF Plug-In For Firefox and Netscape C:\Program Files\Internet Explorer\plugins\nppdf32.dll
<verified> Java(TM) Platform SE binary c:\program files\java\jre6\bin\jp2ssv.dll
<verified> Windows Messenger C:\Program Files\Messenger\msmsgs.exe
<verified> GrooveShellExtensions Module C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
<verified> 3.0.40818.0 c:\Program Files\Microsoft Silverlight\3.0.40818.0\npctrl.dll
<verified> NPRuntime Script Plug-in Library for Java(TM) Depl C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
<verified> Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> Adobe PDF Plug-In For Firefox and Netscape C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
<verified> Panda ActiveScan 2.0 Plugin for Firefox C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll
<verified> PokerStars Update C:\Program Files\PokerStars\PokerStarsUpdate.exe
<verified> Skype add-on for IE c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
<verified> Adobe® Flash® Player ActiveX Installer C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
<verified> Windows Presentation Foundation (WPF) plug-in for c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
<verified> Network Diagnostic for Windows XP C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<verified> Internet Explorer C:\WINDOWS\system32\ieframe.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> Microsoft Windows Sockets 2.0 Service Provider C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft Windows Rsvp 1.0 Service Provider C:\WINDOWS\system32\rsvpsp.dll
<verified> LDAP RnR Provider DLL C:\WINDOWS\system32\winrnr.dll


Missing files
-------------
File not found: C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
referenced in: HKLM\Software\Microsoft\Internet Explorer\Extensions\{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}\"Exec"


Scan
----

No file uploaded.

Scan finished - communication took 3 sec
Total traffic - 0.06 MB sent, 2.86 KB recvd
Scanned 1095 files and modules - 68 seconds



#27
December 5, 2009 at 09:26:57
And how is the computer operating?


#28
December 5, 2009 at 09:42:45
This is the last ComboFix log report from response #22.

The system/computer is running pretty standard, I think. Given that it's not a supercomputer, it runs as it should be running.

The culprit program ("tableninja.exe") still takes up the rest of the CPU when I turn it on. I don't think I mentioned that the program/tableninja.exe doesn't work at all now; it hasn't been working since it started taking up all the CPU power, i.e. tableninja.exe does not show up at all, neither does it show up on the process bar in the bottom right corner of Windows. The only place it shows up is in the Task Manager processes bar.
I just don't understand why this is happening; it doesn't make much sense to me.
It seems as if some other program/virus is taking over this application, or disguising itself as this program and then taking what is left of the CPU, but I don't know.

I've been trying to take the easy way out by just formatting the computer and re-installing XP, but it seems as if the CD-ROM is malfunctioning and therefore making the CD boot not work; this is probably because the computer is so old. Then I tried to boot from a USB device, but I couldn't get that working either.

Anyway, here's the ComboFix log.

ComboFix 09-12-04.05 - Administrator 12/05/2009 17:00.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.627 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Windowsupdates
c:\windows\system32\Windowsupdates\updatefiles.dat

