To reply on Icrontic, register now.

It only takes 30 seconds.

Have an account? Sign in for less ads.

Forgot?

To reopen your thread, send a Private Message (PM) to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own thread instead.

 
Reply to Discussion Options
Kavukamari
Foxes Rule
Kavukamari
21 Posts
27 Jun 2009, 9:53pm

spy.Ursnif.A inside termsrv.dll and Winlogon.exe

NOD32 says I have a virus in Winlogon.exe and Termsrv.dll I know I can't delete these because the computer needs them I don't have a windows CD to replace the files, but i could probably get one anyway, i need help to remove these
chiaz
Spyware Mod
chiaz
1,218 Posts
28 Jun 2009, 1:46am
Hello.

Let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use the download meant for SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.


Please include C:\ComboFix.txt for further review (copy and paste it), so that we may continue cleansing the system.


Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
Kavukamari
Foxes Rule
Kavukamari
21 Posts
29 Jun 2009, 9:30pm
What if I don't have a windows CD? I guess ill get one somewhere...
Kavukamari edited : 29 Jun 2009 at 9:58pm .
chiaz
Spyware Mod
chiaz
1,218 Posts
30 Jun 2009, 2:12am
There is a section inside the guide I linked to:
If you use Windows XP and do not have the Windows CD

Follow the instructions there to download the file from Microsoft.
Kavukamari
Foxes Rule
Kavukamari
21 Posts
4 Jul 2009, 3:24am
ComboFix 09-07-03.03 - Kavu Kamari 07/03/2009 15:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.444 [GMT -10:00]
Running from: c:\documents and settings\Kavu Kamari\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\KAVUKA~1\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\Kavu Kamari\Local Settings\Temp\clclean.0001.dir.0001\~df394b.tmp
C:\install.exe
C:\test.txt
c:\windows\Installer\3b1a3.msi
c:\windows\Installer\71b5401.msi
c:\windows\kb913800.exe
c:\windows\system32\bszip.dll
c:\windows\system32\mlfcache.dat

