Anti-Virus shuts down upon scan starting

tech4707 · 18-Nov-2009, 06:00 PM #1

This problem has been annoying me all week. I downloaded a mysterious file and it loaded a few viruses into my system. I believe them to be b.exe, msa.exe, and a.exe. I have run the ESET online scanner due to the fact that that the virus shut my Anti-Virus software down so I couldn't use it. I have removed the viruses via ESET online scanner, reinstalled all my antivirus, but it still refuses to let me scan. I use Ad-Aware, Malware Bytes anti-malware, and Spybot Search and Destroy. I do not use Trend Micro due to the fact that it screwed my computer over once, and I am not letting it do it again. I do not have HijackThis, nor will I download it. All I want to know is whats behind it, and how to get rid of it.

tech4707 · 18-Nov-2009, 08:44 PM #2

bump

NeonFx · 19-Nov-2009, 03:18 AM #3

Hello there

My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

The fixes are specific to your problem and should only be used on this machine.
Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

Step 1

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Step 2

Please download Win32Diag from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3

Double-click on Win32Diag.exe to run it. If you are using Windows Vista, please right-click and select Run As Administrator
A black command prompt window shall appear.
It will now begin to scan. This may take a while, please be paitent until the scan is complete.
Once it's done, in the black screen it will say "Finished! Press any key to exit.... Press any key to exit.
A log file called Win32KDiag.txt will be created on your desktop.
Please copy and paste the contents of that log file here in your next reply.

tech4707 · 19-Nov-2009, 04:52 PM #4

Hi Neon, I have read over the steps and will try them as my father gets home, I notified him about the problem and he has told me not to download anything until he comes home. That will be around evening tomorrow. I have only one question. What exactly to these programs do?

NeonFx · 19-Nov-2009, 05:43 PM #5

The first tool will remove some of the files you mentioned and make it easier for our other tools to run while the second will scan for a particular rootkit that I believe to be the cause of your problems.

tech4707 · 20-Nov-2009, 04:46 PM #6

Here is the exeHelper log.

exeHelper by Raktor
Build 20091120
Run at 15:39:27 on 11/20/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Heres the Win32kDiag log:

12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\ 3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA330100007706010000000020\ 7.0.0\7.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\ 1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\ 2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\chrome\chrome

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\defaults\preferences\preferences

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2004-08-04 00:56:52 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\b ackup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\b ackup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 00:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\Temp\chrome_29833\chrome_29833

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\CR_227.tmp\CR_227.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ѕуmbols\ѕуmbols

Mount point destination : \Device\__max++>\^

Finished!

NeonFx · 20-Nov-2009, 06:32 PM #7

Good. I was right in my diagnosis. Please do the following:

STEP 1

Please delete your version of Win32kDiag.exe (along with the old Win32kDiag.txt file that was created) and redownload it from HERE

Make sure win32kdiag.exe is on your Desktop. Click on Start -> Run , and copy-paste the following command (the bolded text) into the "Open" box, and click OK. (If you use Vista just paste it into the text box that apears next to your start button)

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

STEP 2

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
Double click on ComboFix.exe & follow the prompts.

Note: Combofix will run without the Recovery Console installed.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. A increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

tech4707 · 21-Nov-2009, 08:29 AM #8

Sorry I took so long. Here is the Win32kDiag log:

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\chrome\chrome

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\chrome\chrome

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\defaults\preferences\preferences

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\defaults\preferences\preferences

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\b ackup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\b ackup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\b ackup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\b ackup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 00:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\Temp\chrome_29833\chrome_29833

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\chrome_29833\chrome_29833

Found mount point : C:\WINDOWS\Temp\CR_227.tmp\CR_227.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\CR_227.tmp\CR_227.tmp

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Found mount point : C:\WINDOWS\ѕуmbols\ѕуmbols

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ѕуmbols\ѕуmbols

Finished!

--------------------------------

The ComboFix log is too big to include in this post, I'll post it in another post.

tech4707 · 21-Nov-2009, 08:30 AM #9

ComboFix Log:

Here is the ComboFix one, it's pretty lengthy:

ComboFix 09-11-20.02 - michael 11/20/2009 21:59.1.1 - x86
Running from: c:\documents and settings\michael\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\michael\Application Data\inst.exe
c:\documents and settings\michael\Application Data\wiaserva.log
c:\documents and settings\michael\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\program files\dobe~1
c:\program files\mcroso~1.net
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\mbols~1
c:\windows\sorry.exe
c:\windows\system32\asks~1
c:\windows\system32\Cache
c:\windows\system32\drivers\pciide.sys
c:\windows\system32\Drivers\seupsbw.sys
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
E:\AUTORUN.INF
E:\resycled

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_msqpdxserv.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_msqpdxserv.sys

((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.

