Getting Popups again (Keygens)

Hi,

Installed a program from a friend and it must have been infected; getting popups.

thanks
Wade

Comments

  • edited March 2009
    Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.

    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)


    If you can do those few things, everything should go smoothly.

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe


    Installed a program from a friend and it must have been infected
    Not a good friend then?


    Download and Run RSIT
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.
  • edited March 2009
    Hi, and thanks... I think I have fixed the problem; however, I will run the program and you can let me know if I need to do anything further. Thanks again.

    Logfile of random's system information tool 1.05 (written by random/random)
    Run by Owner at 2009-03-11 18:08:46
    Microsoft Windows XP Home Edition Service Pack 2
    System drive C: has 16 GB (51%) free of 31 GB
    Total RAM: 758 MB (53% free)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:09:04 PM, on 3/11/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\system32\lxdccoms.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sierra Wireless\3G Wireless Module\Generic\Components\SWAutoLaunch.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\realshed.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Owner\Desktop\RSIT.exe
    C:\Program Files\trend micro\Owner.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [A00FF01DFD.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00FF01DFD.exe
    O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: realshed.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
    O4 - .DEFAULT Startup: realshed.exe (User 'Default user')
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: realshed.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
    O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mlslink.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlslink.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mlslink.mlxchange.com/4.3.07.83/Control/IRCSharc.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.37.5/ttinst.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pointstreak.webex.com/client/T26L/webex/ieatgpc.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
    O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SWAutoLaunch - Unknown owner - C:\Program Files\Sierra Wireless\3G Wireless Module\Generic\Components\SWAutoLaunch.exe
    --
    End of file - 10529 bytes
    ======Scheduled tasks folder======
    C:\WINDOWS\tasks\ISP signup reminder 1.job
    C:\WINDOWS\tasks\ISP signup reminder 2.job
    ======Registry dump======
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
    Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-21 320920]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-26 251504]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-26 657904]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
    Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-01-26 522224]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-21 34816]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-21 73728]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-26 251504]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-11-04 98394]
    "SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-11-04 688218]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]
    "Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
    "IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-12-24 155648]
    "HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-12-24 118784]
    "lxdcamon"=C:\Program Files\Lexmark 1300 Series\lxdcamon.exe [2007-04-30 20480]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-21 136600]
    "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
    "LogitechQuickCamRibbon"=C:\Program Files\Logitech\QuickCam\Quickcam.exe [2007-10-25 2178832]
    "LogitechCommunicationsManager"=C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [2007-10-25 563984]
    "Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2004-10-21 29696]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-05 68856]
    "MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
    "A00FF01DFD.exe"=C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00FF01DFD.exe []
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    BigFix.lnk - C:\Program Files\BigFix\BigFix.exe
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup
    PowerReg Scheduler.exe
    realshed.exe
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINDOWS\system32\igfxsrvc.dll [2004-12-24 344064]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
    "C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
    "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
    "C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
    "C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\Program Files\Nortel Networks\Extranet.exe"="C:\Program Files\Nortel Networks\Extranet.exe:*:Enabled:Contivity VPN Client"
    "C:\WINDOWS\system32\lxdccoms.exe"="C:\WINDOWS\system32\lxdccoms.exe:*:Enabled:Lexmark Communications System"
    "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe:*:Enabled:Lexmark Device Monitor"
    "C:\Program Files\Lexmark 1300 Series\App4R.exe"="C:\Program Files\Lexmark 1300 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio"
    "C:\Program Files\Microsoft Games\Zoo Tycoon 2\zt.exe"="C:\Program Files\Microsoft Games\Zoo Tycoon 2\zt.exe:*:Enabled:Zoo Tycoon 2 Executable"
    "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
    "C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
    "C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdctime.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdctime.exe:*:Enabled: "
    "C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdcpswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdcpswx.exe:*:Enabled: "
    "C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdcjswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdcjswx.exe:*:Enabled: "
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
    "C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Lexmark 1300 Series\app4r.exe"="C:\Program Files\Lexmark 1300 Series\app4r.exe:*:Enabled:Lexmark Imaging Studio"
    "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    shell\AutoRun\command - E:\start.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{059c0eb3-e792-11dd-8106-00e0b891fc03}]
    shell\AutoRun\command - F:\podcastready.exe

    ======List of files/folders created in the last 1 months======
    2009-03-10 00:47:18 ----D---- C:\Documents and Settings\Owner\Application Data\WinRAR
    2009-03-10 00:32:56 ----D---- C:\WINDOWS\ERUNT
    2009-03-10 00:29:59 ----A---- C:\WINDOWS\ntbtlog.txt
    2009-03-10 00:28:03 ----D---- C:\SDFix
    2009-03-07 17:39:26 ----D---- C:\Program Files\Medley Games
    2009-03-07 17:38:47 ----A---- C:\WINDOWS\Runservice.exe
    2009-03-07 17:38:47 ----A---- C:\WINDOWS\mmfs.dll
    2009-03-07 17:19:40 ----A---- C:\WINDOWS\system32\midas.dll
    2009-03-07 17:19:11 ----D---- C:\Program Files\400 Software Studios
    2009-03-07 13:19:57 ----A---- C:\WINDOWS\GnuHashes.ini
    2009-03-07 02:43:46 ----A---- C:\WINDOWS\system32\cc3250mt.dll
    2009-03-07 02:42:16 ----A---- C:\WINDOWS\system32\borlndmm.dll
    2009-03-01 12:52:05 ----A---- C:\WINDOWS\system32\DBCLIENT.DLL
    ======List of files/folders modified in the last 1 months======
    2009-03-11 18:08:52 ----D---- C:\Program Files\trend micro
    2009-03-11 18:08:50 ----D---- C:\WINDOWS\Prefetch
    2009-03-11 18:07:56 ----A---- C:\WINDOWS\system32\taskmgrþ.exe
    2009-03-11 18:06:42 ----D---- C:\Program Files\Lx_cats
    2009-03-11 18:06:06 ----D---- C:\WINDOWS\Temp
    2009-03-10 01:52:59 ----D---- C:\WINDOWS\system32
    2009-03-10 01:52:58 ----D---- C:\WINDOWS\system32\drivers
    2009-03-10 01:29:36 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-03-10 00:53:26 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
    2009-03-10 00:32:56 ----D---- C:\WINDOWS
    2009-03-10 00:17:50 ----AC---- C:\WINDOWS\NeroDigital.ini
    2009-03-08 22:06:53 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2009-03-08 20:25:36 ----RD---- C:\Program Files
    2009-03-07 17:17:51 ----D---- C:\Program Files\FTP Commander
    2009-03-07 15:43:08 ----D---- C:\Program Files\PokerStars.NET
    2009-03-07 13:13:11 ----D---- C:\Documents and Settings\Owner\Application Data\LimeWire
    2009-03-07 03:16:03 ----HD---- C:\Program Files\InstallShield Installation Information
    2009-03-07 03:16:02 ----D---- C:\Program Files\Full Tilt Poker.Net
    2009-02-28 16:38:31 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-02-28 16:00:45 ----A---- C:\WINDOWS\ModemLog_Sierra Wireless AirCard 595U Modem Device #2.txt
    2009-02-15 16:37:50 ----D---- C:\Program Files\Citrix
    2009-02-15 16:37:06 ----SHD---- C:\WINDOWS\Installer
    2009-02-14 13:35:17 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2009-02-13 15:04:31 ----RSD---- C:\WINDOWS\assembly
    2009-02-13 15:04:26 ----D---- C:\Program Files\Common Files
    2009-02-13 15:04:26 ----D---- C:\Documents and Settings\All Users\Application Data\Bluebeam Software
    2009-02-13 15:04:25 ----D---- C:\Program Files\Bluebeam Software
    2009-02-13 14:53:18 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
    2009-02-13 14:53:12 ----SD---- C:\WINDOWS\Downloaded Program Files
    2009-02-13 14:52:47 ----D---- C:\Program Files\NOS
    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
    R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2005-11-25 8552]
    R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-01-28 13059]
    R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
    R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2004-12-14 45056]
    R3 CAMCAUD;Conexant AMC 2 Channel Audio; C:\WINDOWS\system32\drivers\camc6aud.sys [2005-01-28 37760]
    R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camc6hal.sys [2005-01-28 346496]
    R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
    R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2005-01-28 1036544]
    R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2005-01-28 205696]
    R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-12-24 708989]
    R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2007-10-11 25624]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
    R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-04 67584]
    R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-11-04 185824]
    R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-02-11 157056]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-01-28 702592]
    R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2008-07-05 186592]
    S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2004-08-04 42496]
    S3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-02-11 371712]
    S3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []
    S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
    S3 IPSECSHM;Nortel IPSECSHM Adapter; C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
    S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2004-10-21 24671]
    S3 LHidUsbK;Logitech SetPoint USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2004-10-21 38691]
    S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2004-10-21 71535]
    S3 LVcKap;Logitech AEC Driver; C:\WINDOWS\system32\DRIVERS\LVcKap.sys [2007-10-19 2109976]
    S3 LVMVDrv;Logitech Machine Vision Engine Loader; C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys [2007-10-11 2142488]
    S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\LVUSBSta.sys [2007-10-11 41752]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
    S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
    S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
    S3 PID_0928;Logitech QuickCam Express(PID_0928); C:\WINDOWS\system32\DRIVERS\LV561AV.SYS [2007-10-11 490776]
    S3 pohci13F;pohci13F; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\pohci13F.sys []
    S3 QCDonner;Logitech QuickCam Express; C:\WINDOWS\system32\DRIVERS\OVCD.sys [2001-08-17 28032]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
    S3 SWMX00;Sierra Wireless USB MUX Driver (#00); C:\WINDOWS\system32\DRIVERS\swmx00.sys [2007-02-22 71168]
    S3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00); C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys [2007-01-12 102144]
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
    S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-11-19 611664]
    R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
    R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-21 152984]
    R2 LicCtrlService;LicCtrl Service; C:\WINDOWS\runservice.exe [2009-03-07 2560]
    R2 LVCOMSer;LVCOMSer; C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [2007-10-19 186904]
    R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2007-10-19 141848]
    R2 lxdc_device;lxdc_device; C:\WINDOWS\system32\lxdccoms.exe [2007-05-25 537520]
    R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2005-11-25 172032]
    R2 SWAutoLaunch;SWAutoLaunch; C:\Program Files\Sierra Wireless\3G Wireless Module\Generic\Components\SWAutoLaunch.exe [2007-03-12 65536]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
    R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
    S2 LVSrvLauncher;LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [2007-10-19 141848]
    S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe [2007-05-25 99248]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
    S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
    S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-26 137200]
    S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
    EOF

Didn't get an info.txt .....
  • edited March 2009
    Information

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    LimeWire
    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    Also available here.

My recommendation is that you go to Control Panel > Add/Remove Programs and uninstall any P2P programs.
Please note: you must NOT use any P2P whilst we are cleaning your machine.




    Step 1

    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If requested, please reboot
  • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Step 2


    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
• Re-enable all the programs that were disabled during the running of ComboFix.



    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper






    Step 3


    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • MalwareBytes Log
    • Combofix Log
    • C:\RSIT\Info.txt
  • edited March 2009
Hi, thanks again

    Malwarebytes' Anti-Malware 1.34
    Database version: 1842
    Windows 5.1.2600 Service Pack 2
    3/12/2009 9:40:59 PM
    mbam-log-2009-03-12 (21-40-59).txt
    Scan type: Full Scan (C:\|)
    Objects scanned: 135116
    Time elapsed: 46 minute(s), 39 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP875\A0064275.dll (Trojan.Agent) -> Quarantined and deleted successfully.
  • edited March 2009
    ComboFix 09-03-12.01 - Owner 2009-03-12 23:58:25.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.758.490 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Owner\Application Data\020000009b642ab1548C.manifest
    c:\documents and settings\Owner\Application Data\020000009b642ab1548O.manifest
    c:\documents and settings\Owner\Application Data\020000009b642ab1548P.manifest
    c:\documents and settings\Owner\Application Data\020000009b642ab1548S.manifest
    c:\windows\GnuHashes.ini
    c:\windows\system32\GroupPolicy000.dat
    D:\Autorun.inf
    BITS: Possible infected sites
    hxxp://www.dapsp.com
    .
    ((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
    .
2009-03-10 00:32 . 2009-03-10 00:33 <DIR> d-------- c:\windows\ERUNT
2009-03-10 00:28 . 2009-03-10 00:52 <DIR> d-------- C:\SDFix
2009-03-07 17:39 . 2009-03-07 17:39 <DIR> d-------- c:\program files\Medley Games
2009-03-07 17:38 . 2009-03-07 17:38 120,832 --a------ c:\windows\lcmmfu.cpl
2009-03-07 17:38 . 2009-03-07 17:38 45,056 --a------ c:\windows\mmfs.dll
2009-03-07 17:38 . 2009-03-07 17:38 2,560 --a------ c:\windows\Runservice.exe
2009-03-07 17:38 . 2009-03-12 21:45 889 --ahs---- c:\windows\system32\mmf.sys
2009-03-07 17:19 . 2009-03-07 17:19 <DIR> d-------- c:\program files\400 Software Studios
2009-03-07 17:19 . 2002-09-02 01:38 603,136 --a------ c:\windows\system32\qrpt50.bpl
2009-03-07 17:19 . 2000-01-24 05:01 264,192 --a------ c:\windows\system32\midas.dll
2009-03-07 17:19 . 2000-08-07 05:01 84,480 --a------ c:\windows\system32\bcbie50.bpl
2009-03-07 02:46 . 2000-01-24 05:01 300,032 --a------ c:\windows\system32\VCLBDE50.BPL
2009-03-07 02:45 . 2000-01-24 05:01 558,080 --a------ c:\windows\system32\VCLDB50.BPL
2009-03-07 02:43 . 2000-08-07 06:01 1,497,088 --a------ c:\windows\system32\cc3250mt.dll
2009-03-07 02:42 . 2000-01-31 06:00 25,600 --a------ c:\windows\system32\borlndmm.dll
2009-03-07 02:39 . 2000-01-31 05:00 147,456 --a------ c:\windows\system32\BCBSMP50.BPL
2009-03-07 02:21 . 2000-01-24 06:01 248,832 --a------ c:\windows\system32\VCLX50.BPL
2009-03-01 12:52 . 1999-01-20 06:01 210,032 --a------ c:\windows\system32\DBCLIENT.DLL
2009-03-01 12:52 . 2009-03-07 17:45 13,030 --a------ C:\PDOXUSRS.NET
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-13 05:04 114,289 ----a-w c:\windows\system32\taskmgrþ.exe
2009-03-12 01:08 --------- d-----w c:\program files\trend micro
2009-03-12 01:06 --------- d-----w c:\program files\Lx_cats
2009-03-09 05:06 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-08 00:17 --------- d-----w c:\program files\FTP Commander
2009-03-07 22:43 --------- d-----w c:\program files\PokerStars.NET
2009-03-07 20:13 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-03-07 10:16 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 10:16 --------- d-----w c:\program files\Full Tilt Poker.Net
2009-02-15 23:37 --------- d-----w c:\program files\Citrix
2009-02-14 20:35 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-13 22:04 --------- d-----w c:\program files\Bluebeam Software
2009-02-13 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Bluebeam Software
2009-02-13 21:53 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-02-13 21:52 --------- d-----w c:\program files\NOS
2009-02-12 06:08 --------- d-----w c:\program files\E-Z Contact Book
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-11 07:27 --------- d-----w c:\program files\GoldMine
2009-02-11 07:27 --------- d-----w c:\program files\Common Files\Borland Shared
2009-02-11 07:24 116 ----a-w C:\cp.bat
2009-01-27 02:20 --------- d-----w c:\program files\Google
    2008-12-21 21:57 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-10-15 16:34 60,296 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2007-06-18 06:54 148 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
    2007-06-14 02:35 56,912 -c--a-w c:\documents and settings\Owner\g2mdlhlpx.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-05 68856]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-24 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-24 118784]
    "lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 20480]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 c:\windows\KHALMNPR.Exe]
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    PowerReg Scheduler.exe [2007-06-09 256000]
    realshed.exe [2008-10-23 39936]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\lxdccoms.exe"=
    "c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
    "c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
    "c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
    R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-03-07 2560]
    R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
    R2 SWAutoLaunch;SWAutoLaunch;c:\program files\Sierra Wireless\3G Wireless Module\Generic\Components\SWAutoLaunch.exe [2007-03-12 65536]
    S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdcserv.exe [2007-10-12 99248]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-13 33752]
    S3 pohci13F;pohci13F;\??\c:\docume~1\Owner\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\Owner\LOCALS~1\Temp\pohci13F.sys [?]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\start.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{059c0eb3-e792-11dd-8106-00e0b891fc03}]
    \Shell\AutoRun\command - F:\podcastready.exe
    .
    Contents of the 'Scheduled Tasks' folder
    2005-11-26 c:\windows\Tasks\ISP signup reminder 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 12:00]
    2005-11-26 c:\windows\Tasks\ISP signup reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 12:00]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.ca/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
    DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://mlslink.mlxchange.com/Control/MultiSelectComboBox.cab
    DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://mlslink.mlxchange.com/Control/MLXClientUtils.cab
    DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://mlslink.mlxchange.com/4.3.07.83/Control/IRCSharc.cab
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-13 00:00:37
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91FA78BC-641E-4329-C41B32C9E0F96EA6}\{25E342AA-73A9-1FC4-4AC5C50BDBE96017}\{04863130-DE8E-7A09-D0B765EBFF2273E8}*]
    "S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
    9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{92E364B2-3C99-8131-FA38C55A9DF469B6}\{ED083C7B-BB22-E038-94448FA9BD51D19E}\{5592BF6F-6CA4-ED79-1454C42B0B348E21}*]
    "1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
    fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98E28BE4-118A-EA39-3FE2FDF7E232D89B}\{DFE81EF0-16B2-5E63-9055890879FD5BFF}\{9E285E3F-FD34-EDAD-0EA00DDB13898C03}*]
    "S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
    9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DCB42C02-2C7E-50EC-E2B5A792F7765BFB}\{38286259-1A12-EDE0-84E2CD6A1D76E8F7}\{2C2658AF-F73E-73C6-89D45D0D6FCCCFF2}*]
    "1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
    fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \7B89AC59B91B61F6]
    "1"=hex:e2,7f,28,b3,f4,78,a8,90,a3,fe,4e,87,45,83,70,cb,36,b1,2e,f7,56,49,5f,
    1a
    "2"=hex:75,4f,d5,56,e6,9d,1a,13,c8,71,03,1e,73,6c,6e,62,58,a8,9a,49,4f,b9,cd,
    0f,5b,63,25,a5,82,25,ac,36
    "3"=hex:e2,7f,28,b3,f4,78,a8,90,a3,fe,4e,87,45,83,70,cb,f0,b4,6d,ee,bc,c7,ac,
    0b,c8,17,e0,ea,3a,b9,a9,b3,2b,85,23,84,db,a5,db,15,57,06,da,7a,f2,b6,f8,62,\
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \7B89AC59B91B61F6\89DB219AFDF6E45A5A7D271757B6BE1F]
    "1"=hex:59,c7,55,52,4b,4f,0d,fc,d0,27,18,c9,73,6d,43,7c,c5,27,a8,d9,b8,e2,7e,
    fd
    "2"=hex:14,ce,87,8d,79,74,ee,b2
    "3"=hex:81,20,8f,ab,28,6a,52,9c
    "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
    "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
    1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
    "6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
    51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
    "7"=hex:e2,7f,28,b3,f4,78,a8,90,a3,fe,4e,87,45,83,70,cb,56,45,d4,09,32,3d,f1,
    bb,f7,48,93,b9,38,3c,15,e4,8d,f5,b4,8e,82,72,66,0b,c7,96,98,35,f9,2a,2c,db,\
    "8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,ee,d2,fa,7b,a3,47,0c,
    f0,56,6c,46,7d,96,cf,aa,69,38,d2,9e,7a,b7,6c,08,3e,a5,ea,31,4a,cc,55,09,2c,\
    "9"=hex:81,20,8f,ab,28,6a,52,9c
    "18"=hex:70,56,26,33,e3,20,f8,ab
    "10"=hex:81,20,8f,ab,28,6a,52,9c
    "11"=hex:81,20,8f,ab,28,6a,52,9c
    "12"=hex:81,20,8f,ab,28,6a,52,9c
    "13"=hex:81,20,8f,ab,28,6a,52,9c
    "14"=hex:81,20,8f,ab,28,6a,52,9c
    "24"=hex:81,20,8f,ab,28,6a,52,9c
    "26"=hex:81,20,8f,ab,28,6a,52,9c
    "27"=hex:81,20,8f,ab,28,6a,52,9c
    "19"=hex:81,20,8f,ab,28,6a,52,9c
    "22"=hex:81,20,8f,ab,28,6a,52,9c
    .
    Completion time: 2009-03-13 0:04:08
    ComboFix-quarantined-files.txt 2009-03-13 07:03:14
    Pre-Run: 16,281,677,824 bytes free
    Post-Run: 16,717,123,584 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    212 --- E O F --- 2008-05-28 16:01:15
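Editor's note: the two logs above are the kind a helper reads by eye for a handful of indicators: the RSIT driver list has `pohci13F` loading from the user's `LOCALS~1\Temp` with no file metadata (`[]`), and the ComboFix "Reg Loading Points" section shows `EnableFirewall` set to 0, an AutoRun command cached under `mountpoints2` for drive E:, and a URL under "BITS: Possible infected sites". The script below is an added example, not code from this thread, from RSIT or from ComboFix; it parses the `R2 name;display;path [date size]` service/driver lines and those registry lines and reports exactly those indicators. The function names (`parse_service`, `triage`) are my own, and `SAMPLE_LOG` is a constructed sample made of lines copied from the logs above.

```python
"""Triage helper for the service, driver and autorun lines that RSIT and
ComboFix print (added example; not code from the thread or from either tool).

It flags the things a helper scans the log for by eye:
  * a service or driver whose image lives under a user Temp directory
  * an entry with no file metadata ("[]" in RSIT, "[?]" in ComboFix), which
    means the tool could not stat the file on disk
  * the Windows Firewall policy value EnableFirewall set to 0
  * an AutoRun command cached under explorer\\mountpoints2 for a drive
  * the URLs ComboFix lists under "BITS: Possible infected sites"
"""
import re

# "S3 name;display; path [date size]" (RSIT) or
# "R2 name;display;path [date size]"  (ComboFix); the bracket may be [] or [?]
SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4])\s+'
    r'(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*'
    r'(?:\[(?P<meta>[^\]]*)\])?$'
)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$')

# Constructed sample: lines copied from the RSIT and ComboFix logs in the thread.
SAMPLE_LOG = r"""
S3 PID_0928;Logitech QuickCam Express(PID_0928); C:\WINDOWS\system32\DRIVERS\LV561AV.SYS [2007-10-11 490776]
S3 pohci13F;pohci13F; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\pohci13F.sys []
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-03-07 2560]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\start.exe
BITS: Possible infected sites
hxxp://www.dapsp.com
"""


def parse_service(line):
    """Return a dict for a service/driver line, or None for any other line."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    path = m.group('path').strip()
    # ComboFix repeats the ImagePath after ' --> '; keep the first copy.
    path = path.split(' --> ')[0].strip()
    # Driver ImagePaths carry the NT object-manager prefix \??\ ; drop it.
    if path.startswith('\\??\\'):
        path = path[4:]
    return {
        'name': m.group('name').strip(),
        'path': path,
        'meta': m.group('meta'),  # None when the line has no bracket at all
    }


def triage(text):
    """Scan log text and return a list of (finding, detail) tuples."""
    findings = []
    current_key = ''
    in_bits = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_bits:
            if line.lower().startswith(('hxxp://', 'http://')):
                findings.append(('bits_site', line))
                continue
            in_bits = False          # first non-URL line ends the BITS block
        if line.startswith('BITS: Possible infected sites'):
            in_bits = True
            continue
        if line.startswith('[') and line.endswith(']'):
            current_key = line[1:-1]  # registry key header, e.g. [HKLM\...]
            continue
        svc = parse_service(line)
        if svc is not None:
            if '\\temp\\' in svc['path'].lower():
                findings.append(('temp_path', svc['name']))
            if svc['meta'] in ('', '?'):
                findings.append(('no_file_info', svc['name']))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(('firewall_disabled', current_key.rsplit('\\', 1)[-1]))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(('autorun', m.group('cmd').strip()))
    return findings


if __name__ == '__main__':
    for kind, detail in triage(SAMPLE_LOG):
        print('%-18s %s' % (kind, detail))
```

Run it against a saved log.txt or ComboFix.txt by passing the file contents to `triage()`; a finding is a lead, not a verdict, which is why the two Logitech and LicCtrl lines in the sample produce nothing while the Temp-resident driver is reported twice (bad location and no file on disk to stat).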
  • edited March 2009
    info.txt logfile of random's system information tool 1.04 2008-11-25 12:34:25
    ======Uninstall list======
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    3DVIA player 4.1-->MsiExec.exe /X{4E868D3D-6EEB-4273-926C-2287236B5B79}
    Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A70000000000}
    Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
    Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
    AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
    Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
    Civilization III-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}\setup.exe"
    Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
    Conexant AC-Link 2 Channel Audio-->CIAunwdm.exe
    FTP Commander-->C:\Program Files\FTP Commander\uninstall.exe
    Full Tilt Poker.Net-->"C:\Program Files\InstallShield Installation Information\{E07B7A31-E160-466D-A003-3BB7B8989D52}\setup.exe" -runfromtemp -l0x0009 -removeonly
    Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
    HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
    Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
    Intel(R) Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
    InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
    J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
    Java 2 Runtime Environment, SE v1.4.2_15-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142150}
    Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
    Lexmark 1300 Series-->C:\Program Files\Lexmark 1300 Series\Install\x86\Uninst.exe
    LimeWire 4.18.3-->"C:\Program Files\LimeWire\uninstall.exe"
    Lizardtech DjVu Control (autoinstall)-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DjVuLite.us.inf,DefaultUninstall,5
    Logitech QuickCam Driver Package-->"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\11.50.1145\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"lvdrivers_11.50" /clone_wait /hide_progress
    Logitech QuickCam-->MsiExec.exe /X{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}
    Logitech SetPoint-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9
    Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
    Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
    Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
    Microsoft Money 2005-->C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
    Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
    Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
    Microsoft Picture It! Premium 10-->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=PREM
    Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
    Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
    MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
    MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
    MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
    Nero BurnRights-->C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
    Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
    Pointstreak (remove only)-->"C:\Program Files\Pointstreak\uninstall.exe"
    PokerStars.net-->"C:\Program Files\PokerStars.NET\PokerStarsUninstall.exe" /u:PokerStars.net
    PokerStars-->"C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
    PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
    RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
    Recovery Software Suite Gateway-->MsiExec.exe /I{15377C3E-9655-400F-B441-E69F0A6BEAFE}
    Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
    Sierra Wireless EVDO Watcher-->MsiExec.exe /I{7AA79880-9581-45A5-B973-FE6D4293BCC0}
    Simply Accounting Payroll 2004 Evaluation Version-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAFAF1EC-0F81-11D8-AA00-00B0D0627A8E}\setup.exe" -l0x9
    Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_0360107B\HXFSETUP.EXE -U -IVEN_8086&DEV_24C6&SUBSYS_0360107B
    Spybot - Search & Destroy 1.4-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
    Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
    Texas Instruments PCIxx21/x515 drivers.-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8E50332B-772C-4AEA-BF56-94DE6A1D5F10} /l1033
    The Game Of Life-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\The Game Of Life\DeIsL1.isu" -c"C:\Program Files\Hasbro Interactive\The Game Of Life\_ISREG32.DLL"
    U.B. Funkeys-->C:\Program Files\U.B. Funkeys\uninstall.exe
    Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
    Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
    Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
    Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
    Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
    Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
    Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
    Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
    Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
    Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
    Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
    Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
    Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
    Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
    Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
    Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
    Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
    Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
    WebEx-->C:\WINDOWS\DOWNLO~1\atcliun.exe
    Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
    Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
    Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
    Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
    Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
    Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
    Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
    Windows XP Hotfix - KB885884-->C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe
    Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
    Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
    Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
    Zoo Tycoon 2-->"C:\Program Files\Microsoft Games\Zoo Tycoon 2\UNINSTAL.EXE" /runtemp /uninstall
    ======Hosts File======
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    ======Security center information======
    AV: AVG Anti-Virus Free (outdated)
    ======Environment variables======
    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
    "windir"=%SystemRoot%
    "FP_NO_HOST_CHECK"=NO
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=6
    "PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
    "PROCESSOR_REVISION"=0d08
    "NUMBER_OF_PROCESSORS"=1
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    EOF
  • edited March 2009
    Step 1

    Submit a File For Analysis
    We need to have the files below Scanned by Uploading them/it to Virus Total

    Please visit Virustotal
    Copy/paste the following file path into the window
    C:\WINDOWS\system32\taskmgrþ.exe
    Click Submit/Send File
    Please post back, to let me know the results.

    If Virustotal is too busy please try Jotti


    Step 2

    Kaspersky Online Scanner.
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
    NOTE:- This scan is best done from IE (Internet Explorer)

    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on !
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Step 3

    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Registry::
      REGLOCKDEL::
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91FA78BC-641E-4329-C41B32C9E0F96EA6}]
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{92E364B2-3C99-8131-FA38C55A9DF469B6}]
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98E28BE4-118A-EA39-3FE2FDF7E232D89B}]
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DCB42C02-2C7E-50EC-E2B5A792F7765BFB}]
      ADS::
      
    • Save this as CFScript.txt and place it on your desktop.


      [screenshot: CFScriptb.gif]


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper




    Step 4

    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • Virus Total Results
    • Kaspersky Log
    • Combofix Log




    Additional Notes



    Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Adobe Reader is a large program and uses unnecessary space.
    If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

    There is a newer version of Adobe Acrobat Reader available.
    • Please go to this link Adobe Acrobat Reader Download Link
    • Click Download
    • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
    • Click the Continue button
    • Click Run, and click Run again
    • Next click the Install Now button and follow the on screen prompts





    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Please download Java Runtime Environment (JRE). (Don't install it yet.)
    Now download JavaRa and unzip it to your desktop.

    ***Please close any instances of Internet Explorer (or other web browser) before continuing!***

    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.


    Now install the Java Runtime Environment (JRE) package you downloaded
    (it comes with a toolbar pre-selected, so make sure you uncheck the box)

    You can delete JavaRa (zip and exe)
  • edited March 2009
    The result of the VirusTotal scan was 0.
  • edited March 2009

    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, March 14, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, March 14, 2009 05:59:20
    Records in database: 1898987
    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes
    Scan area - My Computer:
    C:\
    D:\
    E:\
    Scan statistics:
    Files scanned: 65523
    Threat name: 4
    Infected objects: 8
    Suspicious objects: 2
    Duration of the scan: 10:50:13

    File name / Threat name / Threats count
    realshed.exe\realshed.exe/realshed.exe\realshed.exe Infected: Trojan.Win32.StartPage.del 1
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\realshed.exe//UPX/C:\Documents and Settings\Owner\Start Menu\Programs\Startup\realshed.exe//UPX Infected: Trojan.Win32.StartPage.del 1
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{8923BA97-C8A1-42A5-B59A-4E68A282AAF9}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.Win32.Zbot.egs 1
    C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\face off hockey 2004 incl keygen by REVENGE.zip Infected: P2P-Worm.Win32.Nugg.an 2
    C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\face off hockey 2004 setup including serial by TMG.zip Infected: P2P-Worm.Win32.Nugg.an 2
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\realshed.exe Infected: Trojan.Win32.StartPage.del 1
    The selected area was scanned.
  • edited March 2009
    ComboFix 09-03-12.01 - Owner 2009-03-14 10:36:35.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.758.551 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    * Created a new restore point
    .
    ((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
    .
    2009-03-10 00:32 . 2009-03-10 00:33 <DIR> d-------- c:\windows\ERUNT
    2009-03-10 00:28 . 2009-03-10 00:52 <DIR> d-------- C:\SDFix
    2009-03-07 17:39 . 2009-03-07 17:39 <DIR> d-------- c:\program files\Medley Games
    2009-03-07 17:38 . 2009-03-07 17:38 120,832 --a------ c:\windows\lcmmfu.cpl
    2009-03-07 17:38 . 2009-03-07 17:38 45,056 --a------ c:\windows\mmfs.dll
    2009-03-07 17:38 . 2009-03-07 17:38 2,560 --a------ c:\windows\Runservice.exe
    2009-03-07 17:38 . 2009-03-13 00:34 889 --ahs---- c:\windows\system32\mmf.sys
    2009-03-07 17:19 . 2009-03-07 17:19 <DIR> d-------- c:\program files\400 Software Studios
    2009-03-07 17:19 . 2002-09-02 01:38 603,136 --a------ c:\windows\system32\qrpt50.bpl
    2009-03-07 17:19 . 2000-01-24 05:01 264,192 --a------ c:\windows\system32\midas.dll
    2009-03-07 17:19 . 2000-08-07 05:01 84,480 --a------ c:\windows\system32\bcbie50.bpl
    2009-03-07 02:46 . 2000-01-24 05:01 300,032 --a------ c:\windows\system32\VCLBDE50.BPL
    2009-03-07 02:45 . 2000-01-24 05:01 558,080 --a------ c:\windows\system32\VCLDB50.BPL
    2009-03-07 02:43 . 2000-08-07 06:01 1,497,088 --a------ c:\windows\system32\cc3250mt.dll
    2009-03-07 02:42 . 2000-01-31 06:00 25,600 --a------ c:\windows\system32\borlndmm.dll
    2009-03-07 02:39 . 2000-01-31 05:00 147,456 --a------ c:\windows\system32\BCBSMP50.BPL
    2009-03-07 02:21 . 2000-01-24 06:01 248,832 --a------ c:\windows\system32\VCLX50.BPL
    2009-03-01 12:52 . 1999-01-20 06:01 210,032 --a------ c:\windows\system32\DBCLIENT.DLL
    2009-03-01 12:52 . 2009-03-07 17:45 13,030 --a------ C:\PDOXUSRS.NET
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-14 17:33 120,298 ----a-w c:\windows\system32\taskmgrþ.exe
    2009-03-13 20:46 --------- d-----w c:\program files\Lx_cats
    2009-03-12 01:08 --------- d-----w c:\program files\trend micro
    2009-03-09 05:06 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-03-08 00:17 --------- d-----w c:\program files\FTP Commander
    2009-03-07 22:43 --------- d-----w c:\program files\PokerStars.NET
    2009-03-07 20:13 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
    2009-03-07 10:16 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-03-07 10:16 --------- d-----w c:\program files\Full Tilt Poker.Net
    2009-02-15 23:37 --------- d-----w c:\program files\Citrix
    2009-02-14 20:35 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-02-13 22:04 --------- d-----w c:\program files\Bluebeam Software
    2009-02-13 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Bluebeam Software
    2009-02-13 21:53 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
    2009-02-13 21:52 --------- d-----w c:\program files\NOS
    2009-02-12 06:08 --------- d-----w c:\program files\E-Z Contact Book
    2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-02-11 07:27 --------- d-----w c:\program files\GoldMine
    2009-02-11 07:27 --------- d-----w c:\program files\Common Files\Borland Shared
    2009-02-11 07:24 116 ----a-w C:\cp.bat
    2009-01-27 02:20 --------- d-----w c:\program files\Google
    2008-12-21 21:57 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-10-15 16:34 60,296 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2007-06-18 06:54 148 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
    2007-06-14 02:35 56,912 -c--a-w c:\documents and settings\Owner\g2mdlhlpx.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-03-13_ 0.00.57.20 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-03-13 07:34:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6c0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-05 68856]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-24 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-24 118784]
    "lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 20480]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 c:\windows\KHALMNPR.Exe]
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    PowerReg Scheduler.exe [2007-06-09 256000]
    realshed.exe [2008-10-23 39936]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\lxdccoms.exe"=
    "c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
    "c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
    "c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"=
    R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-03-07 2560]
    R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
    R2 SWAutoLaunch;SWAutoLaunch;c:\program files\Sierra Wireless\3G Wireless Module\Generic\Components\SWAutoLaunch.exe [2007-03-12 65536]
    S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdcserv.exe [2007-10-12 99248]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-13 33752]
    S3 pohci13F;pohci13F;\??\c:\docume~1\Owner\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\Owner\LOCALS~1\Temp\pohci13F.sys [?]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\start.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{059c0eb3-e792-11dd-8106-00e0b891fc03}]
    \Shell\AutoRun\command - F:\podcastready.exe
    .
    Contents of the 'Scheduled Tasks' folder
    2005-11-26 c:\windows\Tasks\ISP signup reminder 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 12:00]
    2005-11-26 c:\windows\Tasks\ISP signup reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 12:00]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.ca/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
    DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://mlslink.mlxchange.com/Control/MultiSelectComboBox.cab
    DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://mlslink.mlxchange.com/Control/MLXClientUtils.cab
    DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://mlslink.mlxchange.com/4.3.07.83/Control/IRCSharc.cab
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-14 10:40:56
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91FA78BC-641E-4329-C41B32C9E0F96EA6}\{25E342AA-73A9-1FC4-4AC5C50BDBE96017}\{04863130-DE8E-7A09-D0B765EBFF2273E8}*]
    "S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
    9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{92E364B2-3C99-8131-FA38C55A9DF469B6}\{ED083C7B-BB22-E038-94448FA9BD51D19E}\{5592BF6F-6CA4-ED79-1454C42B0B348E21}*]
    "1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
    fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{98E28BE4-118A-EA39-3FE2FDF7E232D89B}\{DFE81EF0-16B2-5E63-9055890879FD5BFF}\{9E285E3F-FD34-EDAD-0EA00DDB13898C03}*]
    "S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
    9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DCB42C02-2C7E-50EC-E2B5A792F7765BFB}\{38286259-1A12-EDE0-84E2CD6A1D76E8F7}\{2C2658AF-F73E-73C6-89D45D0D6FCCCFF2}*]
    "1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
    fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \7B89AC59B91B61F6]
    "1"=hex:e2,7f,28,b3,f4,78,a8,90,a3,fe,4e,87,45,83,70,cb,36,b1,2e,f7,56,49,5f,
    1a
    "2"=hex:75,4f,d5,56,e6,9d,1a,13,c8,71,03,1e,73,6c,6e,62,58,a8,9a,49,4f,b9,cd,
    0f,5b,63,25,a5,82,25,ac,36
    "3"=hex:e2,7f,28,b3,f4,78,a8,90,a3,fe,4e,87,45,83,70,cb,f0,b4,6d,ee,bc,c7,ac,
    0b,c8,17,e0,ea,3a,b9,a9,b3,2b,85,23,84,db,a5,db,15,57,06,da,7a,f2,b6,f8,62,\
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \7B89AC59B91B61F6\89DB219AFDF6E45A5A7D271757B6BE1F]
    "1"=hex:59,c7,55,52,4b,4f,0d,fc,d0,27,18,c9,73,6d,43,7c,c5,27,a8,d9,b8,e2,7e,
    fd
    "2"=hex:14,ce,87,8d,79,74,ee,b2
    "3"=hex:81,20,8f,ab,28,6a,52,9c
    "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
    "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
    1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
    "6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
    51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
    "7"=hex:e2,7f,28,b3,f4,78,a8,90,a3,fe,4e,87,45,83,70,cb,56,45,d4,09,32,3d,f1,
    bb,f7,48,93,b9,38,3c,15,e4,8d,f5,b4,8e,82,72,66,0b,c7,96,98,35,f9,2a,2c,db,\
    "8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,ee,d2,fa,7b,a3,47,0c,
    f0,56,6c,46,7d,96,cf,aa,69,38,d2,9e,7a,b7,6c,08,3e,a5,ea,31,4a,cc,55,09,2c,\
    "9"=hex:81,20,8f,ab,28,6a,52,9c
    "18"=hex:70,56,26,33,e3,20,f8,ab
    "10"=hex:81,20,8f,ab,28,6a,52,9c
    "11"=hex:81,20,8f,ab,28,6a,52,9c
    "12"=hex:81,20,8f,ab,28,6a,52,9c
    "13"=hex:81,20,8f,ab,28,6a,52,9c
    "14"=hex:81,20,8f,ab,28,6a,52,9c
    "24"=hex:81,20,8f,ab,28,6a,52,9c
    "26"=hex:81,20,8f,ab,28,6a,52,9c
    "27"=hex:81,20,8f,ab,28,6a,52,9c
    "19"=hex:81,20,8f,ab,28,6a,52,9c
    "22"=hex:81,20,8f,ab,28,6a,52,9c
    .
    Completion time: 2009-03-14 10:44:25
    ComboFix-quarantined-files.txt 2009-03-14 17:43:40
    ComboFix2.txt 2009-03-13 07:04:09
    Pre-Run: 16,480,223,232 bytes free
    Post-Run: 16,677,040,128 bytes free
    198 --- E O F --- 2008-05-28 16:01:15
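The ComboFix log above is read by hand in this thread. As an added example (not the helper's, the poster's, or ComboFix's own code), the Python script below applies the same checks to the "Reg Loading Points" section: files in the per-user Startup folder, Security Center warnings that have been switched off, services whose binary sits in a Temp directory or could not be read, and AutoRun commands registered for removable drives. The sample log inside it is a constructed excerpt of the entries posted above, and the category names are my own.

```python
"""Triage checks over the 'Reg Loading Points' section of a ComboFix log.

Added example only: this is not the helper's, the poster's or ComboFix's own
code. It reads the REGEDIT4-style block that ComboFix prints and raises the
questions a forum helper asks when reading it: what starts from the per-user
Startup folder, whether Security Center warnings were silenced, which
services load from a Temp directory or could not be verified, and which
removable drives carry an AutoRun command.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-05 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-06-09 256000]
realshed.exe [2008-10-23 39936]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-03-07 2560]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S3 pohci13F;pohci13F;\??\c:\docume~1\Owner\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\Owner\LOCALS~1\Temp\pohci13F.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{059c0eb3-e792-11dd-8106-00e0b891fc03}]
\Shell\AutoRun\command - F:\podcastready.exe
"""

# "R2 name;display name;path [date size]" service lines as ComboFix prints them
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
# "file.exe [2008-10-23 39936]" entries listed under a Startup folder path
STARTUP_FILE_RE = re.compile(
    r"^(.+\.(?:exe|dll|scr|com|bat))\s+\[\d{4}-\d{2}-\d{2} \d+\]$", re.I)
# Security Center values that silence the "no antivirus / no updates" warnings
NOTIFY_RE = re.compile(r'^"(\w*DisableNotify)"=dword:0*1$', re.I)


def triage(log_text: str) -> List[Finding]:
    """Return (category, detail) findings in the order they appear in the log."""
    findings: List[Finding] = []
    section = ""        # current [registry key] header, lower-cased
    in_startup = False  # True while reading files under a Startup folder path
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            in_startup = False
            continue
        if line.lower().endswith("\\startup\\"):
            section = ""
            in_startup = True
            continue
        if in_startup:
            m = STARTUP_FILE_RE.match(line)
            if m:
                # Everything in this folder runs at logon; list each entry.
                findings.append(("startup-folder-file", m.group(1)))
                continue
            in_startup = False
        m = SERVICE_RE.match(line)
        if m:
            name, path = m.group(1), m.group(2)
            if "\\temp\\" in path.lower():
                findings.append(("service-from-temp", name))
            elif path.endswith("[?]"):
                # "[?]" means no date/size could be recorded for the binary.
                findings.append(("service-unverified-binary", name))
            continue
        if section.endswith("\\security center"):
            m = NOTIFY_RE.match(line)
            if m:
                findings.append(("security-center-notify-disabled", m.group(1)))
            continue
        if "\\mountpoints2\\" in section and "\\autorun\\command" in line.lower():
            _, _, target = line.partition(" - ")
            findings.append(("removable-media-autorun", target.strip()))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:34} {detail}")
```

Flagged entries are review points, not verdicts: in this thread the Kaspersky report is what identified realshed.exe as malicious, while PowerReg Scheduler.exe is listed only because it starts from the same folder.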
  • edited March 2009
    Do you know where these files came from?

    face off hockey 2004 incl keygen by REVENGE.zip
    face off hockey 2004 setup including serial by TMG.zip
  • edited March 2009
    those were the files that caused the problem, that I got from my friend
  • edited March 2009
    Installed a program from a friend and it must have been infected
    ~
    those were the files that caused the problem, that I got from my friend

    So you decided to keep them?

    I don't provide help for those using any form of cracked software or Operating Systems.

    In doing the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product.
    The distribution and use of cracked copies is illegal in almost every developed country.
    They are also one of the biggest causes of infection.

    This applies to Cracks, Keygens and Warez

    In the future I strongly suggest you stay away from using cracks and/or Keygens.



    Please delete RSIT.exe and C:\RSIT (entire folder)
    You can also delete any logs we have produced, and empty your Recycle bin.


    Uninstall Combofix
    • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
    • (XP) Click START then RUN
    • (Vista) Click START, type RUN into the search box, then click Enter
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
      • [screenshot: CF_Cleanup.png]





    I recommend that you delete the Keygen files also.
This discussion has been closed.