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\winlogon.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 00:55 . 2001-08-17 22:48 281600 ----a-w- c:\windows\system32\dllcache\atimtai.sys
2009-07-04 00:54 . 2004-08-04 08:31 36224 ----a-w- c:\windows\system32\dllcache\an983.sys
2009-07-04 00:54 . 2001-08-17 22:11 16969 ----a-w- c:\windows\system32\dllcache\amb8002.sys
2009-07-04 00:54 . 2001-08-17 23:49 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2009-07-04 00:54 . 2001-08-17 22:11 27678 ----a-w- c:\windows\system32\dllcache\ali5261.sys
2009-07-04 00:54 . 2006-02-28 12:00 49664 ----a-w- c:\windows\system32\dllcache\adrot.dll
2009-07-04 00:54 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\admxprox.dll
2009-07-04 00:54 . 2004-08-04 08:32 10880 ----a-w- c:\windows\system32\dllcache\admjoy.sys
2009-07-04 00:54 . 2001-08-17 22:19 747392 ----a-w- c:\windows\system32\dllcache\adm8830.sys
2009-07-04 00:54 . 2001-08-17 22:19 584448 ----a-w- c:\windows\system32\dllcache\adm8810.sys
2009-07-04 00:54 . 2001-08-17 22:11 20160 ----a-w- c:\windows\system32\dllcache\adm8511.sys
2009-07-04 00:54 . 2001-08-17 23:53 7424 ----a-w- c:\windows\system32\dllcache\adicvls.sys
2009-07-04 00:53 . 2001-08-18 08:36 61440 ----a-w- c:\windows\system32\dllcache\acerscad.dll
2009-07-04 00:53 . 2004-08-04 08:32 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2009-07-04 00:53 . 2001-08-17 22:20 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
2009-07-04 00:53 . 2001-08-17 22:20 96256 ----a-w- c:\windows\system32\dllcache\ac97intc.sys
2009-07-04 00:53 . 2004-08-04 08:32 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
2009-07-04 00:53 . 2001-08-18 08:36 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
2009-07-04 00:53 . 2001-08-18 00:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
2009-07-04 00:53 . 2008-04-13 18:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2009-07-04 00:53 . 2008-04-13 18:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
2009-07-04 00:53 . 2001-08-17 22:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2009-07-04 00:53 . 2001-08-18 00:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
2009-07-04 00:52 . 2001-08-17 23:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
2009-07-04 00:52 . 2008-04-13 18:46 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2009-07-04 00:52 . 2006-02-28 12:00 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
2009-07-04 00:52 . 2006-02-28 12:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2009-07-04 00:51 . 2001-08-18 00:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-04 00:51 . 2006-02-28 12:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-07-04 00:51 . 2006-02-28 12:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-07-04 00:51 . 2006-02-28 12:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2009-07-04 00:51 . 2006-02-28 12:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-07-04 00:51 . 2006-02-28 12:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2009-07-04 00:51 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-07-03 23:22 . 2009-07-03 23:22 -------- d-----w- c:\program files\Steinberg
2009-07-03 23:22 . 2009-07-03 23:22 -------- d-----w- c:\program files\Elevayta Creativity Tools
2009-06-30 02:13 . 2009-06-30 02:13 -------- d-sh--w- c:\documents and settings\Kavu Kamari\IETldCache
2009-06-29 22:14 . 2008-10-30 21:57 3851784 ----a-w- c:\windows\system32\d3dx9_39.dll
2009-06-29 19:51 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-29 19:51 . 2009-06-29 19:51 -------- d-----w- c:\windows\ie8updates
2009-06-29 19:49 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-29 19:49 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-29 19:46 . 2009-06-29 19:49 -------- dc-h--w- c:\windows\ie8
2009-06-07 05:15 . 2009-03-29 05:52 94208 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEServer.dll
2009-06-07 05:15 . 2009-03-29 05:52 102400 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEClient.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 02:07 . 2007-12-29 03:08 -------- d-----w- c:\program files\Steam
2009-07-04 02:06 . 2008-02-14 06:48 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\uTorrent
2009-07-03 23:23 . 2008-08-02 21:30 169936 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\FlashGot.exe
2009-07-03 22:59 . 2009-05-08 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-02 03:33 . 2008-01-16 05:33 61 ----a-w- c:\windows\popcinfot.dat
2009-06-29 21:00 . 2009-05-11 01:59 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\Any Video Converter Professional
2009-06-29 20:40 . 2009-02-16 08:42 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-28 05:44 . 2006-01-19 00:52 -------- d-----w- c:\program files\Dl_cats
2009-06-12 00:48 . 2005-12-08 09:02 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 04:05 . 2006-01-28 21:00 9030 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\wklnhst.dat
2009-06-04 04:02 . 2007-12-02 07:32 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\gtk-2.0
2009-06-03 05:29 . 2009-06-03 05:29 -------- d-----w- c:\program files\AskBarDis
2009-06-03 05:29 . 2009-06-03 05:29 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-06-03 03:01 . 2009-04-26 09:30 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\dvdcss
2009-06-03 02:56 . 2009-05-22 03:44 165232 ---ha-w- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-01 16:59 . 2006-12-03 03:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-01 06:30 . 2009-05-30 07:37 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\vlc
2009-06-01 00:07 . 2005-12-08 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-01 00:02 . 2009-05-31 23:50 -------- d-----w- c:\program files\VOCALOID2
2009-05-31 22:41 . 2006-12-03 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-30 20:08 . 2009-05-30 07:30 -------- d-----w- c:\program files\OpenOffice Shortcuts
2009-05-30 19:50 . 2006-01-03 18:02 97440 ----a-w- c:\documents and settings\Kavu Kamari\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 07:09 . 2009-05-30 07:09 7424000 ----a-r- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
2009-05-30 07:07 . 2009-05-30 07:07 -------- d-----w- c:\program files\JRE
2009-05-30 07:07 . 2009-02-16 08:19 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-30 07:02 . 2008-03-09 17:40 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2
2009-05-30 05:18 . 2009-05-30 05:18 -------- d-----w- c:\program files\Common Files\Stardock
2009-05-30 05:18 . 2009-04-10 01:16 -------- d-----w- c:\program files\Stardock
2009-05-30 04:15 . 2008-03-11 02:37 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-29 04:16 . 2009-05-29 04:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-29 04:16 . 2006-01-07 01:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-28 06:48 . 2009-05-28 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-28 06:48 . 2009-05-28 06:38 -------- d-----w- c:\program files\NCH Swift Sound
2009-05-28 06:38 . 2009-05-28 06:38 -------- d-----w- c:\program files\NCH Software
2009-05-28 06:38 . 2009-05-28 06:38 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\NCH Swift Sound
2009-05-25 06:12 . 2009-05-25 06:12 -------- d-----w- c:\program files\Celestia
2009-05-25 05:14 . 2008-05-02 18:11 -------- d-----w- c:\program files\Google
2009-05-25 01:10 . 2009-05-24 23:56 -------- d-----w- c:\program files\Messenger Plus! Live
2009-05-25 00:22 . 2009-05-25 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-24 21:11 . 2009-05-24 21:11 -------- d-----w- c:\program files\Lame for Audacity
2009-05-22 08:26 . 2007-07-18 05:13 -------- d-----w- c:\program files\mIRC
2009-05-22 04:53 . 2008-04-13 03:08 -------- d-----w- c:\program files\Audacity
2009-05-22 03:06 . 2009-05-22 03:06 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-05-20 09:20 . 2009-05-20 07:43 -------- d-----w- c:\program files\ManyCam
2009-05-20 09:20 . 2009-05-20 07:43 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\ManyCam
2009-05-17 10:20 . 2009-05-09 05:24 -------- d-----w- c:\program files\RealMyst
2009-05-17 09:30 . 2009-05-17 09:27 -------- d-----w- c:\program files\Vextractor
2009-05-16 03:05 . 2009-05-16 03:05 -------- d-----w- c:\program files\ID3 renamer
2009-05-16 03:05 . 2009-05-16 03:05 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\ID3 renamer
2009-05-13 05:15 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 02:01 . 2008-12-23 09:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-11 01:59 . 2009-05-11 01:59 -------- d-----w- c:\program files\Any Video Converter Professional
2009-05-11 00:12 . 2009-05-10 23:54 -------- d-----w- c:\program files\Blaze Media Pro
2009-05-10 21:38 . 2009-05-10 21:38 -------- d-----w- c:\program files\Recuva
2009-05-09 06:18 . 2009-05-09 06:07 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-09 06:11 . 2009-05-09 06:11 -------- d-----w- c:\program files\Mattel Interactive
2009-05-09 06:09 . 2009-05-09 06:01 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\DAEMON Tools Lite
2009-05-09 06:08 . 2009-05-09 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-09 06:07 . 2009-05-09 06:07 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-09 06:01 . 2009-05-09 06:01 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-09 05:53 . 2009-05-09 05:43 -------- d-----w- c:\program files\VirtualCloneDrive
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 01:54 . 2009-04-16 01:54 152576 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 02:16 . 2009-04-14 02:16 1079 ----a-w- c:\windows\system32\unins000.dat
2009-04-14 02:16 . 2009-04-14 02:16 695578 ----a-w- c:\windows\system32\unins000.exe
2009-04-09 05:57 . 2009-04-09 05:57 134 ----a-w- c:\documents and settings\Guest\Application Data\wklnhst.dat
2009-04-08 17:08 . 2009-04-08 17:08 64512 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\HTML\item_templ\coach\RunGdp.exe
2009-04-08 17:06 . 2009-04-08 17:06 698511 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\AutoMaintenance.dll
2009-04-08 17:06 . 2009-04-08 17:06 225280 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\Images.dll
2009-04-08 17:05 . 2009-04-08 17:05 1896448 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll
2009-04-08 17:05 . 2009-04-08 17:05 123138 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\HTML\MakeDesktopShortcut.EXE
2009-04-08 17:03 . 2009-04-08 17:03 96648 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-29 04:45 . 2006-01-19 03:03 56 --sh--r- c:\windows\system32\1005515D87.sys
2007-05-29 04:45 . 2006-01-19 03:03 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-02-12 00:40 365960 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-21 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-10 270128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-02-23 1159168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-02 61440]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-25 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-01-21 28160]

c:\documents and settings\Kavu Kamari\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-3-23 225280]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-5 528384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life deathmatch source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life\\hl.exe"=
"c:\\Softimage\\XSI_6.01_Mod_Tool\\Application\\bin\\XSI.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\Shadowgrounds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bullet candy\\BulletCandyV2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsEditor.exe"=
"c:\\Program Files\\uTorrent\\utorrent-1.8.2.upx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle nights\\PeggleNights.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/24/2008 8:51 PM 468224]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [12/12/2008 4:50 PM 113896]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 12:06 AM 21632]
S2 gupdate1c9dcf794dd1ffa;Google Update Service (gupdate1c9dcf794dd1ffa);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 7:13 PM 133104]
S3 jbridgep;jbridgep;\??\c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys --> c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-02 13:21]

2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]

2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hawaiiantel.net/
mWindow Title = By Hawaiian Telcom
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk788DKUS
IE: Post Image to Blog - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Upload All Images to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5001
Trusted Zone: imageshack.us\toolbar
FF - ProfilePath - c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 16:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithProgids]
"-¦g_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\SecuROM\License information*]
"datasecu"=hex:bd,65,f7,de,98,89,8b,46,bb,e8,92,29,9a,a9,61,1f,ca,6a,d5,ac,19,
dd,11,bc,54,f0,d4,29,63,1b,29,d1,03,c5,33,ea,61,51,fa,8b,e1,46,94,32,58,4f,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\.*e%%g*]
@="-¦g_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\software\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2248)
c:\windows\system32\WININET.dll
c:\documents and settings\Kavu Kamari\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Stardock\Fences\DesktopDock.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'explorer.exe'(2660)
c:\windows\system32\WININET.dll
c:\documents and settings\Kavu Kamari\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\program files\MyWaySA\SrchAsDe\deSrcAs.dll
c:\windows\system32\dla\tfswshx.dll
c:\windows\system32\tfswapi.dll
c:\windows\system32\dla\tfswcres.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\dlcccoms.exe
c:\docume~1\KAVUKA~1\LOCALS~1\temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-07-04 16:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 02:19

Pre-Run: 9,339,797,504 bytes free
Post-Run: 9,290,412,032 bytes free

414 --- E O F --- 2009-06-29 19:51


i hope this program didn't delete anything i need...
chiaz edited : 4 Jul 2009 at 3:30am . Reason: removed code box
chiaz
Spyware Mod
chiaz
1,218 Posts
4 Jul 2009, 3:41am
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.