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-05 16:44 . 2009-12-05 16:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
2009-12-05 16:44 . 2009-11-26 17:39 678912 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2009-12-05 16:44 . 2009-11-26 17:37 768512 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2009-12-04 19:10 . 2009-12-04 19:10 -------- d-----w- C:\combo-fix
2009-12-04 08:33 . 2009-12-04 08:33 -------- d-----w- C:\$WINDOWS.~BT
2009-12-03 21:29 . 2009-02-24 18:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-12-03 21:29 . 2009-12-03 21:29 -------- d-----w- c:\program files\MagicDisc
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\program files\Common Files\Skype
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-03 00:03 . 2009-12-03 00:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-02 18:34 . 2009-12-02 18:34 -------- d-----w- c:\program files\tbh
2009-12-01 18:44 . 2009-12-03 00:02 -------- d-----w- c:\program files\trend micro
2009-12-01 18:44 . 2009-12-01 18:44 -------- d-----w- C:\rsit
2009-12-01 14:14 . 2009-12-01 14:14 13406 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7DFDD4D1-89FF-4F8C-B925-7D609D1FD8F7}\_6536443F4CA0C6BEA2EFA6.exe
2009-12-01 14:14 . 2009-12-01 14:14 13406 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{7DFDD4D1-89FF-4F8C-B925-7D609D1FD8F7}\_16533CB10CC63DBBD73CD8.exe
2009-12-01 14:09 . 2009-12-01 14:09 -------- d-----w- C:\document and settings
2009-12-01 13:09 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-01 13:08 . 2009-12-01 13:08 -------- d-----w- c:\program files\Panda Security
2009-12-01 02:39 . 2009-12-01 02:39 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-01 02:36 . 2009-12-03 00:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-01 02:36 . 2009-12-01 02:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-12-01 02:29 . 2009-12-01 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-01 02:29 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 02:29 . 2009-12-01 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-01 02:29 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 02:29 . 2009-12-03 00:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 22:52 . 2009-11-30 22:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2009-11-30 22:47 . 2009-11-30 22:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-11-30 22:43 . 2009-11-30 22:43 -------- d-----w- c:\program files\ESET
2009-11-30 22:43 . 2009-11-30 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-11-29 21:06 . 2009-11-29 21:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2009-11-26 10:42 . 2009-11-26 10:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PACE Anti-Piracy
2009-11-26 04:59 . 2009-11-26 04:59 -------- d-----w- c:\program files\Microsoft.NET
2009-11-25 22:56 . 2009-11-25 22:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Antares
2009-11-25 22:56 . 2009-11-25 22:56 -------- d-----w- c:\program files\Antares Audio Technologies
2009-11-15 18:53 . 2009-12-01 11:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mathematica
2009-11-15 18:52 . 2009-11-15 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Mathematica
2009-11-15 18:52 . 2009-11-15 18:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Mathematica
2009-11-15 18:50 . 2008-11-10 21:53 185640 ----a-w- c:\windows\system32\mlmodule32.dll
2009-11-15 18:50 . 2008-11-10 21:53 378152 ----a-w- c:\windows\system32\ml32i3.dll
2009-11-15 18:50 . 2008-11-10 21:53 267560 ----a-w- c:\windows\system32\ml32i2.dll
2009-11-15 18:50 . 2008-11-10 21:53 255272 ----a-w- c:\windows\system32\ml32i1.dll
2009-11-15 18:44 . 2009-11-15 18:52 -------- d-----w- c:\program files\Wolfram Research
2009-11-07 23:39 . 2009-11-07 23:39 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-07 23:39 . 2009-11-07 23:39 -------- d-----w- c:\program files\Reference Assemblies
2009-11-07 23:37 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-11-07 23:36 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-07 23:36 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-07 23:36 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-07 23:36 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-07 23:36 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-07 23:36 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-07 23:36 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-07 23:36 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-11-07 23:36 . 2009-11-07 23:38 -------- d-----w- C:\e82b504fca412224e2
2009-11-07 23:35 . 2009-11-07 23:35 -------- d-----w- c:\documents and settings\Administrator\.thumbnails
2009-11-07 23:33 . 2009-11-15 21:18 -------- d-----w- c:\documents and settings\Administrator\.gimp-2.6
2009-11-07 23:30 . 2009-11-07 23:30 -------- d-----w- c:\program files\GIMP-2.0
2009-11-07 23:19 . 2009-11-07 23:19 -------- d-----r- C:\AHCache
2009-11-06 11:47 . 2009-11-06 11:47 -------- d-----w- c:\program files\OnTrade
2009-11-06 11:42 . 2009-11-06 11:42 -------- d-----w- c:\program files\Microsoft Windows Script
2009-11-06 11:29 . 2009-11-06 12:41 -------- d-----w- c:\program files\rapidsp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 16:53 . 2004-08-04 12:00 148768 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-05 13:27 . 2009-01-08 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-05 03:54 . 2009-04-17 09:15 -------- d-----w- c:\program files\Full Tilt Poker
2009-12-04 19:20 . 2008-12-06 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-12-04 16:46 . 2008-12-06 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-12-03 21:18 . 2008-11-29 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-12-03 03:19 . 2009-03-11 19:08 -------- d-----w- c:\program files\PokerStars
2009-12-03 00:03 . 2008-12-06 15:29 -------- d-----r- c:\program files\Skype
2009-12-03 00:03 . 2008-12-06 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-03 00:03 . 2009-09-21 17:49 -------- d-----w- c:\program files\TableNinja
2009-12-03 00:03 . 2009-04-10 17:07 -------- d-----w- c:\program files\PokerTracker 3
2009-12-02 15:48 . 2009-12-02 15:48 3301 ----a-w- c:\windows\system32\drivers\stac97e.log
2009-12-02 13:33 . 2009-12-02 23:49 170986 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-12-01 00:24 . 2008-11-29 22:19 78624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-30 22:39 . 2008-11-29 22:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-30 22:35 . 2008-11-29 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-29 18:32 . 1998-12-01 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-25 22:57 . 2009-01-23 19:37 -------- d-----w- c:\program files\VstPlugins
2009-11-23 00:30 . 2009-05-20 23:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\CasinoOnNet
2009-11-23 00:29 . 2009-05-20 23:21 -------- d-----w- c:\program files\CasinoOnNet
2009-11-22 16:49 . 2009-04-18 00:13 -------- d-----w- c:\program files\Tournament Indicator
2009-11-16 14:09 . 2009-04-05 17:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microgaming
2009-11-12 23:00 . 2008-12-01 23:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-08 14:22 . 2009-03-21 15:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-07 23:39 . 1998-12-01 03:34 -------- d-----w- c:\program files\MSBuild
2009-11-07 22:38 . 1998-12-01 03:34 -------- d-----w- c:\program files\Microsoft Works
2009-10-30 18:19 . 2009-10-30 18:07 -------- d-----w- c:\program files\Heroes of Newerth
2009-10-24 02:30 . 2009-06-09 19:05 -------- d-----w- c:\program files\SharkScope
2009-10-24 02:19 . 2009-01-23 19:34 -------- d-----w- c:\program files\Image-Line
2009-10-24 01:36 . 2009-09-21 22:44 -------- d-----w- c:\program files\PostgreSQL
2009-10-22 13:57 . 2009-10-22 13:57 217088 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
2009-09-29 13:05 . 2009-09-29 13:05 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-09-29 13:02 . 2009-09-29 13:02 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-09-29 12:56 . 2009-09-29 12:56 116008 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-04-24 04:38 . 2009-06-02 22:27 307704 ----a-w- c:\program files\iexplore.exe
2009-03-25 12:24 . 2009-04-10 19:13 5292032 ----a-w- c:\program files\PokerTracker.exe
.