2009-11-19 23:25 . 2009-11-19 23:25 138240 ----a-w- c:\documents and settings\michael\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-11-19 23:25 . 2009-11-19 23:25 138240 ----a-w- c:\documents and settings\michael\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-11-19 23:25 . 2009-11-19 23:25 138240 ----a-w- c:\documents and settings\michael\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-11-19 23:25 . 2009-11-19 23:25 138240 ----a-w- c:\documents and settings\michael\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-11-19 00:53 . 2009-11-19 00:53 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-11-18 23:16 . 2009-11-20 01:04 -------- d-----w- c:\program files\Microsoft Works
2009-11-18 23:15 . 2009-11-18 23:15 -------- d-----w- c:\program files\Microsoft.NET
2009-11-18 23:13 . 2009-11-18 23:13 -------- d-----w- c:\documents and settings\michael\Local Settings\Application Data\Microsoft Help
2009-11-18 23:13 . 2009-11-20 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-18 23:12 . 2009-11-18 23:12 -------- d-----r- C:\MSOCache
2009-11-18 21:35 . 2009-11-18 21:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-18 21:23 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-18 21:23 . 2009-11-18 21:23 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-18 21:23 . 2009-11-18 21:23 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\SBREDrv.sys
2009-11-18 21:23 . 2009-11-18 21:23 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-11-18 21:21 . 2009-11-18 21:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-18 21:21 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-18 21:19 . 2009-11-18 21:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-17 20:58 . 2009-11-17 20:58 -------- d-----w- c:\program files\ESET
2009-11-17 01:46 . 2009-11-21 01:45 0 ----a-r- c:\windows\win32k.sys
2009-11-17 01:38 . 2009-11-17 01:38 -------- d-----w- c:\documents and settings\michael\Application Data\QuickScan
2009-11-15 21:41 . 2009-11-15 21:41 -------- d-----w- c:\documents and settings\michael\Application Data\Atari
2009-11-15 21:39 . 2009-11-15 21:39 -------- d-----w- c:\program files\Atari
2009-11-08 14:45 . 2009-11-08 14:45 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-11-08 14:45 . 2009-11-08 14:45 -------- d-----w- c:\program files\TechSmith
2009-11-07 20:38 . 2009-11-07 20:39 1794456 ----a-w- c:\documents and settings\michael\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-11-06 23:36 . 2009-11-06 23:36 -------- d-----w- c:\program files\Xvid
2009-11-06 23:36 . 2009-06-07 21:24 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-11-06 23:36 . 2009-06-07 21:16 819200 ----a-w- c:\windows\system32\xvidcore.dll
2009-11-01 01:32 . 2009-11-01 01:32 -------- d-----w- c:\program files\iPod
2009-11-01 01:32 . 2009-11-01 01:32 -------- d-----w- c:\program files\iTunes
2009-11-01 01:28 . 2009-11-01 01:28 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 23:33 . 2009-03-20 21:32 -------- d-----w- c:\program files\Steam
2009-11-20 22:05 . 2006-12-15 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-19 23:25 . 2009-01-01 14:37 -------- d-----w- c:\documents and settings\michael\Application Data\SystemRequirementsLab
2009-11-18 23:21 . 2006-12-15 18:37 85128 ----a-w- c:\documents and settings\michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 21:23 . 2009-11-18 21:22 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\sbap.dll
2009-11-18 21:21 . 2006-12-15 22:28 -------- d-----w- c:\program files\Lavasoft
2009-11-18 21:07 . 2007-06-08 23:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-15 21:39 . 2006-12-15 19:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-15 03:14 . 2009-07-19 15:27 138936 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-15 03:12 . 2009-07-19 15:27 214504 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-14 16:05 . 2008-11-25 02:45 -------- d-----w- c:\program files\Paint.NET