There is a potentially unwanted pieces of software I have detected on your PC called AskBar.

More information here:
http://www.spywarelib.com/remove-Adware-AskBar-a.html

We usually deem this optional to remove. But, I strongly suggest you do so by going to Control Panel > Add / Remove Programs and uninstalling it. Reboot your PC after uninstallation is complete.

Then, navigate to the following directory and delete it if it is still present:
c:\program files\AskBarDis

=====================================================

Next,
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\system32\1005515D87.sys
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt in your next reply please, as well as let me know whether you had removed Askbar.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
Kavukamari
Foxes Rule
Kavukamari
21 Posts
4 Jul 2009, 10:05pm
ComboFix 09-07-03.03 - Kavu Kamari 07/03/2009 16:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.655 [GMT -10:00]
Running from: c:\documents and settings\Kavu Kamari\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kavu Kamari\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FILE ::
"c:\windows\system32\1005515D87.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\KAVUKA~1\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Kavu Kamari\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\windows\system32\1005515D87.sys
c:\windows\system32\drivers\beep.sys
c:\windows\system32\drivers\null.sys

c:\windows\system32\drivers\null.sys was missing
Restored copy from - c:\system volume information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP815\A0198007.sys

.
((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 03:02 . 2004-08-10 11:00 2944 ----a-w- c:\windows\system32\dllcache\null.sys
2009-07-04 00:55 . 2001-08-17 22:48 281600 ----a-w- c:\windows\system32\dllcache\atimtai.sys
2009-07-04 00:54 . 2004-08-04 08:31 36224 ----a-w- c:\windows\system32\dllcache\an983.sys
2009-07-04 00:54 . 2001-08-17 22:11 16969 ----a-w- c:\windows\system32\dllcache\amb8002.sys
2009-07-04 00:54 . 2001-08-17 23:49 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2009-07-04 00:54 . 2001-08-17 22:11 27678 ----a-w- c:\windows\system32\dllcache\ali5261.sys
2009-07-04 00:54 . 2006-02-28 12:00 49664 ----a-w- c:\windows\system32\dllcache\adrot.dll
2009-07-04 00:54 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\admxprox.dll
2009-07-04 00:54 . 2004-08-04 08:32 10880 ----a-w- c:\windows\system32\dllcache\admjoy.sys
2009-07-04 00:54 . 2001-08-17 22:19 747392 ----a-w- c:\windows\system32\dllcache\adm8830.sys
2009-07-04 00:54 . 2001-08-17 22:19 584448 ----a-w- c:\windows\system32\dllcache\adm8810.sys
2009-07-04 00:54 . 2001-08-17 22:11 20160 ----a-w- c:\windows\system32\dllcache\adm8511.sys
2009-07-04 00:54 . 2001-08-17 23:53 7424 ----a-w- c:\windows\system32\dllcache\adicvls.sys
2009-07-04 00:53 . 2001-08-18 08:36 61440 ----a-w- c:\windows\system32\dllcache\acerscad.dll
2009-07-04 00:53 . 2004-08-04 08:32 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2009-07-04 00:53 . 2001-08-17 22:20 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
2009-07-04 00:53 . 2001-08-17 22:20 96256 ----a-w- c:\windows\system32\dllcache\ac97intc.sys
2009-07-04 00:53 . 2004-08-04 08:32 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
2009-07-04 00:53 . 2001-08-18 08:36 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
2009-07-04 00:53 . 2001-08-18 00:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
2009-07-04 00:53 . 2008-04-13 18:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2009-07-04 00:53 . 2008-04-13 18:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
2009-07-04 00:53 . 2001-08-17 22:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2009-07-04 00:53 . 2001-08-18 00:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
2009-07-04 00:52 . 2001-08-17 23:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
2009-07-04 00:52 . 2008-04-13 18:46 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2009-07-04 00:52 . 2006-02-28 12:00 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
2009-07-04 00:52 . 2006-02-28 12:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2009-07-04 00:51 . 2001-08-18 00:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-04 00:51 . 2006-02-28 12:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-07-04 00:51 . 2006-02-28 12:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-07-04 00:51 . 2006-02-28 12:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2009-07-04 00:51 . 2006-02-28 12:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-07-04 00:51 . 2006-02-28 12:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2009-07-04 00:51 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-07-03 23:22 . 2009-07-03 23:22 -------- d-----w- c:\program files\Steinberg
2009-07-03 23:22 . 2009-07-03 23:22 -------- d-----w- c:\program files\Elevayta Creativity Tools
2009-06-30 02:13 . 2009-06-30 02:13 -------- d-sh--w- c:\documents and settings\Kavu Kamari\IETldCache
2009-06-29 22:14 . 2008-10-30 21:57 3851784 ----a-w- c:\windows\system32\d3dx9_39.dll
2009-06-29 19:51 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-29 19:51 . 2009-06-29 19:51 -------- d-----w- c:\windows\ie8updates
2009-06-29 19:49 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-29 19:49 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-29 19:46 . 2009-06-29 19:49 -------- dc-h--w- c:\windows\ie8
2009-06-07 05:15 . 2009-03-29 05:52 94208 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEServer.dll
2009-06-07 05:15 . 2009-03-29 05:52 102400 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEClient.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 03:08 . 2008-02-14 06:48 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\uTorrent
2009-07-04 03:07 . 2007-12-29 03:08 -------- d-----w- c:\program files\Steam
2009-07-04 02:46 . 2009-06-03 05:29 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-07-04 02:22 . 2008-08-02 21:30 169936 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\FlashGot.exe
2009-07-03 22:59 . 2009-05-08 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-02 03:33 . 2008-01-16 05:33 61 ----a-w- c:\windows\popcinfot.dat
2009-06-29 21:00 . 2009-05-11 01:59 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\Any Video Converter Professional
2009-06-29 20:40 . 2009-02-16 08:42 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-28 05:44 . 2006-01-19 00:52 -------- d-----w- c:\program files\Dl_cats
2009-06-12 00:48 . 2005-12-08 09:02 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 04:05 . 2006-01-28 21:00 9030 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\wklnhst.dat
2009-06-04 04:02 . 2007-12-02 07:32 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\gtk-2.0
2009-06-03 03:01 . 2009-04-26 09:30 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\dvdcss
2009-06-03 02:56 . 2009-05-22 03:44 165232 ---ha-w- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-01 16:59 . 2006-12-03 03:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-01 06:30 . 2009-05-30 07:37 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\vlc
2009-06-01 00:07 . 2005-12-08 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-01 00:02 . 2009-05-31 23:50 -------- d-----w- c:\program files\VOCALOID2
2009-05-31 22:41 . 2006-12-03 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-30 20:08 . 2009-05-30 07:30 -------- d-----w- c:\program files\OpenOffice Shortcuts
2009-05-30 19:50 . 2006-01-03 18:02 97440 ----a-w- c:\documents and settings\Kavu Kamari\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 07:09 . 2009-05-30 07:09 7424000 ----a-r- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
2009-05-30 07:07 . 2009-05-30 07:07 -------- d-----w- c:\program files\JRE
2009-05-30 07:07 . 2009-02-16 08:19 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-30 07:02 . 2008-03-09 17:40 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2
2009-05-30 05:18 . 2009-05-30 05:18 -------- d-----w- c:\program files\Common Files\Stardock
2009-05-30 05:18 . 2009-04-10 01:16 -------- d-----w- c:\program files\Stardock
2009-05-30 04:15 . 2008-03-11 02:37 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-29 04:16 . 2009-05-29 04:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-29 04:16 . 2006-01-07 01:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-28 06:48 . 2009-05-28 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-28 06:48 . 2009-05-28 06:38 -------- d-----w- c:\program files\NCH Swift Sound
2009-05-28 06:38 . 2009-05-28 06:38 -------- d-----w- c:\program files\NCH Software
2009-05-28 06:38 . 2009-05-28 06:38 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\NCH Swift Sound
2009-05-25 06:12 . 2009-05-25 06:12 -------- d-----w- c:\program files\Celestia
2009-05-25 05:14 . 2008-05-02 18:11 -------- d-----w- c:\program files\Google
2009-05-25 01:10 . 2009-05-24 23:56 -------- d-----w- c:\program files\Messenger Plus! Live
2009-05-25 00:22 . 2009-05-25 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-24 21:11 . 2009-05-24 21:11 -------- d-----w- c:\program files\Lame for Audacity
2009-05-22 08:26 . 2007-07-18 05:13 -------- d-----w- c:\program files\mIRC
2009-05-22 04:53 . 2008-04-13 03:08 -------- d-----w- c:\program files\Audacity
2009-05-22 03:06 . 2009-05-22 03:06 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-05-20 09:20 . 2009-05-20 07:43 -------- d-----w- c:\program files\ManyCam
2009-05-20 09:20 . 2009-05-20 07:43 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\ManyCam
2009-05-17 10:20 . 2009-05-09 05:24 -------- d-----w- c:\program files\RealMyst
2009-05-17 09:30 . 2009-05-17 09:27 -------- d-----w- c:\program files\Vextractor
2009-05-16 03:05 . 2009-05-16 03:05 -------- d-----w- c:\program files\ID3 renamer
2009-05-16 03:05 . 2009-05-16 03:05 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\ID3 renamer
2009-05-13 05:15 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 01:59 . 2009-05-11 01:59 -------- d-----w- c:\program files\Any Video Converter Professional
2009-05-11 00:12 . 2009-05-10 23:54 -------- d-----w- c:\program files\Blaze Media Pro
2009-05-10 21:38 . 2009-05-10 21:38 -------- d-----w- c:\program files\Recuva
2009-05-09 06:18 . 2009-05-09 06:07 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-09 06:11 . 2009-05-09 06:11 -------- d-----w- c:\program files\Mattel Interactive
2009-05-09 06:09 . 2009-05-09 06:01 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\DAEMON Tools Lite
2009-05-09 06:08 . 2009-05-09 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-09 06:07 . 2009-05-09 06:07 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-09 06:01 . 2009-05-09 06:01 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-09 05:53 . 2009-05-09 05:43 -------- d-----w- c:\program files\VirtualCloneDrive
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 01:54 . 2009-04-16 01:54 152576 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 02:16 . 2009-04-14 02:16 1079 ----a-w- c:\windows\system32\unins000.dat
2009-04-14 02:16 . 2009-04-14 02:16 695578 ----a-w- c:\windows\system32\unins000.exe
2009-04-09 05:57 . 2009-04-09 05:57 134 ----a-w- c:\documents and settings\Guest\Application Data\wklnhst.dat
2009-04-08 17:08 . 2009-04-08 17:08 64512 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\HTML\item_templ\coach\RunGdp.exe
2009-04-08 17:06 . 2009-04-08 17:06 698511 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\AutoMaintenance.dll
2009-04-08 17:06 . 2009-04-08 17:06 225280 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\Images.dll
2009-04-08 17:05 . 2009-04-08 17:05 1896448 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll
2009-04-08 17:05 . 2009-04-08 17:05 123138 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\HTML\MakeDesktopShortcut.EXE
2009-04-08 17:03 . 2009-04-08 17:03 96648 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-29 04:45 . 2006-01-19 03:03 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-21 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-10 270128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-02-23 1159168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-02 61440]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-25 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-01-21 28160]

