Weird .dll files messing up explorer.exe

Discussion in 'Windows - Virus and spyware problems' started by Ray92, Aug 28, 2008.

  1. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
A while back, while I was on the internet (using dial-up), the taskbar just disappeared, along with the desktop icons and My Computer.
I couldn't fix this and it made my computer unusable, so I did a complete format and Windows re-install. The next day, when I had finished installing everything, I went on-line again to check my e-mail and the same thing happened again, so I did another complete format and re-install.

When I went on-line after formatting a second time, the same thing happened. Before I broke my monitor in frustration, a message popped up from WinPatrol that looked like this.
[IMG]

I then thought to move the .dll file mentioned by WinPatrol to the desktop and erase it after a reboot, and explorer.exe was fine when I did so.

    Since then each time I go on-line the same thing happens and I must repeat the whole process so I can continue to surf in peace.

    These are the names of some of the .dll files:
    WvUkJgWp.dll
    wvukHBTK.dll
    byXOecDW.dll
    iifghGXq.dll
    WVUmnnmn.dll
    nnnkldEx.dll
    pmnkLFXr.dll
    cbXOHxQJ.dll
    Many, many more

Can someone please tell me how I can stop this from happening, as it's really annoying me.
     
  2. laxos

    laxos Guest

Hi, I have the same problem as you, except I found an easier way to get onto the computer without moving .dll files. STEP 1: hold Ctrl+Alt+Delete. STEP 2: click on Start Task Manager. STEP 3: click File, then Run.
STEP 4: type in explorer and click OK....

And yeah, it works for me, but if anyone can fix this problem permanently then yeah, it will be great :)
     
  3. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hi Ray92

Whoa... malware that survives formatting... that's unbelievable, even for Vundo. Are you sure it isn't something you installed after reinstalling Windows?

    Let's do a little cleanup.

    Now, please download Combofix.
    With Combofix, at the download window, please rename it to Combo-fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the Combofix window, as it may cause it to stall.

    Best Regards :D
     
  4. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
    Just an update
Thanks for your replies. I found out that there was a file called Urrqhat.dll or similar, and ESET found it to be adware, and this is what was causing the .dlls to come into the PC (it may have been due to a keygen, I think).

It wasn't getting deleted, but I was finally able to use FileASSASSIN to delete it, and all is well now.

    Thanks for replies
     
  5. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    hey Ray92

    KEYGENS!!!!! Oh, the audacity. :(

    Also, Vundo is well known for hiding, so I have a different set of instructions for you, if you don't mind following them.

    Before we begin the cleanup process, it is important to do a little analysis first. We will analyze your computer with a tool called HijackThis.

    Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file.

    Rename HijackThis(.exe) to scanner(.exe).

    Next, run scanner(.exe). A window will pop up.

    • Click on the button which says Main Menu, then Do a system scan and save a logfile.
    • Please wait for the scan to be completed.
    • After the scan has completed, a text window will pop up. Please post the contents of this window here.

    This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

    NOTE:: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.

    Best Regards :D
     
  6. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
Sorry, I forgot to mention that after I fixed explorer.exe, I ran a full scan with Malwarebytes Anti-Malware, and it removed some files that were infected with Vundo.

    Anyhow just to be safe, here is the HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:36:32 PM, on 9/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\STacSV.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\sttray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    D:\Program Files\T-Clock\tclock.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\PROGRAM FILES\FRAPS\FRAPS.EXE
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\RaY YaN\Desktop\Scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0C306420-56E3-4844-9B2F-F718826C3071} - (no file)
    O2 - BHO: (no name) - {11190E82-182E-43D5-A525-D386558A3E7F} - (no file)
    O2 - BHO: (no name) - {1923E897-93F2-458B-9FA7-91DA28F7EFAD} - (no file)
    O2 - BHO: (no name) - {272C30C0-A7CB-4934-B5B9-35F3D802F194} - (no file)
    O2 - BHO: (no name) - {31BA0700-DA83-4F0E-83C6-DE93D1105A95} - (no file)
    O2 - BHO: (no name) - {33CF7186-2125-4820-90C1-9D274513B4A8} - (no file)
    O2 - BHO: (no name) - {34777332-951D-45B1-9A56-D4FC61263073} - (no file)
    O2 - BHO: (no name) - {3C516895-ED1C-40AE-865E-33BC87A81A09} - (no file)
    O2 - BHO: (no name) - {3F5FA489-BC09-407C-99DD-935BDA523C6C} - (no file)
    O2 - BHO: (no name) - {4D43E1AF-1FC7-4821-9E8C-2F2F9BCA7439} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: (no name) - {736B2BF5-429C-4108-B9D7-0B514BEC32DE} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {80ECB9ED-A435-4025-BEFD-C5A35642994D} - (no file)
    O2 - BHO: (no name) - {82C771A6-6EA0-40C7-8B45-CAA35D33DFEC} - (no file)
    O2 - BHO: (no name) - {8ADF9F54-A602-4EB1-AE6E-6346CA16398D} - (no file)
    O2 - BHO: (no name) - {8C250808-0CC7-49C8-8FD6-0E11F06E3ECA} - (no file)
    O2 - BHO: (no name) - {8FCAFB57-6739-47E7-8858-3E50145DC48E} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {98FCD7B9-245E-41E7-A5C2-E68E0ADE836F} - (no file)
    O2 - BHO: (no name) - {9ECC4E08-2C94-4827-A7E8-5454AB2398D4} - (no file)
    O2 - BHO: (no name) - {AA36F939-29B9-4517-B0F7-2575974CA76C} - (no file)
    O2 - BHO: (no name) - {C590C435-F99E-45BB-880C-CA3D4EBA8A3E} - (no file)
    O2 - BHO: (no name) - {D3087919-B7EC-4461-96EF-D6E8E680CCDF} - (no file)
    O2 - BHO: (no name) - {FB954524-B91E-4AE2-9C8D-1B09799D1AFC} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    O4 - HKCU\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    O4 - HKCU\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    O4 - HKCU\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKCU\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKCU\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKCU\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKCU\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe
    O4 - HKCU\..\Run: [TClock Light] D:\Program Files\T-Clock\tclock.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Fraps] C:\PROGRAM FILES\FRAPS\FRAPS.EXE
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: urqQhHAT - urqQhHAT.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

    --
    End of file - 8701 bytes
     
  7. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey Ray

    It's a good thing we ran HijackThis. There were many traces left behind by the malware.

    Please run HijackThis.

    • Click on the button which says Main Menu, then Do a system scan only.
    • Please wait for the scan to be completed.
    • After the scan has completed, check the following entries.

    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O2 - BHO: (no name) - {0C306420-56E3-4844-9B2F-F718826C3071} - (no file)
    O2 - BHO: (no name) - {11190E82-182E-43D5-A525-D386558A3E7F} - (no file)
    O2 - BHO: (no name) - {1923E897-93F2-458B-9FA7-91DA28F7EFAD} - (no file)
    O2 - BHO: (no name) - {272C30C0-A7CB-4934-B5B9-35F3D802F194} - (no file)
    O2 - BHO: (no name) - {31BA0700-DA83-4F0E-83C6-DE93D1105A95} - (no file)
    O2 - BHO: (no name) - {33CF7186-2125-4820-90C1-9D274513B4A8} - (no file)
    O2 - BHO: (no name) - {34777332-951D-45B1-9A56-D4FC61263073} - (no file)
    O2 - BHO: (no name) - {3C516895-ED1C-40AE-865E-33BC87A81A09} - (no file)
    O2 - BHO: (no name) - {3F5FA489-BC09-407C-99DD-935BDA523C6C} - (no file)
    O2 - BHO: (no name) - {4D43E1AF-1FC7-4821-9E8C-2F2F9BCA7439} - (no file)
    O2 - BHO: (no name) - {736B2BF5-429C-4108-B9D7-0B514BEC32DE} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {80ECB9ED-A435-4025-BEFD-C5A35642994D} - (no file)
    O2 - BHO: (no name) - {82C771A6-6EA0-40C7-8B45-CAA35D33DFEC} - (no file)
    O2 - BHO: (no name) - {8ADF9F54-A602-4EB1-AE6E-6346CA16398D} - (no file)
    O2 - BHO: (no name) - {8C250808-0CC7-49C8-8FD6-0E11F06E3ECA} - (no file)
    O2 - BHO: (no name) - {8FCAFB57-6739-47E7-8858-3E50145DC48E} - (no file)
    O2 - BHO: (no name) - {98FCD7B9-245E-41E7-A5C2-E68E0ADE836F} - (no file)
    O2 - BHO: (no name) - {9ECC4E08-2C94-4827-A7E8-5454AB2398D4} - (no file)
    O2 - BHO: (no name) - {AA36F939-29B9-4517-B0F7-2575974CA76C} - (no file)
    O2 - BHO: (no name) - {C590C435-F99E-45BB-880C-CA3D4EBA8A3E} - (no file)
    O2 - BHO: (no name) - {D3087919-B7EC-4461-96EF-D6E8E680CCDF} - (no file)
    O2 - BHO: (no name) - {FB954524-B91E-4AE2-9C8D-1B09799D1AFC} - (no file)
    O20 - Winlogon Notify: urqQhHAT - urqQhHAT.dll (file missing)

    Click on the button Fix checked

    NOTE:: Close all browsers before fixing anything.

Also, please go to C:\Windows\system32. Find a file called mpt.exe and then upload it to www.virustotal.com. Send me the results.

    After that, reboot.

    Best Regards :D
     
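The checks cdavfrew applies by hand in the post above (hosts entries pointing away from localhost, BHO CLSIDs whose file is gone, a Winlogon Notify DLL that is missing, and the eight-letter mixed-case names of the DLLs from the first post) can be run over a HijackThis log automatically. The script below is an added illustration, not part of this thread and not a HijackThis feature. Its sample lines are copied from the log posted in this thread, plus one O4 line that is constructed (marked in the code) to show what a loading point for one of the first post's DLL names would look like. The `looks_random` rule is a heuristic assumption, not a published Vundo signature.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List

# "O4 - HKCU\..\Run: [name] command" style lines: section code, then the body.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Bare module names (without path) ending in .dll or .exe anywhere in an entry.
MODULE_TOKEN = re.compile(r"([A-Za-z0-9_]+)\.(?:dll|exe)\b", re.IGNORECASE)
# Heuristic (assumption): exactly eight ASCII letters with both upper and lower
# case, like WvUkJgWp / urqQhHAT in this thread. Legitimate names with digits,
# other lengths or a single case (winpatrol, NvCpl, HPWuSchd2) do not match.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")
LOCALHOST = {"127.0.0.1", "::1"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def looks_random(name: str) -> bool:
    """True when a module stem matches the eight-letter mixed-case heuristic."""
    return RANDOM_NAME.match(name) is not None


def triage_hjt(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a triage rule."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m["section"], m["body"]
        if section == "O1":
            # "Hosts: <ip> <hostname>": anything not mapped to localhost is a redirect.
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOCALHOST:
                findings.append(Finding(section, f"hosts redirect {parts[2]} -> {parts[1]}", line))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "BHO CLSID registered but its file is gone", line))
        elif section == "O20" and "(file missing)" in body:
            findings.append(Finding(section, "Winlogon Notify DLL missing", line))
        else:
            # Remaining entries: flag any module whose name looks machine-generated.
            for stem in MODULE_TOKEN.findall(body):
                if looks_random(stem):
                    findings.append(Finding(section, f"random-looking module name {stem}", line))
                    break
    return findings


# Sample input: lines taken from the log in this thread, plus one constructed
# O4 entry (the last O4 line) built around a DLL name from the first post.
SAMPLE_LOG = r"""
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C306420-56E3-4844-9B2F-F718826C3071} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe
O4 - HKCU\..\Run: [WvUkJgWp] rundll32.exe C:\WINDOWS\system32\WvUkJgWp.dll,a
O20 - Winlogon Notify: urqQhHAT - urqQhHAT.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Note what the heuristics do not catch: the `[mpt] c:\WINDOWS\system32\mpt.exe` entry has a short, plain name and an existing file, so none of the rules fire on it. That is exactly the kind of entry that needs a hash or file lookup, which is why the advisor asks for the VirusTotal upload rather than relying on the log alone.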
  8. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
  9. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
  10. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey Ray

    Now, please download Combofix.
    With Combofix, at the download window, please rename it to Combo-fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the Combofix window, as it may cause it to stall.

    Best Regards :D
     
  11. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
Thanks for your help.
Here is the ComboFix log; it opened directly after the PC was rebooted by ComboFix.

    ComboFix 08-09-05.02 - RaY YaN 2008-09-07 15:32:59.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575 [GMT 3:00]
    Running from: C:\Documents and Settings\RaY YaN\Desktop\Combo-Fix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\msvrc20.dll
    C:\WINDOWS\system32\AJjlkUtv.ini
    C:\WINDOWS\system32\AJjlkUtv.ini2
    C:\WINDOWS\system32\BJlTwGgh.ini
    C:\WINDOWS\system32\BJlTwGgh.ini2
    C:\WINDOWS\system32\Cache
    C:\WINDOWS\system32\ccIjPXbc.ini
    C:\WINDOWS\system32\ccIjPXbc.ini2
    C:\WINDOWS\system32\ccKRBcdd.ini
    C:\WINDOWS\system32\ccKRBcdd.ini2
    C:\WINDOWS\system32\CehRrXbc.ini
    C:\WINDOWS\system32\CehRrXbc.ini2
    C:\WINDOWS\system32\CKkkQXbc.ini
    C:\WINDOWS\system32\CKkkQXbc.ini2
    C:\WINDOWS\system32\dJRBbcdd.ini
    C:\WINDOWS\system32\dJRBbcdd.ini2
    C:\WINDOWS\system32\EMmSAcfe.ini
    C:\WINDOWS\system32\EMmSAcfe.ini2
    C:\WINDOWS\system32\FffeLnpo.ini
    C:\WINDOWS\system32\FffeLnpo.ini2
    C:\WINDOWS\system32\fgPYyyay.ini
    C:\WINDOWS\system32\fgPYyyay.ini2
    C:\WINDOWS\system32\HkRCefhk.ini
    C:\WINDOWS\system32\HkRCefhk.ini2
    C:\WINDOWS\system32\jbgndpdu.ini
    C:\WINDOWS\system32\JQXHOXbc.ini
    C:\WINDOWS\system32\JQXHOXbc.ini2
    C:\WINDOWS\system32\KTBHkUvw.ini
    C:\WINDOWS\system32\KTBHkUvw.ini2
    C:\WINDOWS\system32\lTBLknmp.ini
    C:\WINDOWS\system32\lTBLknmp.ini2
    C:\WINDOWS\system32\nmnnmUvw.ini
    C:\WINDOWS\system32\nmnnmUvw.ini2
    C:\WINDOWS\system32\NoUEOqss.ini
    C:\WINDOWS\system32\NoUEOqss.ini2
    C:\WINDOWS\system32\OVxHRXbc.ini
    C:\WINDOWS\system32\OVxHRXbc.ini2
    C:\WINDOWS\system32\popqBJjl.ini
    C:\WINDOWS\system32\popqBJjl.ini2
    C:\WINDOWS\system32\Pruwxyay.ini
    C:\WINDOWS\system32\Pruwxyay.ini2
    C:\WINDOWS\system32\pWyJkUvw.ini
    C:\WINDOWS\system32\pWyJkUvw.ini2
    C:\WINDOWS\system32\qXGhgfii.ini
    C:\WINDOWS\system32\qXGhgfii.ini2
    C:\WINDOWS\system32\RqqpYcdd.ini
    C:\WINDOWS\system32\RqqpYcdd.ini2
    C:\WINDOWS\system32\rXFLknmp.ini
    C:\WINDOWS\system32\rXFLknmp.ini2
    C:\WINDOWS\system32\tBJikkkj.ini
    C:\WINDOWS\system32\tBJikkkj.ini2
    C:\WINDOWS\system32\WDceOXyb.ini
    C:\WINDOWS\system32\WDceOXyb.ini2
    C:\WINDOWS\system32\XEdLknnn.ini
    C:\WINDOWS\system32\XEdLknnn.ini2
    C:\Documents and Settings\RaY YaN\Application Data\inst.exe . . . . failed to delete

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
    .

    2008-09-04 15:55 . 2008-09-04 15:55 <DIR> d--h----- C:\WINDOWS\PIF
    2008-09-04 15:55 . 2008-09-05 18:47 <DIR> d-------- C:\Program Files\RivaTuner v2.10
    2008-09-03 20:01 . 2008-09-03 20:01 <DIR> d-------- C:\Program Files\Lavasoft
    2008-09-03 20:01 . 2008-09-03 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Malwarebytes
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-03 17:40 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-03 17:40 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-03 17:39 . 2008-09-03 17:39 <DIR> d-------- C:\Program Files\iPod
    2008-09-03 15:56 . 2008-09-03 17:15 <DIR> d-------- C:\Documents and Settings\RaY YaN\Contacts
    2008-09-03 15:56 . 2008-09-03 15:57 1,355 --a------ C:\WINDOWS\imsins.BAK
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViStart
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViOrb
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ViStart
    2008-09-02 01:31 . 2008-09-02 01:31 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2008-09-02 01:31 . 2008-09-02 04:56 43,602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
    2008-09-02 01:30 . 2008-09-02 01:30 <DIR> d-------- C:\Program Files\Gabest
    2008-09-02 01:28 . 2008-09-02 04:56 <DIR> d-------- C:\Program Files\AutoGK
    2008-08-30 16:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
    2008-08-30 16:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
    2008-08-30 16:17 . 2008-08-30 16:17 45 --a------ C:\WINDOWS\system32\initdebug.nfo
    2008-08-29 18:06 . 2008-08-29 18:06 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\IObit
    2008-08-26 15:06 . 2008-09-03 17:14 <DIR> d-------- C:\Program Files\Windows Live
    2008-08-24 20:54 . 2008-08-24 20:54 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SystemRequirementsLab
    2008-08-24 20:53 . 2008-08-24 20:53 <DIR> d-------- C:\WINDOWS\Sun
    2008-08-24 19:05 . 2008-08-24 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-08-24 19:04 . 2008-08-24 19:04 <DIR> d-------- C:\Program Files\OpenAL
    2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1FA.tmp
    2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1F9.tmp
    2008-08-24 19:04 . 2008-08-24 19:04 444,952 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2008-08-24 19:04 . 2008-08-24 19:04 109,080 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2008-08-24 13:07 . 2008-08-24 21:50 181 --a------ C:\WINDOWS\system32\sam.ini
    2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
    2008-08-24 13:05 . 2008-08-27 10:58 <DIR> d-------- C:\Program Files\Game Elements
    2008-08-24 13:05 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
    2008-08-24 13:05 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
    2008-08-24 13:05 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
    2008-08-24 12:37 . 2008-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\DirectX
    2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
    2008-08-23 01:42 . 2008-08-23 01:43 <DIR> dr------- C:\Program Files\TypingMaster
    2008-08-23 01:42 . 2008-08-23 01:44 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\TypingMaster7
    2008-08-22 19:15 . 2008-08-23 14:14 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SPORE Creature Creator
    2008-08-22 14:07 . 2008-08-25 02:06 <DIR> d-------- C:\Program Files\bobyte
    2008-08-20 21:03 . 2008-08-20 21:03 <DIR> d-------- C:\Program Files\Comical
    2008-08-20 14:27 . 2008-08-30 12:52 97 --a------ C:\WINDOWS\WirelessFTP.INI
    2008-08-19 21:34 . 2008-08-24 01:33 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\LimeWire
    2008-08-19 15:00 . 2008-08-19 15:08 <DIR> d-------- C:\UnrealSpecial
    2008-08-19 14:58 . 1998-01-23 12:22 304,128 --a------ C:\WINDOWS\IsUninst.exe
    2008-08-16 14:23 . 2008-08-16 14:23 <DIR> d-------- C:\Program Files\X-Projects
    2008-08-16 13:45 . 2008-08-16 13:45 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Xbins
    2008-08-15 16:02 . 2008-08-15 16:02 <DIR> d-------- C:\KA
    2008-08-15 14:43 . 2008-08-15 14:43 <DIR> d-------- C:\Program Files\Disney Interactive
    2008-08-15 14:43 . 2008-08-15 14:43 462 --a------ C:\WINDOWS\Disney.ini
    2008-08-15 14:30 . 2008-08-15 14:37 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ImgBurn
    2008-08-15 14:25 . 1994-09-21 03:30 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
    2008-08-15 14:25 . 2008-08-15 16:03 170 --a------ C:\WINDOWS\KA.INI
    2008-08-15 14:24 . 1995-10-12 09:00 282,112 --a------ C:\WINDOWS\uninst.exe
    2008-08-15 14:22 . 2008-08-15 14:22 <DIR> d-------- C:\Documents and Settings\RaY YaN\WINDOWS
    2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
    2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
    2008-08-14 14:10 . 2008-09-01 19:44 26 --a------ C:\WINDOWS\popcinfo.dat
    2008-08-14 02:18 . 2008-08-14 02:18 <DIR> dr-h----- C:\Documents and Settings\RaY YaN\Application Data\SecuROM
    2008-08-14 02:18 . 2008-09-02 19:35 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Bioshock
    2008-08-14 02:18 . 2008-08-22 19:15 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2008-08-14 01:43 . 2008-08-14 01:43 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\InstallShield
    2008-08-14 00:41 . 2008-08-14 00:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-13 22:49 . 2008-08-13 22:49 <DIR> d-------- C:\Program Files\id Software
    2008-08-13 21:52 . 2001-08-23 17:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-08-13 21:51 . 2001-08-23 17:00 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-08-13 21:48 . 2001-08-23 17:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
    2008-08-13 21:42 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
    2008-08-13 21:42 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
    2008-08-13 21:42 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
    2008-08-13 21:40 . 2004-08-04 00:56 32,866 --a------ C:\WINDOWS\system32\slrundll.exe
    2008-08-13 21:40 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
    2008-08-13 21:16 . 2008-08-13 21:16 <DIR> d-------- C:\Program Files\SigmaTel
    2008-08-13 21:16 . 2006-05-26 17:58 4,886,528 --a------ C:\WINDOWS\system32\stacgui.cpl
    2008-08-13 21:16 . 2006-05-26 17:59 1,177,032 --a------ C:\WINDOWS\system32\drivers\sthda.sys
    2008-08-13 21:16 . 2006-05-09 00:21 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
    2008-08-13 21:16 . 2006-05-26 17:58 282,624 --a------ C:\WINDOWS\sttray.exe
    2008-08-13 21:16 . 2006-05-26 17:58 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
    2008-08-13 21:16 . 2006-05-26 17:58 117,248 --a------ C:\WINDOWS\system32\staco.dll
    2008-08-13 21:16 . 2006-05-26 17:58 86,016 --a------ C:\WINDOWS\system32\stacsv.exe
    2008-08-13 21:05 . 2008-08-13 21:05 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
    2008-08-13 21:03 . 2001-08-23 17:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
    2008-08-13 21:02 . 2004-08-04 03:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-08-13 21:01 . 2008-08-13 21:05 <DIR> d-------- C:\Inetpub
    2008-08-13 21:00 . 2008-08-13 21:17 4,980 --a------ C:\WINDOWS\setupapi.old
    2008-08-13 20:58 . 2008-09-04 16:33 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-08-13 00:34 . 2008-08-13 00:34 <DIR> d-------- C:\Program Files\uTorrent
    2008-08-13 00:34 . 2008-09-07 02:03 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\uTorrent
    2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\filehippo.com
    2008-08-12 23:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-08-12 23:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-08-12 23:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-08-12 15:19 . 2004-11-12 14:19 204,800 --a------ C:\WINDOWS\system32\Ffpage.dll
    2008-08-12 15:19 . 2003-12-17 15:20 69,632 --a------ C:\WINDOWS\system32\Ffdriver.dll
    2008-08-12 13:34 . 2008-08-12 13:34 <DIR> d-------- C:\Program Files\Zuma deluxe
    2008-08-12 13:31 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\Alawar
    2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\WINDOWS\Lost in the City
    2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\Lost in the City
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\The Mystery of the Crystal Portal
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Forgotten Riddles - The Moonlight Sonatas
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Deep Voyage
    2008-08-12 13:29 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Moonlight Sonatas
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Deep Voyage
    2008-08-12 12:53 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-08-12 12:53 . 1998-09-02 11:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
    2008-08-12 12:53 . 1998-08-20 14:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
    2008-08-12 12:53 . 1998-09-02 11:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
    2008-08-12 12:53 . 1998-09-02 11:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
    2008-08-12 12:53 . 1998-08-17 12:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
    2008-08-12 12:53 . 1998-08-17 12:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
    2008-08-12 12:53 . 1998-08-17 12:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
    2008-08-12 12:53 . 2008-08-12 12:53 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-10 09:56 --------- d-----w C:\Program Files\microsoft frontpage
    2008-08-06 04:42 126,976 ----a-w C:\WINDOWS\system32\cheeto.exe
    2008-07-14 19:03 58,594 ----a-w C:\WINDOWS\system32\mpt.exe
    2008-07-07 07:40 56,108 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
    2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-08-10 16384]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 69632]
    "SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 208896]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
    "egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
    "mpt"="c:\WINDOWS\system32\mpt.exe" [2008-07-14 58594]
    "TClock Light"="D:\Program Files\T-Clock\tclock.exe" [2004-09-07 44544]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "Logitech SetPoint"="C:\Program Files\Logitech\SetPoint\KEM.exe" [2004-05-14 573440]
    "Fraps"="C:\PROGRAM FILES\FRAPS\FRAPS.EXE" [2008-01-14 3182248]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
    "SigmatelSysTrayApp"="sttray.exe" [2006-05-26 C:\WINDOWS\sttray.exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
    "WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveSearch"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "D:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "D:\\Program Files\\iTunes\\iTunes.exe"=

    S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]
    S3 SetupNTGLM7X;SetupNTGLM7X;I:\NTGLM7X.sys [ ]
    S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-10 307968]
    S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
    \Shell\AutoRun\command - L:\autorun.exe
    \Shell\Demo\command - JSDemo.exe
    \Shell\help\command - kahelp.exe
    \Shell\Setup\command - L:\setup.exe
    \Shell\website\command - L:\website.exe
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-NvCplDaemon - (no file)
    ShellExecuteHooks-{38B9D19D-021A-4282-A2BD-F9E40DCBA8C9} - (no file)


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\RaY YaN\Application Data\Mozilla\Firefox\Profiles\2amwhqwo.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.live.com/
    FF -: plugin - D:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-07 15:35:52
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\stacsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-07 15:37:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-07 12:37:18

    Pre-Run: 8,651,595,776 bytes free
    Post-Run: 8,563,462,144 bytes free

    303 --- E O F --- 2008-09-07 10:00:33
     
  12. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey Ray

    Please run HijackThis.

    • Click on the button which says Main Menu, then Do a system scan only.
    • Please wait for the scan to be completed.
    • After the scan has completed, check the following entries.

    O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe

    Click on the button Fix checked

    NOTE: Close all browsers before fixing anything.


    Open Notepad and copy/paste the text in the code box below into it:

    Code:
    File::
    C:\Windows\System32\cheeto.exe
    C:\Windows\System32\mpt.exe
    C:\Windows\System32\mpxa.exe
    
    Save this as CFScript.txt in the same folder as ComboFix.

    Then drag the CFScript.txt into ComboFix.exe.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Tell me how your computer is doing.

    Best Regards :D
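Added example (mine, not the forum's and not ComboFix or HijackThis code): a small Python parser for the two log formats being read in this thread. It lifts the Run-key entries out of a ComboFix "Reg Loading Points" block, flags the ones whose target sits directly in system32 and was written within the last three months, and diffs HijackThis O4 lines from before and after a fix to confirm the entry is really gone. The sample lines are constructed from the shapes seen in this thread; the 90-day window and the system32 rule are my review heuristic, not a verdict either tool produces.

```python
"""Parse ComboFix Run-key entries and HijackThis O4 lines, flag candidates
for review, and verify that a fixed O4 entry no longer appears.
Added example; not ComboFix or HijackThis code."""
import ntpath
import re
from datetime import date

# ComboFix prints each Run value as:  "Name"="path" [YYYY-MM-DD size]
# or, when the value is a bare file name, as  "Name"="file.exe" [YYYY-MM-DD resolved\path]
KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*'
                      r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<extra>[^\]]*)\]$')
# HijackThis:  O4 - HKCU\..\Run: [name] command
O4_LINE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')


def parse_combofix_run(text):
    """Return one dict per Run value: key, name, path, date, size (None for the bare-name form)."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group('key')
            continue
        m = RUN_LINE.match(line)
        if not m or key is None:
            continue
        extra = m.group('extra').strip()
        if extra.isdigit():                      # [date size]  form
            path, size = m.group('value'), int(extra)
        else:                                    # [date resolved\path]  form
            path, size = extra, None
        entries.append({'key': key, 'name': m.group('name'), 'path': path,
                        'date': date.fromisoformat(m.group('date')), 'size': size})
    return entries


def flag_candidates(entries, log_date, recent_days=90):
    """Heuristic (mine): a Run target living directly in system32 whose file date falls
    within recent_days of the log (roughly ComboFix's own Find3M window) deserves a look.
    Output is a review list, not a malware verdict; legitimate updates can land here too."""
    flagged = []
    for e in entries:
        folder = ntpath.dirname(e['path']).lower()
        if folder.endswith('\\system32') and (log_date - e['date']).days <= recent_days:
            flagged.append(e)
    return flagged


def o4_entries(text):
    """Map (hive, name) -> command for every HijackThis O4 Run line."""
    out = {}
    for raw in text.splitlines():
        m = O4_LINE.match(raw.strip())
        if m:
            out[(m.group('hive'), m.group('name'))] = m.group('cmd')
    return out


def fixed_entries(before_log, after_log):
    """(hive, name) pairs present before the fix and absent afterwards."""
    return set(o4_entries(before_log)) - set(o4_entries(after_log))


# Constructed sample input, shaped like the logs in this thread.
COMBOFIX_SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 69632]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"mpt"="c:\WINDOWS\system32\mpt.exe" [2008-07-14 58594]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
'''
HJT_BEFORE = r'''O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe'''
HJT_AFTER = r'''O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe'''

if __name__ == '__main__':
    for e in flag_candidates(parse_combofix_run(COMBOFIX_SAMPLE), date(2008, 9, 7)):
        print('review:', e['key'], e['name'], e['path'], e['date'], e['size'])
    print('removed after fix:', fixed_entries(HJT_BEFORE, HJT_AFTER))
```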
     
  13. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
    Here is the ComboFix log:

    ComboFix 08-09-05.02 - RaY YaN 2008-09-08 14:30:16.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT 3:00]
    Running from: C:\Documents and Settings\RaY YaN\Desktop\Combo-Fix.exe
    Command switches used :: C:\Documents and Settings\RaY YaN\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Windows\System32\cheeto.exe
    C:\Windows\System32\mpt.exe
    C:\Documents and Settings\RaY YaN\Application Data\inst.exe . . . . failed to delete

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
    .

    2008-09-04 15:55 . 2008-09-04 15:55 <DIR> d--h----- C:\WINDOWS\PIF
    2008-09-04 15:55 . 2008-09-05 18:47 <DIR> d-------- C:\Program Files\RivaTuner v2.10
    2008-09-03 20:01 . 2008-09-03 20:01 <DIR> d-------- C:\Program Files\Lavasoft
    2008-09-03 20:01 . 2008-09-03 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Malwarebytes
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-03 17:40 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-03 17:40 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-03 17:39 . 2008-09-03 17:39 <DIR> d-------- C:\Program Files\iPod
    2008-09-03 15:56 . 2008-09-03 17:15 <DIR> d-------- C:\Documents and Settings\RaY YaN\Contacts
    2008-09-03 15:56 . 2008-09-03 15:57 1,355 --a------ C:\WINDOWS\imsins.BAK
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViStart
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViOrb
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ViStart
    2008-09-02 01:31 . 2008-09-02 01:31 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2008-09-02 01:31 . 2008-09-02 04:56 43,602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
    2008-09-02 01:30 . 2008-09-02 01:30 <DIR> d-------- C:\Program Files\Gabest
    2008-09-02 01:28 . 2008-09-02 04:56 <DIR> d-------- C:\Program Files\AutoGK
    2008-08-30 16:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
    2008-08-30 16:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
    2008-08-30 16:17 . 2008-08-30 16:17 45 --a------ C:\WINDOWS\system32\initdebug.nfo
    2008-08-29 18:06 . 2008-08-29 18:06 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\IObit
    2008-08-26 15:06 . 2008-09-03 17:14 <DIR> d-------- C:\Program Files\Windows Live
    2008-08-24 20:54 . 2008-08-24 20:54 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SystemRequirementsLab
    2008-08-24 20:53 . 2008-08-24 20:53 <DIR> d-------- C:\WINDOWS\Sun
    2008-08-24 19:05 . 2008-08-24 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-08-24 19:04 . 2008-08-24 19:04 <DIR> d-------- C:\Program Files\OpenAL
    2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1FA.tmp
    2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1F9.tmp
    2008-08-24 19:04 . 2008-08-24 19:04 444,952 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2008-08-24 19:04 . 2008-08-24 19:04 109,080 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2008-08-24 13:07 . 2008-08-24 21:50 181 --a------ C:\WINDOWS\system32\sam.ini
    2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
    2008-08-24 13:05 . 2008-08-27 10:58 <DIR> d-------- C:\Program Files\Game Elements
    2008-08-24 13:05 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
    2008-08-24 13:05 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
    2008-08-24 13:05 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
    2008-08-24 12:37 . 2008-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\DirectX
    2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
    2008-08-23 01:42 . 2008-08-23 01:43 <DIR> dr------- C:\Program Files\TypingMaster
    2008-08-23 01:42 . 2008-08-23 01:44 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\TypingMaster7
    2008-08-22 19:15 . 2008-08-23 14:14 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SPORE Creature Creator
    2008-08-22 14:07 . 2008-08-25 02:06 <DIR> d-------- C:\Program Files\bobyte
    2008-08-20 21:03 . 2008-08-20 21:03 <DIR> d-------- C:\Program Files\Comical
    2008-08-20 14:27 . 2008-08-30 12:52 97 --a------ C:\WINDOWS\WirelessFTP.INI
    2008-08-19 21:34 . 2008-08-24 01:33 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\LimeWire
    2008-08-19 15:00 . 2008-08-19 15:08 <DIR> d-------- C:\UnrealSpecial
    2008-08-19 14:58 . 1998-01-23 12:22 304,128 --a------ C:\WINDOWS\IsUninst.exe
    2008-08-16 14:23 . 2008-08-16 14:23 <DIR> d-------- C:\Program Files\X-Projects
    2008-08-16 13:45 . 2008-08-16 13:45 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Xbins
    2008-08-15 16:02 . 2008-08-15 16:02 <DIR> d-------- C:\KA
    2008-08-15 14:43 . 2008-08-15 14:43 <DIR> d-------- C:\Program Files\Disney Interactive
    2008-08-15 14:43 . 2008-08-15 14:43 462 --a------ C:\WINDOWS\Disney.ini
    2008-08-15 14:30 . 2008-08-15 14:37 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ImgBurn
    2008-08-15 14:25 . 1994-09-21 03:30 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
    2008-08-15 14:25 . 2008-08-15 16:03 170 --a------ C:\WINDOWS\KA.INI
    2008-08-15 14:24 . 1995-10-12 09:00 282,112 --a------ C:\WINDOWS\uninst.exe
    2008-08-15 14:22 . 2008-08-15 14:22 <DIR> d-------- C:\Documents and Settings\RaY YaN\WINDOWS
    2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
    2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
    2008-08-14 14:10 . 2008-09-01 19:44 26 --a------ C:\WINDOWS\popcinfo.dat
    2008-08-14 02:18 . 2008-08-14 02:18 <DIR> dr-h----- C:\Documents and Settings\RaY YaN\Application Data\SecuROM
    2008-08-14 02:18 . 2008-09-02 19:35 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Bioshock
    2008-08-14 02:18 . 2008-08-22 19:15 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2008-08-14 01:43 . 2008-08-14 01:43 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\InstallShield
    2008-08-14 00:41 . 2008-08-14 00:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-13 22:49 . 2008-08-13 22:49 <DIR> d-------- C:\Program Files\id Software
    2008-08-13 21:52 . 2001-08-23 17:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-08-13 21:51 . 2001-08-23 17:00 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-08-13 21:48 . 2001-08-23 17:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
    2008-08-13 21:42 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
    2008-08-13 21:42 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
    2008-08-13 21:42 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
    2008-08-13 21:40 . 2004-08-04 00:56 32,866 --a------ C:\WINDOWS\system32\slrundll.exe
    2008-08-13 21:40 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
    2008-08-13 21:16 . 2008-08-13 21:16 <DIR> d-------- C:\Program Files\SigmaTel
    2008-08-13 21:16 . 2006-05-26 17:58 4,886,528 --a------ C:\WINDOWS\system32\stacgui.cpl
    2008-08-13 21:16 . 2006-05-26 17:59 1,177,032 --a------ C:\WINDOWS\system32\drivers\sthda.sys
    2008-08-13 21:16 . 2006-05-09 00:21 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
    2008-08-13 21:16 . 2006-05-26 17:58 282,624 --a------ C:\WINDOWS\sttray.exe
    2008-08-13 21:16 . 2006-05-26 17:58 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
    2008-08-13 21:16 . 2006-05-26 17:58 117,248 --a------ C:\WINDOWS\system32\staco.dll
    2008-08-13 21:16 . 2006-05-26 17:58 86,016 --a------ C:\WINDOWS\system32\stacsv.exe
    2008-08-13 21:05 . 2008-08-13 21:05 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
    2008-08-13 21:03 . 2001-08-23 17:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
    2008-08-13 21:02 . 2004-08-04 03:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-08-13 21:01 . 2008-08-13 21:05 <DIR> d-------- C:\Inetpub
    2008-08-13 21:00 . 2008-08-13 21:17 4,980 --a------ C:\WINDOWS\setupapi.old
    2008-08-13 20:58 . 2008-09-04 16:33 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-08-13 00:34 . 2008-08-13 00:34 <DIR> d-------- C:\Program Files\uTorrent
    2008-08-13 00:34 . 2008-09-07 02:03 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\uTorrent
    2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\filehippo.com
    2008-08-12 23:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-08-12 23:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-08-12 23:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-08-12 15:19 . 2004-11-12 14:19 204,800 --a------ C:\WINDOWS\system32\Ffpage.dll
    2008-08-12 15:19 . 2003-12-17 15:20 69,632 --a------ C:\WINDOWS\system32\Ffdriver.dll
    2008-08-12 13:34 . 2008-08-12 13:34 <DIR> d-------- C:\Program Files\Zuma deluxe
    2008-08-12 13:31 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\Alawar
    2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\WINDOWS\Lost in the City
    2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\Lost in the City
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\The Mystery of the Crystal Portal
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Forgotten Riddles - The Moonlight Sonatas
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Deep Voyage
    2008-08-12 13:29 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Moonlight Sonatas
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Deep Voyage
    2008-08-12 12:53 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-08-12 12:53 . 1998-09-02 11:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
    2008-08-12 12:53 . 1998-08-20 14:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
    2008-08-12 12:53 . 1998-09-02 11:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
    2008-08-12 12:53 . 1998-09-02 11:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
    2008-08-12 12:53 . 1998-08-17 12:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
    2008-08-12 12:53 . 1998-08-17 12:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
    2008-08-12 12:53 . 1998-08-17 12:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
    2008-08-12 12:53 . 2008-08-12 12:53 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-10 09:56 --------- d-----w C:\Program Files\microsoft frontpage
    2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-09-07_15.37.02.89 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-07 12:35:34 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    + 2008-09-08 11:32:17 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-08-10 16384]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 69632]
    "SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 208896]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
    "egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
    "TClock Light"="D:\Program Files\T-Clock\tclock.exe" [2004-09-07 44544]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "Logitech SetPoint"="C:\Program Files\Logitech\SetPoint\KEM.exe" [2004-05-14 573440]
    "Fraps"="C:\PROGRAM FILES\FRAPS\FRAPS.EXE" [2008-01-14 3182248]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
    "SigmatelSysTrayApp"="sttray.exe" [2006-05-26 C:\WINDOWS\sttray.exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
    "WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveSearch"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "D:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "D:\\Program Files\\iTunes\\iTunes.exe"=

    S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]
    S3 SetupNTGLM7X;SetupNTGLM7X;I:\NTGLM7X.sys [ ]
    S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-10 307968]
    S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
    \Shell\AutoRun\command - L:\autorun.exe
    \Shell\Demo\command - JSDemo.exe
    \Shell\help\command - kahelp.exe
    \Shell\Setup\command - L:\setup.exe
    \Shell\website\command - L:\website.exe
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-08 14:32:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\stacsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-08 14:34:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-08 11:34:02
    ComboFix2.txt 2008-09-07 12:37:22

    Pre-Run: 8,470,482,944 bytes free
    Post-Run: 8,457,781,248 bytes free

    243 --- E O F --- 2008-09-08 10:53:53

    This is the HijackThis log after running ComboFix:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:35:07 PM, on 9/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\STacSV.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\sttray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\PROGRAM FILES\FRAPS\FRAPS.EXE
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\RaY YaN\Desktop\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    O4 - HKCU\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    O4 - HKCU\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    O4 - HKCU\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKCU\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKCU\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKCU\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKCU\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [TClock Light] D:\Program Files\T-Clock\tclock.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Logitech SetPoint] C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - HKCU\..\Run: [Fraps] C:\PROGRAM FILES\FRAPS\FRAPS.EXE
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

    --
    End of file - 6964 bytes


    Thanks for your help, the PC is running fine.
     
  14. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
    Here is the ComboFix log:

    ComboFix 08-09-05.02 - RaY YaN 2008-09-08 14:30:16.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT 3:00]
    Running from: C:\Documents and Settings\RaY YaN\Desktop\Combo-Fix.exe
    Command switches used :: C:\Documents and Settings\RaY YaN\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Windows\System32\cheeto.exe
    C:\Windows\System32\mpt.exe
    C:\Documents and Settings\RaY YaN\Application Data\inst.exe . . . . failed to delete

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
    .

    2008-09-04 15:55 . 2008-09-04 15:55 <DIR> d--h----- C:\WINDOWS\PIF
    2008-09-04 15:55 . 2008-09-05 18:47 <DIR> d-------- C:\Program Files\RivaTuner v2.10
    2008-09-03 20:01 . 2008-09-03 20:01 <DIR> d-------- C:\Program Files\Lavasoft
    2008-09-03 20:01 . 2008-09-03 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Malwarebytes
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-03 17:40 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-03 17:40 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-03 17:39 . 2008-09-03 17:39 <DIR> d-------- C:\Program Files\iPod
    2008-09-03 15:56 . 2008-09-03 17:15 <DIR> d-------- C:\Documents and Settings\RaY YaN\Contacts
    2008-09-03 15:56 . 2008-09-03 15:57 1,355 --a------ C:\WINDOWS\imsins.BAK
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViStart
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViOrb
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ViStart
    2008-09-02 01:31 . 2008-09-02 01:31 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2008-09-02 01:31 . 2008-09-02 04:56 43,602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
    2008-09-02 01:30 . 2008-09-02 01:30 <DIR> d-------- C:\Program Files\Gabest
    2008-09-02 01:28 . 2008-09-02 04:56 <DIR> d-------- C:\Program Files\AutoGK
    2008-08-30 16:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
    2008-08-30 16:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
    2008-08-30 16:17 . 2008-08-30 16:17 45 --a------ C:\WINDOWS\system32\initdebug.nfo
    2008-08-29 18:06 . 2008-08-29 18:06 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\IObit
    2008-08-26 15:06 . 2008-09-03 17:14 <DIR> d-------- C:\Program Files\Windows Live
    2008-08-24 20:54 . 2008-08-24 20:54 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SystemRequirementsLab
    2008-08-24 20:53 . 2008-08-24 20:53 <DIR> d-------- C:\WINDOWS\Sun
    2008-08-24 19:05 . 2008-08-24 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-08-24 19:04 . 2008-08-24 19:04 <DIR> d-------- C:\Program Files\OpenAL
    2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1FA.tmp
    2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1F9.tmp
    2008-08-24 19:04 . 2008-08-24 19:04 444,952 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2008-08-24 19:04 . 2008-08-24 19:04 109,080 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2008-08-24 13:07 . 2008-08-24 21:50 181 --a------ C:\WINDOWS\system32\sam.ini
    2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
    2008-08-24 13:05 . 2008-08-27 10:58 <DIR> d-------- C:\Program Files\Game Elements
    2008-08-24 13:05 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
    2008-08-24 13:05 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
    2008-08-24 13:05 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
    2008-08-24 12:37 . 2008-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\DirectX
    2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
    2008-08-23 01:42 . 2008-08-23 01:43 <DIR> dr------- C:\Program Files\TypingMaster
    2008-08-23 01:42 . 2008-08-23 01:44 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\TypingMaster7
    2008-08-22 19:15 . 2008-08-23 14:14 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SPORE Creature Creator
    2008-08-22 14:07 . 2008-08-25 02:06 <DIR> d-------- C:\Program Files\bobyte
    2008-08-20 21:03 . 2008-08-20 21:03 <DIR> d-------- C:\Program Files\Comical
    2008-08-20 14:27 . 2008-08-30 12:52 97 --a------ C:\WINDOWS\WirelessFTP.INI
    2008-08-19 21:34 . 2008-08-24 01:33 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\LimeWire
    2008-08-19 15:00 . 2008-08-19 15:08 <DIR> d-------- C:\UnrealSpecial
    2008-08-19 14:58 . 1998-01-23 12:22 304,128 --a------ C:\WINDOWS\IsUninst.exe
    2008-08-16 14:23 . 2008-08-16 14:23 <DIR> d-------- C:\Program Files\X-Projects
    2008-08-16 13:45 . 2008-08-16 13:45 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Xbins
    2008-08-15 16:02 . 2008-08-15 16:02 <DIR> d-------- C:\KA
    2008-08-15 14:43 . 2008-08-15 14:43 <DIR> d-------- C:\Program Files\Disney Interactive
    2008-08-15 14:43 . 2008-08-15 14:43 462 --a------ C:\WINDOWS\Disney.ini
    2008-08-15 14:30 . 2008-08-15 14:37 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ImgBurn
    2008-08-15 14:25 . 1994-09-21 03:30 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
    2008-08-15 14:25 . 2008-08-15 16:03 170 --a------ C:\WINDOWS\KA.INI
    2008-08-15 14:24 . 1995-10-12 09:00 282,112 --a------ C:\WINDOWS\uninst.exe
    2008-08-15 14:22 . 2008-08-15 14:22 <DIR> d-------- C:\Documents and Settings\RaY YaN\WINDOWS
    2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
    2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
    2008-08-14 14:10 . 2008-09-01 19:44 26 --a------ C:\WINDOWS\popcinfo.dat
    2008-08-14 02:18 . 2008-08-14 02:18 <DIR> dr-h----- C:\Documents and Settings\RaY YaN\Application Data\SecuROM
    2008-08-14 02:18 . 2008-09-02 19:35 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Bioshock
    2008-08-14 02:18 . 2008-08-22 19:15 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2008-08-14 01:43 . 2008-08-14 01:43 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\InstallShield
    2008-08-14 00:41 . 2008-08-14 00:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-13 22:49 . 2008-08-13 22:49 <DIR> d-------- C:\Program Files\id Software
    2008-08-13 21:52 . 2001-08-23 17:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-08-13 21:51 . 2001-08-23 17:00 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-08-13 21:48 . 2001-08-23 17:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
    2008-08-13 21:42 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
    2008-08-13 21:42 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
    2008-08-13 21:42 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
    2008-08-13 21:40 . 2004-08-04 00:56 32,866 --a------ C:\WINDOWS\system32\slrundll.exe
    2008-08-13 21:40 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
    2008-08-13 21:16 . 2008-08-13 21:16 <DIR> d-------- C:\Program Files\SigmaTel
    2008-08-13 21:16 . 2006-05-26 17:58 4,886,528 --a------ C:\WINDOWS\system32\stacgui.cpl
    2008-08-13 21:16 . 2006-05-26 17:59 1,177,032 --a------ C:\WINDOWS\system32\drivers\sthda.sys
    2008-08-13 21:16 . 2006-05-09 00:21 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
    2008-08-13 21:16 . 2006-05-26 17:58 282,624 --a------ C:\WINDOWS\sttray.exe
    2008-08-13 21:16 . 2006-05-26 17:58 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
    2008-08-13 21:16 . 2006-05-26 17:58 117,248 --a------ C:\WINDOWS\system32\staco.dll
    2008-08-13 21:16 . 2006-05-26 17:58 86,016 --a------ C:\WINDOWS\system32\stacsv.exe
    2008-08-13 21:05 . 2008-08-13 21:05 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
    2008-08-13 21:03 . 2001-08-23 17:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
    2008-08-13 21:02 . 2004-08-04 03:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-08-13 21:01 . 2008-08-13 21:05 <DIR> d-------- C:\Inetpub
    2008-08-13 21:00 . 2008-08-13 21:17 4,980 --a------ C:\WINDOWS\setupapi.old
    2008-08-13 20:58 . 2008-09-04 16:33 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-08-13 00:34 . 2008-08-13 00:34 <DIR> d-------- C:\Program Files\uTorrent
    2008-08-13 00:34 . 2008-09-07 02:03 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\uTorrent
    2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\filehippo.com
    2008-08-12 23:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-08-12 23:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-08-12 23:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-08-12 15:19 . 2004-11-12 14:19 204,800 --a------ C:\WINDOWS\system32\Ffpage.dll
    2008-08-12 15:19 . 2003-12-17 15:20 69,632 --a------ C:\WINDOWS\system32\Ffdriver.dll
    2008-08-12 13:34 . 2008-08-12 13:34 <DIR> d-------- C:\Program Files\Zuma deluxe
    2008-08-12 13:31 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\Alawar
    2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\WINDOWS\Lost in the City
    2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\Lost in the City
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\The Mystery of the Crystal Portal
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Forgotten Riddles - The Moonlight Sonatas
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Deep Voyage
    2008-08-12 13:29 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Moonlight Sonatas
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Deep Voyage
    2008-08-12 12:53 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-08-12 12:53 . 1998-09-02 11:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
    2008-08-12 12:53 . 1998-08-20 14:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
    2008-08-12 12:53 . 1998-09-02 11:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
    2008-08-12 12:53 . 1998-09-02 11:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
    2008-08-12 12:53 . 1998-08-17 12:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
    2008-08-12 12:53 . 1998-08-17 12:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
    2008-08-12 12:53 . 1998-08-17 12:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
    2008-08-12 12:53 . 2008-08-12 12:53 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-10 09:56 --------- d-----w C:\Program Files\microsoft frontpage
    2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-09-07_15.37.02.89 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-07 12:35:34 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    + 2008-09-08 11:32:17 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-08-10 16384]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 69632]
    "SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 208896]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
    "egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
    "TClock Light"="D:\Program Files\T-Clock\tclock.exe" [2004-09-07 44544]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "Logitech SetPoint"="C:\Program Files\Logitech\SetPoint\KEM.exe" [2004-05-14 573440]
    "Fraps"="C:\PROGRAM FILES\FRAPS\FRAPS.EXE" [2008-01-14 3182248]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
    "SigmatelSysTrayApp"="sttray.exe" [2006-05-26 C:\WINDOWS\sttray.exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
    "WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveSearch"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "D:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "D:\\Program Files\\iTunes\\iTunes.exe"=

    S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]
    S3 SetupNTGLM7X;SetupNTGLM7X;I:\NTGLM7X.sys [ ]
    S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-10 307968]
    S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
    \Shell\AutoRun\command - L:\autorun.exe
    \Shell\Demo\command - JSDemo.exe
    \Shell\help\command - kahelp.exe
    \Shell\Setup\command - L:\setup.exe
    \Shell\website\command - L:\website.exe
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-08 14:32:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\stacsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-08 14:34:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-08 11:34:02
    ComboFix2.txt 2008-09-07 12:37:22

    Pre-Run: 8,470,482,944 bytes free
    Post-Run: 8,457,781,248 bytes free

    243 --- E O F --- 2008-09-08 10:53:53

    This is the HijackThis log after running ComboFix:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:35:07 PM, on 9/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\STacSV.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\sttray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\PROGRAM FILES\FRAPS\FRAPS.EXE
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\RaY YaN\Desktop\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    O4 - HKCU\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    O4 - HKCU\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    O4 - HKCU\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKCU\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKCU\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKCU\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKCU\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [TClock Light] D:\Program Files\T-Clock\tclock.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Logitech SetPoint] C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - HKCU\..\Run: [Fraps] C:\PROGRAM FILES\FRAPS\FRAPS.EXE
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

    --
    End of file - 6964 bytes


    Thanks for your help, the PC is running fine.
     
  15. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
    I recently got a new laptop, and installed similar programs on it.
    I became worried that it may have been infected, and after scanning with Malwarebytes Anti-Malware, it was confirmed that I had been infected by Vundo.

    Is it okay if I post a HijackThis log for my laptop here as well?
     
    Last edited: Sep 8, 2008
  16. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
    Here is the ComboFix log:

    ComboFix 08-09-05.02 - RaY YaN 2008-09-08 14:30:16.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT 3:00]
    Running from: C:\Documents and Settings\RaY YaN\Desktop\Combo-Fix.exe
    Command switches used :: C:\Documents and Settings\RaY YaN\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Windows\System32\cheeto.exe
    C:\Windows\System32\mpt.exe
    C:\Documents and Settings\RaY YaN\Application Data\inst.exe . . . . failed to delete

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
    .

    2008-09-04 15:55 . 2008-09-04 15:55 <DIR> d--h----- C:\WINDOWS\PIF
    2008-09-04 15:55 . 2008-09-05 18:47 <DIR> d-------- C:\Program Files\RivaTuner v2.10
    2008-09-03 20:01 . 2008-09-03 20:01 <DIR> d-------- C:\Program Files\Lavasoft
    2008-09-03 20:01 . 2008-09-03 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Malwarebytes
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-03 17:40 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-03 17:40 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-03 17:39 . 2008-09-03 17:39 <DIR> d-------- C:\Program Files\iPod
    2008-09-03 15:56 . 2008-09-03 17:15 <DIR> d-------- C:\Documents and Settings\RaY YaN\Contacts
    2008-09-03 15:56 . 2008-09-03 15:57 1,355 --a------ C:\WINDOWS\imsins.BAK
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViStart
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViOrb
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ViStart
    2008-09-02 01:31 . 2008-09-02 01:31 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2008-09-02 01:31 . 2008-09-02 04:56 43,602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
    2008-09-02 01:30 . 2008-09-02 01:30 <DIR> d-------- C:\Program Files\Gabest
    2008-09-02 01:28 . 2008-09-02 04:56 <DIR> d-------- C:\Program Files\AutoGK
    2008-08-30 16:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
    2008-08-30 16:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
    2008-08-30 16:17 . 2008-08-30 16:17 45 --a------ C:\WINDOWS\system32\initdebug.nfo
    2008-08-29 18:06 . 2008-08-29 18:06 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\IObit
    2008-08-26 15:06 . 2008-09-03 17:14 <DIR> d-------- C:\Program Files\Windows Live
    2008-08-24 20:54 . 2008-08-24 20:54 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SystemRequirementsLab
    2008-08-24 20:53 . 2008-08-24 20:53 <DIR> d-------- C:\WINDOWS\Sun
    2008-08-24 19:05 . 2008-08-24 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-08-24 19:04 . 2008-08-24 19:04 <DIR> d-------- C:\Program Files\OpenAL
    2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1FA.tmp
    2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1F9.tmp
    2008-08-24 19:04 . 2008-08-24 19:04 444,952 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2008-08-24 19:04 . 2008-08-24 19:04 109,080 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2008-08-24 13:07 . 2008-08-24 21:50 181 --a------ C:\WINDOWS\system32\sam.ini
    2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
    2008-08-24 13:05 . 2008-08-27 10:58 <DIR> d-------- C:\Program Files\Game Elements
    2008-08-24 13:05 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
    2008-08-24 13:05 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
    2008-08-24 13:05 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
    2008-08-24 12:37 . 2008-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\DirectX
    2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
    2008-08-23 01:42 . 2008-08-23 01:43 <DIR> dr------- C:\Program Files\TypingMaster
    2008-08-23 01:42 . 2008-08-23 01:44 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\TypingMaster7
    2008-08-22 19:15 . 2008-08-23 14:14 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SPORE Creature Creator
    2008-08-22 14:07 . 2008-08-25 02:06 <DIR> d-------- C:\Program Files\bobyte
    2008-08-20 21:03 . 2008-08-20 21:03 <DIR> d-------- C:\Program Files\Comical
    2008-08-20 14:27 . 2008-08-30 12:52 97 --a------ C:\WINDOWS\WirelessFTP.INI
    2008-08-19 21:34 . 2008-08-24 01:33 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\LimeWire
    2008-08-19 15:00 . 2008-08-19 15:08 <DIR> d-------- C:\UnrealSpecial
    2008-08-19 14:58 . 1998-01-23 12:22 304,128 --a------ C:\WINDOWS\IsUninst.exe
    2008-08-16 14:23 . 2008-08-16 14:23 <DIR> d-------- C:\Program Files\X-Projects
    2008-08-16 13:45 . 2008-08-16 13:45 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Xbins
    2008-08-15 16:02 . 2008-08-15 16:02 <DIR> d-------- C:\KA
    2008-08-15 14:43 . 2008-08-15 14:43 <DIR> d-------- C:\Program Files\Disney Interactive
    2008-08-15 14:43 . 2008-08-15 14:43 462 --a------ C:\WINDOWS\Disney.ini
    2008-08-15 14:30 . 2008-08-15 14:37 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ImgBurn
    2008-08-15 14:25 . 1994-09-21 03:30 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
    2008-08-15 14:25 . 2008-08-15 16:03 170 --a------ C:\WINDOWS\KA.INI
    2008-08-15 14:24 . 1995-10-12 09:00 282,112 --a------ C:\WINDOWS\uninst.exe
    2008-08-15 14:22 . 2008-08-15 14:22 <DIR> d-------- C:\Documents and Settings\RaY YaN\WINDOWS
    2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
    2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
    2008-08-14 14:10 . 2008-09-01 19:44 26 --a------ C:\WINDOWS\popcinfo.dat
    2008-08-14 02:18 . 2008-08-14 02:18 <DIR> dr-h----- C:\Documents and Settings\RaY YaN\Application Data\SecuROM
    2008-08-14 02:18 . 2008-09-02 19:35 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Bioshock
    2008-08-14 02:18 . 2008-08-22 19:15 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2008-08-14 01:43 . 2008-08-14 01:43 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\InstallShield
    2008-08-14 00:41 . 2008-08-14 00:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-13 22:49 . 2008-08-13 22:49 <DIR> d-------- C:\Program Files\id Software
    2008-08-13 21:52 . 2001-08-23 17:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-08-13 21:51 . 2001-08-23 17:00 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-08-13 21:48 . 2001-08-23 17:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
    2008-08-13 21:42 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
    2008-08-13 21:42 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
    2008-08-13 21:42 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
    2008-08-13 21:40 . 2004-08-04 00:56 32,866 --a------ C:\WINDOWS\system32\slrundll.exe
    2008-08-13 21:40 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
    2008-08-13 21:16 . 2008-08-13 21:16 <DIR> d-------- C:\Program Files\SigmaTel
    2008-08-13 21:16 . 2006-05-26 17:58 4,886,528 --a------ C:\WINDOWS\system32\stacgui.cpl
    2008-08-13 21:16 . 2006-05-26 17:59 1,177,032 --a------ C:\WINDOWS\system32\drivers\sthda.sys
    2008-08-13 21:16 . 2006-05-09 00:21 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
    2008-08-13 21:16 . 2006-05-26 17:58 282,624 --a------ C:\WINDOWS\sttray.exe
    2008-08-13 21:16 . 2006-05-26 17:58 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
    2008-08-13 21:16 . 2006-05-26 17:58 117,248 --a------ C:\WINDOWS\system32\staco.dll
    2008-08-13 21:16 . 2006-05-26 17:58 86,016 --a------ C:\WINDOWS\system32\stacsv.exe
    2008-08-13 21:05 . 2008-08-13 21:05 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
    2008-08-13 21:03 . 2001-08-23 17:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
    2008-08-13 21:02 . 2004-08-04 03:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-08-13 21:01 . 2008-08-13 21:05 <DIR> d-------- C:\Inetpub
    2008-08-13 21:00 . 2008-08-13 21:17 4,980 --a------ C:\WINDOWS\setupapi.old
    2008-08-13 20:58 . 2008-09-04 16:33 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-08-13 00:34 . 2008-08-13 00:34 <DIR> d-------- C:\Program Files\uTorrent
    2008-08-13 00:34 . 2008-09-07 02:03 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\uTorrent
    2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\filehippo.com
    2008-08-12 23:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-08-12 23:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-08-12 23:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-08-12 15:19 . 2004-11-12 14:19 204,800 --a------ C:\WINDOWS\system32\Ffpage.dll
    2008-08-12 15:19 . 2003-12-17 15:20 69,632 --a------ C:\WINDOWS\system32\Ffdriver.dll
    2008-08-12 13:34 . 2008-08-12 13:34 <DIR> d-------- C:\Program Files\Zuma deluxe
    2008-08-12 13:31 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\Alawar
    2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\WINDOWS\Lost in the City
    2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\Lost in the City
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\The Mystery of the Crystal Portal
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Forgotten Riddles - The Moonlight Sonatas
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Deep Voyage
    2008-08-12 13:29 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Moonlight Sonatas
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Deep Voyage
    2008-08-12 12:53 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-08-12 12:53 . 1998-09-02 11:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
    2008-08-12 12:53 . 1998-08-20 14:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
    2008-08-12 12:53 . 1998-09-02 11:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
    2008-08-12 12:53 . 1998-09-02 11:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
    2008-08-12 12:53 . 1998-08-17 12:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
    2008-08-12 12:53 . 1998-08-17 12:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
    2008-08-12 12:53 . 1998-08-17 12:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
    2008-08-12 12:53 . 2008-08-12 12:53 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-10 09:56 --------- d-----w C:\Program Files\microsoft frontpage
    2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-09-07_15.37.02.89 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-07 12:35:34 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    + 2008-09-08 11:32:17 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-08-10 16384]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 69632]
    "SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 208896]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
    "egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
    "TClock Light"="D:\Program Files\T-Clock\tclock.exe" [2004-09-07 44544]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "Logitech SetPoint"="C:\Program Files\Logitech\SetPoint\KEM.exe" [2004-05-14 573440]
    "Fraps"="C:\PROGRAM FILES\FRAPS\FRAPS.EXE" [2008-01-14 3182248]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
    "SigmatelSysTrayApp"="sttray.exe" [2006-05-26 C:\WINDOWS\sttray.exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
    "WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveSearch"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "D:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "D:\\Program Files\\iTunes\\iTunes.exe"=

    S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]
    S3 SetupNTGLM7X;SetupNTGLM7X;I:\NTGLM7X.sys [ ]
    S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-10 307968]
    S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
    \Shell\AutoRun\command - L:\autorun.exe
    \Shell\Demo\command - JSDemo.exe
    \Shell\help\command - kahelp.exe
    \Shell\Setup\command - L:\setup.exe
    \Shell\website\command - L:\website.exe
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-08 14:32:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\stacsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-08 14:34:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-08 11:34:02
    ComboFix2.txt 2008-09-07 12:37:22

    Pre-Run: 8,470,482,944 bytes free
    Post-Run: 8,457,781,248 bytes free

    243 --- E O F --- 2008-09-08 10:53:53

    This is the HijackThis log after running ComboFix:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:35:07 PM, on 9/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\STacSV.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\sttray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\PROGRAM FILES\FRAPS\FRAPS.EXE
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\RaY YaN\Desktop\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    O4 - HKCU\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    O4 - HKCU\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    O4 - HKCU\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKCU\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKCU\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKCU\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKCU\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [TClock Light] D:\Program Files\T-Clock\tclock.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Logitech SetPoint] C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - HKCU\..\Run: [Fraps] C:\PROGRAM FILES\FRAPS\FRAPS.EXE
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

    --
    End of file - 6964 bytes


    Thanks for your help, the PC is running fine.
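    A check worth keeping after a cleanup like the one in this thread: diff the autostart entries of a fresh HijackThis log against the log that was declared clean, and look hard at anything new whose file name has the shape of the random eight-letter DLLs that kept coming back. The Python script below is an added example, not part of the thread and not code from HijackThis or ComboFix. The baseline lines are abridged from the O2/O4 entries of the log posted above; the two extra entries in the "later" log (qrTYkwPv.dll, mnkLdXwq.dll and the all-zero CLSID) are constructed hypotheticals in the style of the problem names, not files from this machine.

```python
"""Diff HijackThis autostart entries (O2 BHOs, O4 Run keys) against a
known-clean baseline and flag additions that look like randomly named loaders.

Heuristics only: a hit is a prompt to inspect the file, not a verdict."""
import re
from typing import Dict, List

# Constructed sample data: the baseline is abridged from the clean log in this
# thread; LATER_LOG appends two hypothetical entries for demonstration.
BASELINE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"""

LATER_LOG = BASELINE_LOG + r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\qrTYkwPv.dll
O4 - HKLM\..\Run: [mnkLdXwq] rundll32.exe mnkLdXwq.dll,s
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# First token ending in a loadable extension; stops at a quote, space or comma.
# (A directory whose name itself ends in ".exe" would cut too early.)
IMAGE_RE = re.compile(r'^"?(?P<img>.+?\.(?:exe|dll|cpl|scr))(?=["\s,]|$)', re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}$")


def image_from_command(cmd: str) -> str:
    """Return the file an O4 command actually loads.  rundll32 is only a host:
    the interesting file is the DLL it is told to load, not rundll32 itself."""
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    if not m:
        return cmd
    img = m.group("img")
    rest = cmd[m.end():].lstrip('"').strip()
    if img.rsplit("\\", 1)[-1].lower() == "rundll32.exe" and rest:
        m2 = IMAGE_RE.match(rest)
        return m2.group("img") if m2 else rest.split(",", 1)[0]
    return img


def looks_random(path: str) -> bool:
    """Eight letters, mixed case, at most two vowels: the shape of the loader
    names in this thread.  Expect some false positives on vendor DLLs."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not RANDOM_STEM_RE.match(stem):
        return False
    mixed = stem != stem.lower() and stem != stem.upper()
    vowels = sum(ch in "aeiouAEIOU" for ch in stem)
    return mixed and vowels <= 2


def is_unqualified(path: str) -> bool:
    """Bare file name: resolved through the search path, so a copy planted
    earlier on that path wins.  Legitimate entries (nwiz.exe) do this too."""
    return "\\" not in path and "/" not in path


def parse_autostarts(log_text: str) -> Dict[str, str]:
    """Map a stable key (section, hive or CLSID, value name) to the loaded image."""
    entries: Dict[str, str] = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries[f"O4|{m['hive']}|{m['name']}"] = image_from_command(m["cmd"])
            continue
        m = O2_RE.match(line)
        if m:
            entries[f"O2|{m['clsid']}"] = m["path"].strip()
    return entries


def audit(baseline_text: str, current_text: str) -> List[Dict[str, str]]:
    """Report entries that are new or point at a different image than the
    baseline, with the heuristic reasons that apply to each."""
    base = parse_autostarts(baseline_text)
    cur = parse_autostarts(current_text)
    findings = []
    for key, image in cur.items():
        if base.get(key) == image:
            continue
        reasons = ["new entry" if key not in base else "image changed"]
        if looks_random(image):
            reasons.append("random-looking 8-letter name")
        if is_unqualified(image):
            reasons.append("unqualified path (search-path load)")
        findings.append({"entry": key, "image": image, "reasons": ", ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE_LOG, LATER_LOG):
        print(f"{f['entry']:50} {f['image']:40} {f['reasons']}")
```

    Running it prints the two constructed additions and nothing from the baseline: NvMcTray.dll would trip the name heuristic on its own, which is exactly why the heuristic is only applied to entries that differ from a log already judged clean. In practice the baseline would be saved right after a helper signs off, and the diff re-run the next time explorer.exe misbehaves.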
     
  17. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey Ray92

    You look clean. Enjoy!

    Best Regards :D
     
  18. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
    Here is the ComboFix log:

    ComboFix 08-09-05.02 - RaY YaN 2008-09-08 14:30:16.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT 3:00]
    Running from: C:\Documents and Settings\RaY YaN\Desktop\Combo-Fix.exe
    Command switches used :: C:\Documents and Settings\RaY YaN\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Windows\System32\cheeto.exe
    C:\Windows\System32\mpt.exe
    C:\Documents and Settings\RaY YaN\Application Data\inst.exe . . . . failed to delete

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
    .

    2008-09-04 15:55 . 2008-09-04 15:55 <DIR> d--h----- C:\WINDOWS\PIF
    2008-09-04 15:55 . 2008-09-05 18:47 <DIR> d-------- C:\Program Files\RivaTuner v2.10
    2008-09-03 20:01 . 2008-09-03 20:01 <DIR> d-------- C:\Program Files\Lavasoft
    2008-09-03 20:01 . 2008-09-03 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Malwarebytes
    2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-03 17:40 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-03 17:40 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-03 17:39 . 2008-09-03 17:39 <DIR> d-------- C:\Program Files\iPod
    2008-09-03 15:56 . 2008-09-03 17:15 <DIR> d-------- C:\Documents and Settings\RaY YaN\Contacts
    2008-09-03 15:56 . 2008-09-03 15:57 1,355 --a------ C:\WINDOWS\imsins.BAK
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViStart
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViOrb
    2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ViStart
    2008-09-02 01:31 . 2008-09-02 01:31 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2008-09-02 01:31 . 2008-09-02 04:56 43,602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
    2008-09-02 01:30 . 2008-09-02 01:30 <DIR> d-------- C:\Program Files\Gabest
    2008-09-02 01:28 . 2008-09-02 04:56 <DIR> d-------- C:\Program Files\AutoGK
    2008-08-30 16:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
    2008-08-30 16:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
    2008-08-30 16:17 . 2008-08-30 16:17 45 --a------ C:\WINDOWS\system32\initdebug.nfo
    2008-08-29 18:06 . 2008-08-29 18:06 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\IObit
    2008-08-26 15:06 . 2008-09-03 17:14 <DIR> d-------- C:\Program Files\Windows Live
    2008-08-24 20:54 . 2008-08-24 20:54 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SystemRequirementsLab
    2008-08-24 20:53 . 2008-08-24 20:53 <DIR> d-------- C:\WINDOWS\Sun
    2008-08-24 19:05 . 2008-08-24 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
    2008-08-24 19:04 . 2008-08-24 19:04 <DIR> d-------- C:\Program Files\OpenAL
    2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1FA.tmp
    2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1F9.tmp
    2008-08-24 19:04 . 2008-08-24 19:04 444,952 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2008-08-24 19:04 . 2008-08-24 19:04 109,080 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2008-08-24 13:07 . 2008-08-24 21:50 181 --a------ C:\WINDOWS\system32\sam.ini
    2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
    2008-08-24 13:05 . 2008-08-27 10:58 <DIR> d-------- C:\Program Files\Game Elements
    2008-08-24 13:05 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
    2008-08-24 13:05 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
    2008-08-24 13:05 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
    2008-08-24 12:37 . 2008-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\DirectX
    2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
    2008-08-23 01:42 . 2008-08-23 01:43 <DIR> dr------- C:\Program Files\TypingMaster
    2008-08-23 01:42 . 2008-08-23 01:44 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\TypingMaster7
    2008-08-22 19:15 . 2008-08-23 14:14 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SPORE Creature Creator
    2008-08-22 14:07 . 2008-08-25 02:06 <DIR> d-------- C:\Program Files\bobyte
    2008-08-20 21:03 . 2008-08-20 21:03 <DIR> d-------- C:\Program Files\Comical
    2008-08-20 14:27 . 2008-08-30 12:52 97 --a------ C:\WINDOWS\WirelessFTP.INI
    2008-08-19 21:34 . 2008-08-24 01:33 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\LimeWire
    2008-08-19 15:00 . 2008-08-19 15:08 <DIR> d-------- C:\UnrealSpecial
    2008-08-19 14:58 . 1998-01-23 12:22 304,128 --a------ C:\WINDOWS\IsUninst.exe
    2008-08-16 14:23 . 2008-08-16 14:23 <DIR> d-------- C:\Program Files\X-Projects
    2008-08-16 13:45 . 2008-08-16 13:45 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Xbins
    2008-08-15 16:02 . 2008-08-15 16:02 <DIR> d-------- C:\KA
    2008-08-15 14:43 . 2008-08-15 14:43 <DIR> d-------- C:\Program Files\Disney Interactive
    2008-08-15 14:43 . 2008-08-15 14:43 462 --a------ C:\WINDOWS\Disney.ini
    2008-08-15 14:30 . 2008-08-15 14:37 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ImgBurn
    2008-08-15 14:25 . 1994-09-21 03:30 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
    2008-08-15 14:25 . 2008-08-15 16:03 170 --a------ C:\WINDOWS\KA.INI
    2008-08-15 14:24 . 1995-10-12 09:00 282,112 --a------ C:\WINDOWS\uninst.exe
    2008-08-15 14:22 . 2008-08-15 14:22 <DIR> d-------- C:\Documents and Settings\RaY YaN\WINDOWS
    2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
    2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
    2008-08-14 14:10 . 2008-09-01 19:44 26 --a------ C:\WINDOWS\popcinfo.dat
    2008-08-14 02:18 . 2008-08-14 02:18 <DIR> dr-h----- C:\Documents and Settings\RaY YaN\Application Data\SecuROM
    2008-08-14 02:18 . 2008-09-02 19:35 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Bioshock
    2008-08-14 02:18 . 2008-08-22 19:15 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2008-08-14 01:43 . 2008-08-14 01:43 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\InstallShield
    2008-08-14 00:41 . 2008-08-14 00:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-08-13 22:49 . 2008-08-13 22:49 <DIR> d-------- C:\Program Files\id Software
    2008-08-13 21:52 . 2001-08-23 17:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-08-13 21:51 . 2001-08-23 17:00 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-08-13 21:50 . 2008-08-13 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-08-13 21:48 . 2001-08-23 17:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
    2008-08-13 21:42 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
    2008-08-13 21:42 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
    2008-08-13 21:42 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
    2008-08-13 21:40 . 2004-08-04 00:56 32,866 --a------ C:\WINDOWS\system32\slrundll.exe
    2008-08-13 21:40 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
    2008-08-13 21:16 . 2008-08-13 21:16 <DIR> d-------- C:\Program Files\SigmaTel
    2008-08-13 21:16 . 2006-05-26 17:58 4,886,528 --a------ C:\WINDOWS\system32\stacgui.cpl
    2008-08-13 21:16 . 2006-05-26 17:59 1,177,032 --a------ C:\WINDOWS\system32\drivers\sthda.sys
    2008-08-13 21:16 . 2006-05-09 00:21 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
    2008-08-13 21:16 . 2006-05-26 17:58 282,624 --a------ C:\WINDOWS\sttray.exe
    2008-08-13 21:16 . 2006-05-26 17:58 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
    2008-08-13 21:16 . 2006-05-26 17:58 117,248 --a------ C:\WINDOWS\system32\staco.dll
    2008-08-13 21:16 . 2006-05-26 17:58 86,016 --a------ C:\WINDOWS\system32\stacsv.exe
    2008-08-13 21:05 . 2008-08-13 21:05 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
    2008-08-13 21:03 . 2001-08-23 17:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
    2008-08-13 21:02 . 2004-08-04 03:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-08-13 21:01 . 2008-08-13 21:05 <DIR> d-------- C:\Inetpub
    2008-08-13 21:00 . 2008-08-13 21:17 4,980 --a------ C:\WINDOWS\setupapi.old
    2008-08-13 20:58 . 2008-09-04 16:33 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-08-13 00:34 . 2008-08-13 00:34 <DIR> d-------- C:\Program Files\uTorrent
    2008-08-13 00:34 . 2008-09-07 02:03 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\uTorrent
    2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\filehippo.com
    2008-08-12 23:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-08-12 23:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-08-12 23:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-08-12 15:19 . 2004-11-12 14:19 204,800 --a------ C:\WINDOWS\system32\Ffpage.dll
    2008-08-12 15:19 . 2003-12-17 15:20 69,632 --a------ C:\WINDOWS\system32\Ffdriver.dll
    2008-08-12 13:34 . 2008-08-12 13:34 <DIR> d-------- C:\Program Files\Zuma deluxe
    2008-08-12 13:31 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\Alawar
    2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\WINDOWS\Lost in the City
    2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\Lost in the City
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\The Mystery of the Crystal Portal
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Forgotten Riddles - The Moonlight Sonatas
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Deep Voyage
    2008-08-12 13:29 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Moonlight Sonatas
    2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Deep Voyage
    2008-08-12 12:53 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-08-12 12:53 . 1998-09-02 11:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
    2008-08-12 12:53 . 1998-08-20 14:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
    2008-08-12 12:53 . 1998-09-02 11:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
    2008-08-12 12:53 . 1998-09-02 11:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
    2008-08-12 12:53 . 1998-08-17 12:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
    2008-08-12 12:53 . 1998-08-17 12:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
    2008-08-12 12:53 . 1998-08-17 12:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
    2008-08-12 12:53 . 2008-08-12 12:53 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-10 09:56 --------- d-----w C:\Program Files\microsoft frontpage
    2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-09-07_15.37.02.89 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-07 12:35:34 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    + 2008-09-08 11:32:17 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-08-10 16384]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 69632]
    "SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 208896]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
    "egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
    "TClock Light"="D:\Program Files\T-Clock\tclock.exe" [2004-09-07 44544]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "Logitech SetPoint"="C:\Program Files\Logitech\SetPoint\KEM.exe" [2004-05-14 573440]
    "Fraps"="C:\PROGRAM FILES\FRAPS\FRAPS.EXE" [2008-01-14 3182248]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
    "SigmatelSysTrayApp"="sttray.exe" [2006-05-26 C:\WINDOWS\sttray.exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
    "WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveSearch"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "D:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "D:\\Program Files\\iTunes\\iTunes.exe"=

    S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]
    S3 SetupNTGLM7X;SetupNTGLM7X;I:\NTGLM7X.sys [ ]
    S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-10 307968]
    S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
    \Shell\AutoRun\command - L:\autorun.exe
    \Shell\Demo\command - JSDemo.exe
    \Shell\help\command - kahelp.exe
    \Shell\Setup\command - L:\setup.exe
    \Shell\website\command - L:\website.exe
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-08 14:32:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\stacsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-08 14:34:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-08 11:34:02
    ComboFix2.txt 2008-09-07 12:37:22

    Pre-Run: 8,470,482,944 bytes free
    Post-Run: 8,457,781,248 bytes free

    243 --- E O F --- 2008-09-08 10:53:53

    This is the HijackThis log after running combofix:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:35:07 PM, on 9/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\STacSV.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\sttray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\PROGRAM FILES\FRAPS\FRAPS.EXE
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\RaY YaN\Desktop\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    O4 - HKCU\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    O4 - HKCU\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    O4 - HKCU\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKCU\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKCU\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKCU\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKCU\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [TClock Light] D:\Program Files\T-Clock\tclock.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Logitech SetPoint] C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - HKCU\..\Run: [Fraps] C:\PROGRAM FILES\FRAPS\FRAPS.EXE
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

    --
    End of file - 6964 bytes


    Thanks for your help, pc is running fine.
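The O2 (BHO) and O4 (Run) lines in a HijackThis log like the one above are normally read by hand. As an added example, which is neither part of this thread nor HijackThis's own code, here is a small Python classifier that automates three of the checks a helper applies to each entry: whether the value is launched through rundll32.exe (in which case the DLL named in its first argument is what actually gets loaded, not rundll32 itself), whether the program is given as a bare file name with no directory (such entries are resolved by the search order rather than pinned to a path), and whether the file's base name looks machine-generated (the eight-letter mixed-case heuristic is an assumption of this example, not a rule from the tool). The sample log is constructed: four lines are copied from the log above, and the three entries naming qpXmRtZk.dll, hgmSsrTk.dll and the all-zero CLSID are invented for illustration.

```python
"""Classify HijackThis O2 (BHO) and O4 (Run) lines and flag the ones a helper
would look at first.  Added example; not HijackThis's code and not from the
thread.  The eight-letter mixed-case name test is a heuristic assumed here.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# O2 - BHO: <name> - {<CLSID>} - <path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample: first four lines copied from the log on this page, the
# rest invented (qpXmRtZk.dll, hgmSsrTk.dll and the all-zero CLSID are fake).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\qpXmRtZk.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [hgmSsrTk] rundll32.exe "C:\WINDOWS\system32\hgmSsrTk.dll",s
"""


@dataclass
class Finding:
    kind: str                 # "O2" or "O4"
    name: str                 # BHO display name or Run value name
    target: str               # the file that actually gets loaded
    flags: list[str] = field(default_factory=list)


def first_token(cmd: str) -> tuple[str, str]:
    """Split a command line into its program and the rest, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def run_target(cmd: str) -> tuple[str, list[str]]:
    """Work out what a Run value loads.  For rundll32 that is the module in
    its first argument (the part before the comma), not rundll32 itself."""
    flags: list[str] = []
    prog, rest = first_token(cmd)
    if ntpath.basename(prog).lower() == "rundll32.exe" and rest:
        module, _ = first_token(rest)
        prog = module.split(",", 1)[0]
        flags.append("loaded-via-rundll32")
    return prog, flags


def looks_random(filename: str) -> bool:
    """Heuristic (assumed here): an eight-letter stem whose case flips at
    least three times, e.g. qpXmRtZk.dll.  KHALMNPR.exe does not match."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return switches >= 3


def analyze(log_text: str) -> list[Finding]:
    """Parse every O2/O4 line and attach the flags that apply to it."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            f = Finding("O2", m["name"].strip(), m["path"].strip())
            if f.name == "(no name)":
                f.flags.append("bho-without-name")
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            target, flags = run_target(m["cmd"])
            f = Finding("O4", m["name"], target, flags)
        if "\\" not in f.target:
            f.flags.append("unqualified-path")   # found by search order, not pinned
        if looks_random(ntpath.basename(f.target)):
            f.flags.append("random-looking-name")
        findings.append(f)
    return findings


def suspicious(log_text: str) -> list[Finding]:
    """Only the entries that carry at least one flag."""
    return [f for f in analyze(log_text) if f.flags]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] -> {f.target}: {', '.join(f.flags)}")
```

Run it against a saved HijackThis log by passing the file's contents to suspicious(). A flag is a reason to look, not a verdict: the NvCplDaemon and BluetoothAuthenticationAgent entries in this very log are legitimate rundll32 launches, and bare names such as nwiz.exe are how several vendors register their own startup items. What the flags buy you is a short list to verify against the file's signer, location and date before the rest of the log is read.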
     
  19. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    No problem. Just give me the HijackThis log and I'll look at it. And what is up with all these combofix and hijackthis logs? There must be a thousand around here!

    And stop using keygens!!!!! All cracks are potential malware which prey on people, and they are illegal as well. If you like a piece of software so much that you will risk infection for it, you might as well buy it.
     
    Last edited: Sep 8, 2008
  20. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
    I stopped some time ago, this was the only one left. It too has gone now :p
    Everything else I have is now freeware :D

    EDITED :p

    Thanks for your help
     
    Last edited: Sep 9, 2008