2009-11-14 05:00 . 2009-07-21 03:46 -------- d-----w- c:\program files\PokerStars.NET
2009-11-14 03:29 . 2008-11-20 21:11 -------- d-----w- c:\documents and settings\michael\Application Data\Any Video Converter
2009-11-07 23:47 . 2007-05-22 00:36 -------- d-----w- c:\documents and settings\michael\Application Data\Move Networks
2009-11-07 20:39 . 2009-05-19 13:54 143976 ----a-w- c:\documents and settings\michael\Application Data\Move Networks\uninstall.exe
2009-11-07 20:39 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\michael\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-11-01 01:32 . 2009-10-02 19:58 -------- d-----w- c:\program files\Common Files\Apple
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\michael\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-12 20:44 . 2009-10-12 20:44 -------- d-----w- c:\program files\Crossword Weaver
2009-10-10 12:23 . 2009-10-03 11:58 32328 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-06 11:02 . 2009-10-06 11:02 -------- d-----w- c:\program files\MSECache
2009-10-04 18:24 . 2009-10-04 18:24 -------- d-----w- c:\program files\DIYPhotoBits.com Camera Control 4.1
2009-10-04 18:19 . 2009-10-04 18:02 -------- d-----w- c:\program files\Common Files\Nikon
2009-10-04 18:19 . 2009-10-04 18:02 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLeh.DAT
2009-10-04 18:07 . 2009-10-04 18:07 26006046 ----a-w- c:\documents and settings\michael\Application Data\Nikon\Message Center\DOWNLOAD_LOG\12594\S-CCPRO_-130WU-EUREN.exe
2009-10-04 18:03 . 2009-10-04 18:03 -------- d-----w- c:\documents and settings\michael\Application Data\Nikon
2009-10-04 18:02 . 2009-10-04 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Ultima_T15
2009-10-04 18:02 . 2009-10-04 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\EnterNHelp
2009-10-04 01:17 . 2009-10-04 01:17 -------- d-----w- c:\program files\AviSynth 2.5
2009-10-02 20:15 . 2007-03-14 03:27 -------- d-----w- c:\documents and settings\michael\Application Data\Apple Computer
2009-10-02 20:00 . 2009-10-02 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-02 20:00 . 2007-03-14 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-02 20:00 . 2009-10-02 20:00 -------- d-----w- c:\program files\Bonjour
2009-10-02 19:59 . 2007-01-07 03:23 -------- d-----w- c:\program files\QuickTime
2009-10-02 19:59 . 2009-01-25 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-01-11 00:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-01-11 00:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2003-03-31 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-12-15 18:27 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-03-31 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-29 05:09 . 2009-08-29 05:09 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-08-28 23:42 . 2009-10-02 19:58 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-10-02 19:58 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-06-21 02:52 . 2009-06-21 02:52 508 ----a-w- c:\program files\dwinst.log
2009-06-21 02:52 . 2001-11-29 06:34 353393 ----a-w- c:\program files\un-SwapManager.exe
2009-06-21 02:52 . 2001-11-10 01:25 225280 ----a-w- c:\program files\SM2000XP.dll
2009-06-21 02:52 . 2001-11-06 23:07 217088 ----a-w- c:\program files\SM30_9X.dll
2009-06-21 02:52 . 2001-11-06 23:07 13381 ----a-w- c:\program files\HotSwap3.VXD
2009-06-21 02:52 . 2001-11-06 23:07 114688 ----a-w- c:\program files\SwapManager.exe
2009-03-29 00:01 . 2009-03-30 12:01 44 ---h--w- c:\program files\2c310e44.tmp
.