c:\documents and settings\Kavu Kamari\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-3-23 225280]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-5 528384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life deathmatch source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life\\hl.exe"=
"c:\\Softimage\\XSI_6.01_Mod_Tool\\Application\\bin\\XSI.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\Shadowgrounds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bullet candy\\BulletCandyV2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsEditor.exe"=
"c:\\Program Files\\uTorrent\\utorrent-1.8.2.upx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle nights\\PeggleNights.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= c:\program files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= c:\program files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"c:\\Program Files\\America Online 9.0\\waol.exe"= c:\program files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= c:\program files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= c:\program files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"c:\\Program Files\\Messenger\\msmsgs.exe"= c:\program files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"= c:\program files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"c:\\Program Files\\uTorrent\\uTorrent.exe"= c:\program files\uTorrent\uTorrent.exe:*:Enabled:µTorrent
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"= c:\program files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
"c:\\Program Files\\Steam\\steam.exe"= c:\program files\Steam\steam.exe:*:Enabled:Steam
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"= c:\program files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\garrysmod\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\garrysmod\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\team fortress 2\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\team fortress 2\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life 2 deathmatch\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\counter-strike source\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\counter-strike source\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\day of defeat source\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\day of defeat source\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life deathmatch source\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\half-life deathmatch source\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life\\hl.exe"= c:\program files\Steam\SteamApps\kavukamari\half-life\hl.exe:*:Enabled:Half-Life Launcher
"c:\\Softimage\\XSI_6.01_Mod_Tool\\Application\\bin\\XSI.exe"= c:\softimage\XSI_6.01_Mod_Tool\Application\bin\XSI.exe:*:Enabled:XSI
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"= c:\program files\Steam\SteamApps\common\peggle deluxe\Peggle.exe:*:Enabled:Peggle Deluxe
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"= c:\program files\Steam\SteamApps\common\peggle extreme\PeggleExtreme.exe:*:Enabled:Peggle Extreme
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\Shadowgrounds.exe"= c:\program files\Steam\SteamApps\common\shadowgrounds\Shadowgrounds.exe:*:Enabled:Shadowgrounds
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsLauncher.exe"= c:\program files\Steam\SteamApps\common\shadowgrounds\ShadowgroundsLauncher.exe:*:Enabled:Shadowgrounds
"c:\\Program Files\\Steam\\SteamApps\\common\\eets\\Eets.exe"= c:\program files\Steam\SteamApps\common\eets\Eets.exe:*:Enabled:Eets
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"= c:\program files\Steam\SteamApps\common\world of goo\WorldOfGoo.exe:*:Enabled:World of Goo
"c:\\Program Files\\Steam\\SteamApps\\common\\bullet candy\\BulletCandyV2.exe"= c:\program files\Steam\SteamApps\common\bullet candy\BulletCandyV2.exe:*:Enabled:Bullet Candy
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsEditor.exe"= c:\program files\Steam\SteamApps\common\shadowgrounds\ShadowgroundsEditor.exe:*:Enabled:Shadowgrounds Editor
"c:\\Program Files\\uTorrent\\utorrent-1.8.2.upx.exe"= c:\program files\uTorrent\utorrent-1.8.2.upx.exe:*:Enabled:µTorrent
"c:\\Program Files\\Skype\\Phone\\Skype.exe"= c:\program files\Skype\Phone\Skype.exe:*:Enabled:Skype
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle nights\\PeggleNights.exe"= c:\program files\Steam\SteamApps\common\peggle nights\PeggleNights.exe:*:Enabled:Peggle Nights
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= c:\program files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= c:\program files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"= c:\program files\Steam\SteamApps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"= c:\program files\Steam\SteamApps\common\left 4 dead\srcds.exe:*:Enabled:Left 4 Dead Dedicated Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"= 1900:UDP:LocalSubNetisabled:@xpsp2res.dll,-22007
"2869:TCP"= 2869:TCP:LocalSubNetisabled:@xpsp2res.dll,-22008