------- Sigcheck -------

[-] 2009-12-05 . 4614B3E633F4A1F715D952294669090F . 148768 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-12-05_16.24.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-05 17:12 . 2009-12-05 17:12 16384 c:\windows\temp\Perflib_Perfdata_7f4.dat
+ 2005-11-30 08:56 . 2009-12-05 17:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-11-30 08:56 . 2009-12-05 16:22 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-11-30 08:56 . 2009-12-05 16:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-11-30 08:56 . 2009-12-05 17:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-29 21:06 . 2009-12-05 17:12 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-11-29 21:06 . 2009-12-05 16:22 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2005-11-30 08:56 . 2009-12-05 17:12 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-11-30 08:56 . 2009-12-05 16:22 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2009-12-05 492840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotKey.lnk - c:\program files\TEXTware\HotKey\TWALINK.EXE [2009-5-18 19968]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Tournament Indicator\\Indicator.exe"=
"c:\\Program Files\\Holdem Indicator\\HoldemIndicator.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/1/2009 1:09 PM 28552]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [3/13/2009 4:50 AM 65536]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 1:57 PM 70952]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C51550E6-BEE1-DC64-9DC1-1168E64FFA74}]
c:\windows\system32\Windowsupdates\Windupdate.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-12-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-08 18:51]

2009-12-05 c:\windows\Tasks\User_Feed_Synchronization-{2580DBE6-057E-4864-B4A6-AC2166190203}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2009-12-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-17 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.portal.fo/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 172.16.10.1:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunApp.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\
FF - prefs.js: browser.startup.homepage - hxxp://portal.fo/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hwdyrlmu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 17:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\HTT11.tmp 756 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D15618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf767ff28
\Driver\ACPI -> ACPI.sys @ 0xf74f2cb8
\Driver\atapi -> atapi.sys @ 0xf7466852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Intel(R) PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf735fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf736ca21
SendHandler -> NDIS.sys @ 0xf734a87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OUP1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1614895754-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,18,aa,f3,9f,0b,71,41,ba,fb,68,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,18,aa,f3,9f,0b,71,41,ba,fb,68,\

[HKEY_USERS\S-1-5-21-1757981266-1614895754-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1304)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\program files\MagicDisc\MagicDisc.exe
c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-12-05 17:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-05 17:24
ComboFix2.txt 2009-12-05 16:36
ComboFix3.txt 2009-12-05 15:05

Pre-Run: 20,484,665,344 bytes free
Post-Run: 20,447,150,080 bytes free

- - End Of File - - 99E50E8A8A2EC3A83ACF987DF842C719



#29
December 11, 2009 at 04:02:48
Hey Jabuck, are you done with this problem?
Is there nothing to be done to fix it?