------- Sigcheck -------

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-19 . 2A7BD330924252A2FD80344FC949BB72 . 1036288 . . [6.00.2900.2180] . . c:\windows\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavaso ft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^michael^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\michael\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^michael^Start Menu^Programs^Startup^MEMonitor.lnk]
path=c:\documents and settings\michael\Start Menu\Programs\Startup\MEMonitor.lnk
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^michael^Start Menu^Programs^Startup^MP3 Rocket (Minimized).lnk]
path=c:\documents and settings\michael\Start Menu\Programs\Startup\MP3 Rocket (Minimized).lnk
backup=c:\windows\pss\MP3 Rocket (Minimized).lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^michael^Start Menu^Programs^Startup^MP3 Rocket (silent).lnk]
backup=c:\windows\pss\MP3 Rocket (silent).lnkStartup
path=c:\documents and settings\michael\Start Menu\Programs\Startup\MP3 Rocket (silent).lnk

[HKLM\~\startupfolder\C:^Documents and Settings^michael^Start Menu^Programs^Startup^rncsys32.exe]
path=c:\documents and settings\michael\Start Menu\Programs\Startup\rncsys32.exe
backup=c:\windows\pss\rncsys32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^michael^Start Menu^Programs^Startup^V CAST Music Monitor.lnk]
backup=c:\windows\pss\V CAST Music Monitor.lnkStartup
path=c:\documents and settings\michael\Start Menu\Programs\Startup\V CAST Music Monitor.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate1c97f516e30a9b2"=2 (0x2)
"aawservice"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Adobe Version Cue CS2"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soldier of Fortune II - Double Helix MP TEST\\SoF2MP-Test.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xxncxx\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xxncxx\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xxncxx\\source sdk base 2007\\hl2.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xxncxx\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xxncxx\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/18/2009 4:23 PM 64288]
R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [11/21/2006 1:34 PM 203264]
S3 cpuz130;cpuz130;\??\c:\docume~1\michael\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\michael\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [9/27/2009 6:18 PM 33792]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [6/16/2008 4:08 PM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [6/16/2008 4:08 PM 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/16/2008 4:08 PM 22528]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 12:19 PM 23064]
S4 gupdate1c97f516e30a9b2;Google Update Service (gupdate1c97f516e30a9b2);c:\program files\Google\Update\GoogleUpdate.exe [1/25/2009 8:00 PM 133104]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1184912]
.
Contents of the 'Scheduled Tasks' folder

2009-11-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:22]

2009-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-12 c:\windows\Tasks\Defrag.job
- c:\windows\system32\dfrg.msc [2003-03-31 12:00]

2009-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-26 01:00]

2009-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-26 01:00]

2009-10-12 c:\windows\Tasks\Spybot - Search & Destroy.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2009-11-18 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\michael\Application Data\Mozilla\Firefox\Profiles\opoqrvzp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\michael\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\michael\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\michael\Application Data\Mozilla\Firefox\Profiles\opoqrvzp.default\extensions\battlefieldheroes patcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\michael\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{4492AA3F-6DF4-632A-A140-1DE337E4F3BF} - (no file)
BHO-{4696AC65-66F1-6624-A340-1DE337E4F2EF} - (no file)
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
HKU-Default-Run-OE - c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\michael\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 22:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-343818398-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FB22981-6C35-944B-21D3-AB043A318AC5}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iacieljmimchocagfk"=hex:6a,61,68,6f,6c,65,64,65,64,6a,69,61,6a,70,70,67,70 ,6e,
68,66,00,9b
"haihkodgffpighml"=hex:6a,61,68,6f,6c,65,64,65,64,6a,69,61,6a,70,70,67,70,6 e,
68,66,00,d1

[HKEY_USERS\S-1-5-21-515967899-343818398-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:7a,96,08,fb,7e,00,5e,49,43,48,fc,df,19,dd,62,1c,6b,22,fb,b8,91,d3, a5,
c1,61,3a,23,f1,c0,e0,e0,8b,68,66,3b,12,fa,f8,a5,ae,28,a8,de,be,7d,1f,4f,25, \
"??"=hex:4a,63,af,f7,c7,ce,02,7b,03,07,d2,dc,b3,bb,a7,cc
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1312)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2064)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
c:\program files\Logitech\G-series Software\Applets\LCDMedia.exe
c:\program files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
.
**************************************************************************
.
Completion time: 2009-11-20 22:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-21 03:22

Pre-Run: 228,820,529,152 bytes free
Post-Run: 228,788,027,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 49697DD88C0F9D7B83E1E79FF177CB88

tech4707 · 21-Nov-2009, 01:28 PM **#10**

bump

NeonFx · 04:25 PM

There's no need to bump posts that have already been replied to by a helper. I get notified of all responses.

Please do the following:

1. Close any open open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:

DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pciide.sys.vir

Quit::

NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Tag Cloud
access acer asus bios bsod computer crash desktop driver drivers error ethernet excel freeze gaming hard drive hardware hdmi internet laptop malware memory modem monitor motherboard mouse network printer problem ram registry repair router slow software sound trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!