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/24/2008 8:51 PM 468224]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [12/12/2008 4:50 PM 113896]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 12:06 AM 21632]
S2 gupdate1c9dcf794dd1ffa;Google Update Service (gupdate1c9dcf794dd1ffa);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 7:13 PM 133104]
S3 jbridgep;jbridgep;\??\c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys --> c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter
DcomLaunch REG_MULTI_SZ DcomLaunch TermService
WudfServiceGroup REG_MULTI_SZ WUDFSvc
eapsvcs REG_MULTI_SZ eaphost
dot3svc REG_MULTI_SZ dot3svc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
Alerter
LmHosts


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-02 13:21]

2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]

2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hawaiiantel.net/
mWindow Title = By Hawaiian Telcom
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk788DKUS
IE: Post Image to Blog - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Upload All Images to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5001
Trusted Zone: imageshack.us\toolbar
FF - ProfilePath - c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 17:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithProgids]
"-¦g_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\SecuROM\License information*]
"datasecu"=hex:bd,65,f7,de,98,89,8b,46,bb,e8,92,29,9a,a9,61,1f,ca,6a,d5,ac,19,
dd,11,bc,54,f0,d4,29,63,1b,29,d1,03,c5,33,ea,61,51,fa,8b,e1,46,94,32,58,4f,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\.*e%%g*]
@="-¦g_auto_file"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
@Denied: (A) (Everyone)
"{21701DD0-9D7E-43f7-A1B2-E92ED6E90A51}"=hex:ef,12,30,55,c0,8a,2f,9f,d5,7b,ec,
55,20,39,3f,ec,5e,85,51,91,80,5c,f6,6d,9c,aa,c6,01

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2716)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Stardock\Fences\DesktopDock.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\docume~1\KAVUKA~1\LOCALS~1\temp\clclean.0001
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\dlcccoms.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-07-04 17:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 03:15
ComboFix2.txt 2009-07-04 02:19

Pre-Run: 9,307,774,976 bytes free
Post-Run: 9,287,135,232 bytes free

527 --- E O F --- 2009-06-29 19:51

my internet broke for a day...
oh also, combofix says not to open any programs when it's preparing the log, but then all of my startup programs start, will this create problems? it didn't seem to create problems...
chiaz edited : 5 Jul 2009 at 1:26am . Reason: removed code box
chiaz
Spyware Mod
chiaz
1,218 Posts
5 Jul 2009, 1:32am
Hi,
If ComboFix auto-executes, then don't worry about the startup progams opening.


I also noticed that you have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
  • Viewpoint Experience Technology

If you are having trouble removing Viewpoint, I suggest that you use ViewpointKiller. You may download it from this link.

Once you have downloaded ViewpointKiller, unzip it to a convenient location such as your desktop. Run ViewpointKiller, and select File > Do All Killings. Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with. A logfile will be created in the folder you unzipped ViewpointKiller to, please paste the contents here.

=====================================================

Now go HERE to run Panda ActiveScan 2.0
  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • The scan may take some time. Once it is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply, as well as the ViewPointKiller logfile if you ran it.
Kavukamari
Foxes Rule
Kavukamari
21 Posts
5 Jul 2009, 3:35am
oh by the way, I uninstalled that askbar thing, and i uninstalled viewpoint. (viewpoint uninstalled just fine... i think)

also eset found the same virus (Ursnif.A) in a file that's like A01[more numbers here].exe in the recovery sector and deleted it, just thought you might want to know
chiaz
Spyware Mod
chiaz
1,218 Posts
5 Jul 2009, 3:46am
also eset found the same virus (Ursnif.A) in a file that's like A01[more numbers here].exe in the recovery sector and deleted it, just thought you might want to know
That's probably your old System Restore points.


