
[Active] whats going on with my PC? (repost)

Discussion in 'Spyware, Adware, Viruses and Malware Removal' started by miz, Feb 12, 2010.

  1. miz (Techie7 New Member)

    I use Windows XP... in the toolbar I have PC Tools Spyware Doctor, Avast Antivirus Pro and Outpost Firewall Pro... I also have Registry Mechanic and Uniblue Registry Booster to hand...

    Recently my PC has been showing a box that says something about generic host processor has an error. It doesn't matter if I press 'Send' or 'Don't Send'; within a few minutes my task bar and start menu revert back to the Windows 98 style and I have no option allowing me to change it back. Also after this I lose all sound that is coming from the net (YouTube, radio, etc.)... I have run all my anti-spyware, anti-virus, everything, but the report always comes back clean... also there is something from the outside constantly trying to connect itself to some file csrss.exe in my system32 folder... I have been told this is safe but I dunno, cos I ain't never seen it before... Also when I search Google, despite the link I am looking for, I end up redirected to some abstract site nothing to do with my search almost 75% of the time and have to manually copy the address myself...

    I ain't no whizz, but to me it sounds like spyware or a virus, but all my checks come back clean... shed some light on this for me please.


    edit:

    The exact message for the generic process is that of a usual box when something crashes... it says "Generic Host Process For Win32 Services Has Encountered An Error And Needs To Close"... it then gives me the usual Send / Don't Send buttons...

    I ran my PC Tools Spyware Doctor this morning and it said that it had found a 'trojan' in a file called sdra64.exe... I Googled it and it certainly appeared to be a virus... there were instructions to use Process Explorer to search for it and delete it that way, but it never showed up... I assume that when I told Spyware Doctor to fix it, that did the trick...

    I followed the instructions further and they told me the place where this file would be... windows/system32... I looked and indeed it was not there, nor was the folder lowsec associated with it...

    Despite this I am still having the same trouble as described before the edit with my toolbar and browser and the Generic Host crash, etc...

    Please help.

    Also, could someone explain this to me... whilst I was in my Windows folder I noticed that some of the folder and file names were blue instead of the usual black... what does this mean?

    Many thanks
     
  2. broni (Malware Annihilator, Techie7 Moderator, Head Security)

    Please, uninstall both immediately. Registry tools are nothing else but a disaster waiting to happen.

    It's normal. Blue folders are compressed folders.


    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
    Alternative downloads:
    - |MG| GMER 1.0.15.15281 Download
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log in your next reply.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    HijackThis - Trend Micro USA
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. miz (Techie7 New Member)

    I have run the programs suggested; however, during the scan with GMER it got to a file called atapi.sys and stopped responding, then my PC froze completely for about 10 mins before shutting GMER down... I did manage to get the first logs for it though.

    <<mbam log 1>>
    Malwarebytes' Anti-Malware 1.44
    Database version: 3732
    Windows 5.1.2600 Service Pack 1
    Internet Explorer 6.0.2800.1106

    13/02/2010 13:46:15
    mbam-log-2010-02-13 (13-46-09).txt

    Scan type: Quick Scan
    Objects scanned: 133607
    Time elapsed: 12 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\adwarealert\(default) (Rogue.AdwareAlert) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> No action taken.

    Files Infected:
    C:\Recycler\S-1-5-21-1177238915-1004336348-839522115-1004\Dc58.tmp (Trojan.Hiloti) -> No action taken.
    C:\Recycler\S-1-5-21-1177238915-1004336348-839522115-1004\Dc34.tmp (Trojan.FakeAlert) -> No action taken.
    C:\RECYCLER\S-1-5-21-1177238915-1004336348-839522115-1004\Dc182.exe (Trojan.Downloader) -> No action taken.
    C:\Documents and Settings\INTERNET ONLY\Local Settings\temp\Ogj.exe (Rootkit.TDSS) -> No action taken.
    C:\WINDOWS\len3pu.dll (Trojan.Hiloti) -> No action taken.
    C:\WINDOWS\system32\spool\prtprocs\w32x86\000016de.tmp (Rootkit.TDSS) -> No action taken.
    C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> No action taken.


    <<mbam log 2 >>
    Malwarebytes' Anti-Malware 1.44
    Database version: 3732
    Windows 5.1.2600 Service Pack 1
    Internet Explorer 6.0.2800.1106

    13/02/2010 13:50:51
    mbam-log-2010-02-13 (13-50-51).txt

    Scan type: Quick Scan
    Objects scanned: 133607
    Time elapsed: 12 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\adwarealert\(default) (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Recycler\S-1-5-21-1177238915-1004336348-839522115-1004\Dc58.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Recycler\S-1-5-21-1177238915-1004336348-839522115-1004\Dc34.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1177238915-1004336348-839522115-1004\Dc182.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\INTERNET ONLY\Local Settings\temp\Ogj.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\len3pu.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\spool\prtprocs\w32x86\000016de.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.




    Seeing that makes it patently obvious that there were indeed some viruses that Spyware Doctor and Avast had not noticed in their scans.



    <<gmer log 1>>
    GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
    Rootkit quick scan 2010-02-13 14:12:14
    Windows 5.1.2600 Service Pack 1
    Running: gmer.exe; Driver: C:\DOCUME~1\INTERN~1\LOCALS~1\Temp\aweyrpod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINDOWS\System32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xF50158A0]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 8366A8D4

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----



    That's all I could get from GMER; as I said, it stopped responding during the scan.



    <<hijack this log>>
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:20:36, on 13/02/2010
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\UAService7.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Welcome to Internet Explorer 6.0
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\Msdxm6.ocx
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
    O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?7428e0f6f22344959e2ad530df292c8f
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?7428e0f6f22344959e2ad530df292c8f
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
    O15 - Trusted Zone: http://*.buy-internetsecurity10.com
    O15 - Trusted Zone: http://*.buy-is2010.com
    O15 - Trusted Zone: http://*.is-software-download.com
    O15 - Trusted Zone: http://*.is10-soft-download.com
    O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
    O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\BookWorm\Images\armhelper.ocx
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\System32\mqsv32.exe (file missing)
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
    O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

    --
    End of file - 6920 bytes



    And that's it, thanks for the help, hope you can make my PC well again :)
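A small triage script for the HijackThis log format posted above, written for this thread and not part of HijackThis or of either poster's material. It parses the O-numbered entry lines and applies a few review heuristics of my own (Trusted Zone entries, a changed IERESET.INF start page, an unknown Winsock LSP, services whose binary is missing or whose owner is unknown) to a constructed excerpt of the log; the section meanings come from the labels HijackThis itself prints on each line.

```python
"""Triage a HijackThis (HJT) log: pull out the entry types a helper reads first.

Added example for this thread, not code from HijackThis or from either poster.
Section meanings are taken from the labels HJT prints in the log itself
(O4 Run keys, O10 Winsock LSP, O14 IERESET.INF, O15 Trusted Zone, O23 Service).
The review rules are this example's own heuristics, not an official checklist.
"""
import re
from collections import Counter

# Constructed excerpt: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\System32\mqsv32.exe (file missing)
O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)
"""

# HJT entry lines look like "O15 - Trusted Zone: ..." or "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every HJT entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Apply simple review rules to an HJT log and return a list of findings.

    Each finding is a dict with keys: section, severity ('high' or 'review'),
    reason, detail (the original entry body).
    """
    findings = []
    for section, body in parse_hjt(text):
        if section == "O15":
            # Trusted Zone additions relax IE security for the named domains; a home
            # user rarely adds these by hand, so every entry gets a look.
            findings.append(dict(section=section, severity="high",
                                 reason="trusted zone entry", detail=body))
        elif section == "O14" and "START_PAGE_URL=" in body:
            # IERESET.INF holds the defaults that IE's "Reset Web Settings" restores,
            # so a start page planted here survives a browser reset.
            findings.append(dict(section=section, severity="review",
                                 reason="modified IE reset defaults", detail=body))
        elif section == "O10":
            # A Winsock LSP HJT cannot identify sits in the network path of every
            # socket on the box; worth identifying before anything is "fixed".
            findings.append(dict(section=section, severity="review",
                                 reason="unknown Winsock LSP", detail=body))
        elif section == "O23":
            if body.endswith("(file missing)"):
                # Service registered but binary gone: leftover of removed software,
                # or a payload that was deleted while its service entry survived.
                findings.append(dict(section=section, severity="review",
                                     reason="service binary missing", detail=body))
            elif " - Unknown owner - " in body:
                findings.append(dict(section=section, severity="review",
                                     reason="service with unknown owner", detail=body))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'review': 4}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:6}] {f['section']}: {f['reason']} -> {f['detail']}")
    print(summarize(results))
```

Entries that match no rule (the Avast O4 and O23 lines in the excerpt) produce no finding, which is the point: the script narrows a long log to the handful of lines a reviewer has to reason about.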
     
  4. broni (Malware Annihilator, Techie7 Moderator, Head Security)

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.


    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. miz (Techie7 New Member)

    Combo Fix Log

    ComboFix 10-02-12.01 - Miz 13/02/2010 19:57:03.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.735.532 [GMT 0:00]
    Running from: c:\documents and settings\INTERNET ONLY\My Documents\dowloads\New Folder\ComboFix.exe
    .
    /wow section - STAGE 4
    'play.lnk' is not recognized as an internal or external command
    'Malware' is not recognized as an internal or external command
    'play.lnk' is not recognized as an internal or external command
    'Malware' is not recognized as an internal or external command
    'play.lnk' is not recognized as an internal or external command
    'play.lnk' is not recognized as an internal or external command


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\INTERNET ONLY\Application Data\Desktopicon
    c:\documents and settings\INTERNET ONLY\Application Data\Desktopicon\config.ini
    c:\documents and settings\INTERNET ONLY\Application Data\Desktopicon\eBayShortcuts.exe
    c:\windows\EventSystem.log
    c:\windows\system32\1.tmp
    c:\windows\system32\2.tmp
    c:\windows\system32\3.tmp
    c:\windows\system32\4.tmp
    c:\windows\system32\5.tmp
    c:\windows\system32\msvcsv60.dll
    c:\windows\system32\SHELLLNK.TLB

    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - c:\windows\system32\ReinstallBackups\0020\DriverFiles\i386\atapi.sys
    .
    ((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
    .

    2010-02-13 19:41 . 2010-02-13 19:41 -------- d-----w- c:\documents and settings\Miz\Application Data\SUPERAntiSpyware.com
    2010-02-13 19:29 . 2010-02-13 19:29 -------- d-----w- c:\program files\Bullfrog
    2010-02-13 15:46 . 2010-02-13 15:46 -------- d-----w- c:\program files\Sophos
    2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com
    2010-02-13 14:20 . 2010-02-13 14:20 -------- d-----w- c:\program files\Trend Micro
    2010-02-13 13:54 . 2010-02-13 13:54 54016 ----a-w- c:\windows\system32\drivers\ivlxc.sys
    2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Malwarebytes
    2010-02-13 09:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-13 09:39 . 2010-01-07 16:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-12 12:28 . 2010-02-12 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
    2010-02-12 12:25 . 2010-02-12 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
    2010-02-12 12:24 . 2010-02-13 19:35 -------- d-----w- c:\program files\Alawar
    2010-02-12 12:17 . 2002-09-03 16:39 930304 ----a-w- c:\windows\system32\Ole32drv.DLL
    2010-02-12 12:14 . 2010-02-12 12:16 -------- d-----w- c:\program files\EzGenerator3
    2010-02-12 12:08 . 2010-02-12 12:08 -------- d-----w- c:\windows\system32\aspi
    2010-02-12 12:08 . 2010-02-12 12:08 -------- d-----w- c:\program files\intelliScore Ensemble
    2010-02-11 15:46 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\Miz\Application Data\Absolutist
    2010-02-11 15:46 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Absolutist
    2010-02-11 15:39 . 2010-02-11 15:40 -------- d-----w- c:\documents and settings\Miz\Application Data\OnlineArmor
    2010-02-11 15:02 . 2009-04-06 11:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
    2010-02-11 15:02 . 2009-02-10 16:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
    2010-02-11 15:02 . 2009-02-18 17:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
    2010-02-11 15:02 . 2010-02-11 15:02 -------- d-----w- c:\program files\Agnitum
    2010-02-11 15:01 . 2010-02-11 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
    2010-02-11 14:55 . 2010-02-11 14:56 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\OnlineArmor
    2010-02-11 14:55 . 2010-02-11 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
    2010-02-11 14:55 . 2009-12-05 07:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
    2010-02-11 14:55 . 2009-12-05 07:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
    2010-02-11 14:55 . 2009-12-05 07:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys
    2010-02-11 14:55 . 2010-02-11 14:55 -------- d-----w- c:\program files\Tall Emu
    2010-02-11 12:14 . 2010-02-11 12:14 -------- d-----w- c:\documents and settings\Miz\Application Data\Uniblue
    2010-02-11 12:14 . 2010-02-11 12:14 -------- d-----w- c:\program files\Uniblue
    2010-02-11 10:44 . 2002-08-29 01:32 57856 -c--a-w- c:\windows\system32\dllcache\drmk.sys
    2010-02-11 10:44 . 2002-08-29 01:32 57856 ----a-w- c:\windows\system32\drivers\drmk.sys
    2010-02-11 10:44 . 2002-08-29 02:01 134272 -c--a-w- c:\windows\system32\dllcache\portcls.sys
    2010-02-11 10:44 . 2002-08-29 02:01 134272 ----a-w- c:\windows\system32\drivers\portcls.sys
    2010-02-11 09:18 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-02-11 09:18 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-02-11 09:18 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-02-11 09:17 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-02-11 09:17 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-02-11 09:17 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-02-11 09:17 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-02-11 09:17 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-02-10 21:16 . 2010-02-11 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-02-10 21:16 . 2010-02-10 21:16 -------- d-----w- c:\program files\Alwil Software
    2010-02-10 16:49 . 2010-02-10 16:51 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
    2010-02-10 16:49 . 2007-12-10 14:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
    2010-02-10 16:49 . 2007-12-10 14:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
    2010-02-10 16:49 . 2007-12-10 14:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
    2010-02-10 16:49 . 2010-02-11 16:33 -------- d-----w- c:\program files\Spyware Doctor
    2010-02-10 16:49 . 2010-02-10 16:49 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\PC Tools
    2010-02-10 16:25 . 2010-02-10 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-02-10 16:19 . 2010-02-10 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-02-10 11:45 . 2010-02-10 11:45 -------- d-----w- c:\documents and settings\Miz\Application Data\Spyware Terminator
    2010-02-10 11:39 . 2010-02-10 11:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-02-10 11:30 . 2010-02-10 11:30 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2010-02-10 11:05 . 2010-02-10 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-02-10 11:03 . 2010-02-10 11:03 -------- d-----w- c:\program files\Common Files\iS3
    2010-02-10 11:03 . 2010-02-10 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-02-09 18:30 . 2010-02-09 18:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2010-02-09 18:30 . 2010-02-09 18:30 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\skypePM
    2010-02-09 18:25 . 2010-02-09 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-02-09 10:22 . 2010-02-10 15:55 -------- d-----w- c:\program files\WNAS
    2010-02-08 14:23 . 2009-08-06 19:24 209632 ----a-w- c:\windows\system32\wuweb.dll
    2010-02-08 14:23 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-02-08 14:23 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-02-05 08:53 . 2010-02-05 08:53 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Sony
    2010-02-05 08:51 . 2010-02-05 08:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Publish Providers
    2010-02-05 08:51 . 2010-02-05 08:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NetMedia Providers
    2010-02-04 14:09 . 2010-02-04 14:09 -------- d-----w- c:\documents and settings\INTERNET ONLY\Local Settings\Application Data\Sony
    2010-02-04 12:25 . 2010-02-04 12:25 -------- d-----w- c:\documents and settings\Miz\Local Settings\Application Data\Oberon Games
    2010-02-04 12:11 . 2010-02-04 12:11 -------- d-----w- c:\documents and settings\Miz\Saved Games
    2010-02-03 18:43 . 2010-02-04 12:04 -------- d-----w- c:\documents and settings\Miz\Application Data\MysteryStudio
    2010-02-03 18:29 . 2010-02-03 18:42 -------- d-----w- c:\program files\FreeGamePick.com
    2010-02-03 14:20 . 2010-02-03 14:20 -------- d-----w- c:\documents and settings\Miz\Application Data\SerpentOfIsis
    2010-02-02 13:56 . 2004-02-25 18:19 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_9.dll
    2010-02-02 13:56 . 2004-01-15 12:41 65536 ----a-w- c:\windows\system32\NI_DFD_1_2_8.dll
    2010-02-02 13:56 . 2003-12-15 16:02 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_7.dll
    2010-02-02 13:56 . 2003-12-15 16:02 69632 ----a-w- c:\windows\system32\NI_DFD.dll
    2010-02-02 13:56 . 2003-12-04 12:47 69632 ----a-w- c:\windows\system32\NI_DFD_KOMPAKT.dll
    2010-02-02 13:56 . 2003-12-04 12:47 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_4.dll
    2010-02-02 13:56 . 2004-06-07 13:18 258048 ----a-w- c:\windows\system32\REX Shared Library.dll
    2010-02-01 19:31 . 2010-02-01 19:31 -------- d-----w- c:\program files\Total War
    2010-02-01 08:40 . 2010-02-01 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\East West
    2010-01-31 18:42 . 2010-01-31 18:42 -------- d-----w- c:\program files\Stringer
    2010-01-31 18:40 . 2002-09-03 16:46 323072 ----a-w- c:\windows\system32\msvcrt.dll
    2010-01-31 18:39 . 2010-01-31 18:40 -------- d-----w- c:\windows\speech
    2010-01-31 18:39 . 2010-01-31 18:39 -------- d-----w- c:\program files\VoiceMX
    2010-01-31 18:39 . 2001-10-13 23:48 28672 ----a-w- c:\windows\system32\SmartMenuXP.dll
    2010-01-31 11:10 . 2010-01-31 11:11 -------- d-----w- c:\documents and settings\Miz\Application Data\GetRightToGo
    2010-01-26 11:59 . 2010-01-26 11:59 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\KORG
    2010-01-25 20:10 . 2010-01-25 20:10 -------- d-----w- c:\documents and settings\Miz\Application Data\KORG
    2010-01-25 20:05 . 2010-01-25 20:05 -------- d-----w- c:\documents and settings\Miz\Application Data\Music Recognition
    2010-01-25 20:04 . 2010-01-25 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\KORG
    2010-01-25 16:10 . 2010-01-25 16:10 -------- d-----w- c:\program files\Audacity
    2010-01-25 15:23 . 2010-01-25 15:22 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-23 10:57 . 2003-11-12 23:38 510976 ----a-w- c:\windows\system32\synsoacc.dll
    2010-01-19 12:52 . 2010-02-03 14:00 -------- d-----w- c:\program files\bfgclient
    2010-01-19 12:52 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2010-01-18 22:01 . 2010-01-18 22:01 -------- d-----w- c:\documents and settings\Miz\Local Settings\Application Data\Xara Online Dreamweaver Cache
    2010-01-18 21:54 . 2010-01-18 21:54 -------- d-----w- c:\program files\DatawareGames

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-13 20:06 . 2009-11-20 16:51 857 --sha-w- c:\windows\system32\mmf.sys
    2010-02-13 19:46 . 2002-08-13 23:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-13 19:41 . 2010-02-13 19:41 52224 ----a-w- c:\documents and settings\Miz\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-13 19:41 . 2010-02-13 19:41 117760 ----a-w- c:\documents and settings\Miz\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-13 19:36 . 2010-01-05 10:18 -------- d-----w- c:\program files\Native Instruments
    2010-02-13 16:03 . 2010-01-09 20:06 2464 ----a-w- c:\program files\Absynth 1.3 prefs.ini
    2010-02-13 15:45 . 2010-02-13 15:45 52224 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-13 15:44 . 2010-02-13 15:44 117760 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-13 15:44 . 2009-09-26 16:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-02-12 19:48 . 2007-12-01 23:43 141192 ----a-w- c:\documents and settings\Miz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-11 16:49 . 2009-12-15 08:16 -------- d-----w- c:\program files\Registry Easy
    2010-02-11 12:16 . 2009-09-18 17:19 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Uniblue
    2010-02-10 22:28 . 2008-01-27 00:09 -------- d-----w- c:\program files\CROSS
    2010-02-10 22:25 . 2009-09-16 11:36 141192 ----a-w- c:\documents and settings\INTERNET ONLY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-10 16:08 . 2009-09-18 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-02-10 15:33 . 2008-01-19 22:08 -------- d-----w- c:\program files\Java
    2010-02-10 11:08 . 2010-02-10 11:08 200 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
    2010-02-10 11:07 . 2010-02-10 11:07 1192 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-02-09 21:14 . 2007-03-28 15:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-02-09 21:13 . 2010-01-08 20:58 -------- d-----w- c:\program files\Sony
    2010-02-09 16:46 . 2009-04-19 19:16 -------- d-----w- c:\program files\LG PC Suite II
    2010-02-04 14:06 . 2010-01-08 20:57 -------- d-----w- c:\program files\Sony Setup
    2010-02-01 20:04 . 2009-08-14 19:05 1575 -c--a-w- c:\windows\eReg.dat
    2010-02-01 08:55 . 2010-01-04 16:18 -------- d-----w- c:\documents and settings\Miz\Application Data\PACE Anti-Piracy
    2010-02-01 08:55 . 2010-01-04 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
    2010-01-31 09:10 . 2009-12-29 12:14 -------- d-----w- c:\documents and settings\Miz\Application Data\NCH Swift Sound
    2010-01-24 18:00 . 2009-12-10 09:53 48 ----a-w- c:\windows\msocreg32.dat
    2010-01-18 20:29 . 2007-12-14 16:20 -------- d-----w- c:\program files\Xara
    2010-01-18 20:29 . 2007-03-27 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-12 21:48 . 2010-01-12 21:48 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Auslogics
    2010-01-12 21:44 . 2010-01-12 21:44 -------- d-----w- c:\program files\FDF
    2010-01-11 12:01 . 2007-08-08 21:24 -------- d-----w- c:\program files\Image-Line
    2010-01-10 21:07 . 2010-01-10 21:07 -------- d-----w- c:\program files\Pro-53
    2010-01-10 20:09 . 2010-01-10 20:09 -------- d-----w- c:\documents and settings\Miz\Application Data\Deckadance
    2010-01-10 18:44 . 2010-01-10 18:39 -------- d-----w- c:\program files\Common Files\Native Instruments
    2010-01-10 18:31 . 2010-01-10 18:31 -------- d-----w- c:\program files\Tone2
    2010-01-10 18:27 . 2010-01-10 18:27 -------- d-----w- c:\program files\ASIO4ALL v2
    2010-01-09 18:01 . 2009-12-10 09:38 -------- d-----w- c:\program files\IK Multimedia
    2010-01-09 18:01 . 2010-01-09 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\IK Multimedia
    2010-01-09 15:12 . 2010-01-09 15:12 -------- d-----w- c:\program files\Absynth 1.3
    2010-01-08 20:59 . 2010-01-08 20:59 -------- d-----w- c:\documents and settings\Miz\Application Data\Sony
    2010-01-05 22:19 . 2010-01-01 12:55 -------- d-----w- c:\program files\Google
    2010-01-05 12:40 . 2010-01-05 12:37 -------- d-----w- c:\program files\Waves
    2010-01-05 12:39 . 2010-01-05 12:39 -------- d-----w- c:\documents and settings\Miz\Application Data\Waves Preferences
    2010-01-04 16:18 . 2010-01-04 16:18 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
    2010-01-04 16:12 . 2010-01-04 16:12 -------- d-----w- c:\program files\InterLok
    2010-01-04 16:10 . 2010-01-04 16:10 -------- d-----w- c:\program files\delaydots
    2010-01-04 11:16 . 2010-01-04 11:08 2048 ----a-w- c:\windows\system32\Tr_sttool.dat
    2010-01-02 13:16 . 2009-12-31 08:37 -------- d-----w- c:\program files\SWiSH Max2
    2010-01-02 13:16 . 2009-12-29 12:06 -------- d-----w- c:\program files\NCH Swift Sound
    2010-01-01 20:09 . 2007-04-07 16:27 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-01 20:06 . 2009-12-30 11:12 -------- d-----w- c:\program files\AnvSoft Web FLV Player Free
    2009-12-31 08:52 . 2009-12-31 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SWiSHMax2WorkFolder
    2009-12-31 08:38 . 2009-12-31 08:38 -------- d-----w- c:\program files\Common Files\SWiSHzone.com
    2009-12-30 10:19 . 2009-12-30 10:17 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\itsourtree
    2009-12-30 09:36 . 2009-12-30 09:36 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Family Tree Pilot
    2009-12-30 08:17 . 2009-12-29 18:59 -------- d-----w- c:\program files\MyHeritage
    2009-12-29 19:51 . 2009-12-29 19:51 -------- d-----w- c:\documents and settings\Miz\Application Data\MyHeritage
    2009-12-29 19:02 . 2009-12-29 19:02 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\MyHeritage
    2009-12-29 19:02 . 2009-12-29 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\MyHeritage
    2009-12-29 14:56 . 2009-12-29 09:56 -------- d-----w- c:\program files\Super Internet TV
    2009-12-29 14:56 . 2009-12-28 14:08 -------- d-----w- c:\program files\RapidSolution
    2009-12-29 14:55 . 2009-12-27 19:30 -------- d-----w- c:\program files\NCH Software
    2009-12-29 12:15 . 2009-12-29 12:15 -------- d-----w- c:\documents and settings\Miz\Application Data\NCH Software
    2009-12-29 12:08 . 2009-12-29 12:08 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NCH Software
    2009-12-29 12:08 . 2009-12-29 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
    2009-12-29 12:08 . 2009-12-27 19:25 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NCH Swift Sound
    2009-12-29 10:51 . 2009-12-29 10:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\OverDrive
    2009-12-29 10:51 . 2009-12-29 10:51 -------- d-----w- c:\program files\OverDrive Media Console
    2009-12-28 18:19 . 2009-12-28 17:55 -------- d-----w- c:\program files\NoteCable
    2009-12-28 17:56 . 2009-12-28 17:56 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NoteCable
    2009-12-28 15:22 . 2009-12-28 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\RapidSolution
    2009-12-28 14:29 . 2009-12-28 13:46 -------- d-----w- c:\program files\Mp3 Convert Master
    2009-12-28 14:28 . 2009-12-28 13:36 -------- d-----w- c:\program files\MP3 Convert Lord
    2009-12-28 14:11 . 2009-12-28 14:11 476512 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\RadioRip.dll
    2009-12-28 14:11 . 2009-12-28 14:11 169312 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgSoundclick.dll
    2009-12-28 14:11 . 2009-12-28 14:11 128352 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgMyspace.dll
    2009-12-28 14:11 . 2009-12-28 14:11 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgPandora.dll
    2009-12-28 14:11 . 2009-12-28 14:11 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgLastfm.dll
    2009-12-28 14:11 . 2009-12-28 14:11 99680 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgIJigg.dll
    2009-12-28 14:11 . 2009-12-28 14:11 230752 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgHypemachine.dll
    2009-12-28 14:11 . 2009-12-28 14:11 120160 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgGeneral.dll
    2009-12-28 14:11 . 2009-12-28 14:11 87392 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDefault.dll
    2009-12-28 14:11 . 2009-12-28 14:11 140640 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDeezer.dll
    2009-12-28 13:53 . 2009-12-28 13:53 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\AccurateRip
    2009-12-28 13:52 . 2008-01-07 00:52 5640880 -c--a-w- c:\windows\system32\SpoonUninstall.exe
    2009-12-28 13:26 . 2009-10-20 12:59 -------- d-----w- c:\program files\Common Files\AVSMedia
    2009-12-27 20:51 . 2009-12-27 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP
    2009-12-27 19:46 . 2009-12-27 19:46 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\AVS4YOU
    2009-12-27 19:25 . 2009-12-27 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
    2009-12-23 23:22 . 2009-12-23 23:21 -------- d-----w- c:\documents and settings\DVD\Application Data\.clamwin
    2009-12-23 22:59 . 2009-12-23 22:59 53 ----a-w- c:\windows\DelToolbox.bat
    2009-12-22 16:50 . 2009-12-22 16:50 25214 ----a-r- c:\documents and settings\Miz\Application Data\Microsoft\Installer\{F1A36967-8AF5-4BDB-90BB-F6B2750839E1}\_294823.exe
    2009-12-22 16:50 . 2009-12-22 16:50 25214 ----a-r- c:\documents and settings\Miz\Application Data\Microsoft\Installer\{F1A36967-8AF5-4BDB-90BB-F6B2750839E1}\_18be6784.exe
    2009-12-22 16:50 . 2009-12-22 16:50 -------- d-----w- c:\program files\SynthEdit
    2009-12-21 14:34 . 2009-12-28 15:42 25120 ----a-w- c:\windows\system32\drivers\rsvcdwdr.sys
    2009-12-21 14:34 . 2009-12-21 14:34 27168 ----a-w- c:\windows\system32\drivers\rrnetcap.sys
    2009-12-11 10:15 . 2009-12-11 10:09 720896 ----a-w- c:\windows\iun6002.exe
    2009-12-02 13:56 . 2009-12-02 13:56 92792 ----a-w- c:\windows\system32\drivers\tpkd.sys
    2009-12-02 13:51 . 2009-12-02 13:51 54328 ----a-w- c:\windows\system32\drivers\iLokDrvr.sys
    .

    ------- Sigcheck -------

    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe

    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll

    c:\windows\System32\wscntfy.exe ... is missing !!
    c:\windows\System32\xmlprov.dll ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
    "SoundMan"="SOUNDMAN.EXE" [2002-03-21 46592]
    "OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
    "OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-03 13312]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoThumbnailCache"= 1 (0x1)
    "link"= 00000000

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midi3"=usbmn1x1.dll
    "midi4"=usbmn1x1.dll
    "midi7"=usbmn1x1.dll
    "midi8"=usbmn1x1.dll
    "midi9"=usbmn1x1.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/02/2010 09:18 162512]
    R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [11/02/2010 15:02 704384]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
    R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [11/02/2010 15:02 1195008]
    R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [20/11/2009 16:41 2560]
    R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [11/02/2010 15:02 31128]
    R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [11/02/2010 15:02 257432]
    R3 cdiport;cdiport;c:\windows\system32\drivers\cdiport.sys [08/04/2007 22:30 72064]
    R3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys [03/01/2010 10:40 5664]
    R3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys [03/01/2010 10:39 23328]
    S0 nullcd;nullcd; [x]
    S2 MSMQSVC;Message Queuing Service;c:\windows\System32\mqsv32.exe --> c:\windows\System32\mqsv32.exe [?]
    S3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [13/12/2009 09:24 10122]
    S3 DbusAudio;DbusAudio;c:\windows\system32\drivers\DbusAudio.sys [28/12/2009 17:34 23096]
    S3 EN1207D;Accton EN1207D/2242A Adapter Driver;c:\windows\system32\drivers\ACC07D.sys [09/07/2001 15:57 23661]
    S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [27/12/2009 19:36 23096]
    S3 notecable;NoteCable Driver (WDM);c:\windows\System32\drivers\notcable.sys --> c:\windows\System32\drivers\notcable.sys [?]
    S3 pctplfw;pctplfw;\??\c:\windows\system32\drivers\pctplfw.sys --> c:\windows\system32\drivers\pctplfw.sys [?]
    S3 rsvcdwdr;rsvcdwdr;c:\windows\system32\drivers\rsvcdwdr.sys [28/12/2009 15:42 25120]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
    S3 ScratchAmp;ScratchAmp Driver (ScratchAmp.sys);c:\windows\system32\drivers\ScratchAmp.sys [05/01/2010 10:19 22912]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/02/2010 16:51 337800]
    S3 XoftSpyService;XoftSpyService;"c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe" --> c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

    2010-01-30 c:\windows\Tasks\Schedule Task Weekly.job
    - c:\program files\Registry Easy\RE.exe [2009-12-15 13:13]
    c:\windows\Tasks\zuluSevenDaysInit.job
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = ;<local>
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - Sign In
    IE: Keyword Density
    IE: Link Popularity
    IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?8d06aa4bc5444d8ea8fea09c27556402
    IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?8d06aa4bc5444d8ea8fea09c27556402
    IE: Position Reporter
    IE: SE Optimizer
    IE: SE Submission
    Trusted Zone: buy-internetsecurity10.com
    Trusted Zone: buy-is2010.com
    Handler: DirectDVD - {85A81A02-336B-43FF-998B-FE8E194FBA4D} - c:\windows\system32\DirectDVDProtocol.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-02-13 20:08
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
    "1"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,d6,9f,52,ce,23,dc,1a,
    c2
    "2"=hex:d1,c8,c3,5e,08,10,b9,8f,1e,fd,a6,7c,f5,6d,b0,f3,a6,71,8f,f8,ab,bd,bd,
    76,64,10,04,f0,92,77,f9,20
    "3"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,ac,98,11,9b,be,95,83,
    07,ae,ba,7e,d8,e6,d6,56,50,c4,dc,bb,7b,18,78,a4,de,04,5c,25,4e,9f,d7,39,6d

    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\0ECC3A43B9416605BEB3AE7E61B07718]
    "1"=hex:47,e4,6c,02,68,b4,3b,2b,30,11,db,3c,35,63,21,d4,11,b1,7e,c5,ed,aa,8e,
    1a,42,2c,55,e0,34,81,ae,ca
    "2"=hex:14,ce,87,8d,79,74,ee,b2
    "3"=hex:81,20,8f,ab,28,6a,52,9c
    "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
    "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
    1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
    "6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
    51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
    "7"=hex:3b,e8,2f,01,6c,32,33,d8,e1,d7,f3,f6,0e,0a,fa,46,62,39,09,43,d3,da,73,
    d4,4e,db,d0,f9,b1,fb,0a,f1,d3,99,57,af,7d,98,93,fd,a5,1e,64,b6,5b,35,28,e1,\
    "8"=hex:63,5a,d7,1b,b1,d4,18,46,0a,a7,b3,1c,99,c8,a4,fc,b2,a0,c4,0f,9f,bf,5f,
    2d,98,42,c1,23,08,65,81,7e,37,62,bf,dc,f3,71,e2,a0
    "9"=hex:81,20,8f,ab,28,6a,52,9c
    "18"=hex:70,56,26,33,e3,20,f8,ab
    "10"=hex:81,20,8f,ab,28,6a,52,9c
    "11"=hex:81,20,8f,ab,28,6a,52,9c
    "12"=hex:81,20,8f,ab,28,6a,52,9c
    "13"=hex:81,20,8f,ab,28,6a,52,9c
    "14"=hex:81,20,8f,ab,28,6a,52,9c
    "24"=hex:81,20,8f,ab,28,6a,52,9c
    "26"=hex:81,20,8f,ab,28,6a,52,9c
    "27"=hex:81,20,8f,ab,28,6a,52,9c
    "19"=hex:81,20,8f,ab,28,6a,52,9c
    "22"=hex:81,20,8f,ab,28,6a,52,9c
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(900)
    c:\windows\System32\ODBC32.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(956)
    c:\windows\System32\dssenh.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\System32\SCardSvr.exe
    c:\windows\System32\wdfmgr.exe
    c:\windows\System32\UAService7.exe
    c:\windows\SOUNDMAN.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-02-13 20:17:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-13 20:17

    Pre-Run: 8,755,236,864 bytes free
    Post-Run: 10,632,888,320 bytes free

    Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
    - - End Of File - - BD8EB5CB5CDBF8061305C2D38FAC7FE6




    Hijack This Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:37:28, on 13/02/2010
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Welcome to Internet Explorer 6.0
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\Msdxm6.ocx
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
    O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?7428e0f6f22344959e2ad530df292c8f
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?7428e0f6f22344959e2ad530df292c8f
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
    O15 - Trusted Zone: http://*.buy-internetsecurity10.com
    O15 - Trusted Zone: http://*.buy-is2010.com
    O15 - Trusted Zone: http://*.is-software-download.com
    O15 - Trusted Zone: http://*.is10-soft-download.com
    O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
    O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\BookWorm\Images\armhelper.ocx
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\System32\mqsv32.exe (file missing)
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
    O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

    --
    End of file - 7366 bytes


    Thanks for all your help with this :)
     
  6. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\ivlxc.sys
    c:\windows\system32\Ole32drv.DLL
    c:\windows\system32\ezsidmv.dat
    c:\windows\system32\drivers\kgpfr2.cfg
    c:\windows\system32\drivers\kgpcpy.cfg
    
    
    Folder::
    
    Driver::
    nullcd
    
    
    Registry::
    
    RegLockDel::
    
    MIA::
    c:\windows\System32\wscntfy.exe
    c:\windows\System32\xmlprov.dll
    
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
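An added example, not part of broni's instructions and not ComboFix's own code: a small Python checker that reads a CFScript and the ComboFix.txt it produced and confirms that each File:: entry shows up under "Other Deletions", each Driver:: entry under "Drivers/Services", and each MIA:: entry is reported as missing. The two sample strings are constructed from the script above and an abridged copy of the log posted in the next reply; the entry hypothetical.sys is invented so the report shows what an unconfirmed deletion looks like. The point of the check is that a reboot and a "completion time" line say nothing about whether a particular file was actually removed, and an entry left in not_deleted is the one to go back and look at.

```python
import re

# Constructed sample: the File::/Driver::/MIA:: parts of the CFScript posted above,
# empty sections omitted. hypothetical.sys is invented (not in the thread).
SAMPLE_CFSCRIPT = r"""File::
c:\windows\system32\drivers\ivlxc.sys
c:\windows\system32\Ole32drv.DLL
c:\windows\system32\ezsidmv.dat
c:\windows\system32\drivers\kgpfr2.cfg
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\drivers\hypothetical.sys

Driver::
nullcd

MIA::
c:\windows\System32\wscntfy.exe
c:\windows\System32\xmlprov.dll
"""

# Constructed sample: an abridged copy of the ComboFix.txt posted in reply.
SAMPLE_LOG = r"""ComboFix 10-02-12.01 - INTERNET ONLY 14/02/2010 10:23:58.1.1 - x86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\Drivers\ivlxc.sys
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\drivers\kgpfr2.cfg
c:\windows\system32\ezsidmv.dat
c:\windows\system32\Ole32drv.DLL

c:\windows\System32\wscntfy.exe . . . is missing!!
c:\windows\System32\xmlprov.dll . . . is missing!!
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Service_nullcd
"""

HEADER_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")      # (((( Section Name ))))
MISSING_RE = re.compile(r"^(?P<path>[a-z]:\\.*?)\s*(?:\. \. \.|\.\.\.)\s*is missing\s*!!$", re.I)
SERVICE_RE = re.compile(r"^-------\\Service_(?P<name>\S+)$")   # -------\Service_<name>
PATH_RE = re.compile(r"^[a-z]:\\\S", re.I)                       # bare drive-letter path


def norm(path):
    """Case-insensitive key: the log mixes upper- and lower-case directory names."""
    return path.strip().lower()


def parse_cfscript(text):
    """Map each 'Name::' section of a CFScript to its non-empty entry lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.fullmatch(r"(\w+)::", line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Return (paths deleted, paths reported missing, services removed)."""
    deleted, missing, services = set(), set(), set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            section = m.group("name").lower()
            continue
        if m := MISSING_RE.match(line):        # "is missing!!" appears in more than one section
            missing.add(norm(m.group("path")))
            continue
        if section == "other deletions" and PATH_RE.match(line):
            deleted.add(norm(line))
        elif section == "drivers/services" and (m := SERVICE_RE.match(line)):
            services.add(m.group("name").lower())
    return deleted, missing, services


def verify(cfscript_text, log_text):
    """Cross-check every File::/Driver::/MIA:: entry against what the log says happened."""
    script = parse_cfscript(cfscript_text)
    deleted, missing, services = parse_combofix_log(log_text)
    files = {norm(p) for p in script.get("File", [])}
    mia = {norm(p) for p in script.get("MIA", [])}
    drivers = {d.lower() for d in script.get("Driver", [])}
    return {
        "deleted": sorted(files & deleted),
        "not_deleted": sorted(files - deleted),          # these need a second look
        "mia_confirmed": sorted(mia & missing),
        "mia_unconfirmed": sorted(mia - missing),
        "drivers_removed": sorted(drivers & services),
        "drivers_not_removed": sorted(drivers - services),
    }


if __name__ == "__main__":
    for key, items in verify(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{key}: {items or '-'}")
```

Run as-is it reports the five real entries as deleted, nullcd as removed, both MIA:: files as missing, and hypothetical.sys as not deleted. To use it on a real run, replace the two sample strings with the contents of CFScript.txt and C:\ComboFix.txt. Note that MIA:: only asks ComboFix to check for the named system files; in the log posted below both are still reported as missing after the run, so putting them back is a separate step.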
  7. miz

    miz Techie7 New Member

    Today's logs

    <<COMBO-FIX>>

    ComboFix 10-02-12.01 - INTERNET ONLY 14/02/2010 10:23:58.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.735.454 [GMT 0:00]
    Running from: c:\documents and settings\INTERNET ONLY\My Documents\dowloads\New Folder\ComboFix.exe
    Command switches used :: c:\documents and settings\INTERNET ONLY\My Documents\CFScript.txt

    FILE ::
    "c:\windows\system32\drivers\ivlxc.sys"
    "c:\windows\system32\drivers\kgpcpy.cfg"
    "c:\windows\system32\drivers\kgpfr2.cfg"
    "c:\windows\system32\ezsidmv.dat"
    "c:\windows\system32\Ole32drv.DLL"
    .
    /wow section - STAGE 4
    'play.lnk' is not recognized as an internal or external command
    'Malware' is not recognized as an internal or external command
    'play.lnk' is not recognized as an internal or external command
    'Malware' is not recognized as an internal or external command
    'play.lnk' is not recognized as an internal or external command
    'play.lnk' is not recognized as an internal or external command


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\Drivers\ivlxc.sys
    c:\windows\system32\drivers\kgpcpy.cfg
    c:\windows\system32\drivers\kgpfr2.cfg
    c:\windows\system32\ezsidmv.dat
    c:\windows\system32\Ole32drv.DLL

    c:\windows\System32\wscntfy.exe . . . is missing!!

    c:\windows\System32\xmlprov.dll . . . is missing!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_nullcd


    ((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
    .

    2010-02-13 19:29 . 2010-02-13 19:29 -------- d-----w- c:\program files\Bullfrog
    2010-02-13 15:46 . 2010-02-13 15:46 -------- d-----w- c:\program files\Sophos
    2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com
    2010-02-13 14:20 . 2010-02-13 14:20 -------- d-----w- c:\program files\Trend Micro
    2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Malwarebytes
    2010-02-13 09:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-13 09:39 . 2010-01-07 16:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-12 12:28 . 2010-02-12 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
    2010-02-12 12:25 . 2010-02-12 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
    2010-02-12 12:24 . 2010-02-13 19:35 -------- d-----w- c:\program files\Alawar
    2010-02-12 12:14 . 2010-02-12 12:16 -------- d-----w- c:\program files\EzGenerator3
    2010-02-12 12:08 . 2010-02-12 12:08 -------- d-----w- c:\windows\system32\aspi
    2010-02-12 12:08 . 2010-02-12 12:08 -------- d-----w- c:\program files\intelliScore Ensemble
    2010-02-11 15:46 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Absolutist
    2010-02-11 15:02 . 2009-04-06 11:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
    2010-02-11 15:02 . 2009-02-10 16:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
    2010-02-11 15:02 . 2009-02-18 17:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
    2010-02-11 15:02 . 2010-02-11 15:02 -------- d-----w- c:\program files\Agnitum
    2010-02-11 15:01 . 2010-02-11 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
    2010-02-11 14:55 . 2010-02-11 14:56 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\OnlineArmor
    2010-02-11 14:55 . 2010-02-11 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
    2010-02-11 14:55 . 2009-12-05 07:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
    2010-02-11 14:55 . 2009-12-05 07:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
    2010-02-11 14:55 . 2009-12-05 07:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys
    2010-02-11 14:55 . 2010-02-11 14:55 -------- d-----w- c:\program files\Tall Emu
    2010-02-11 12:14 . 2010-02-11 12:14 -------- d-----w- c:\program files\Uniblue
    2010-02-11 10:44 . 2002-08-29 01:32 57856 -c--a-w- c:\windows\system32\dllcache\drmk.sys
    2010-02-11 10:44 . 2002-08-29 01:32 57856 ----a-w- c:\windows\system32\drivers\drmk.sys
    2010-02-11 10:44 . 2002-08-29 02:01 134272 -c--a-w- c:\windows\system32\dllcache\portcls.sys
    2010-02-11 10:44 . 2002-08-29 02:01 134272 ----a-w- c:\windows\system32\drivers\portcls.sys
    2010-02-11 09:18 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-02-11 09:18 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-02-11 09:18 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-02-11 09:17 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-02-11 09:17 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-02-11 09:17 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-02-11 09:17 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-02-11 09:17 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-02-10 21:16 . 2010-02-11 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-02-10 21:16 . 2010-02-10 21:16 -------- d-----w- c:\program files\Alwil Software
    2010-02-10 16:49 . 2010-02-10 16:51 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
    2010-02-10 16:49 . 2007-12-10 14:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
    2010-02-10 16:49 . 2007-12-10 14:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
    2010-02-10 16:49 . 2007-12-10 14:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
    2010-02-10 16:49 . 2010-02-11 16:33 -------- d-----w- c:\program files\Spyware Doctor
    2010-02-10 16:49 . 2010-02-10 16:49 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\PC Tools
    2010-02-10 16:25 . 2010-02-10 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-02-10 16:19 . 2010-02-10 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-02-10 11:39 . 2010-02-10 11:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-02-10 11:30 . 2010-02-10 11:30 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2010-02-10 11:05 . 2010-02-10 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-02-10 11:03 . 2010-02-10 11:03 -------- d-----w- c:\program files\Common Files\iS3
    2010-02-10 11:03 . 2010-02-10 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-02-09 18:30 . 2010-02-09 18:30 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\skypePM
    2010-02-09 18:25 . 2010-02-09 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-02-09 10:22 . 2010-02-10 15:55 -------- d-----w- c:\program files\WNAS
    2010-02-08 14:23 . 2009-08-06 19:24 209632 ----a-w- c:\windows\system32\wuweb.dll
    2010-02-08 14:23 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-02-08 14:23 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-02-05 08:53 . 2010-02-05 08:53 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Sony
    2010-02-05 08:51 . 2010-02-05 08:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Publish Providers
    2010-02-05 08:51 . 2010-02-05 08:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NetMedia Providers
    2010-02-04 14:09 . 2010-02-04 14:09 -------- d-----w- c:\documents and settings\INTERNET ONLY\Local Settings\Application Data\Sony
    2010-02-03 18:29 . 2010-02-03 18:42 -------- d-----w- c:\program files\FreeGamePick.com
    2010-02-02 13:56 . 2004-02-25 18:19 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_9.dll
    2010-02-02 13:56 . 2004-01-15 12:41 65536 ----a-w- c:\windows\system32\NI_DFD_1_2_8.dll
    2010-02-02 13:56 . 2003-12-15 16:02 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_7.dll
    2010-02-02 13:56 . 2003-12-15 16:02 69632 ----a-w- c:\windows\system32\NI_DFD.dll
    2010-02-02 13:56 . 2003-12-04 12:47 69632 ----a-w- c:\windows\system32\NI_DFD_KOMPAKT.dll
    2010-02-02 13:56 . 2003-12-04 12:47 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_4.dll
    2010-02-02 13:56 . 2004-06-07 13:18 258048 ----a-w- c:\windows\system32\REX Shared Library.dll
    2010-02-01 19:31 . 2010-02-01 19:31 -------- d-----w- c:\program files\Total War
    2010-02-01 08:40 . 2010-02-01 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\East West
    2010-01-31 18:42 . 2010-01-31 18:42 -------- d-----w- c:\program files\Stringer
    2010-01-31 18:40 . 2002-09-03 16:46 323072 ------w- c:\windows\system32\msvcrt.dll
    2010-01-31 18:39 . 2010-01-31 18:40 -------- d-----w- c:\windows\speech
    2010-01-31 18:39 . 2010-01-31 18:39 -------- d-----w- c:\program files\VoiceMX
    2010-01-31 18:39 . 2001-10-13 23:48 28672 ----a-w- c:\windows\system32\SmartMenuXP.dll
    2010-01-26 11:59 . 2010-01-26 11:59 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\KORG
    2010-01-25 20:04 . 2010-01-25 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\KORG
    2010-01-25 16:10 . 2010-01-25 16:10 -------- d-----w- c:\program files\Audacity
    2010-01-25 15:23 . 2010-01-25 15:22 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-23 10:57 . 2003-11-12 23:38 510976 ----a-w- c:\windows\system32\synsoacc.dll
    2010-01-19 12:52 . 2010-02-03 14:00 -------- d-----w- c:\program files\bfgclient
    2010-01-19 12:52 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2010-01-18 21:54 . 2010-01-18 21:54 -------- d-----w- c:\program files\DatawareGames

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-14 10:39 . 2002-08-13 23:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-14 10:37 . 2009-11-20 16:51 857 --sha-w- c:\windows\system32\mmf.sys
    2010-02-13 19:36 . 2010-01-05 10:18 -------- d-----w- c:\program files\Native Instruments
    2010-02-13 16:03 . 2010-01-09 20:06 2464 ----a-w- c:\program files\Absynth 1.3 prefs.ini
    2010-02-13 15:45 . 2010-02-13 15:45 52224 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-13 15:44 . 2010-02-13 15:44 117760 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-13 15:44 . 2009-09-26 16:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-02-11 16:49 . 2009-12-15 08:16 -------- d-----w- c:\program files\Registry Easy
    2010-02-11 12:16 . 2009-09-18 17:19 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Uniblue
    2010-02-10 22:28 . 2008-01-27 00:09 -------- d-----w- c:\program files\CROSS
    2010-02-10 22:25 . 2009-09-16 11:36 141192 ----a-w- c:\documents and settings\INTERNET ONLY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-10 16:08 . 2009-09-18 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-02-10 15:33 . 2008-01-19 22:08 -------- d-----w- c:\program files\Java
    2010-02-09 21:14 . 2007-03-28 15:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-02-09 21:13 . 2010-01-08 20:58 -------- d-----w- c:\program files\Sony
    2010-02-09 16:46 . 2009-04-19 19:16 -------- d-----w- c:\program files\LG PC Suite II
    2010-02-04 14:06 . 2010-01-08 20:57 -------- d-----w- c:\program files\Sony Setup
    2010-02-01 20:04 . 2009-08-14 19:05 1575 -c--a-w- c:\windows\eReg.dat
    2010-02-01 08:55 . 2010-01-04 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
    2010-01-24 18:00 . 2009-12-10 09:53 48 ----a-w- c:\windows\msocreg32.dat
    2010-01-18 20:29 . 2007-12-14 16:20 -------- d-----w- c:\program files\Xara
    2010-01-18 20:29 . 2007-03-27 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-12 21:48 . 2010-01-12 21:48 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Auslogics
    2010-01-12 21:44 . 2010-01-12 21:44 -------- d-----w- c:\program files\FDF
    2010-01-11 12:01 . 2007-08-08 21:24 -------- d-----w- c:\program files\Image-Line
    2010-01-10 21:07 . 2010-01-10 21:07 -------- d-----w- c:\program files\Pro-53
    2010-01-10 18:44 . 2010-01-10 18:39 -------- d-----w- c:\program files\Common Files\Native Instruments
    2010-01-10 18:31 . 2010-01-10 18:31 -------- d-----w- c:\program files\Tone2
    2010-01-10 18:27 . 2010-01-10 18:27 -------- d-----w- c:\program files\ASIO4ALL v2
    2010-01-09 18:01 . 2009-12-10 09:38 -------- d-----w- c:\program files\IK Multimedia
    2010-01-09 18:01 . 2010-01-09 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\IK Multimedia
    2010-01-09 15:12 . 2010-01-09 15:12 -------- d-----w- c:\program files\Absynth 1.3
    2010-01-05 22:19 . 2010-01-01 12:55 -------- d-----w- c:\program files\Google
    2010-01-05 12:40 . 2010-01-05 12:37 -------- d-----w- c:\program files\Waves
    2010-01-04 16:18 . 2010-01-04 16:18 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
    2010-01-04 16:12 . 2010-01-04 16:12 -------- d-----w- c:\program files\InterLok
    2010-01-04 16:10 . 2010-01-04 16:10 -------- d-----w- c:\program files\delaydots
    2010-01-04 11:16 . 2010-01-04 11:08 2048 ----a-w- c:\windows\system32\Tr_sttool.dat
    2010-01-02 13:16 . 2009-12-31 08:37 -------- d-----w- c:\program files\SWiSH Max2
    2010-01-02 13:16 . 2009-12-29 12:06 -------- d-----w- c:\program files\NCH Swift Sound
    2010-01-01 20:09 . 2007-04-07 16:27 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-01 20:06 . 2009-12-30 11:12 -------- d-----w- c:\program files\AnvSoft Web FLV Player Free
    2009-12-31 08:52 . 2009-12-31 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SWiSHMax2WorkFolder
    2009-12-31 08:38 . 2009-12-31 08:38 -------- d-----w- c:\program files\Common Files\SWiSHzone.com
    2009-12-30 10:19 . 2009-12-30 10:17 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\itsourtree
    2009-12-30 09:36 . 2009-12-30 09:36 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Family Tree Pilot
    2009-12-30 08:17 . 2009-12-29 18:59 -------- d-----w- c:\program files\MyHeritage
    2009-12-29 19:02 . 2009-12-29 19:02 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\MyHeritage
    2009-12-29 19:02 . 2009-12-29 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\MyHeritage
    2009-12-29 14:56 . 2009-12-29 09:56 -------- d-----w- c:\program files\Super Internet TV
    2009-12-29 14:56 . 2009-12-28 14:08 -------- d-----w- c:\program files\RapidSolution
    2009-12-29 14:55 . 2009-12-27 19:30 -------- d-----w- c:\program files\NCH Software
    2009-12-29 12:08 . 2009-12-29 12:08 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NCH Software
    2009-12-29 12:08 . 2009-12-29 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
    2009-12-29 12:08 . 2009-12-27 19:25 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NCH Swift Sound
    2009-12-29 10:51 . 2009-12-29 10:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\OverDrive
    2009-12-29 10:51 . 2009-12-29 10:51 -------- d-----w- c:\program files\OverDrive Media Console
    2009-12-28 18:19 . 2009-12-28 17:55 -------- d-----w- c:\program files\NoteCable
    2009-12-28 17:56 . 2009-12-28 17:56 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NoteCable
    2009-12-28 15:22 . 2009-12-28 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\RapidSolution
    2009-12-28 14:29 . 2009-12-28 13:46 -------- d-----w- c:\program files\Mp3 Convert Master
    2009-12-28 14:28 . 2009-12-28 13:36 -------- d-----w- c:\program files\MP3 Convert Lord
    2009-12-28 14:11 . 2009-12-28 14:11 476512 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\RadioRip.dll
    2009-12-28 14:11 . 2009-12-28 14:11 169312 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgSoundclick.dll
    2009-12-28 14:11 . 2009-12-28 14:11 128352 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgMyspace.dll
    2009-12-28 14:11 . 2009-12-28 14:11 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgPandora.dll
    2009-12-28 14:11 . 2009-12-28 14:11 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgLastfm.dll
    2009-12-28 14:11 . 2009-12-28 14:11 99680 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgIJigg.dll
    2009-12-28 14:11 . 2009-12-28 14:11 230752 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgHypemachine.dll
    2009-12-28 14:11 . 2009-12-28 14:11 120160 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgGeneral.dll
    2009-12-28 14:11 . 2009-12-28 14:11 87392 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDefault.dll
    2009-12-28 14:11 . 2009-12-28 14:11 140640 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDeezer.dll
    2009-12-28 13:53 . 2009-12-28 13:53 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\AccurateRip
    2009-12-28 13:52 . 2008-01-07 00:52 5640880 -c--a-w- c:\windows\system32\SpoonUninstall.exe
    2009-12-28 13:26 . 2009-10-20 12:59 -------- d-----w- c:\program files\Common Files\AVSMedia
    2009-12-27 20:51 . 2009-12-27 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP
    2009-12-27 19:46 . 2009-12-27 19:46 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\AVS4YOU
    2009-12-27 19:25 . 2009-12-27 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
    2009-12-23 23:22 . 2009-12-23 23:21 -------- d-----w- c:\documents and settings\DVD\Application Data\.clamwin
    2009-12-23 22:59 . 2009-12-23 22:59 53 ----a-w- c:\windows\DelToolbox.bat
    2009-12-22 16:50 . 2009-12-22 16:50 -------- d-----w- c:\program files\SynthEdit
    2009-12-21 14:34 . 2009-12-28 15:42 25120 ----a-w- c:\windows\system32\drivers\rsvcdwdr.sys
    2009-12-21 14:34 . 2009-12-21 14:34 27168 ----a-w- c:\windows\system32\drivers\rrnetcap.sys
    2009-12-11 10:15 . 2009-12-11 10:09 720896 ----a-w- c:\windows\iun6002.exe
    2009-12-02 13:56 . 2009-12-02 13:56 92792 ----a-w- c:\windows\system32\drivers\tpkd.sys
    2009-12-02 13:51 . 2009-12-02 13:51 54328 ----a-w- c:\windows\system32\drivers\iLokDrvr.sys
    2009-12-02 12:03 . 2009-12-02 12:03 0 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\GUIcommon.dll
    2009-11-27 18:23 . 2009-11-27 18:22 5394440 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\Blitware\DriverRobot\updates\1.2.0.1\DriverRobot_Setup.exe
    2009-11-20 16:41 . 2009-11-20 16:41 49152 ----a-w- c:\windows\mmfs.dll
    2009-11-20 16:41 . 2009-11-20 16:41 2560 ----a-w- c:\windows\Runservice.exe
    2009-11-19 16:52 . 2009-12-28 17:34 23096 ----a-w- c:\windows\system32\drivers\DbusAudio.sys
    2009-11-19 16:43 . 2007-04-07 15:33 30 -c--a-w- c:\windows\popcinfo.dat
    2009-11-19 16:34 . 2009-12-27 19:36 23096 ----a-w- c:\windows\system32\drivers\MusCAudio.sys
    .

    ------- Sigcheck -------

    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe

    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll

    c:\windows\System32\wscntfy.exe ... is missing !!
    c:\windows\System32\xmlprov.dll ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
    "SoundMan"="SOUNDMAN.EXE" [2002-03-21 46592]
    "OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
    "OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-02-10 1107848]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-03 13312]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoThumbnailCache"= 1 (0x1)
    "link"= 00000000

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midi3"=usbmn1x1.dll
    "midi4"=usbmn1x1.dll
    "midi7"=usbmn1x1.dll
    "midi8"=usbmn1x1.dll
    "midi9"=usbmn1x1.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/02/2010 09:18 162512]
    R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [11/02/2010 15:02 704384]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
    R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [11/02/2010 15:02 1195008]
    R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [20/11/2009 16:41 2560]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/02/2010 16:51 337800]
    R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [11/02/2010 15:02 31128]
    R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [11/02/2010 15:02 257432]
    R3 cdiport;cdiport;c:\windows\system32\drivers\cdiport.sys [08/04/2007 22:30 72064]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
    R3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys [03/01/2010 10:40 5664]
    R3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys [03/01/2010 10:39 23328]
    S2 MSMQSVC;Message Queuing Service;c:\windows\System32\mqsv32.exe --> c:\windows\System32\mqsv32.exe [?]
    S3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [13/12/2009 09:24 10122]
    S3 DbusAudio;DbusAudio;c:\windows\system32\drivers\DbusAudio.sys [28/12/2009 17:34 23096]
    S3 EN1207D;Accton EN1207D/2242A Adapter Driver;c:\windows\system32\drivers\ACC07D.sys [09/07/2001 15:57 23661]
    S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [27/12/2009 19:36 23096]
    S3 notecable;NoteCable Driver (WDM);c:\windows\System32\drivers\notcable.sys --> c:\windows\System32\drivers\notcable.sys [?]
    S3 pctplfw;pctplfw;\??\c:\windows\system32\drivers\pctplfw.sys --> c:\windows\system32\drivers\pctplfw.sys [?]
    S3 rsvcdwdr;rsvcdwdr;c:\windows\system32\drivers\rsvcdwdr.sys [28/12/2009 15:42 25120]
    S3 ScratchAmp;ScratchAmp Driver (ScratchAmp.sys);c:\windows\system32\drivers\ScratchAmp.sys [05/01/2010 10:19 22912]
    S3 XoftSpyService;XoftSpyService;"c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe" --> c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

    2010-01-30 c:\windows\Tasks\Schedule Task Weekly.job
    - c:\program files\Registry Easy\RE.exe [2009-12-15 13:13]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=KZdBalJOEowZgHW..FBEFA
    uInternet Connection Wizard,ShellNext = hxxp://www.savewealth.com/support/ie6/welcome.html
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - Sign In
    IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?7428e0f6f22344959e2ad530df292c8f
    IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?7428e0f6f22344959e2ad530df292c8f
    Trusted Zone: buy-internetsecurity10.com
    Trusted Zone: buy-is2010.com
    Trusted Zone: is-software-download.com
    Trusted Zone: is10-soft-download.com
    Trusted Zone: buy-internetsecurity10.com
    Trusted Zone: buy-is2010.com
    Handler: DirectDVD - {85A81A02-336B-43FF-998B-FE8E194FBA4D} - c:\windows\system32\DirectDVDProtocol.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{081230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    HKCU-Run-FAST Defrag - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-02-14 10:40
    Windows 5.1.2600 Service Pack 1 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
    "1"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,d6,9f,52,ce,23,dc,1a,
    c2
    "2"=hex:d1,c8,c3,5e,08,10,b9,8f,1e,fd,a6,7c,f5,6d,b0,f3,a6,71,8f,f8,ab,bd,bd,
    76,64,10,04,f0,92,77,f9,20
    "3"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,ac,98,11,9b,be,95,83,
    07,ae,ba,7e,d8,e6,d6,56,50,c4,dc,bb,7b,18,78,a4,de,04,5c,25,4e,9f,d7,39,6d

    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\0ECC3A43B9416605BEB3AE7E61B07718]
    "1"=hex:47,e4,6c,02,68,b4,3b,2b,30,11,db,3c,35,63,21,d4,11,b1,7e,c5,ed,aa,8e,
    1a,42,2c,55,e0,34,81,ae,ca
    "2"=hex:14,ce,87,8d,79,74,ee,b2
    "3"=hex:81,20,8f,ab,28,6a,52,9c
    "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
    "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
    1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
    "6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
    51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
    "7"=hex:3b,e8,2f,01,6c,32,33,d8,e1,d7,f3,f6,0e,0a,fa,46,62,39,09,43,d3,da,73,
    d4,4e,db,d0,f9,b1,fb,0a,f1,d3,99,57,af,7d,98,93,fd,a5,1e,64,b6,5b,35,28,e1,\
    "8"=hex:63,5a,d7,1b,b1,d4,18,46,0a,a7,b3,1c,99,c8,a4,fc,b2,a0,c4,0f,9f,bf,5f,
    2d,98,42,c1,23,08,65,81,7e,37,62,bf,dc,f3,71,e2,a0
    "9"=hex:81,20,8f,ab,28,6a,52,9c
    "18"=hex:70,56,26,33,e3,20,f8,ab
    "10"=hex:81,20,8f,ab,28,6a,52,9c
    "11"=hex:81,20,8f,ab,28,6a,52,9c
    "12"=hex:81,20,8f,ab,28,6a,52,9c
    "13"=hex:81,20,8f,ab,28,6a,52,9c
    "14"=hex:81,20,8f,ab,28,6a,52,9c
    "24"=hex:81,20,8f,ab,28,6a,52,9c
    "26"=hex:81,20,8f,ab,28,6a,52,9c
    "27"=hex:81,20,8f,ab,28,6a,52,9c
    "19"=hex:81,20,8f,ab,28,6a,52,9c
    "22"=hex:81,20,8f,ab,28,6a,52,9c
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(900)
    c:\windows\System32\ODBC32.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(956)
    c:\windows\System32\dssenh.dll

    - - - - - - - > 'explorer.exe'(404)
    c:\windows\System32\SHDOCVW.dll
    c:\windows\System32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Spyware Doctor\pctsSvc.exe
    c:\windows\System32\wdfmgr.exe
    c:\windows\System32\UAService7.exe
    c:\windows\SOUNDMAN.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-02-14 10:50:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-14 10:50
    ComboFix2.txt 2010-02-13 20:17

    Pre-Run: 10,640,949,248 bytes free
    Post-Run: 10,612,191,232 bytes free

    Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
    - - End Of File - - 24B951E710783CF2BAE527955D923551





    <<HIJACK THIS>>

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:52:12, on 14/02/2010
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Welcome to Internet Explorer 6.0
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\Msdxm6.ocx
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
    O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?7428e0f6f22344959e2ad530df292c8f
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?7428e0f6f22344959e2ad530df292c8f
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
    O15 - Trusted Zone: http://*.buy-internetsecurity10.com
    O15 - Trusted Zone: http://*.buy-is2010.com
    O15 - Trusted Zone: http://*.is-software-download.com
    O15 - Trusted Zone: http://*.is10-soft-download.com
    O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
    O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\BookWorm\Images\armhelper.ocx
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\System32\mqsv32.exe (file missing)
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
    O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

    --
    End of file - 7217 bytes
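The HijackThis log above is read by hand in this thread. As an added example (my code, not HijackThis, ComboFix or anything the helper posted), here is a small triage script that parses the `Rn`/`On` entry format and surfaces the entry classes that most often carry a hijack: O15 Trusted Zone additions, O23 services whose binary is missing or has no publisher, O2/O9 extensions with no backing file, unknown Winsock LSPs, and O4 autoruns given without a full path. The flagging rules and the allow-list of Trusted Zone domains are this example's own assumptions, and the sample log is constructed to mirror the shapes of the entries posted above.

```python
"""Triage a HijackThis v2 log: surface the entry classes that most often
carry a hijack so they are reviewed first. Added example, not HijackThis code.
Rules and the Trusted Zone allow-list are this example's own assumptions."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Every HijackThis entry is "<Rn|Fn|On> - <payload>".
_ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<rest>.*)$")

# Trusted Zone host suffixes treated as expected on a home machine (assumption).
TRUSTED_ZONE_ALLOW = ("microsoft.com", "windowsupdate.com")

# Constructed sample in the shape of the entries posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [ISTray] "C:\\Program Files\\Spyware Doctor\\pctsTray.exe"
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.update.microsoft.com
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\\Program Files\\Spyware Doctor\\pctsSvc.exe
O23 - Service: XoftSpyService - Unknown owner - C:\\Program Files\\Common Files\\XoftSpySE\\6\\xoftspyservice.exe (file missing)
"""

def _trusted_zone_host(rest):
    m = re.search(r"https?://(?:\*\.)?([^\s/]+)", rest)
    return m.group(1).lower() if m else None

def _allowed_host(host):
    # Suffix match on a label boundary so "evilmicrosoft.com" is not allowed.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_ZONE_ALLOW)

def classify(section, rest):
    """Return a reason string when the entry deserves review, else None."""
    if section == "O15":
        host = _trusted_zone_host(rest)
        if host and not _allowed_host(host):
            return "site in IE Trusted Zone: its content runs with relaxed security settings"
    elif section == "O23":
        if "(file missing)" in rest:
            return "service registered but its binary is gone: leftover of a removed program or a deleted payload"
        if "Unknown owner" in rest:
            return "service with no publisher string: verify the binary's hash or signature"
    elif section in ("O2", "O9") and "(no file)" in rest:
        return "browser extension CLSID with no backing DLL: stale registration"
    elif section == "O10":
        return "Winsock LSP HijackThis cannot identify: confirm it belongs to installed software"
    elif section == "O4":
        # Strip "<hive>\..\Run: [Name] " and quotes; what remains is the command.
        target = re.sub(r"^\S+\s*\[[^\]]*\]\s*", "", rest).strip().strip('"')
        if not re.match(r"^[A-Za-z]:\\", target):
            return "autorun without a full path: resolved via the search path at logon, so it can be shadowed"
    return None

def triage(log_text):
    """Return the entries worth a second look, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        reason = classify(m.group("section"), m.group("rest"))
        if reason:
            findings.append(Finding(m.group("section"), reason, line.strip()))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the real log it would pull out every O15 line, both orphaned O23 services and the O10 LSP, which is the same set a helper reads first; it says nothing about whether an entry is malicious, only which ones need a decision.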
     
  8. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      wscntfy.exe
      xmlprov.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  9. miz

    miz Techie7 New Member

    Hi Broni, this is the log from system look

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 09:26 on 15/02/2010 by INTERNET ONLY (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "wscnthy.exe"
    No files found.

    Searching for "xmlprov.dll"
    C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll --a--- 129536 bytes [07:56 04/08/2004] [07:56 04/08/2004] EEF46DAB68229A14DA3D8E73C99E2959

    -=End Of File=-
     
  10. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Attached is zipped wscntfy.exe file. Unzip it and paste wscntfy.exe file into c:\windows\System32 folder.

    Then.....

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    
    Driver::
    
    Fcopy::
    C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll | c:\windows\System32\xmlprov.dll
    
    Registry::
    
    RegLockDel::
    
    
    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     

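The `Fcopy::` line in the CFScript above copies the cached `xmlprov.dll` into System32 with no check of its own; the only verification in this procedure is the `Sigcheck` section ComboFix prints afterwards (date, MD5, size, version and path per copy of the file). As an added example (my code, not ComboFix, SystemLook or the helper's tooling), the script below does the checks a practitioner would want before trusting a replacement: it parses Sigcheck lines in that format and reports files whose copies disagree on MD5, and it copies a candidate over the target only when its MD5 and the file version embedded in its PE version resource match a reference. The reference MD5 is assumed to come from a clean machine at the same service-pack level; the demo files are constructed blobs that carry only a `VS_FIXEDFILEINFO` header, not real Windows binaries.

```python
"""Check a replacement system file before it goes into System32.
Added example, not ComboFix or SystemLook code. The reference MD5 is assumed
to come from a clean machine at the same SP level; demo files are constructed."""
import hashlib
import os
import re
import shutil
import struct
import tempfile
from collections import defaultdict

# ComboFix Sigcheck line: "[-] 2004-08-04 . <MD5> . <size> . . [<version>] . . <path>"
_SIGCHECK = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$")

# Sample in the Sigcheck format used by the ComboFix logs in this thread.
SIGCHECK_SAMPLE = """\
[-] 2007-10-30 . E9EEB38B858B637F4F8FA3401F325DC5 . 13824 . . [5.1.2600.3244] . . c:\\windows\\system32\\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\\windows\\SoftwareDistribution\\Download\\16b2c96a0c41f4dfdb4d3cc228a4f819\\wscntfy.exe
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\\windows\\SoftwareDistribution\\Download\\16b2c96a0c41f4dfdb4d3cc228a4f819\\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\\windows\\system32\\xmlprov.dll
"""

def parse_sigcheck(text):
    """Yield one dict per Sigcheck line; other lines are skipped."""
    for line in text.splitlines():
        m = _SIGCHECK.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
            yield d

def sigcheck_mismatches(text):
    """file name -> entries, for names whose copies do not all share one MD5."""
    by_name = defaultdict(list)
    for e in parse_sigcheck(text):
        by_name[e["name"]].append(e)
    return {n: es for n, es in by_name.items()
            if len({e["md5"].upper() for e in es}) > 1}

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def pe_file_version(path):
    """File version from VS_FIXEDFILEINFO, located by its 0xFEEF04BD signature.
    A raw byte scan rather than a resource-tree walk: enough for a sanity check."""
    with open(path, "rb") as f:
        data = f.read()
    i = data.find(b"\xbd\x04\xef\xfe")        # little-endian 0xFEEF04BD
    if i < 0:
        return None
    _sig, _struc, ms, ls = struct.unpack_from("<IIII", data, i)
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"

def verified_restore(src, dst, expected_md5, expected_version):
    """Copy src over dst only when MD5 and PE version both match the reference.
    Keeps whatever was at dst as dst.bak. Returns (ok, detail)."""
    actual = md5_of(src)
    if actual != expected_md5.upper():
        return False, f"md5 mismatch: {actual} != {expected_md5.upper()}"
    ver = pe_file_version(src)
    if ver != expected_version:
        return False, f"version mismatch: {ver} != {expected_version}"
    if os.path.exists(dst):
        shutil.copy2(dst, dst + ".bak")         # keep the old copy for forensics
    shutil.copy2(src, dst)
    return True, f"restored {os.path.basename(dst)} md5={actual} version={ver}"

def _fake_pe(path, version, tamper=False):
    """Constructed blob carrying only a VS_FIXEDFILEINFO header (demo input)."""
    a, b, c, d = (int(x) for x in version.split("."))
    fixed = struct.pack("<IIII", 0xFEEF04BD, 0x10000, (a << 16) | b, (c << 16) | d)
    body = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64 + fixed + b"\x00" * 32
    if tamper:
        body = body[:-1] + b"\x01"              # one byte changed, version intact
    with open(path, "wb") as f:
        f.write(body)

def demo():
    """Reference copy from the update cache vs a tampered candidate, in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "cache_xmlprov.dll")
        bad = os.path.join(tmp, "tampered_xmlprov.dll")
        dst = os.path.join(tmp, "system32_xmlprov.dll")
        _fake_pe(cache, "5.1.2600.2180")
        _fake_pe(bad, "5.1.2600.2180", tamper=True)
        reference_md5 = md5_of(cache)           # assumed known-good, same SP level
        ok_bad, why_bad = verified_restore(bad, dst, reference_md5, "5.1.2600.2180")
        ok_good, _ = verified_restore(cache, dst, reference_md5, "5.1.2600.2180")
        return {"tampered_rejected": not ok_bad, "why": why_bad,
                "restored": ok_good and md5_of(dst) == reference_md5,
                "version": pe_file_version(dst)}

if __name__ == "__main__":
    for name, entries in sigcheck_mismatches(SIGCHECK_SAMPLE).items():
        print(f"{name}: {len(entries)} copies with different MD5")
        for e in entries:
            print(f"  {e['md5']} [{e['version']}] {e['path']}")
    print(demo())
```

On the sample the mismatch report names only `wscntfy.exe` (two copies, two versions, two hashes) while the two `xmlprov.dll` copies agree, which is the same conclusion a reader draws from the Sigcheck block by eye; the restore path refuses the tampered file on MD5 before it ever touches the target.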

  11. miz

    miz Techie7 New Member

    Combo fix log >

    ComboFix 10-02-12.01 - INTERNET ONLY 15/02/2010 19:37:48.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.735.416 [GMT 0:00]
    Running from: c:\documents and settings\INTERNET ONLY\My Documents\dowloads\New Folder\ComboFix.exe
    Command switches used :: c:\documents and settings\INTERNET ONLY\My Documents\CFScript.txt
    .
    /wow section - STAGE 4
    'play.lnk' is not recognized as an internal or external command
    'Malware' is not recognized as an internal or external command
    'play.lnk' is not recognized as an internal or external command
    'Malware' is not recognized as an internal or external command
    'play.lnk' is not recognized as an internal or external command
    'play.lnk' is not recognized as an internal or external command


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    --------------- FCopy ---------------

    c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll --> c:\windows\System32\xmlprov.dll
    .
    ((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
    .

    2010-02-15 19:37 . 2004-08-04 07:56 129536 ----a-w- c:\windows\system32\xmlprov.dll
    2010-02-15 12:13 . 2010-02-15 12:13 -------- d-----w- c:\windows\LastGood
    2010-02-15 11:48 . 2010-02-15 11:48 -------- d-----w- c:\program files\M-Audio USB Keyboard Device
    2010-02-15 11:47 . 2010-02-15 11:47 82944 ----a-w- c:\windows\system32\usbkt1x1.dll
    2010-02-15 11:47 . 2010-02-15 11:47 22304 ----a-w- c:\windows\system32\drivers\usbkt1x1.sys
    2010-02-15 11:47 . 2010-02-15 11:47 13504 ----a-w- c:\windows\system32\drivers\uks11ldr.sys
    2010-02-13 19:29 . 2010-02-13 19:29 -------- d-----w- c:\program files\Bullfrog
    2010-02-13 15:46 . 2010-02-13 15:46 -------- d-----w- c:\program files\Sophos
    2010-02-13 15:45 . 2010-02-13 15:45 52224 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-13 15:44 . 2010-02-13 15:44 117760 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\SUPERAntiSpyware.com
    2010-02-13 14:20 . 2010-02-13 14:20 -------- d-----w- c:\program files\Trend Micro
    2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Malwarebytes
    2010-02-13 09:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-13 09:39 . 2010-02-13 09:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-13 09:39 . 2010-01-07 16:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-12 12:28 . 2010-02-12 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
    2010-02-12 12:25 . 2010-02-12 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
    2010-02-12 12:24 . 2010-02-13 19:35 -------- d-----w- c:\program files\Alawar
    2010-02-12 12:14 . 2010-02-12 12:16 -------- d-----w- c:\program files\EzGenerator3
    2010-02-12 12:08 . 2010-02-12 12:08 -------- d-----w- c:\windows\system32\aspi
    2010-02-12 12:08 . 2010-02-12 12:08 -------- d-----w- c:\program files\intelliScore Ensemble
    2010-02-11 15:46 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Absolutist
    2010-02-11 15:02 . 2009-04-06 11:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
    2010-02-11 15:02 . 2009-02-10 16:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
    2010-02-11 15:02 . 2009-02-18 17:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
    2010-02-11 15:02 . 2010-02-11 15:02 -------- d-----w- c:\program files\Agnitum
    2010-02-11 15:01 . 2010-02-11 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
    2010-02-11 14:55 . 2010-02-11 14:56 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\OnlineArmor
    2010-02-11 14:55 . 2010-02-11 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
    2010-02-11 14:55 . 2009-12-05 07:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
    2010-02-11 14:55 . 2009-12-05 07:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
    2010-02-11 14:55 . 2009-12-05 07:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys
    2010-02-11 14:55 . 2010-02-11 14:55 -------- d-----w- c:\program files\Tall Emu
    2010-02-11 12:14 . 2010-02-11 12:14 -------- d-----w- c:\program files\Uniblue
    2010-02-11 10:44 . 2002-08-29 01:32 57856 -c--a-w- c:\windows\system32\dllcache\drmk.sys
    2010-02-11 10:44 . 2002-08-29 01:32 57856 ----a-w- c:\windows\system32\drivers\drmk.sys
    2010-02-11 10:44 . 2002-08-29 02:01 134272 -c--a-w- c:\windows\system32\dllcache\portcls.sys
    2010-02-11 10:44 . 2002-08-29 02:01 134272 ----a-w- c:\windows\system32\drivers\portcls.sys
    2010-02-11 09:18 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-02-11 09:18 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-02-11 09:18 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-02-11 09:17 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-02-11 09:17 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-02-11 09:17 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-02-11 09:17 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-02-11 09:17 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-02-10 21:16 . 2010-02-11 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-02-10 21:16 . 2010-02-10 21:16 -------- d-----w- c:\program files\Alwil Software
    2010-02-10 16:49 . 2010-02-10 16:51 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
    2010-02-10 16:49 . 2007-12-10 14:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
    2010-02-10 16:49 . 2007-12-10 14:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
    2010-02-10 16:49 . 2007-12-10 14:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
    2010-02-10 16:49 . 2010-02-11 16:33 -------- d-----w- c:\program files\Spyware Doctor
    2010-02-10 16:49 . 2010-02-10 16:49 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\PC Tools
    2010-02-10 16:25 . 2010-02-10 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-02-10 16:19 . 2010-02-10 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-02-10 11:39 . 2010-02-10 11:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-02-10 11:30 . 2010-02-10 11:30 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2010-02-10 11:05 . 2010-02-10 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-02-10 11:03 . 2010-02-10 11:03 -------- d-----w- c:\program files\Common Files\iS3
    2010-02-10 11:03 . 2010-02-10 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-02-09 18:30 . 2010-02-09 18:30 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\skypePM
    2010-02-09 18:25 . 2010-02-09 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-02-09 10:22 . 2010-02-10 15:55 -------- d-----w- c:\program files\WNAS
    2010-02-08 14:23 . 2009-08-06 19:24 209632 ----a-w- c:\windows\system32\wuweb.dll
    2010-02-08 14:23 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-02-08 14:23 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-02-05 08:53 . 2010-02-05 08:53 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Sony
    2010-02-05 08:51 . 2010-02-05 08:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Publish Providers
    2010-02-05 08:51 . 2010-02-05 08:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NetMedia Providers
    2010-02-04 14:09 . 2010-02-04 14:09 -------- d-----w- c:\documents and settings\INTERNET ONLY\Local Settings\Application Data\Sony
    2010-02-03 18:29 . 2010-02-03 18:42 -------- d-----w- c:\program files\FreeGamePick.com
    2010-02-02 13:56 . 2004-02-25 18:19 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_9.dll
    2010-02-02 13:56 . 2004-01-15 12:41 65536 ----a-w- c:\windows\system32\NI_DFD_1_2_8.dll
    2010-02-02 13:56 . 2003-12-15 16:02 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_7.dll
    2010-02-02 13:56 . 2003-12-15 16:02 69632 ----a-w- c:\windows\system32\NI_DFD.dll
    2010-02-02 13:56 . 2003-12-04 12:47 69632 ----a-w- c:\windows\system32\NI_DFD_KOMPAKT.dll
    2010-02-02 13:56 . 2003-12-04 12:47 69632 ----a-w- c:\windows\system32\NI_DFD_1_2_4.dll
    2010-02-02 13:56 . 2004-06-07 13:18 258048 ----a-w- c:\windows\system32\REX Shared Library.dll
    2010-02-01 19:31 . 2010-02-01 19:31 -------- d-----w- c:\program files\Total War
    2010-02-01 08:40 . 2010-02-01 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\East West
    2010-01-31 18:42 . 2010-01-31 18:42 -------- d-----w- c:\program files\Stringer
    2010-01-31 18:40 . 2002-09-03 16:46 323072 ------w- c:\windows\system32\msvcrt.dll
    2010-01-31 18:39 . 2010-01-31 18:40 -------- d-----w- c:\windows\speech
    2010-01-31 18:39 . 2010-01-31 18:39 -------- d-----w- c:\program files\VoiceMX
    2010-01-31 18:39 . 2001-10-13 23:48 28672 ----a-w- c:\windows\system32\SmartMenuXP.dll
    2010-01-26 11:59 . 2010-01-26 11:59 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\KORG
    2010-01-25 20:04 . 2010-01-25 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\KORG
    2010-01-25 16:10 . 2010-01-25 16:10 -------- d-----w- c:\program files\Audacity
    2010-01-25 15:23 . 2010-01-25 15:22 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-23 10:57 . 2003-11-12 23:38 510976 ----a-w- c:\windows\system32\synsoacc.dll
    2010-01-19 12:52 . 2010-02-03 14:00 -------- d-----w- c:\program files\bfgclient
    2010-01-19 12:52 . 2010-02-11 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2010-01-18 21:54 . 2010-01-18 21:54 -------- d-----w- c:\program files\DatawareGames

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-15 18:42 . 2002-08-13 23:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-15 11:57 . 2009-11-20 16:51 857 --sha-w- c:\windows\system32\mmf.sys
    2010-02-15 11:47 . 2009-12-11 10:09 724992 ----a-w- c:\windows\iun6002.exe
    2010-02-14 12:12 . 2009-12-15 08:16 -------- d-----w- c:\program files\Registry Easy
    2010-02-13 19:36 . 2010-01-05 10:18 -------- d-----w- c:\program files\Native Instruments
    2010-02-13 16:03 . 2010-01-09 20:06 2464 ----a-w- c:\program files\Absynth 1.3 prefs.ini
    2010-02-13 15:44 . 2009-09-26 16:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-02-11 12:16 . 2009-09-18 17:19 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Uniblue
    2010-02-10 22:28 . 2008-01-27 00:09 -------- d-----w- c:\program files\CROSS
    2010-02-10 22:25 . 2009-09-16 11:36 141192 ----a-w- c:\documents and settings\INTERNET ONLY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-10 16:08 . 2009-09-18 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-02-10 15:33 . 2008-01-19 22:08 -------- d-----w- c:\program files\Java
    2010-02-09 21:14 . 2007-03-28 15:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-02-09 21:13 . 2010-01-08 20:58 -------- d-----w- c:\program files\Sony
    2010-02-09 16:46 . 2009-04-19 19:16 -------- d-----w- c:\program files\LG PC Suite II
    2010-02-04 14:06 . 2010-01-08 20:57 -------- d-----w- c:\program files\Sony Setup
    2010-02-01 20:04 . 2009-08-14 19:05 1575 -c--a-w- c:\windows\eReg.dat
    2010-02-01 08:55 . 2010-01-04 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
    2010-01-24 18:00 . 2009-12-10 09:53 48 ----a-w- c:\windows\msocreg32.dat
    2010-01-18 20:29 . 2007-12-14 16:20 -------- d-----w- c:\program files\Xara
    2010-01-18 20:29 . 2007-03-27 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-12 21:48 . 2010-01-12 21:48 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Auslogics
    2010-01-12 21:44 . 2010-01-12 21:44 -------- d-----w- c:\program files\FDF
    2010-01-11 12:01 . 2007-08-08 21:24 -------- d-----w- c:\program files\Image-Line
    2010-01-10 21:07 . 2010-01-10 21:07 -------- d-----w- c:\program files\Pro-53
    2010-01-10 18:44 . 2010-01-10 18:39 -------- d-----w- c:\program files\Common Files\Native Instruments
    2010-01-10 18:31 . 2010-01-10 18:31 -------- d-----w- c:\program files\Tone2
    2010-01-10 18:27 . 2010-01-10 18:27 -------- d-----w- c:\program files\ASIO4ALL v2
    2010-01-09 18:01 . 2009-12-10 09:38 -------- d-----w- c:\program files\IK Multimedia
    2010-01-09 18:01 . 2010-01-09 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\IK Multimedia
    2010-01-09 15:12 . 2010-01-09 15:12 -------- d-----w- c:\program files\Absynth 1.3
    2010-01-05 22:19 . 2010-01-01 12:55 -------- d-----w- c:\program files\Google
    2010-01-05 12:40 . 2010-01-05 12:37 -------- d-----w- c:\program files\Waves
    2010-01-04 16:18 . 2010-01-04 16:18 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
    2010-01-04 16:12 . 2010-01-04 16:12 -------- d-----w- c:\program files\InterLok
    2010-01-04 16:10 . 2010-01-04 16:10 -------- d-----w- c:\program files\delaydots
    2010-01-04 11:16 . 2010-01-04 11:08 2048 ----a-w- c:\windows\system32\Tr_sttool.dat
    2010-01-02 13:16 . 2009-12-31 08:37 -------- d-----w- c:\program files\SWiSH Max2
    2010-01-02 13:16 . 2009-12-29 12:06 -------- d-----w- c:\program files\NCH Swift Sound
    2010-01-01 20:09 . 2007-04-07 16:27 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-01 20:06 . 2009-12-30 11:12 -------- d-----w- c:\program files\AnvSoft Web FLV Player Free
    2009-12-31 08:52 . 2009-12-31 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SWiSHMax2WorkFolder
    2009-12-31 08:38 . 2009-12-31 08:38 -------- d-----w- c:\program files\Common Files\SWiSHzone.com
    2009-12-30 10:19 . 2009-12-30 10:17 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\itsourtree
    2009-12-30 09:36 . 2009-12-30 09:36 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\Family Tree Pilot
    2009-12-30 08:17 . 2009-12-29 18:59 -------- d-----w- c:\program files\MyHeritage
    2009-12-29 19:02 . 2009-12-29 19:02 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\MyHeritage
    2009-12-29 19:02 . 2009-12-29 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\MyHeritage
    2009-12-29 14:56 . 2009-12-29 09:56 -------- d-----w- c:\program files\Super Internet TV
    2009-12-29 14:56 . 2009-12-28 14:08 -------- d-----w- c:\program files\RapidSolution
    2009-12-29 14:55 . 2009-12-27 19:30 -------- d-----w- c:\program files\NCH Software
    2009-12-29 12:08 . 2009-12-29 12:08 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NCH Software
    2009-12-29 12:08 . 2009-12-29 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
    2009-12-29 12:08 . 2009-12-27 19:25 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NCH Swift Sound
    2009-12-29 10:51 . 2009-12-29 10:51 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\OverDrive
    2009-12-29 10:51 . 2009-12-29 10:51 -------- d-----w- c:\program files\OverDrive Media Console
    2009-12-28 18:19 . 2009-12-28 17:55 -------- d-----w- c:\program files\NoteCable
    2009-12-28 17:56 . 2009-12-28 17:56 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\NoteCable
    2009-12-28 15:22 . 2009-12-28 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\RapidSolution
    2009-12-28 14:29 . 2009-12-28 13:46 -------- d-----w- c:\program files\Mp3 Convert Master
    2009-12-28 14:28 . 2009-12-28 13:36 -------- d-----w- c:\program files\MP3 Convert Lord
    2009-12-28 14:11 . 2009-12-28 14:11 476512 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\RadioRip.dll
    2009-12-28 14:11 . 2009-12-28 14:11 169312 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgSoundclick.dll
    2009-12-28 14:11 . 2009-12-28 14:11 128352 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgMyspace.dll
    2009-12-28 14:11 . 2009-12-28 14:11 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgPandora.dll
    2009-12-28 14:11 . 2009-12-28 14:11 111968 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgLastfm.dll
    2009-12-28 14:11 . 2009-12-28 14:11 99680 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgIJigg.dll
    2009-12-28 14:11 . 2009-12-28 14:11 230752 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgHypemachine.dll
    2009-12-28 14:11 . 2009-12-28 14:11 120160 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgGeneral.dll
    2009-12-28 14:11 . 2009-12-28 14:11 87392 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDefault.dll
    2009-12-28 14:11 . 2009-12-28 14:11 140640 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite_2009\RadioRip\PlgDeezer.dll
    2009-12-28 13:53 . 2009-12-28 13:53 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\AccurateRip
    2009-12-28 13:52 . 2008-01-07 00:52 5640880 -c--a-w- c:\windows\system32\SpoonUninstall.exe
    2009-12-28 13:26 . 2009-10-20 12:59 -------- d-----w- c:\program files\Common Files\AVSMedia
    2009-12-27 20:51 . 2009-12-27 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP
    2009-12-27 19:46 . 2009-12-27 19:46 -------- d-----w- c:\documents and settings\INTERNET ONLY\Application Data\AVS4YOU
    2009-12-27 19:25 . 2009-12-27 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
    2009-12-23 23:22 . 2009-12-23 23:21 -------- d-----w- c:\documents and settings\DVD\Application Data\.clamwin
    2009-12-23 22:59 . 2009-12-23 22:59 53 ----a-w- c:\windows\DelToolbox.bat
    2009-12-22 16:50 . 2009-12-22 16:50 -------- d-----w- c:\program files\SynthEdit
    2009-12-21 14:34 . 2009-12-28 15:42 25120 ----a-w- c:\windows\system32\drivers\rsvcdwdr.sys
    2009-12-21 14:34 . 2009-12-21 14:34 27168 ----a-w- c:\windows\system32\drivers\rrnetcap.sys
    2009-12-02 13:56 . 2009-12-02 13:56 92792 ----a-w- c:\windows\system32\drivers\tpkd.sys
    2009-12-02 13:51 . 2009-12-02 13:51 54328 ----a-w- c:\windows\system32\drivers\iLokDrvr.sys
    2009-12-02 12:03 . 2009-12-02 12:03 0 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\GUIcommon.dll
    2009-11-27 18:23 . 2009-11-27 18:22 5394440 ----a-w- c:\documents and settings\INTERNET ONLY\Application Data\Blitware\DriverRobot\updates\1.2.0.1\DriverRobot_Setup.exe
    2009-11-20 16:41 . 2009-11-20 16:41 49152 ----a-w- c:\windows\mmfs.dll
    2009-11-20 16:41 . 2009-11-20 16:41 2560 ----a-w- c:\windows\Runservice.exe
    2009-11-19 16:52 . 2009-12-28 17:34 23096 ----a-w- c:\windows\system32\drivers\DbusAudio.sys
    2009-11-19 16:43 . 2007-04-07 15:33 30 -c--a-w- c:\windows\popcinfo.dat
    2009-11-19 16:34 . 2009-12-27 19:36 23096 ----a-w- c:\windows\system32\drivers\MusCAudio.sys
    .

    ------- Sigcheck -------

    [-] 2007-10-30 . E9EEB38B858B637F4F8FA3401F325DC5 . 13824 . . [5.1.2600.3244] . . c:\windows\system32\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe

    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll
    [-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\xmlprov.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
    "SoundMan"="SOUNDMAN.EXE" [2002-03-21 46592]
    "OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
    "OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-02-10 1107848]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-03 13312]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoThumbnailCache"= 1 (0x1)
    "link"= 00000000

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midi3"=usbmn1x1.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/02/2010 09:18 162512]
    R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [11/02/2010 15:02 704384]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
    R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [11/02/2010 15:02 1195008]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/02/2010 16:51 337800]
    R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [11/02/2010 15:02 31128]
    R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [11/02/2010 15:02 257432]
    R3 cdiport;cdiport;c:\windows\system32\drivers\cdiport.sys [08/04/2007 22:30 72064]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
    R3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [15/02/2010 11:47 22304]
    R3 USBMM1X1;USB Midi 1x1 USB Driver;c:\windows\system32\drivers\usbmm1x1.sys [03/01/2010 10:39 23328]
    S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [20/11/2009 16:41 2560]
    S2 MSMQSVC;Message Queuing Service;c:\windows\System32\mqsv32.exe --> c:\windows\System32\mqsv32.exe [?]
    S3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [13/12/2009 09:24 10122]
    S3 DbusAudio;DbusAudio;c:\windows\system32\drivers\DbusAudio.sys [28/12/2009 17:34 23096]
    S3 EN1207D;Accton EN1207D/2242A Adapter Driver;c:\windows\system32\drivers\ACC07D.sys [09/07/2001 15:57 23661]
    S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [27/12/2009 19:36 23096]
    S3 notecable;NoteCable Driver (WDM);c:\windows\System32\drivers\notcable.sys --> c:\windows\System32\drivers\notcable.sys [?]
    S3 pctplfw;pctplfw;\??\c:\windows\system32\drivers\pctplfw.sys --> c:\windows\system32\drivers\pctplfw.sys [?]
    S3 rsvcdwdr;rsvcdwdr;c:\windows\system32\drivers\rsvcdwdr.sys [28/12/2009 15:42 25120]
    S3 ScratchAmp;ScratchAmp Driver (ScratchAmp.sys);c:\windows\system32\drivers\ScratchAmp.sys [05/01/2010 10:19 22912]
    S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [15/02/2010 11:47 13504]
    S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\System32\drivers\usbmidim.sys --> c:\windows\System32\drivers\usbmidim.sys [?]
    S3 XoftSpyService;XoftSpyService;"c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe" --> c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=KZdBalJOEowZgHW..FBEFA
    uInternet Connection Wizard,ShellNext = hxxp://www.savewealth.com/support/ie6/welcome.html
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - Sign In
    IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?7428e0f6f22344959e2ad530df292c8f
    IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?7428e0f6f22344959e2ad530df292c8f
    Trusted Zone: buy-internetsecurity10.com
    Trusted Zone: buy-is2010.com
    Trusted Zone: is-software-download.com
    Trusted Zone: is10-soft-download.com
    Trusted Zone: buy-internetsecurity10.com
    Trusted Zone: buy-is2010.com
    Handler: DirectDVD - {85A81A02-336B-43FF-998B-FE8E194FBA4D} - c:\windows\system32\DirectDVDProtocol.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-02-15 19:45
    Windows 5.1.2600 Service Pack 1 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
    "1"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,d6,9f,52,ce,23,dc,1a,
    c2
    "2"=hex:d1,c8,c3,5e,08,10,b9,8f,1e,fd,a6,7c,f5,6d,b0,f3,a6,71,8f,f8,ab,bd,bd,
    76,64,10,04,f0,92,77,f9,20
    "3"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,ac,98,11,9b,be,95,83,
    07,ae,ba,7e,d8,e6,d6,56,50,c4,dc,bb,7b,18,78,a4,de,04,5c,25,4e,9f,d7,39,6d

    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\0ECC3A43B9416605BEB3AE7E61B07718]
    "1"=hex:47,e4,6c,02,68,b4,3b,2b,30,11,db,3c,35,63,21,d4,11,b1,7e,c5,ed,aa,8e,
    1a,42,2c,55,e0,34,81,ae,ca
    "2"=hex:14,ce,87,8d,79,74,ee,b2
    "3"=hex:81,20,8f,ab,28,6a,52,9c
    "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
    "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
    1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
    "6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
    51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
    "7"=hex:3b,e8,2f,01,6c,32,33,d8,e1,d7,f3,f6,0e,0a,fa,46,62,39,09,43,d3,da,73,
    d4,4e,db,d0,f9,b1,fb,0a,f1,d3,99,57,af,7d,98,93,fd,a5,1e,64,b6,5b,35,28,e1,\
    "8"=hex:63,5a,d7,1b,b1,d4,18,46,0a,a7,b3,1c,99,c8,a4,fc,b2,a0,c4,0f,9f,bf,5f,
    2d,98,42,c1,23,08,65,81,7e,37,62,bf,dc,f3,71,e2,a0
    "9"=hex:81,20,8f,ab,28,6a,52,9c
    "18"=hex:70,56,26,33,e3,20,f8,ab
    "10"=hex:81,20,8f,ab,28,6a,52,9c
    "11"=hex:81,20,8f,ab,28,6a,52,9c
    "12"=hex:81,20,8f,ab,28,6a,52,9c
    "13"=hex:81,20,8f,ab,28,6a,52,9c
    "14"=hex:81,20,8f,ab,28,6a,52,9c
    "24"=hex:81,20,8f,ab,28,6a,52,9c
    "26"=hex:81,20,8f,ab,28,6a,52,9c
    "27"=hex:81,20,8f,ab,28,6a,52,9c
    "19"=hex:81,20,8f,ab,28,6a,52,9c
    "22"=hex:81,20,8f,ab,28,6a,52,9c
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(896)
    c:\windows\System32\ODBC32.dll
    c:\windows\System32\usbmn1x1.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(952)
    c:\windows\System32\dssenh.dll

    - - - - - - - > 'explorer.exe'(1904)
    c:\windows\System32\SHDOCVW.dll
    c:\windows\System32\msi.dll
    .
    Completion time: 2010-02-15 19:49:50
    ComboFix-quarantined-files.txt 2010-02-15 19:49
    ComboFix2.txt 2010-02-14 10:50
    ComboFix3.txt 2010-02-13 20:17

    Pre-Run: 9,606,074,368 bytes free
    Post-Run: 9,984,663,552 bytes free

    Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
    - - End Of File - - E72E311160B56CD6CE3E2D225BB51846



    HijackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:51:10, on 15/02/2010
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Welcome to Internet Explorer 6.0
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\Msdxm6.ocx
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
    O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?7428e0f6f22344959e2ad530df292c8f
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?7428e0f6f22344959e2ad530df292c8f
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
    O15 - Trusted Zone: http://*.buy-internetsecurity10.com
    O15 - Trusted Zone: http://*.buy-is2010.com
    O15 - Trusted Zone: http://*.is-software-download.com
    O15 - Trusted Zone: http://*.is10-soft-download.com
    O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
    O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\BookWorm\Images\armhelper.ocx
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\System32\mqsv32.exe (file missing)
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
    O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

    --
    End of file - 7106 bytes
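The HijackThis log above is read by hand in this thread; as an added example (not code from the thread or from HijackThis), the script below encodes the same reading as rules and runs them over lines copied from that log: Trusted Zone additions, services with no vendor, services whose binary is gone, an LSP the tool cannot vouch for, and orphaned registrations. The severity labels and rule set are this example's own choices, not HijackThis output.

```python
"""Triage rules for HijackThis (HJT) log lines.

Added example, not code from this thread or from HijackThis itself. The
rules encode the reading a log helper applies by hand: Trusted Zone
additions, vendor-less services, services whose binary is gone, Winsock
LSPs HJT cannot vouch for, and orphaned registrations.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\System32\mqsv32.exe (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    section: str    # HJT section tag, e.g. "O15"
    reason: str
    line: str


# Ordered most to least severe; the first rule that matches a line wins.
RULES = [
    ("high",   "O15", r".", "site added to the IE Trusted Zone (relaxed security settings for that origin)"),
    ("high",   "O23", r"Unknown owner.*\(file missing\)", "service with no vendor and no binary on disk"),
    ("medium", "O23", r"Unknown owner", "service with no vendor information"),
    ("medium", "O10", r"Unknown file in Winsock LSP", "Winsock LSP not on HJT's known-good list"),
    ("low",    "O2",  r"\(no file\)", "orphaned BHO registration"),
    ("low",    "O9",  r"\(no file\)", "orphaned IE toolbar button"),
]

LINE_RE = re.compile(r"^(?P<tag>[RFO]\d+) - (?P<rest>.*)$")
ZONE_RE = re.compile(r"Trusted Zone: (?:https?://)?(?:\*\.)?(?P<host>\S+)")


def triage(log_text):
    """Return one Finding per log line that matches a rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        tag, rest = m.group("tag"), m.group("rest")
        for severity, section, pattern, reason in RULES:
            if tag == section and re.search(pattern, rest):
                findings.append(Finding(severity, tag, reason, line))
                break
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {"high": 3, "medium": 2, "low": 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def trusted_zone_domains(log_text):
    """Hosts added to the Trusted Zone, deduplicated, ready for a blocklist."""
    hosts = {m.group("host") for m in ZONE_RE.finditer(log_text)}
    return sorted(hosts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}: {f.line}")
    print("Trusted Zone hosts:", trusted_zone_domains(SAMPLE_LOG))
```

Two caveats a practitioner would keep in mind: an O10 hit only means the LSP is not on the tool's known list, so it is a prompt to verify the file, not a reason to delete it (a broken LSP chain takes networking down with it); and the O15 hosts are worth exporting as a blocklist, since the same domains appear under both HKCU and HKLM in the log above.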
     
  12. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard so that nothing is done to the file.
    When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
     
  13. miz

    miz Techie7 New Member

    21:50:33:203 2392 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
    21:50:33:203 2392 ================================================================================
    21:50:33:203 2392 SystemInfo:

    21:50:33:203 2392 OS Version: 5.1.2600 ServicePack: 1.0
    21:50:33:203 2392 Product type: Workstation
    21:50:33:203 2392 ComputerName: FOUR-TWENTY-ONE
    21:50:33:203 2392 UserName: INTERNET ONLY
    21:50:33:203 2392 Windows directory: C:\WINDOWS
    21:50:33:203 2392 Processor architecture: Intel x86
    21:50:33:203 2392 Number of processors: 1
    21:50:33:203 2392 Page size: 0x1000
    21:50:33:234 2392 Boot type: Normal boot
    21:50:33:234 2392 ================================================================================
    21:50:33:812 2392 UnloadDriverW: NtUnloadDriver error 2
    21:50:33:812 2392 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    21:50:33:812 2392 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    21:50:34:359 2392 UtilityInit: KLMD drop and load success
    21:50:34:359 2392 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
    21:50:34:359 2392 UtilityInit: KLMD open success
    21:50:34:359 2392 UtilityInit: Initialize success
    21:50:34:359 2392
    21:50:34:359 2392 Scanning Services ...
    21:50:34:359 2392 CreateRegParser: Registry parser init started
    21:50:34:359 2392 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    21:50:34:359 2392 CreateRegParser: DisableWow64Redirection error
    21:50:34:359 2392 wfopen_ex: Trying to open file C:\WINDOWS\System32\config\system
    21:50:34:359 2392 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\System32\config\system) returned status C0000043
    21:50:34:359 2392 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    21:50:34:359 2392 wfopen_ex: Trying to KLMD file open
    21:50:34:359 2392 KLMD_CreateFileW: Trying to open file C:\WINDOWS\System32\config\system
    21:50:34:359 2392 wfopen_ex: File opened ok (Flags 2)
    21:50:34:359 2392 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\System32\config\system) init success: A04C50
    21:50:34:359 2392 wfopen_ex: Trying to open file C:\WINDOWS\System32\config\software
    21:50:34:359 2392 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\System32\config\software) returned status C0000043
    21:50:34:359 2392 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    21:50:34:359 2392 wfopen_ex: Trying to KLMD file open
    21:50:34:359 2392 KLMD_CreateFileW: Trying to open file C:\WINDOWS\System32\config\software
    21:50:34:359 2392 wfopen_ex: File opened ok (Flags 2)
    21:50:34:359 2392 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\System32\config\software) init success: A04CF8
    21:50:34:359 2392 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    21:50:34:359 2392 CreateRegParser: EnableWow64Redirection error
    21:50:34:359 2392 CreateRegParser: RegParser init completed
    21:50:34:687 2392 GetAdvancedServicesInfo: Raw services enum returned 365 services
    21:50:34:703 2392 fclose_ex: Trying to close file C:\WINDOWS\System32\config\system
    21:50:34:703 2392 fclose_ex: Trying to close file C:\WINDOWS\System32\config\software
    21:50:34:703 2392
    21:50:34:703 2392 Scanning Kernel memory ...
    21:50:34:703 2392 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    21:50:34:703 2392 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 836E4910
    21:50:34:703 2392 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
    21:50:34:703 2392
    21:50:34:703 2392 DetectCureTDL3: DEVICE_OBJECT: 836E1CF8
    21:50:34:703 2392 KLMD_GetLowerDeviceObject: Trying to get lower device object for 836E1CF8
    21:50:34:703 2392 KLMD_ReadMem: Trying to ReadMemory 0x836E1CF8[0x38]
    21:50:34:703 2392 DetectCureTDL3: DRIVER_OBJECT: 836E4910
    21:50:34:703 2392 KLMD_ReadMem: Trying to ReadMemory 0x836E4910[0xA8]
    21:50:34:703 2392 KLMD_ReadMem: Trying to ReadMemory 0xE1A61818[0x18]
    21:50:34:703 2392 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (0) addr: F77E02CD
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (1) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (2) addr: F77E02CD
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (3) addr: F77DAAAE
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (4) addr: F77DAAAE
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (5) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (6) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (7) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (8) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (9) addr: F77DB34C
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (10) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (11) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (12) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (13) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (14) addr: F77DB3D4
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (15) addr: F77DEAAC
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (16) addr: F77DB34C
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (17) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (18) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (19) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (20) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (21) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (22) addr: F77DC08F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (23) addr: F77E0E61
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (24) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (25) addr: 804F886F
    21:50:34:703 2392 DetectCureTDL3: IrpHandler (26) addr: 804F886F
    21:50:34:703 2392 TDL3_FileDetect: Processing driver: Disk
    21:50:34:703 2392 TDL3_FileDetect: Processing driver file: C:\WINDOWS\System32\DRIVERS\disk.sys
    21:50:34:703 2392 KLMD_CreateFileW: Trying to open file C:\WINDOWS\System32\DRIVERS\disk.sys
    21:50:34:718 2392 TDL3_FileDetect: C:\WINDOWS\System32\DRIVERS\disk.sys - Verdict: Clean
    21:50:34:718 2392
    21:50:34:718 2392 DetectCureTDL3: DEVICE_OBJECT: 8371ACF8
    21:50:34:718 2392 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8371ACF8
    21:50:34:718 2392 KLMD_ReadMem: Trying to ReadMemory 0x8371ACF8[0x38]
    21:50:34:718 2392 DetectCureTDL3: DRIVER_OBJECT: 836E4910
    21:50:34:718 2392 KLMD_ReadMem: Trying to ReadMemory 0x836E4910[0xA8]
    21:50:34:718 2392 KLMD_ReadMem: Trying to ReadMemory 0xE1A61818[0x18]
    21:50:34:718 2392 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (0) addr: F77E02CD
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (1) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (2) addr: F77E02CD
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (3) addr: F77DAAAE
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (4) addr: F77DAAAE
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (5) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (6) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (7) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (8) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (9) addr: F77DB34C
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (10) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (11) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (12) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (13) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (14) addr: F77DB3D4
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (15) addr: F77DEAAC
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (16) addr: F77DB34C
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (17) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (18) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (19) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (20) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (21) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (22) addr: F77DC08F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (23) addr: F77E0E61
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (24) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (25) addr: 804F886F
    21:50:34:718 2392 DetectCureTDL3: IrpHandler (26) addr: 804F886F
    21:50:34:718 2392 TDL3_FileDetect: Processing driver: Disk
    21:50:34:718 2392 TDL3_FileDetect: Processing driver file: C:\WINDOWS\System32\DRIVERS\disk.sys
    21:50:34:718 2392 KLMD_CreateFileW: Trying to open file C:\WINDOWS\System32\DRIVERS\disk.sys
    21:50:34:718 2392 TDL3_FileDetect: C:\WINDOWS\System32\DRIVERS\disk.sys - Verdict: Clean
    21:50:34:718 2392
    21:50:34:718 2392 DetectCureTDL3: DEVICE_OBJECT: 836E3B48
    21:50:34:718 2392 KLMD_GetLowerDeviceObject: Trying to get lower device object for 836E3B48
    21:50:34:718 2392 DetectCureTDL3: DEVICE_OBJECT: 8371A9E8
    21:50:34:718 2392 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8371A9E8
    21:50:34:718 2392 DetectCureTDL3: DEVICE_OBJECT: 8373BD98
    21:50:34:718 2392 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8373BD98
    21:50:34:718 2392 KLMD_ReadMem: Trying to ReadMemory 0x8373BD98[0x38]
    21:50:34:718 2392 DetectCureTDL3: DRIVER_OBJECT: 836EBF38
    21:50:34:718 2392 KLMD_ReadMem: Trying to ReadMemory 0x836EBF38[0xA8]
    21:50:34:718 2392 KLMD_ReadMem: Trying to ReadMemory 0xE1A7EEB0[0x1A]
    21:50:34:734 2392 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (0) addr: F771186C
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (1) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (2) addr: F771186C
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (3) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (4) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (5) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (6) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (7) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (8) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (9) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (10) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (11) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (12) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (13) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (14) addr: F7711882
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (15) addr: F770E03C
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (16) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (17) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (18) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (19) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (20) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (21) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (22) addr: F77118A2
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (23) addr: F7717BE0
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (24) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (25) addr: 804F886F
    21:50:34:734 2392 DetectCureTDL3: IrpHandler (26) addr: 804F886F
    21:50:34:734 2392 KLMD_ReadMem: Trying to ReadMemory 0xF770F02E[0x400]
    21:50:34:734 2392 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
    21:50:34:734 2392 TDL3_FileDetect: Processing driver: atapi
    21:50:34:734 2392 TDL3_FileDetect: Processing driver file: C:\WINDOWS\System32\DRIVERS\atapi.sys
    21:50:34:734 2392 KLMD_CreateFileW: Trying to open file C:\WINDOWS\System32\DRIVERS\atapi.sys
    21:50:34:750 2392 TDL3_FileDetect: C:\WINDOWS\System32\DRIVERS\atapi.sys - Verdict: Clean
    21:50:34:750 2392
    21:50:34:750 2392 DetectCureTDL3: DEVICE_OBJECT: 8370CB48
    21:50:34:750 2392 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8370CB48
    21:50:34:750 2392 DetectCureTDL3: DEVICE_OBJECT: 836E9F18
    21:50:34:750 2392 KLMD_GetLowerDeviceObject: Trying to get lower device object for 836E9F18
    21:50:34:750 2392 DetectCureTDL3: DEVICE_OBJECT: 8371BD98
    21:50:34:750 2392 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8371BD98
    21:50:34:750 2392 KLMD_ReadMem: Trying to ReadMemory 0x8371BD98[0x38]
    21:50:34:750 2392 DetectCureTDL3: DRIVER_OBJECT: 836EBF38
    21:50:34:750 2392 KLMD_ReadMem: Trying to ReadMemory 0x836EBF38[0xA8]
    21:50:34:750 2392 KLMD_ReadMem: Trying to ReadMemory 0xE1A7EEB0[0x1A]
    21:50:34:750 2392 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (0) addr: F771186C
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (1) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (2) addr: F771186C
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (3) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (4) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (5) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (6) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (7) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (8) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (9) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (10) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (11) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (12) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (13) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (14) addr: F7711882
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (15) addr: F770E03C
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (16) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (17) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (18) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (19) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (20) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (21) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (22) addr: F77118A2
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (23) addr: F7717BE0
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (24) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (25) addr: 804F886F
    21:50:34:750 2392 DetectCureTDL3: IrpHandler (26) addr: 804F886F
    21:50:34:750 2392 KLMD_ReadMem: Trying to ReadMemory 0xF770F02E[0x400]
    21:50:34:750 2392 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
    21:50:34:750 2392 TDL3_FileDetect: Processing driver: atapi
    21:50:34:750 2392 TDL3_FileDetect: Processing driver file: C:\WINDOWS\System32\DRIVERS\atapi.sys
    21:50:34:750 2392 KLMD_CreateFileW: Trying to open file C:\WINDOWS\System32\DRIVERS\atapi.sys
    21:50:34:765 2392 TDL3_FileDetect: C:\WINDOWS\System32\DRIVERS\atapi.sys - Verdict: Clean
    21:50:34:765 2392
    21:50:34:765 2392 Completed
    21:50:34:765 2392
    21:50:34:765 2392 Results:
    21:50:34:765 2392 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    21:50:34:765 2392 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    21:50:34:765 2392 File objects infected / cured / cured on reboot: 0 / 0 / 0
    21:50:34:765 2392
    21:50:35:515 2392 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    21:50:35:515 2392 UtilityDeinit: KLMD(ARK) unloaded successfully
    Since doing this scan with TDS I think I'm cured! My Spyware Doctor does an automatic scan, as does my anti-virus, whenever I power up... both reports came back clean, maybe I'm cured? What do you think?
     
  14. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Let's see...

    Download GMER: GMER - Rootkit Detector and Remover, by clicking on the Download EXE button.
    Alternative downloads:
    - |MG| GMER 1.0.15.15281 Download
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Zip the log, and attach the zipped file to your next reply.
     
  15. miz

    miz Techie7 New Member

    I cannot create a gmer.log...
    After a few moments of running the scan my PC, without warning, resets itself...
    Is there an alternative method I can try?
     
  16. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Uncheck "Devices" and try again.