Will you run the Panda ActiveScan?
Kavukamari
Foxes Rule
Kavukamari
21 Posts
5 Jul 2009, 4:20am
Yes, I'm running it right now.
chiaz
Spyware Mod
chiaz
1,218 Posts
5 Jul 2009, 4:37am
OK - I'll wait for it to be posted up.
Kavukamari
Foxes Rule
Kavukamari
21 Posts
5 Jul 2009, 10:15am
Code:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-07-04 23:11:58
PROTECTIONS: 1
MALWARE: 15
SUSPECTS: 9
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description                                  Version                       Active    Updated
;===================================================================================================================================================================================
ESET Smart Security 3.0                      3.0                           Yes       Yes
;===================================================================================================================================================================================
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;===================================================================================================================================================================================
00139060  Cookie/Casalemedia                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Guest\Cookies\guest@casalemedia[1].txt
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Kavu Kamari\Cookies\kavu_kamari@atdmt[1].txt
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Kavu Kamari\Cookies\kavu_kamari@atdmt[2].txt
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
00145457  Cookie/FastClick                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Guest\Cookies\guest@fastclick[2].txt
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt
00168061  Cookie/Apmebf                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Guest\Cookies\guest@apmebf[1].txt
00169190  Cookie/Advertising                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Guest\Cookies\guest@advertising[2].txt
00170554  Cookie/Overture                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Guest\Cookies\guest@overture[2].txt
00172221  Cookie/Zedo                        TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Guest\Cookies\guest@zedo[1].txt
00172825  Joke/Stress                        Jokes               No        0         Yes            No           C:\Documents and Settings\Kavu Kamari\Desktop\!My Computer Folder\Installed games\n_v1pc\N downloads\Screen Buddies\stressreducer.exe
00335980  Application/MyWay                  HackTools           Yes       0         Yes            No           C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
00527204  Application/PRScheduler            HackTools           Yes       0         Yes            No           C:\Documents and Settings\Kavu Kamari\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
02164907  Generic Malware                    Virus/Trojan        No        0         Yes            No           C:\Program Files\DIGStream\digstream.exe
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP815\A0195882.sys
03074964  Trj/CI.A                           Virus/Trojan        No        0         No             No           C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP766\A0180945.exe[winupdae.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent      Location                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
;===================================================================================================================================================================================
No        C:\Program Files\Rainmeter\Skins\Dark_Rainmeter\SystemInfo\empty.exe                                                                                                                                                                                                                                                                                                                                                                                                                                                  
No        C:\Program Files\Rainmeter\Skins\HUD.Vision\Black\util\fileExec.exe                                                                                                                                                                                                                                                                                                                                                                                                                                                   
No        C:\Program Files\Rainmeter\Skins\HUD.Vision\White\util\fileExec.exe                                                                                                                                                                                                                                                                                                                                                                                                                                                   
No        I:\Kavukamari\Misc\Rainmeter Skins\My\Skins\HUD.Vision\White\UTIL\fileExec.exe                                                                                                                                                                                                                                                                                                                                                                                                                                        
No        I:\Kavukamari\Misc\Rainmeter Skins\My\Skins\HUD.Vision\Black\UTIL\fileExec.exe                                                                                                                                                                                                                                                                                                                                                                                                                                        
No        I:\Kavukamari\Misc\Rainmeter Skins\My\Skins\Dark_Rainmeter\SystemInfo\EMPTY.EXE                                                                                                                                                                                                                                                                                                                                                                                                                                       
No        I:\Kavukamari\Misc\Rainmeter Skins\Dark_Rainmeter.zip[Dark_Rainmeter/SystemInfo/empty.exe]                                                                                                                                                                                                                                                                                                                                                                                                                            
No        I:\Kavukamari\Misc\Rainmeter Skins\coryskins.rar[Skins\HUD.Vision\White\util\fileExec.exe]                                                                                                                                                                                                                                                                                                                                                                                                                            
No        I:\Kavukamari\Misc\Rainmeter Skins\coryskins.rar[Skins\HUD.Vision\Black\util\fileExec.exe]                                                                                                                                                                                                                                                                                                                                                                                                                            
;===================================================================================================================================================================================
VULNERABILITIES
Id        Severity   Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
;===================================================================================================================================================================================
;===================================================================================================================================================================================
there's the log from the activescan panda thing
chiaz
Spyware Mod
chiaz
1,218 Posts
5 Jul 2009, 11:04am
Hi,

Please go to Control Panel > Add/Remove Programs and uninstall the following if found:
MyWaySA

After that, reboot your PC.

Then navigate to and delete the following file:
C:\Documents and Settings\Kavu Kamari\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

As well as the following folder if still existent:
C:\Program Files\MyWaySA\


Reboot your PC once more.


Can I know how your PC is running at this point in time?
Kavukamari
Foxes Rule
Kavukamari
21 Posts
5 Jul 2009, 11:42pm
It seems to be running fine, but I believe termsrv.dll never got cleaned
chiaz
Spyware Mod
chiaz
1,218 Posts
6 Jul 2009, 3:13am
Run a scan with NOD32 now, does it still give out any alerts (termsrv.dll or any other stuff)?
Kavukamari
Foxes Rule
Kavukamari
21 Posts
6 Jul 2009, 5:09am
yea, it still says termsrv.dll is infected, if eset deletes it, will it do anything to my computer?
chiaz
Spyware Mod
chiaz
1,218 Posts
6 Jul 2009, 5:28am
Yes, because termsrv.dll is a legitimate system file.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
termsrv.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Kavukamari
Foxes Rule
Kavukamari
21 Posts
6 Jul 2009, 5:48am
Code:
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 18:41 on 05/07/2009 by Kavu Kamari (Administrator - Elevation successful)

========== filefind ==========

Searching for "termsrv.dll"
C:\i_386\termsrv.dll    --a--- 295424 bytes    [19:51 31/12/2005]    [01:49 10/03/2005] C29A5286E64D97385178452D5F307B98
C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll    -----c 295424 bytes    [07:56 12/11/2008]    [01:49 10/03/2005] C29A5286E64D97385178452D5F307B98
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll    ------ 295424 bytes    [05:43 20/09/2008]    [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll    --a--- 295424 bytes    [10:37 16/08/2005]    [06:29 29/11/2008] (Unable to calculate MD5)

-=End Of File=-
da log.
chiaz
Spyware Mod
chiaz
1,218 Posts
6 Jul 2009, 6:43am
OK....

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Delete CFScript.txt from your desktop first.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Code:
FCopy::
c:\windows\ServicePackFiles\i386\termsrv.dll|c:\windows\system32\termsrv.dll
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt in your next reply please, as well as let me know the latest results from a NOD32 scan.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
Kavukamari
Foxes Rule
Kavukamari
21 Posts
6 Jul 2009, 7:49am
Code:
ComboFix 09-07-03.03 - Kavu Kamari 07/05/2009 20:19.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.631 [GMT -10:00]
Running from: c:\documents and settings\Kavu Kamari\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kavu Kamari\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\KAVUKA~1\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\Kavu Kamari\Local Settings\Temp\clclean.0001.dir.0001\~df394b.tmp

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\termsrv.dll --> c:\windows\system32\termsrv.dll
.
(((((((((((((((((((((((((   Files Created from 2009-06-06 to 2009-07-06  )))))))))))))))))))))))))))))))
.

2009-07-06 04:08 . 2009-07-06 04:08    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2009-07-05 06:07 . 2009-07-05 06:15    --------    d-----w-    c:\program files\Pokemon World Online
2009-07-05 02:15 . 2008-06-20 03:24    28544    ----a-w-    c:\windows\system32\drivers\pavboot.sys
2009-07-05 02:13 . 2009-07-05 02:13    --------    d-----w-    c:\program files\Panda Security
2009-07-04 21:58 . 2009-07-04 21:58    --------    d-sh--w-    c:\documents and settings\LocalService\IETldCache
2009-07-04 04:42 . 2004-08-10 11:00    2944    ----a-w-    c:\windows\system32\drivers\null.sys
2009-07-04 04:05 . 2009-07-04 04:05    --------    d-sh--w-    c:\documents and settings\Kavu Kamari\PrivacIE
2009-07-04 03:02 . 2004-08-10 11:00    2944    ----a-w-    c:\windows\system32\dllcache\null.sys
2009-07-03 23:22 . 2009-07-03 23:22    --------    d-----w-    c:\program files\Steinberg
2009-07-03 23:22 . 2009-07-03 23:22    --------    d-----w-    c:\program files\Elevayta Creativity Tools
2009-06-30 02:13 . 2009-06-30 02:13    --------    d-sh--w-    c:\documents and settings\Kavu Kamari\IETldCache
2009-06-29 22:14 . 2008-10-30 21:57    3851784    ----a-w-    c:\windows\system32\d3dx9_39.dll
2009-06-29 19:51 . 2009-06-02 10:12    102912    ------w-    c:\windows\system32\dllcache\iecompat.dll
2009-06-29 19:51 . 2009-06-29 19:51    --------    d-----w-    c:\windows\ie8updates
2009-06-29 19:49 . 2009-04-30 21:22    12800    ------w-    c:\windows\system32\dllcache\xpshims.dll
2009-06-29 19:49 . 2009-04-30 21:22    246272    ------w-    c:\windows\system32\dllcache\ieproxy.dll
2009-06-29 19:46 . 2009-06-29 19:49    --------    dc-h--w-    c:\windows\ie8
2009-06-07 05:15 . 2009-03-29 05:52    94208    ----a-w-    c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEServer.dll
2009-06-07 05:15 . 2009-03-29 05:52    102400    ----a-w-    c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEClient.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 01:01 . 2009-05-08 13:21    --------    d-----w-    c:\documents and settings\All Users\Application Data\Google Updater
2009-07-05 23:12 . 2008-02-14 06:48    --------    d-----w-    c:\documents and settings\Kavu Kamari\Application Data\uTorrent
2009-07-05 23:05 . 2009-05-11 01:59    --------    d-----w-    c:\documents and settings\Kavu Kamari\Application Data\Any Video Converter Professional
2009-07-05 22:38 . 2008-08-02 21:30    169936    ----a-w-    c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\FlashGot.exe
2009-07-05 22:33 . 2007-12-29 03:08    --------    d-----w-    c:\program files\Steam
2009-07-05 02:11 . 2005-12-08 08:55    --------    d-----w-    c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-04 02:46 . 2009-06-03 05:29    --------    d-----w-    c:\program files\Ask & Record Toolbar
2009-07-02 03:33 . 2008-01-16 05:33    61    ----a-w-    c:\windows\popcinfot.dat
2009-06-29 20:40 . 2009-02-16 08:42    1    ----a-w-    c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-28 05:44 . 2006-01-19 00:52    --------    d-----w-    c:\program files\Dl_cats
2009-06-12 00:48 . 2005-12-08 09:02    --------    d-----w-    c:\program files\Microsoft Works
2009-06-04 04:05 . 2006-01-28 21:00    9030    ----a-w-    c:\documents and settings\Kavu Kamari\Application Data\wklnhst.dat
2009-06-04 04:02 . 2007-12-02 07:32    --------    d-----w-    c:\documents and settings\Kavu Kamari\Application Data\gtk-2.0
2009-06-03 03:01 . 2009-04-26 09:30    --------    d-----w-    c:\documents and settings\Kavu Kamari\Application Data\dvdcss
2009-06-03 02:56 . 2009-05-22 03:44    165232    ---ha-w-    c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-01 16:59 . 2006-12-03 03:27    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2009-06-01 06:30 . 2009-05-30 07:37    --------    d-----w-    c:\documents and settings\Kavu Kamari\Application Data\vlc
2009-06-01 00:07 . 2005-12-08 08:49    --------    d--h--w-    c:\program files\InstallShield Installation Information
2009-06-01 00:02 . 2009-05-31 23:50    --------    d-----w-    c:\program files\VOCALOID2
2009-05-31 22:41 . 2006-12-03 03:27    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-30 20:08 . 2009-05-30 07:30    --------    d-----w-    c:\program files\OpenOffice Shortcuts
2009-05-30 19:50 . 2006-01-03 18:02    97440    ----a-w-    c:\documents and settings\Kavu Kamari\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 07:09 . 2009-05-30 07:09    7424000    ----a-r-    c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
2009-05-30 07:07 . 2009-05-30 07:07    --------    d-----w-    c:\program files\JRE
2009-05-30 07:07 . 2009-02-16 08:19    --------    d-----w-    c:\program files\OpenOffice.org 3
2009-05-30 07:02 . 2008-03-09 17:40    --------    d-----w-    c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2
2009-05-30 05:18 . 2009-05-30 05:18    --------    d-----w-    c:\program files\Common Files\Stardock
2009-05-30 05:18 . 2009-04-10 01:16    --------    d-----w-    c:\program files\Stardock
2009-05-30 04:15 . 2008-03-11 02:37    1    ----a-w-    c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-29 04:16 . 2009-05-29 04:16    --------    d-----w-    c:\program files\Common Files\Adobe AIR
2009-05-29 04:16 . 2006-01-07 01:56    --------    d-----w-    c:\program files\Common Files\Adobe
2009-05-28 06:48 . 2009-05-28 06:48    --------    d-----w-    c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-28 06:48 . 2009-05-28 06:38    --------    d-----w-    c:\program files\NCH Swift Sound
2009-05-28 06:38 . 2009-05-28 06:38    --------    d-----w-    c:\program files\NCH Software
2009-05-28 06:38 . 2009-05-28 06:38    --------    d-----w-    c:\documents and settings\Kavu Kamari\Application Data\NCH Swift Sound
2009-05-25 06:12 . 2009-05-25 06:12    --------    d-----w-    c:\program files\Celestia
2009-05-25 05:14 . 2008-05-02 18:11    --------    d-----w-    c:\program files\Google
2009-05-25 01:10 . 2009-05-24 23:56    --------    d-----w-    c:\program files\Messenger Plus! Live
2009-05-25 00:22 . 2009-05-25 00:22    --------    d-----w-    c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-24 21:11 . 2009-05-24 21:11    --------    d-----w-    c:\program files\Lame for Audacity
2009-05-22 08:26 . 2007-07-18 05:13    --------    d-----w-    c:\program files\mIRC
2009-05-22 04:53 . 2008-04-13 03:08    --------    d-----w-    c:\program files\Audacity
2009-05-22 03:06 . 2009-05-22 03:06    --------    d-----w-    c:\program files\Microsoft Virtual PC
2009-05-20 09:20 . 2009-05-20 07:43    --------    d-----w-    c:\program files\ManyCam
2009-05-20 09:20 . 2009-05-20 07:43    --------    d-----w-    c:\documents and settings\Kavu Kamari\Application Data\ManyCam
2009-05-17 10:20 . 2009-05-09 05:24    --------    d-----w-    c:\program files\RealMyst
2009-05-17 09:30 . 2009-05-17 09:27    --------    d-----w-    c:\program files\Vextractor
2009-05-16 03:05 . 2009-05-16 03:05    --------    d-----w-    c:\program files\ID3 renamer
2009-05-16 03:05 . 2009-05-16 03:05    --------    d-----w-    c:\documents and settings\Kavu Kamari\Application Data\ID3 renamer
2009-05-13 05:15 . 2005-08-16 10:18    915456    ----a-w-    c:\windows\system32\wininet.dll
2009-05-11 02:01 . 2008-12-23 09:38    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2009-05-11 01:59 . 2009-05-11 01:59    --------    d-----w-    c:\program files\Any Video Converter Professional
2009-05-11 00:12 . 2009-05-10 23:54    --------    d-----w-    c:\program files\Blaze Media Pro
2009-05-10 21:38 . 2009-05-10 21:38    --------    d-----w-    c:\program files\Recuva
2009-05-09 06:18 . 2009-05-09 06:07    --------    d-----w-    c:\program files\DAEMON Tools Lite
2009-05-09 06:11 . 2009-05-09 06:11    --------    d-----w-    c:\program files\Mattel Interactive
2009-05-09 06:09 . 2009-05-09 06:01    --------    d-----w-    c:\documents and settings\Kavu Kamari\Application Data\DAEMON Tools Lite
2009-05-09 06:08 . 2009-05-09 06:08    --------    d-----w-    c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-09 06:07 . 2009-05-09 06:07    --------    d-----w-    c:\program files\DAEMON Tools Toolbar
2009-05-09 06:01 . 2009-05-09 06:01    721904    ----a-w-    c:\windows\system32\drivers\sptd.sys
2009-05-09 05:53 . 2009-05-09 05:43    --------    d-----w-    c:\program files\VirtualCloneDrive
2009-05-07 15:32 . 2005-08-16 10:18    345600    ----a-w-    c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 10:18    1847168    ----a-w-    c:\windows\system32\win32k.sys
2009-04-16 01:54 . 2009-04-16 01:54    152576    ----a-w-    c:\documents and settings\Kavu Kamari\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 14:51 . 2005-08-16 10:18    585216    ----a-w-    c:\windows\system32\rpcrt4.dll
2009-04-14 02:16 . 2009-04-14 02:16    1079    ----a-w-    c:\windows\system32\unins000.dat
2009-04-14 02:16 . 2009-04-14 02:16    695578    ----a-w-    c:\windows\system32\unins000.exe
2009-04-09 05:57 . 2009-04-09 05:57    134    ----a-w-    c:\documents and settings\Guest\Application Data\wklnhst.dat
2009-04-08 17:08 . 2009-04-08 17:08    64512    ----a-w-    c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\HTML\item_templ\coach\RunGdp.exe
2009-04-08 17:06 . 2009-04-08 17:06    698511    ----a-w-    c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\AutoMaintenance.dll
2009-04-08 17:06 . 2009-04-08 17:06    225280    ----a-w-    c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\Images.dll
2009-04-08 17:05 . 2009-04-08 17:05    1896448    ----a-w-    c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll
2009-04-08 17:05 . 2009-04-08 17:05    123138    ----a-w-    c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\HTML\MakeDesktopShortcut.EXE
2009-04-08 17:03 . 2009-04-08 17:03    96648    ----a-w-    c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-29 04:45 . 2006-01-19 03:03    3350    --sha-w-    c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((   SnapShot@2009-07-04_02.05.12   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-05 22:32 . 2009-07-05 22:32    16384              c:\windows\Temp\Perflib_Perfdata_7a4.dat
+ 2005-08-16 10:18 . 2009-07-05 22:36    63732              c:\windows\system32\perfc009.dat
- 2005-08-16 10:18 . 2009-05-22 03:07    63732              c:\windows\system32\perfc009.dat
+ 2005-08-16 10:18 . 2009-07-05 22:36    404082              c:\windows\system32\perfh009.dat
- 2005-08-16 10:18 . 2009-05-22 03:07    404082              c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52    80384    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52    80384    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52    80384    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52    80384    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52    80384    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52    80384    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52    80384    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52    80384    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52    80384    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-21 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-10 270128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-02-23 1159168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-02 61440]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-25 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-01-21 28160]

c:\documents and settings\Kavu Kamari\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-5 528384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life deathmatch source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life\\hl.exe"=
"c:\\Softimage\\XSI_6.01_Mod_Tool\\Application\\bin\\XSI.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\Shadowgrounds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bullet candy\\BulletCandyV2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsEditor.exe"=
"c:\\Program Files\\uTorrent\\utorrent-1.8.2.upx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle nights\\PeggleNights.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/4/2009 4:15 PM 28544]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/24/2008 8:51 PM 468224]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [12/12/2008 4:50 PM 113896]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 12:06 AM 21632]
S2 gupdate1c9dcf794dd1ffa;Google Update Service (gupdate1c9dcf794dd1ffa);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 7:13 PM 133104]
S3 jbridgep;jbridgep;\??\c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys --> c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP111

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-02 13:21]

2009-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hawaiiantel.net/
mWindow Title = By Hawaiian Telcom
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk788DKUS
IE: Post Image to Blog - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Upload All Images to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5001
Trusted Zone: imageshack.us\toolbar
FF - ProfilePath - c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 20:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithProgids]
"-¦g_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\SecuROM\License information*]
"datasecu"=hex:bd,65,f7,de,98,89,8b,46,bb,e8,92,29,9a,a9,61,1f,ca,6a,d5,ac,19,
   dd,11,bc,54,f0,d4,29,63,1b,29,d1,03,c5,33,ea,61,51,fa,8b,e1,46,94,32,58,4f,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\.*e%%g*]
@="-¦g_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\software\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-06 20:34
ComboFix-quarantined-files.txt  2009-07-06 06:34
ComboFix2.txt  2009-07-04 04:45
ComboFix4.txt  2009-07-04 02:19

Pre-Run: 30,297,817,088 bytes free
Post-Run: 30,372,638,720 bytes free

331    --- E O F ---    2009-06-29 19:51
I'll virus scan and post anything that comes up when it finishes
chiaz
Spyware Mod
chiaz
1,218 Posts
6 Jul 2009, 8:34am
OK, I'll wait for the NOD32 results.
Kavukamari
Foxes Rule
Kavukamari
21 Posts
6 Jul 2009, 11:08am
I think everything's good.
chiaz
Spyware Mod
chiaz
1,218 Posts
6 Jul 2009, 11:23am
Java is outdated on your PC.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

=============================================================

It's time to remove ComboFix.

Go to to Start > Run
Type in box

combofix /u

Note: the space between the X and the /u

Press Enter.

This command will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.


If you'll reply after you have seen this, I will be able to have this thread archived. Thanks.
Kavukamari
Foxes Rule
Kavukamari
21 Posts
6 Jul 2009, 7:29pm
Thanks for all the help! I installed the latest java and I'm pretty sure all the "ursnif.a" notifications have stopped popping up.
chiaz
Spyware Mod
chiaz
1,218 Posts
7 Jul 2009, 2:52am
Glad we could be of assistance! The help you received here was free.

This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own Thread instead
_______________________________

Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.
Similar Threads
Thread Thread Starter Forum Replies Last Post
Ursnif.A sneekypeeks Resolved / Inactive 8 16 Jul 2009 9:18pm
Please Help! Ursnif.A and Ursnif.B djp200 Resolved / Inactive 9 28 Jun 2009 9:51pm
win32 spy.ursnif.a help removal exclusive501 Resolved / Inactive 18 27 Jun 2009 12:12pm
Help! Trojan ursnif.A drkdx64 Resolved / Inactive 6 27 Jun 2009 11:52am
Help: Ursnif.A virus apezam Resolved / Inactive 10 27 Jun 2009 3:59am

Go Back   Icrontic Forums > Malware Help > Spyware & Virus Removal > Resolved / Inactive
Reload this Page spy.Ursnif.A inside termsrv.dll and Winlogon.exe
Jump to
This Thread Search this Thread
Search this Thread:

Advanced Search

Today's Posts - Mark All Read - Contact Us - Icrontic.com - Archive - Top

Current time: 2:32am (GMT)
Powered by vBulletin®
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Get Vanilla instead. Trust me.