# Hard drive keeps disappearing



## SVXX (Apr 14, 2009)

This problem began occurring this Sunday and I have no idea how it came about. Last week I used MalwareBytes to remove Trojan.Vundo.H (I don't think that has any special connection with this) and then my comp was as fresh as ever. Now my E drive keeps randomly disappearing/appearing when I start/restart my computer.

The data on it is intact, as when it appears everything works fine on it. I have used System Restore thrice, the first two times to Sunday, and then I tried to do it to 9th April (as far back as I could go) but it said Sys Restore failed. Each time I restored my system the drive came back. The drive doesn't come back as frequently when I restart or start the computer as it does when I use Sys Restore.
Apart from backing up my hard drive (obviously, and what are the best tools for that?), what am I supposed to do to curb this problem? Formatting is a last resort option; I'd like to know if there's anything else that can be done.
Plus, my computer loads slower than before. Before the BIOS choice screen, a cursor freezes up on the screen. Usually it just blinks once and everything happens quickly.


----------



## blitzkreig (Mar 6, 2009)

Simple,
it's a nasty virus... do you use any antivirus?
If you do, run a complete scan,
because Malwarebytes doesn't always seem to detect & remove all the threats.


----------



## SVXX (Apr 14, 2009)

OK, I'll try a McAfee full scan and inform you on how it goes. Thanks for the reply!


----------



## SVXX (Apr 14, 2009)

Checked with McAfee antivirus, nothing of note found. I got some Generic.dx and Generic!Artemis, but none of them are related to the hard drive problem. Plus, I removed them, but this pattern of the hard drive disappearing every reboot and appearing every 2 reboots is still there.


----------



## blitzkreig (Mar 6, 2009)

Could you please provide me with a HijackThis log?
I'm never happy with McAfee results for some reason.


----------



## SVXX (Apr 14, 2009)

Uploaded a HijackThis log as you required.


----------



## blitzkreig (Mar 6, 2009)

I am getting a senior adviser to check your HijackThis log.
In the meantime, I would recommend using Trend Micro HouseCall:

http://housecall.trendmicro.com/


----------



## flavallee (May 12, 2002)

SVXX:

I've copied-and-pasted your log here for you. Don't post it as an attachment anymore because it can't be read that way.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:45 PM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\DNA\btdna.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWAgent.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
D:\Setups\SF Hack Tweak Pack\SF Tweak Hack Pack.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\Downloaded Program Files\PurpleBean.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: (no name) - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O2 - BHO: (no name) - {053F9267-DC04-4294-A72C-58F732D338C0} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229274323500
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: opnnmLCV - opnnmLCV.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

---------------------------------------------------------------

You appear to have both *McAfee VirusScan* and *Kaspersky Antivirus* installed and running at the same time. Multiple antivirus programs will fight with each other, bog down a computer, and make it more susceptible to infection. One of them needs to go.

Get rid of *HP Smart Web Printing*. It's not needed and it's problematic.

What have you been downloading with *BitTorrent*? That's a likely source of getting infected.

---------------------------------------------------------------


----------



## blitzkreig (Mar 6, 2009)

McAfee and Kaspersky :O
Both together... a perfect recipe for disaster.


----------



## SVXX (Apr 14, 2009)

Hmm, no, I uninstalled Kaspersky a long time ago... it wouldn't let me install McAfee otherwise.
The HP problem is a long one. I downloaded the wrong version of HP's printer software (that is, in the wrong language, Spanish) and then uninstalled it. After downloading the English version, it wouldn't install completely, getting stuck at 96%. It was quite weird; it never did install correctly. I tried uninstalling the Spanish version completely but it wouldn't budge.
Btw, I tried Trend Micro's HouseCall online scanner, and it showed me a couple of trojans I've never heard of, apart from Generic.dx. They were:
TROJ_ZELDOM
TROJ_FORMATA.A
and some others. Also I'm quite careful with what I download from BT, and I rarely use it anyway. Will post further when the TM scan finishes.


----------



## flavallee (May 12, 2002)

Bad or partial uninstalls will leave a lot of files and registry entries behind that can cause problems.

Download and install *Revo Uninstaller 1.80* from here.

Run a scan with it and wait for the list of installed programs to appear.

Select a program that you want to uninstall and then click "Uninstall".

Use the default selection to get rid of registry entries.

When the registry strings appear, make sure to check only the ones in *bold* text.

After you're done uninstalling what you want, restart your computer.

Post a new HijackThis here, and also advise what you uninstalled so I can look for leftover entries in the log.

-------------------------------------------------------------------


----------



## blitzkreig (Mar 6, 2009)

You don't seem to have done a good job with the removal of Kaspersky.


----------



## SVXX (Apr 14, 2009)

I uninstalled HP Smart Web Printing and HPSsuply, as you asked me to remove unneeded programs using Revo. The TrendMicro scan was interrupted because I shut the browser by mistake! I've restarted that. Also, I didn't find Kaspersky anywhere in the Revo list... wonder why it shows in HijackThis. Anyway, the new log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:12 AM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\RTHDCPL.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWAgent.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: pccmsi.lnk = C:\Documents and Settings\Piyush\Local Settings\Temp\Rar$EX39.172\setup.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229274323500
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: opnnmLCV - opnnmLCV.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9105 bytes

One more thing: my printer driver setup (the English version which I downloaded) still thinks that it's installed (even after I removed every instance of HP via Revo). It isn't letting me install the driver.


----------



## SVXX (Apr 14, 2009)

The malware I found with TM HouseCall:
CRYP_MEW-11 (I deleted the relevant file)
TROJ_FORMATA.A (8 infections)
TSPY_HATKEYS.C/Generic.dx (2 infections)
TROJ_ANKIT.B (2 infections)
Since I need to purchase a ticket for HouseCall to actually clean the files, I guess I'll delete them myself.


----------



## blitzkreig (Mar 6, 2009)

First of all, I feel you should change your antivirus.


----------



## SVXX (Apr 14, 2009)

Why's that? I have McAfee and Malware Bytes, what should I get??
And I deleted the files which contained the viruses.


----------



## blitzkreig (Mar 6, 2009)

McAfee seems to be pretty harsh on the system resources and it doesn't seem to detect some threats; you saw that yourself when you scanned using Trend Micro HouseCall.

anyways,
the decision is solely yours :up:


----------



## SVXX (Apr 14, 2009)

Well maybe so but could you kindly stop being so high headed and TELL me which antivirus to use? I'm not BOASTING around about McAfee, and if you can't help let others do so :\


----------



## flavallee (May 12, 2002)

SVXX:

Have you looked in the *C:\Program Files* folder to see if a *Kaspersky* folder still exists? If it does, delete it.

---------------------------------------------------------------

Click Start - Run, type in REGEDIT and then click OK. This will open the registry editor. Follow my instructions very carefully.

Click the + in:

HKEY_CURRENT_USER
Software

HKEY_LOCAL_MACHINE
Software

In the "software" sub-menu of both, look for a *Kaspersky* folder. If it's there, right-click directly on that Kaspersky folder, then click Delete - Yes.

After you're done, close the registry editor window and restart.

Post a new HijackThis log here.

------------------------------------------------------------------
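A small triage script for logs in this format, as an added example that is not part of the thread or of HijackThis itself: it parses the `Rn`/`Onn` entry lines and flags the kinds of entries the helpers act on above, such as an O23 service still registered after its executable is gone (which is why a service can show up in HijackThis but not in an uninstaller's program list), a Winlogon Notify DLL or BHO marked `(file missing)`/`(no file)`, and a startup item pointing into a Temp directory. The log text is a constructed excerpt, and `<user>` in the path is a placeholder.

```python
"""Triage a HijackThis v2.0.2 log for leftover and suspicious entries.

Added example for this thread, not part of the thread or of HijackThis.
SAMPLE_LOG is a constructed excerpt whose lines mirror entries seen in the
thread's logs; "<user>" in the startup path is a placeholder.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:40 PM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - Global Startup: pccmsi.lnk = C:\Documents and Settings\<user>\Local Settings\Temp\Rar$EX39.172\setup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: opnnmLCV - opnnmLCV.dll (file missing)
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry line starts with its section code, e.g. "R0 - " or "O23 - ".
ENTRY_RE = re.compile(r"^(?P<sect>R\d|O\d{1,2}) - (?P<body>.*)$")
# O23 bodies look like "Service: <display> (<name>) - <owner> - <image path>";
# the "(<name>)" part is absent when the short name equals the display name.
SERVICE_RE = re.compile(r"^Service: (?P<display>.*?)(?: \((?P<name>[^()]+)\))? - (?P<rest>.*)$")
# HijackThis appends these markers when the registered file no longer exists.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Startup items that launch from a Temp directory are unusual for installed software.
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sect"), m.group("body")))
    return entries


def service_parts(body):
    """Split an O23 body into (display name, short name or None, owner, image path)."""
    m = SERVICE_RE.match(body)
    if not m:
        return None
    owner, _, path = m.group("rest").rpartition(" - ")
    return m.group("display"), m.group("name"), owner, path


def analyse(log_text):
    """Return findings as dicts with 'section', 'kind' and 'detail' keys."""
    findings = []
    for sect, body in parse_entries(log_text):
        orphaned = body.endswith(ORPHAN_MARKERS)
        if sect == "O23" and orphaned:
            # The service is still registered with the Service Control Manager even
            # though its executable is gone: an uninstaller will not list it, but
            # HijackThis (and the registry under Services) still does.
            display, name, _owner, path = service_parts(body)
            findings.append({"section": sect, "kind": "orphaned_service",
                             "detail": f"{display} ({name or display}) still registered: {path}"})
        elif sect == "O20" and orphaned:
            # Winlogon Notify DLLs load into winlogon.exe at logon; a missing one
            # is a dead registration that should be removed rather than left behind.
            findings.append({"section": sect, "kind": "orphaned_winlogon_notify", "detail": body})
        elif sect == "O2" and orphaned:
            findings.append({"section": sect, "kind": "orphaned_bho", "detail": body})
        elif sect == "O4" and TEMP_DIR_RE.search(body):
            findings.append({"section": sect, "kind": "startup_from_temp", "detail": body})
        elif sect == "O10":
            # Winsock LSP entries are worth a manual look; the DLL may be legitimate.
            findings.append({"section": sect, "kind": "winsock_lsp_review", "detail": body})
    return findings


def summarise(findings):
    """Count findings per kind."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"[{f['section']}] {f['kind']}: {f['detail']}")
    print(dict(summarise(results)))
```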


----------



## SVXX (Apr 14, 2009)

Here you go, I removed all instances of Kaspersky from the registry as you asked me to:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:40 PM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DNA\btdna.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWAgent.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: pccmsi.lnk = C:\Documents and Settings\Piyush\Local Settings\Temp\Rar$EX39.172\setup.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229274323500
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: opnnmLCV - opnnmLCV.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9069 bytes
The problem isn't any better; my E drive still disappears at random times after a reboot. Does this have to be a virus?


----------



## flavallee (May 12, 2002)

Run a HijackThis scan, place a checkmark in:

*O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)

O4 - Global Startup: pccmsi.lnk = C:\Documents and Settings\Piyush\Local Settings\Temp\Rar$EX39.172\setup.exe

O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)*

then click "Fix Checked".

(The O2 and O23 entries are associated with Kaspersky. The O4 entry is something suspicious running from a temp folder.)

Close HijackThis.

----------------------------------------------------------------

Go into:

*C:\Documents And Settings\(Username)\Local Settings\Temp*

and delete everything from inside that Temp folder. If a few files resist getting deleted, leave them alone and delete everything else.

Empty the Recycle Bin and then restart.

----------------------------------------------------------------

Post a new HijackThis log here.

----------------------------------------------------------------

Run a full scan with Malwarebytes Anti-Malware (after you first make sure it's up-to-date), then post its log here. I have a feeling that we may need to get this thread transferred to the "Malware Removal & HijackThis Logs" section.

----------------------------------------------------------------


----------



## SVXX (Apr 14, 2009)

The HijackThis log as requested:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:19 PM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWAgent.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229274323500
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: opnnmLCV - opnnmLCV.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8880 bytes
Will post the Malwarebytes log as soon as the scan finishes.
The Kaspersky service (O23 entry) didn't get deleted even though I placed a checkmark on it as well.


----------



## flavallee (May 12, 2002)

Yep, I see that. I had someone else have the same problem. I'm not sure from this point how to get rid of it.

---------------------------------------------------------------

And I forgot to tell you to allow Malwarebytes to fix whatever it finds before you post its log here.

----------------------------------------------------------------


----------



## blitzkreig (Mar 6, 2009)

*SVXX*
Listen, I'm not being high headed, just told you what I feel. I left the decision to you. We try our best to help you out. I don't wish to argue out here.


----------



## SVXX (Apr 14, 2009)

The Malware Bytes log:
Malwarebytes' Anti-Malware 1.36
Database version: 2000
Windows 5.1.2600 Service Pack 3

4/18/2009 10:22:25 PM
mbam-log-2009-04-18 (22-22-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 239877
Time elapsed: 1 hour(s), 21 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Full Speed\uninstall.exe (Trojan.Agent) -> No action taken. (Now deleted)

I scanned E: when it reappeared as well. Not a sign of anything.


----------



## SVXX (Apr 14, 2009)

Ok...this virus or whatever it is, is worse than I thought. My comp hung a bit and E disappeared right before my eyes. No reboots, nothing required.


----------



## flavallee (May 12, 2002)

Post a new HijackThis log here.

Something is going on with your computer that I don't have the expertise to deal with.

I'm going to report your thread to the "Malware Removal & HijackThis Logs" section and see if one of the experts there can assist you.

That section is overwhelmed with requests for help and only has a small number of experts to carry the load, so don't expect a reply in a matter of minutes or hours.

---------------------------------------------------------------


----------



## Triple6 (Dec 26, 2002)

What brand is the E: drive? You may want to test the drive with the manufacturer's diagnostics as it could be a hardware issue unrelated to the malware issues you are having. You may also want to reseat all the cable connections to the drive in case it's a matter of a cable being slightly loose.


----------



## SVXX (Apr 14, 2009)

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:59 AM, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWAgent.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229274323500
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O20 - Winlogon Notify: opnnmLCV - opnnmLCV.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9707 bytes
Brand of E drive as in? It's a SATA hard disk and it has the NT File System on it, if that's what you were asking for.
Aight, I'll check the cables. But if it really is an internal hardware issue, why does the drive disappear in between sessions AND per reboot?
Also, I replaced McAfee with Trend Micro Internet Security and scanned. I found nothing of note except a few Generic.trojan or generic.dx and deleted them.

EDIT: Looks like there's more to it than I thought...Trend Micro automatically quarantined the following files while scanning last night when I was asleep from D:\System Volume Information:
A0238951.exe
A0238950.exe
A0238949.EXE
A0238947.exe
A0238946.exe
A0238945.dll
A0238944.scr
A0234329.exe to 324.exe
I never noticed carefully before but, *my DVD drive disappears along with my E drive.*
Found an A0.....exe file in my E:\System Volume Information as well (scanned it when the drive came back) and deleted that file too.
How can trojan.generic and trojan.generic.adv possibly hide my drive?


----------



## gophersnake (Mar 5, 2006)

I recently had a hard drive become intermittent and eventually fail completely. If there were any viruses involved, AVG never found any trace of them and they haven't reappeared on the replacement drive.

In my case, the drive failed to boot one day. Next day I replaced the CMOS battery and the drive acted as good as new. A few weeks later it resumed failing to boot, but only *for an hour or two after a power-off shutdown*. It didn't seem to mind a warm restart, and it seemed to recover after a few hours (of cooling down?) Almost as soon as I got a replacement drive, the old drive stopped booting altogether; it only woke up one last time, long enough for me to copy most of the files off it.

The faulty drive was set up in CMOS as "AUTO." Whenever it wasn't booting, the CMOS seemed unable to identify its specs and geometry correctly.

I'm not fluent in XP so I hope you can translate from my 98SE-speak here:

After I was already running successfully on the new drive but still had the old one connected (in case it should wake up again and give me another shot at grabbing files from it), I noticed that System Information (Components | Problem Devices) was telling me that the IDE controller (to which both the good drive and the bad drive were connected) had a problem. As soon as I gave up on the bad drive and set it to "OFF" in CMOS, the SysInfo message changed: "There are no devices with problems on this machine".

SVXX, I assume you have something like SysInfo on your system, too. What does it say about your flaky drive, about the DVD drive that disappears along with it, and about the controller(s) for those drives?


----------



## SVXX (Apr 14, 2009)

Well, my IDE controllers are working properly, or so Device Manager says.
Whenever it's not there, even CMOS/BIOS doesn't list the disk drive.
Funny thing is, both my E drive's disk and my DVD ROM drive are at LOCATION 0. Does that specify anything? And it says both are working fine.


----------



## gophersnake (Mar 5, 2006)

_Well, my IDE controllers are working properly, or so Device Manager says._

Is that so whether or not the E: drive and the DVD are "there"?

My Device Manager acts pretty stupid and has told me enough lies over the years that I've come to prefer System Information. The latter is found (on my 98SE system) under Start | Programs | Accessories | System Tools. In the past I've battled, say, modem problems where Device Manager keeps telling me my modem is working properly while something else (that deals more directly with the modem) is saying, "Modem? I don't see no stinkin' modem. Are you sure you even have one?"

_Whenever it's not there, even CMOS/BIOS doesn't list the disk drive._

That sounds kind of like a flaky controller to me (the veteran of one controller driven a little crazy by a flaky drive). Whether it's a real hardware problem or a virus-caused one, and whether it originates in the controller, in one of the drives connected to it, or in CMOS/BIOS, I couldn't begin to guess. Are both of those drives on the same controller? My hard drives are on one (though my new second hard drive is currently unplugged), my CD-R and CD-RW are on another, my floppy is on a third, and my flash drives are on a USB device.

_Funny thing is, both my E drive's disk and my DVD ROM drive are at LOCATION 0. Does that specify anything?_

I don't know. I haven't seen "location"-anything in any of the System Information or Device Manager information that I've looked at.


----------



## SVXX (Apr 14, 2009)

The IDE controller which controls the E and DVD drives disappears as blissfully as do the drives. And Device Manager says everything is fine. Sounds like Russian propaganda to me..lol.
How am I supposed to fix this when I don't know how the problem is originating? I have to identify the cause before I can seal the effect.
Double click on the respective drive/controller to see how it is functioning (whether fine or it has a problem). It shows Location as well.


----------



## gophersnake (Mar 5, 2006)

If I were having this problem (and if I were on my own, without all these experts still waiting in the wings to be heard from) I'd try disabling (from CMOS) first one drive, then the other, then both at once, then the controller, till I found out when the flakiness did and didn't occur.

I guess I'd also consider running HJT when the drives were "missing", again when they were working, and perhaps again when I had a few things disabled in CMOS, and comparing the logs line by line just to see what, if anything, looked different.

Me, I'm nuts about documentation so I'd be keeping a detailed list, maybe even a table: with the drives working, CMOS says this, SysInfo says that, Device Manager (if I even care) says the other thing. With the drives flaked out, CMOS says this, SysInfo says that... etc.

Do those "LOCATION 0" things, whatever they are, change as the drives cut in and out? If not, they may not have anything to do with the problem.
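The line-by-line log comparison suggested here, together with the kind of entries flavallee flagged earlier (an O4 autostart launched from a Temp folder, an O20 Winlogon Notify DLL or O23 service marked "file missing", an O2 BHO with no file), as an added Python example that is not from this thread or from HijackThis: it parses the R/O entry lines of two HijackThis v2 logs, flags entries matching those heuristics, and lists which entries vanished or appeared between the two runs. The two short logs are constructed from lines posted above; which one was taken with the drive missing is an assumption for illustration.

```python
"""Parse HijackThis v2 logs, flag entries worth a second look, diff two logs.

Added example, not from this thread or from HijackThis. The heuristics only
mirror what reviewers in the thread looked for: a flag is a prompt to check
the entry, not a verdict that it is malicious.
"""
import re
from dataclasses import dataclass

# An entry line looks like "O23 - Service: ..." or "R0 - HKCU\...". Header
# lines, the "Running processes:" list and "End of file - N bytes" don't match.
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class HjtEntry:
    kind: str   # e.g. "O4", "O23"
    body: str   # everything after "Oxx - "

    @property
    def line(self) -> str:
        return f"{self.kind} - {self.body}"


def parse_hjt(text: str) -> list:
    """Return the R/O entries of a HijackThis log in file order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m["kind"], m["body"]))
    return entries


def triage(entries: list) -> list:
    """Return (entry, reason) pairs for entries a reviewer would want to check."""
    findings = []
    for e in entries:
        low = e.body.lower()
        if e.kind == "O4" and "\\temp\\" in low:
            findings.append((e, "autostart runs from a Temp folder"))
        elif e.kind == "O20" and "(file missing)" in low:
            findings.append((e, "Winlogon Notify DLL missing on disk"))
        elif e.kind == "O23" and "(file missing)" in low:
            findings.append((e, "service binary missing on disk"))
        elif e.kind == "O2" and "(no file)" in low:
            findings.append((e, "BHO registered but no file on disk"))
    return findings


def diff_logs(before: list, after: list) -> tuple:
    """Entries only in `before` (vanished) and only in `after` (appeared)."""
    b = {e.line for e in before}
    a = {e.line for e in after}
    return sorted(b - a), sorted(a - b)


# Constructed sample logs, trimmed down from the logs posted in this thread.
# Which one was taken with the drive missing is an assumption for illustration.
LOG_DRIVE_MISSING = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: pccmsi.lnk = C:\Documents and Settings\Piyush\Local Settings\Temp\Rar$EX39.172\setup.exe
O20 - Winlogon Notify: opnnmLCV - opnnmLCV.dll (file missing)
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
--
End of file - 999 bytes
"""

LOG_DRIVE_PRESENT = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: opnnmLCV - opnnmLCV.dll (file missing)
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
--
End of file - 999 bytes
"""


def report(before_text: str, after_text: str) -> dict:
    """Triage the first log and diff it against the second."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    vanished, appeared = diff_logs(before, after)
    return {"flagged": [(e.line, why) for e, why in triage(before)],
            "vanished": vanished, "appeared": appeared}


if __name__ == "__main__":
    for key, items in report(LOG_DRIVE_MISSING, LOG_DRIVE_PRESENT).items():
        print(f"== {key} ==")
        for item in items:
            print("  ", item)
```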


----------



## SVXX (Apr 14, 2009)

When the drives don't show, it's as if there is no location 0 at all. I can't see the drive's location if the drive isn't showing either.
I've used Belarc system advisor and compared the two situations. When the drive doesn't show, Belarc doesn't even list the disk. And everything else is the same. It's the same for Device Manager. All I've got left is to try HJT in both situations.


----------



## Triple6 (Dec 26, 2002)

Belarc should tell you what the model number of the drive is; you should also be able to tell from Device Manager or by looking at the physical drive. Have you tried to reseat the cable connections to the drive that's disappearing on both the drive side and the motherboard side of the cable?


----------



## Cookiegal (Aug 27, 2003)

Those items being detected are in System Restore so each time you do a system restore you're in effect restoring malware. This type of problem with drives disappearing is often related to malware.

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## SVXX (Apr 14, 2009)

The ComboFix log as requested:
ComboFix 09-04-19.05 - Piyush 04/19/2009 22:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1419 [GMT 5.5:30]
Running from: d:\setups\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Storm3.exe
c:\windows\IE4 Error Log.txt
c:\windows\regedit.com
c:\windows\system32\AutoRun.inf
c:\windows\system32\command.pif
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\taskmgr.com
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\Tasks\kbfkamyf.job
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-19 11:02 . 2009-04-19 11:02 -------- d-----w c:\windows\system32\Service
2009-04-19 04:35 . 2009-04-19 04:35 -------- d-----w c:\documents and settings\Piyush\DoctorWeb
2009-04-18 19:46 . 2009-04-18 19:46 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Trend Micro
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\windows\LocalSSL
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-18 19:41 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-18 19:40 . 2009-04-19 03:52 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-18 19:21 . 2009-04-18 19:21 661808 ----a-w c:\windows\system32\UfWSC.cpl
2009-04-18 19:21 . 2009-03-06 02:17 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-18 19:21 . 2009-03-03 23:12 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-18 19:21 . 2009-03-03 09:08 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-04-18 09:09 . 2009-03-09 09:57 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-04-18 09:09 . 2009-03-16 08:48 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-04-18 09:09 . 2009-03-16 08:48 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-04-18 03:34 . 2009-04-18 03:34 -------- d-----w c:\program files\VS Revo Group
2009-04-18 03:22 . 2009-04-18 03:23 -------- d-----w c:\program files\Guitar FX BOX 2.6
2009-04-18 03:19 . 2009-04-18 09:22 -------- d-----w c:\documents and settings\Piyush\Application Data\Audacity
2009-04-17 10:07 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 10:07 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 10:07 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 10:07 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 10:07 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 10:07 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 10:07 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 10:07 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 10:07 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 09:44 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 09:44 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 09:44 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 09:40 . 2009-04-18 07:17 -------- d-----w c:\documents and settings\Piyush\.housecall6.6
2009-04-15 16:24 . 2009-04-15 16:24 -------- d-----w c:\program files\EqPlot
2009-04-15 16:15 . 2009-04-15 16:15 -------- d-----w c:\program files\Microsoft
2009-04-14 11:57 . 2009-04-14 15:25 -------- d-----w C:\Dev-Cpp
2009-04-13 18:05 . 2009-04-13 18:05 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Locktime
2009-04-13 16:02 . 2009-04-13 16:02 -------- d-----w c:\program files\Belarc
2009-04-13 16:02 . 2008-02-27 08:19 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-----w c:\program files\Common Files\ReGet Shared
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-sh--w C:\found.000
2009-04-10 18:21 . 2009-04-19 10:59 -------- d-----w c:\program files\FlashGet
2009-04-10 18:07 . 2009-04-10 18:20 -------- d-----w c:\documents and settings\Piyush\Application Data\Free Download Manager
2009-04-10 12:20 . 2009-04-10 12:23 -------- d-----w c:\documents and settings\Piyush\Application Data\ReGet Software
2009-04-10 12:16 . 2009-04-10 12:16 57 ----a-w c:\windows\english.lng
2009-04-10 12:16 . 2009-04-13 15:40 -------- d-----w c:\program files\ReGet Software
2009-04-10 11:19 . 2009-04-10 11:19 -------- d-----w c:\documents and settings\Piyush\Application Data\McAfee
2009-04-10 05:56 . 2009-04-10 05:56 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\Piyush\Application Data\Locktime
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\All Users\Application Data\Locktime
2009-04-07 08:31 . 2009-04-07 08:31 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-07 06:22 . 2009-04-18 19:21 -------- d-----w C:\Downloads
2009-04-05 16:19 . 2009-04-05 16:19 -------- d-----w c:\documents and settings\Piyush\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-06 10:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 16:18 . 2009-04-06 10:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 16:18 . 2009-04-05 16:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-15 16:56 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:48 . 2009-04-15 14:20 -------- d-----w c:\program files\PSK
2009-04-05 15:48 . 2009-04-05 15:48 -------- d-----w c:\windows\system32\XPToolsLicenseComponent
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\program files\SiteAdvisor
2009-04-04 14:11 . 2009-03-25 05:36 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-04 14:11 . 2009-03-25 05:36 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-04 14:11 . 2009-03-25 05:36 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-04 14:07 . 2009-03-25 05:35 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-04 12:35 . 2009-04-18 19:28 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\drivers\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 05:19 23600 ----a-w c:\windows\system32\drivers\drhard.sys
2009-04-02 17:54 . 2009-04-02 17:54 -------- d-----w c:\program files\Dr.Hardware 2009 english
2009-03-31 06:11 . 2009-03-31 06:12 -------- d-----w c:\documents and settings\Piyush\Application Data\Software Informer
2009-03-31 06:11 . 2009-03-31 06:11 -------- d-----w c:\program files\Software Informer
2009-03-31 06:11 . 2009-04-13 15:40 -------- d-----w c:\program files\Free Download Manager
2009-03-31 05:56 . 2009-03-31 05:57 -------- d-----w c:\program files\Another Matrix Screen Saver
2009-03-30 06:44 . 2009-03-30 06:44 -------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-03-30 06:44 . 2009-04-03 02:45 -------- d-----w c:\documents and settings\Piyush\Application Data\Azureus
2009-03-30 06:42 . 2009-03-30 06:42 -------- d-----w c:\program files\Vuze
2009-03-30 06:16 . 2009-04-04 13:34 -------- d-----w c:\program files\Common Files\Panda Software
2009-03-29 14:39 . 2009-04-04 13:31 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Panda Software
2009-03-29 14:39 . 2009-03-29 14:39 -------- d-----w c:\documents and settings\All Users\Application Data\sentinel
2009-03-29 14:38 . 2009-04-04 13:32 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Panda Software
2009-03-29 13:32 . 2009-03-29 13:21 203 ----a-w C:\bootini.uns
2009-03-29 13:23 . 2009-03-29 13:32 10 ----a-w C:\23990098.$$$
2009-03-29 13:23 . 2009-03-29 13:32 -------- d-----w C:\PUB
2009-03-29 13:20 . 2009-03-29 13:20 -------- d-----w c:\windows\system32\FLCSS.EXE
2009-03-26 07:49 . 2009-03-26 07:49 -------- d-----w c:\program files\Alcohol Soft
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 17:01 . 2008-08-16 18:32 -------- d-----w c:\program files\DNA
2009-04-19 17:01 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\DNA
2009-04-18 20:55 . 2008-08-17 03:28 -------- d-----w c:\program files\SpeederXP
2009-04-18 20:46 . 2008-09-12 02:27 -------- d-----w c:\program files\FM PLAYER
2009-04-18 19:41 . 2008-08-17 03:28 -------- d-----w c:\program files\Trend Micro
2009-04-18 03:48 . 2008-08-17 03:26 -------- d-----w c:\program files\Opera
2009-04-17 11:51 . 2008-11-16 05:03 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-15 16:27 . 2008-12-14 17:09 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 15:28 . 2008-09-02 15:52 -------- d-----w c:\documents and settings\Piyush\Application Data\Dev-Cpp
2009-04-14 15:28 . 2009-02-11 17:13 -------- d-----w c:\documents and settings\Piyush\Application Data\Skype
2009-04-14 15:28 . 2008-10-24 10:09 699 ----a-w c:\documents and settings\All Users\Application Data\sfsettingslogin.dll
2009-04-14 15:28 . 2009-02-11 17:14 -------- d-----w c:\documents and settings\Piyush\Application Data\skypePM
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-s---w c:\program files\Xfire
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-----w c:\documents and settings\Piyush\Application Data\Xfire
2009-04-07 08:33 . 2008-08-09 13:18 -------- d-----w c:\program files\Common Files\Adobe
2009-04-04 13:34 . 2008-08-11 05:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-31 06:19 . 2008-09-16 04:43 -------- d-----w c:\program files\TuneUp Utilities 2008
2009-03-29 13:32 . 2009-03-29 13:21 -------- d-----w c:\program files\Common Files\MicroWorld
2009-03-29 13:21 . 2009-03-29 13:21 13016 ----a-w c:\windows\winsbak.reg
2009-03-29 13:21 . 2009-03-29 13:21 124774 ----a-w c:\windows\winsbak2.reg
2009-03-26 22:42 . 2008-08-15 04:47 -------- d-----w c:\program files\CEDP Stealer 6.0 for Messenger
2009-03-26 07:47 . 2008-09-13 19:16 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-25 05:36 . 2009-01-16 14:34 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 03:15 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\BitTorrent
2009-03-18 09:15 . 2009-03-18 09:15 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-15 09:28 . 2009-03-15 09:28 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-07 11:46 . 2009-03-07 11:46 216 ----a-w C:\temp.txt
2009-03-07 11:46 . 2009-03-07 11:46 -------- d-----w c:\program files\Xilisoft
2009-03-07 06:51 . 2008-08-11 07:33 68648 ----a-w c:\documents and settings\Piyush\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 15:27 . 2009-03-06 15:27 145 ----a-w C:\Shortcut to CD Drive.lnk
2009-03-06 14:22 . 2004-08-03 19:26 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 12:30 . 2009-03-03 12:30 -------- d-----w c:\program files\IconPhile
2009-03-03 12:25 . 2009-03-03 12:25 -------- d-----w c:\program files\ExeIcon
2009-03-03 00:18 . 2004-08-03 19:26 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-27 12:11 . 2008-08-17 03:28 -------- d-----w c:\program files\Total Video Converter
2009-02-26 09:00 . 2008-10-12 14:17 -------- d--h--w c:\documents and settings\Piyush\Application Data\ijjigame
2009-02-26 06:29 . 2008-09-16 04:42 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-26 06:28 . 2008-11-15 17:21 -------- d-----w c:\program files\AGEIA Technologies
2009-02-26 05:51 . 2009-02-26 05:51 23600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2009-02-25 07:42 . 2008-10-02 10:06 -------- d-----w c:\program files\Windows Live Safety Center
2009-02-21 08:08 . 2009-02-21 08:08 230 ----a-w C:\config.xml
2009-02-21 07:43 . 2009-02-21 07:43 -------- d-----w c:\program files\Microsoft Research
2009-02-20 18:09 . 2004-08-03 19:26 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-17 10:20 . 2008-08-11 05:58 17508864 ----a-w c:\windows\RTHDCPL.EXE
2009-02-14 16:58 . 2009-02-14 16:58 108144 ----a-w c:\windows\system32\CmdLineExt.dll
2009-02-09 12:10 . 2004-08-03 19:26 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-03 19:26 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-03 19:26 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-03 19:26 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-03 17:47 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 09:04 . 2009-02-26 06:35 35840 ----a-w c:\windows\system32\RtkCoInstXP.dll
2009-02-09 07:48 . 2008-08-11 07:20 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-02-06 11:11 . 2004-08-03 19:26 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-03 17:48 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-10-04 19:16 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-05 05:24 . 2008-08-09 12:55 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-03 19:59 . 2004-08-03 19:26 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-21 10:24 . 2008-08-11 05:58 1206816 ----a-w c:\windows\RtlUpd.exe
2008-10-24 08:54 . 2008-10-24 08:54 3 ----a-w c:\documents and settings\All Users\Application Data\NOD.dll
2008-09-12 03:27 . 2008-09-12 03:27 151608 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-11-15 16:22 . 2008-11-15 16:23 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111520081116\index.dat
2008-11-13 08:06 . 2008-11-07 14:20 5307936 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-13 08:06 . 2008-11-07 14:20 409632 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 140288]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-03-17 203928]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-20 1994800]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-17 17508864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 07:02 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^Y'z Toolbar.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\Y'z Toolbar.lnk
backup=c:\windows\pss\Y'z Toolbar.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"hpqddsvc"=2 (0x2)
"hpqcxs08"=3 (0x3)
"Stormser"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Data\\You got it...games!\\Road Rash 2000\\ROADRASH.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Need For Speed Underground\\Speed.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\IJJIGame\\PLauncher.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\ijji\\ENGLISH\\u_sf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1337:TCP"= 1337:TCP:BYOND port
"62986:TCP"= 62986:TCP:*isabled:SolidNetworkManager
"62986:UDP"= 62986:UDP:*isabled:SolidNetworkManager
"3799:TCP"= 3799:TCP:*isabled:SolidNetworkManager
"3799:UDP"= 3799:UDP:*isabled:SolidNetworkManager
"20027:TCP"= 20027:TCP:SolidNetworkManager
"20027:UDP"= 20027:UDP:SolidNetworkManager
"39407:TCP"= 39407:TCP:*isabled:SolidNetworkManager
"39407:UDP"= 39407:UDP:*isabled:SolidNetworkManager
"27015:UDP"= 27015:UDP:L4D
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver; [x]
R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 drhard;drhard;c:\windows\system32\DRIVERS\DRHARD.SYS [2005-12-01 23600]
R3 DRIVER1111;DRIVER1111; [x]
R3 jgameenp;jgameenp; [x]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
R4 Stormser;Stormser; [x]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]


----------



## SVXX (Apr 14, 2009)

-- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MBAMService
*Deregistered* - MDM
*Deregistered* - Messenger
*Deregistered* - MWAgent
*Deregistered* - Net Driver HPZ12
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - nTuneService
*Deregistered* - NVSvc
*Deregistered* - NWCWorkstation
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PnkBstrA
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - Security Activity Dashboard Service
*Deregistered* - SENS
*Deregistered* - SfCtlCom
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TMBMServer
*Deregistered* - TmPfw
*Deregistered* - TmProxy
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e48779ea-7913-11dd-b318-001cc068b2be}]
\Shell\AutoRun\command - wscript.exe NewVirusRemoval.vbs
\Shell\open\Command - wscript.exe NewVirusRemoval.vbs
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 03:39]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
Notify-opnnmLCV - opnnmLCV.dll

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\extensions\[email protected]\plugins\npssn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 22:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NPF]
"ImagePath"="system32\drivers\npf.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1844237615-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F325B3F7-D85B-6834-2EED-CC2A2D4B1C61}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"namnajnnedgnbkpdomkakeeejjla"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,
6c,69,6e,69,65,65,00,00
"macnclaieechbbpibeadmgbiag"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,6c,
69,6e,69,65,65,00,74
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1416)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(512)
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\CursorXP\CurXP0.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWAGENT.EXE
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\system32\rundll32.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 2009-04-19 22:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-19 17:06

Pre-Run: 11,041,456,128 bytes free
Post-Run: 12,711,915,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
466 --- E O F --- 2009-04-17 12:36

I haven't done that as of yet, Triple6, but I will do it as soon as possible!
NOTE: *This ComboFix log was generated when the drives in question were not there, i.e. had disappeared.*

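Reading a ComboFix log of this length by eye is error-prone. The indicators a malware-removal helper looks for in a log like the one above (a MountPoints2 entry that runs a script on AutoRun/open, Security Center monitoring switched off for several products, drivers and services whose image file no longer exists) can be pulled out mechanically. The script below is an added example, not code from the thread or from ComboFix itself; it runs on a constructed excerpt laid out the same way as the log above and returns the findings as data so they can be asserted on or printed. It is a triage aid for the reader of the log, not a removal tool.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout ComboFix uses (registry sections, "DisableMonitoring"
# values, service/driver lines, MountPoints2 shell commands). It is a sample built for
# this example, not the thread's full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver; [x]
R3 DRIVER1111;DRIVER1111; [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
R4 Stormser;Stormser; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e48779ea-7913-11dd-b318-001cc068b2be}]
\Shell\AutoRun\command - wscript.exe NewVirusRemoval.vbs
\Shell\open\Command - wscript.exe NewVirusRemoval.vbs
.
"""

# Registry section header for the Security Center monitoring overrides.
SEC_CENTER_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\(?P<product>[^\]]+)\]$",
    re.IGNORECASE,
)
# A DisableMonitoring value set to 1 (any zero padding) under such a section.
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)
# Service/driver line: start type, name;description;image path (or "[x]" when absent).
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);\s*(?P<path>.*)$")
# Per-volume MountPoints2 key, identified by its GUID.
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.IGNORECASE)
# Shell verb command under a MountPoints2 key, e.g. \Shell\AutoRun\command - <cmd>.
SHELL_CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<command>.+)$", re.IGNORECASE)


def analyze(log_text: str) -> Dict[str, List]:
    """Walk the log once, tracking the current registry section, and collect indicators."""
    findings: Dict[str, List] = {
        "security_center_disabled": [],   # product names with monitoring turned off
        "services_without_file": [],      # (start type, name) for entries marked [x]
        "mountpoint_commands": [],        # (volume GUID, verb, command)
    }
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            if svc.group("path") == "[x]":
                findings["services_without_file"].append((svc.group("start"), svc.group("name")))
            continue
        if current_key is None:
            continue
        sec = SEC_CENTER_RE.match(current_key)
        if sec and DISABLE_RE.match(line):
            findings["security_center_disabled"].append(sec.group("product"))
            continue
        mp = MOUNTPOINT_RE.match(current_key)
        cmd = SHELL_CMD_RE.match(line)
        if mp and cmd:
            findings["mountpoint_commands"].append((mp.group("guid"), cmd.group("verb"), cmd.group("command")))
    return findings


def report(findings: Dict[str, List]) -> List[str]:
    """Render the findings as one human-readable line each."""
    out = []
    for product in findings["security_center_disabled"]:
        out.append(f"Security Center monitoring disabled for {product}")
    for start, name in findings["services_without_file"]:
        out.append(f"Service/driver {name} ({start}) has no image file on disk")
    for guid, verb, command in findings["mountpoint_commands"]:
        out.append(f"MountPoints2 {guid}: '{verb}' verb runs: {command}")
    return out


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Each category maps to something in the thread's own log: the MountPoints2 commands are what Cookiegal targets with the `Registry::` section of her CFScript, and the `[x]` drivers `Stormser`, `DRIVER1111` and `jgameenp` are the ones she lists under `Driver::`. Running the script over a full saved log (`analyze(open("ComboFix.txt").read())`) gives the same short list without scrolling through hundreds of file-timestamp lines.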

----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Search* - *All Files and Folders* and, under *More advanced search options*, make sure there is a check by *Search System Folders*, *Search hidden files and folders* and *Search system subfolders*.

Now search for this file and if you find it, delete it:

*NewVirusRemoval.vbs*

Go to the following link and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

C:\23990098.$$$
c:\windows\system32\FLCSS.EXE

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\temp.txt

Driver::
Stormser
DRIVER1111
jgameenp

DirLook::
c:\windows\system32\Service
c:\program files\Microsoft
C:\PUB

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e48779ea-7913-11dd-b318-001cc068b2be}]
RegLockDel::
[HKEY_USERS\S-1-5-21-776561741-1844237615-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F325B3F7-D85B-6834-2EED-CC2A2D4B1C61}*]
[-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NPF]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## SVXX (Apr 14, 2009)

File: 23990098.$$$
Status: OK
MD5: 920fbafa2a98bbd1f5abd0ef53ddc256
Packers detected: -
Scanner results
Scan taken on 20 Apr 2009 09:51:38 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Quick Heal: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

FLCSS.exe is just an empty folder, not a file. I couldn't upload it to the Jotti server. Will put the ComboFix and HJT logs in the next post.


----------



## SVXX (Apr 14, 2009)

ComboFix 09-04-20.07 - Piyush 04/20/2009 15:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1303 [GMT 5.5:30]
Running from: d:\setups\Combo-Fix.exe
Command switches used :: d:\setups\CFScript.txt
* Created a new restore point

FILE ::
C:\temp.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRIVER1111
-------\Legacy_JGAMEENP
-------\Legacy_STORMSER
-------\Service_DRIVER1111
-------\Service_jgameenp
-------\Service_Stormser

((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-19 11:02 . 2009-04-19 11:02 -------- d-----w c:\windows\system32\Service
2009-04-19 04:35 . 2009-04-19 04:35 -------- d-----w c:\documents and settings\Piyush\DoctorWeb
2009-04-18 19:46 . 2009-04-18 19:46 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Trend Micro
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\windows\LocalSSL
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-18 19:41 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-18 19:40 . 2009-04-19 03:52 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-18 19:21 . 2009-04-18 19:21 661808 ----a-w c:\windows\system32\UfWSC.cpl
2009-04-18 19:21 . 2009-03-06 02:17 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-18 19:21 . 2009-03-03 23:12 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-18 19:21 . 2009-03-03 09:08 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-04-18 09:09 . 2009-03-09 09:57 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-04-18 09:09 . 2009-03-16 08:48 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-04-18 09:09 . 2009-03-16 08:48 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-04-18 03:34 . 2009-04-18 03:34 -------- d-----w c:\program files\VS Revo Group
2009-04-18 03:22 . 2009-04-18 03:23 -------- d-----w c:\program files\Guitar FX BOX 2.6
2009-04-18 03:19 . 2009-04-18 09:22 -------- d-----w c:\documents and settings\Piyush\Application Data\Audacity
2009-04-17 10:07 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 10:07 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 10:07 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 10:07 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 10:07 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 10:07 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 10:07 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 10:07 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 10:07 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 09:44 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 09:44 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 09:44 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 09:40 . 2009-04-18 07:17 -------- d-----w c:\documents and settings\Piyush\.housecall6.6
2009-04-15 16:24 . 2009-04-15 16:24 -------- d-----w c:\program files\EqPlot
2009-04-15 16:15 . 2009-04-15 16:15 -------- d-----w c:\program files\Microsoft
2009-04-14 11:57 . 2009-04-14 15:25 -------- d-----w C:\Dev-Cpp
2009-04-13 18:05 . 2009-04-13 18:05 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Locktime
2009-04-13 16:02 . 2009-04-13 16:02 -------- d-----w c:\program files\Belarc
2009-04-13 16:02 . 2008-02-27 08:19 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-----w c:\program files\Common Files\ReGet Shared
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-sh--w C:\found.000
2009-04-10 18:21 . 2009-04-20 10:11 -------- d-----w c:\program files\FlashGet
2009-04-10 18:07 . 2009-04-10 18:20 -------- d-----w c:\documents and settings\Piyush\Application Data\Free Download Manager
2009-04-10 12:20 . 2009-04-10 12:23 -------- d-----w c:\documents and settings\Piyush\Application Data\ReGet Software
2009-04-10 12:16 . 2009-04-10 12:16 57 ----a-w c:\windows\english.lng
2009-04-10 12:16 . 2009-04-13 15:40 -------- d-----w c:\program files\ReGet Software
2009-04-10 11:19 . 2009-04-10 11:19 -------- d-----w c:\documents and settings\Piyush\Application Data\McAfee
2009-04-10 05:56 . 2009-04-10 05:56 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\Piyush\Application Data\Locktime
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\All Users\Application Data\Locktime
2009-04-07 08:31 . 2009-04-07 08:31 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-07 06:22 . 2009-04-18 19:21 -------- d-----w C:\Downloads
2009-04-05 16:19 . 2009-04-05 16:19 -------- d-----w c:\documents and settings\Piyush\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-06 10:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 16:18 . 2009-04-06 10:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 16:18 . 2009-04-05 16:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-15 16:56 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:48 . 2009-04-15 14:20 -------- d-----w c:\program files\PSK
2009-04-05 15:48 . 2009-04-05 15:48 -------- d-----w c:\windows\system32\XPToolsLicenseComponent
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\program files\SiteAdvisor
2009-04-04 14:11 . 2009-03-25 05:36 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-04 14:11 . 2009-03-25 05:36 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-04 14:11 . 2009-03-25 05:36 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-04 14:07 . 2009-03-25 05:35 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-04 12:35 . 2009-04-18 19:28 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\drivers\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 05:19 23600 ----a-w c:\windows\system32\drivers\drhard.sys
2009-04-02 17:54 . 2009-04-02 17:54 -------- d-----w c:\program files\Dr.Hardware 2009 english
2009-03-31 06:11 . 2009-03-31 06:12 -------- d-----w c:\documents and settings\Piyush\Application Data\Software Informer
2009-03-31 06:11 . 2009-03-31 06:11 -------- d-----w c:\program files\Software Informer
2009-03-31 06:11 . 2009-04-13 15:40 -------- d-----w c:\program files\Free Download Manager
2009-03-31 05:56 . 2009-03-31 05:57 -------- d-----w c:\program files\Another Matrix Screen Saver
2009-03-30 06:44 . 2009-03-30 06:44 -------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-03-30 06:44 . 2009-04-03 02:45 -------- d-----w c:\documents and settings\Piyush\Application Data\Azureus
2009-03-30 06:42 . 2009-03-30 06:42 -------- d-----w c:\program files\Vuze
2009-03-30 06:16 . 2009-04-04 13:34 -------- d-----w c:\program files\Common Files\Panda Software
2009-03-29 14:39 . 2009-04-04 13:31 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Panda Software
2009-03-29 14:39 . 2009-03-29 14:39 -------- d-----w c:\documents and settings\All Users\Application Data\sentinel
2009-03-29 14:38 . 2009-04-04 13:32 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Panda Software
2009-03-29 13:32 . 2009-03-29 13:21 203 ----a-w C:\bootini.uns
2009-03-29 13:23 . 2009-03-29 13:32 10 ----a-w C:\23990098.$$$
2009-03-29 13:23 . 2009-03-29 13:32 -------- d-----w C:\PUB
2009-03-29 13:20 . 2009-03-29 13:20 -------- d-----w c:\windows\system32\FLCSS.EXE
2009-03-26 07:49 . 2009-03-26 07:49 -------- d-----w c:\program files\Alcohol Soft
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 10:11 . 2008-08-16 18:32 -------- d-----w c:\program files\DNA
2009-04-20 10:11 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\DNA
2009-04-18 20:55 . 2008-08-17 03:28 -------- d-----w c:\program files\SpeederXP
2009-04-18 20:46 . 2008-09-12 02:27 -------- d-----w c:\program files\FM PLAYER
2009-04-18 19:41 . 2008-08-17 03:28 -------- d-----w c:\program files\Trend Micro
2009-04-18 03:48 . 2008-08-17 03:26 -------- d-----w c:\program files\Opera
2009-04-17 11:51 . 2008-11-16 05:03 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-15 16:27 . 2008-12-14 17:09 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 15:28 . 2008-09-02 15:52 -------- d-----w c:\documents and settings\Piyush\Application Data\Dev-Cpp
2009-04-14 15:28 . 2009-02-11 17:13 -------- d-----w c:\documents and settings\Piyush\Application Data\Skype
2009-04-14 15:28 . 2008-10-24 10:09 699 ----a-w c:\documents and settings\All Users\Application Data\sfsettingslogin.dll
2009-04-14 15:28 . 2009-02-11 17:14 -------- d-----w c:\documents and settings\Piyush\Application Data\skypePM
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-s---w c:\program files\Xfire
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-----w c:\documents and settings\Piyush\Application Data\Xfire
2009-04-07 08:33 . 2008-08-09 13:18 -------- d-----w c:\program files\Common Files\Adobe
2009-04-04 13:34 . 2008-08-11 05:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-31 06:19 . 2008-09-16 04:43 -------- d-----w c:\program files\TuneUp Utilities 2008
2009-03-29 13:32 . 2009-03-29 13:21 -------- d-----w c:\program files\Common Files\MicroWorld
2009-03-29 13:21 . 2009-03-29 13:21 13016 ----a-w c:\windows\winsbak.reg
2009-03-29 13:21 . 2009-03-29 13:21 124774 ----a-w c:\windows\winsbak2.reg
2009-03-26 22:42 . 2008-08-15 04:47 -------- d-----w c:\program files\CEDP Stealer 6.0 for Messenger
2009-03-26 07:47 . 2008-09-13 19:16 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-25 05:36 . 2009-01-16 14:34 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 03:15 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\BitTorrent
2009-03-18 09:15 . 2009-03-18 09:15 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-15 09:28 . 2009-03-15 09:28 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-07 11:46 . 2009-03-07 11:46 -------- d-----w c:\program files\Xilisoft
2009-03-07 06:51 . 2008-08-11 07:33 68648 ----a-w c:\documents and settings\Piyush\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 15:27 . 2009-03-06 15:27 145 ----a-w C:\Shortcut to CD Drive.lnk
2009-03-06 14:22 . 2004-08-03 19:26 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 12:30 . 2009-03-03 12:30 -------- d-----w c:\program files\IconPhile
2009-03-03 12:25 . 2009-03-03 12:25 -------- d-----w c:\program files\ExeIcon
2009-03-03 00:18 . 2004-08-03 19:26 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-27 12:11 . 2008-08-17 03:28 -------- d-----w c:\program files\Total Video Converter
2009-02-26 09:00 . 2008-10-12 14:17 -------- d--h--w c:\documents and settings\Piyush\Application Data\ijjigame
2009-02-26 06:29 . 2008-09-16 04:42 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-26 06:28 . 2008-11-15 17:21 -------- d-----w c:\program files\AGEIA Technologies
2009-02-26 05:51 . 2009-02-26 05:51 23600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2009-02-25 07:42 . 2008-10-02 10:06 -------- d-----w c:\program files\Windows Live Safety Center
2009-02-21 08:08 . 2009-02-21 08:08 230 ----a-w C:\config.xml
2009-02-21 07:43 . 2009-02-21 07:43 -------- d-----w c:\program files\Microsoft Research
2009-02-20 18:09 . 2004-08-03 19:26 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-17 10:20 . 2008-08-11 05:58 17508864 ----a-w c:\windows\RTHDCPL.EXE
2009-02-14 16:58 . 2009-02-14 16:58 108144 ----a-w c:\windows\system32\CmdLineExt.dll
2009-02-09 12:10 . 2004-08-03 19:26 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-03 19:26 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-03 19:26 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-03 19:26 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-03 17:47 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 09:04 . 2009-02-26 06:35 35840 ----a-w c:\windows\system32\RtkCoInstXP.dll
2009-02-09 07:48 . 2008-08-11 07:20 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-02-06 11:11 . 2004-08-03 19:26 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-03 17:48 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-10-04 19:16 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-05 05:24 . 2008-08-09 12:55 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-03 19:59 . 2004-08-03 19:26 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-21 10:24 . 2008-08-11 05:58 1206816 ----a-w c:\windows\RtlUpd.exe
2008-10-24 08:54 . 2008-10-24 08:54 3 ----a-w c:\documents and settings\All Users\Application Data\NOD.dll
2008-09-12 03:27 . 2008-09-12 03:27 151608 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-11-15 16:22 . 2008-11-15 16:23 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111520081116\index.dat
2008-11-13 08:06 . 2008-11-07 14:20 5307936 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-13 08:06 . 2008-11-07 14:20 409632 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\Microsoft ----

2009-04-15 16:16 . 2009-04-15 16:16 1752 ----a-w c:\program files\Microsoft\Microsoft Automatic Graph Layout\PidGen.InstallerActions.InstallState

---- Directory of C:\PUB ----

---- Directory of c:\windows\system32\Service ----

2009-04-19 11:02 . 2009-04-19 11:02 928 ----a-w c:\windows\system32\Service\19042009_TIS17_SfFniAU.log

((((((((((((((((((((((((((((( Sna[email protected]_17.00.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-20 09:36 . 2009-04-20 09:36 16384 c:\windows\Temp\Perflib_Perfdata_ffc.dat
+ 2009-04-20 10:05 . 2009-04-20 10:05 16384 c:\windows\Temp\Perflib_Perfdata_45c.dat
+ 2001-10-04 19:15 . 2009-04-20 10:12 72298 c:\windows\system32\perfc009.dat
- 2001-10-04 19:15 . 2009-04-19 11:03 72298 c:\windows\system32\perfc009.dat
+ 2001-10-04 19:15 . 2009-04-20 10:12 444418 c:\windows\system32\perfh009.dat
- 2001-10-04 19:15 . 2009-04-19 11:03 444418 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCAC5586-44D7-4c43-B64A-F042461A97D2}"= "c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll" [2009-02-12 144720]

[HKEY_CLASSES_ROOT\clsid\{ccac5586-44d7-4c43-b64a-f042461a97d2}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{F32F197E-126E-4af4-9117-1EAFA6B3E6F2}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 140288]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-03-17 203928]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-20 1994800]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-17 17508864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2009-02-20 233472]
"WPDShServiceObj"= {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 07:02 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^Y'z Toolbar.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\Y'z Toolbar.lnk
backup=c:\windows\pss\Y'z Toolbar.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"hpqddsvc"=2 (0x2)
"hpqcxs08"=3 (0x3)
"Stormser"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Data\\You got it...games!\\Road Rash 2000\\ROADRASH.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Need For Speed Underground\\Speed.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\IJJIGame\\PLauncher.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\ijji\\ENGLISH\\u_sf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1337:TCP"= 1337:TCP:BYOND port
"62986:TCP"= 62986:TCP:*isabled:SolidNetworkManager
"62986:UDP"= 62986:UDP:*isabled:SolidNetworkManager
"3799:TCP"= 3799:TCP:*isabled:SolidNetworkManager
"3799:UDP"= 3799:UDP:*isabled:SolidNetworkManager
"20027:TCP"= 20027:TCP:SolidNetworkManager
"20027:UDP"= 20027:UDP:SolidNetworkManager
"39407:TCP"= 39407:TCP:*isabled:SolidNetworkManager
"39407:UDP"= 39407:UDP:*isabled:SolidNetworkManager
"27015:UDP"= 27015:UDP:L4D
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver; [x]
R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 drhard;drhard;c:\windows\system32\DRIVERS\DRHARD.SYS [2005-12-01 23600]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]

--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MBAMService
*Deregistered* - MDM
*Deregistered* - Messenger
*Deregistered* - MWAgent
*Deregistered* - Net Driver HPZ12
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - nTuneService
*Deregistered* - NVSvc
*Deregistered* - NWCWorkstation
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PnkBstrA
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - Security Activity Dashboard Service
*Deregistered* - SENS
*Deregistered* - SfCtlCom
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TMBMServer
*Deregistered* - TmPfw
*Deregistered* - TmProxy
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 03:39]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll

.


----------



## SVXX (Apr 14, 2009)

------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\COMMON~1\Skype\SKYPE4~1.DLL
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
FF - ProfilePath - c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\extensions\[email protected]\plugins\npssn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 15:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\DRIVER1111]
"ImagePath"="\??\c:\docume~1\Piyush\LOCALS~1\Temp\Rar$EX00.593\dbk32.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\jgameenp]
"ImagePath"="\??\c:\docume~1\Piyush\LOCALS~1\Temp\jgameenp.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Stormser]
"ImagePath"="c:\progra~1\RINGZS~1\STORMC~1\Stormser.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1844237615-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F325B3F7-D85B-6834-2EED-CC2A2D4B1C61}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"namnajnnedgnbkpdomkakeeejjla"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,
6c,69,6e,69,65,65,00,00
"macnclaieechbbpibeadmgbiag"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,6c,
69,6e,69,65,65,00,74
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1412)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3588)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWAGENT.EXE
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-20 15:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 10:15
ComboFix2.txt 2009-04-19 17:06

Pre-Run: 12,685,979,648 bytes free
Post-Run: 12,670,402,560 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
487 --- E O F --- 2009-04-17 12:36


----------



## SVXX (Apr 14, 2009)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:06 PM, on 4/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWAgent.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229274323500
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9004 bytes


----------



## SVXX (Apr 14, 2009)

Well backing up and formatting is a last resort option I suppose. Let's see if there's any hope with cookiegal first.


----------



## Cookiegal (Aug 27, 2003)

I just noticed that you hadn't saved ComboFix to the desktop. It must run from the desktop and may not have run correctly. Please move it there and then run another scan and post the new log.


----------



## SVXX (Apr 14, 2009)

ComboFix 09-04-20.07 - Piyush 04/20/2009 20:26.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1340 [GMT 5.5:30]
Running from: c:\documents and settings\Piyush\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-20 10:34 . 2009-04-20 10:34 77824 ----a-w c:\windows\system32\kdfapi.dll
2009-04-20 10:34 . 2009-04-20 10:34 53248 ----a-w c:\windows\system32\Kdfhok.dll
2009-04-20 10:34 . 2009-04-20 10:34 475872 ----a-w c:\windows\system32\kdfinj.dll
2009-04-20 10:34 . 2009-04-20 10:34 387288 ----a-w c:\windows\system32\kdfmgr.exe
2009-04-20 10:34 . 2009-04-20 10:34 192512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-04-20 10:34 . 2009-04-20 10:34 -------- d-----w c:\windows\kdefense
2009-04-19 11:02 . 2009-04-20 10:11 -------- d-----w c:\windows\system32\Service
2009-04-19 04:35 . 2009-04-19 04:35 -------- d-----w c:\documents and settings\Piyush\DoctorWeb
2009-04-18 19:46 . 2009-04-18 19:46 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Trend Micro
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\windows\LocalSSL
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-18 19:41 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-18 19:40 . 2009-04-19 03:52 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-18 19:21 . 2009-04-18 19:21 661808 ----a-w c:\windows\system32\UfWSC.cpl
2009-04-18 19:21 . 2009-03-06 02:17 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-18 19:21 . 2009-03-03 23:12 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-18 19:21 . 2009-03-03 09:08 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-04-18 09:09 . 2009-03-09 09:57 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-04-18 09:09 . 2009-03-16 08:48 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-04-18 09:09 . 2009-03-16 08:48 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-04-18 03:34 . 2009-04-18 03:34 -------- d-----w c:\program files\VS Revo Group
2009-04-18 03:22 . 2009-04-18 03:23 -------- d-----w c:\program files\Guitar FX BOX 2.6
2009-04-18 03:19 . 2009-04-18 09:22 -------- d-----w c:\documents and settings\Piyush\Application Data\Audacity
2009-04-17 10:07 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 10:07 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 10:07 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 10:07 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 10:07 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 10:07 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 10:07 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 10:07 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 10:07 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 09:44 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 09:44 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 09:44 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 09:40 . 2009-04-18 07:17 -------- d-----w c:\documents and settings\Piyush\.housecall6.6
2009-04-15 16:24 . 2009-04-15 16:24 -------- d-----w c:\program files\EqPlot
2009-04-15 16:15 . 2009-04-15 16:15 -------- d-----w c:\program files\Microsoft
2009-04-14 11:57 . 2009-04-14 15:25 -------- d-----w C:\Dev-Cpp
2009-04-13 18:05 . 2009-04-13 18:05 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Locktime
2009-04-13 16:02 . 2009-04-13 16:02 -------- d-----w c:\program files\Belarc
2009-04-13 16:02 . 2008-02-27 08:19 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-----w c:\program files\Common Files\ReGet Shared
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-sh--w C:\found.000
2009-04-10 18:21 . 2009-04-20 14:58 -------- d-----w c:\program files\FlashGet
2009-04-10 18:07 . 2009-04-10 18:20 -------- d-----w c:\documents and settings\Piyush\Application Data\Free Download Manager
2009-04-10 12:20 . 2009-04-10 12:23 -------- d-----w c:\documents and settings\Piyush\Application Data\ReGet Software
2009-04-10 12:16 . 2009-04-10 12:16 57 ----a-w c:\windows\english.lng
2009-04-10 12:16 . 2009-04-13 15:40 -------- d-----w c:\program files\ReGet Software
2009-04-10 11:19 . 2009-04-10 11:19 -------- d-----w c:\documents and settings\Piyush\Application Data\McAfee
2009-04-10 05:56 . 2009-04-10 05:56 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\Piyush\Application Data\Locktime
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\All Users\Application Data\Locktime
2009-04-07 08:31 . 2009-04-07 08:31 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-07 06:22 . 2009-04-18 19:21 -------- d-----w C:\Downloads
2009-04-05 16:19 . 2009-04-05 16:19 -------- d-----w c:\documents and settings\Piyush\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-06 10:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 16:18 . 2009-04-06 10:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 16:18 . 2009-04-05 16:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-15 16:56 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:48 . 2009-04-15 14:20 -------- d-----w c:\program files\PSK
2009-04-05 15:48 . 2009-04-05 15:48 -------- d-----w c:\windows\system32\XPToolsLicenseComponent
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\program files\SiteAdvisor
2009-04-04 14:11 . 2009-03-25 05:36 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-04 14:11 . 2009-03-25 05:36 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-04 14:11 . 2009-03-25 05:36 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-04 14:07 . 2009-03-25 05:35 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-04 12:35 . 2009-04-18 19:28 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\drivers\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 05:19 23600 ----a-w c:\windows\system32\drivers\drhard.sys
2009-04-02 17:54 . 2009-04-02 17:54 -------- d-----w c:\program files\Dr.Hardware 2009 english
2009-03-31 06:11 . 2009-03-31 06:12 -------- d-----w c:\documents and settings\Piyush\Application Data\Software Informer
2009-03-31 06:11 . 2009-03-31 06:11 -------- d-----w c:\program files\Software Informer
2009-03-31 06:11 . 2009-04-13 15:40 -------- d-----w c:\program files\Free Download Manager
2009-03-31 05:56 . 2009-03-31 05:57 -------- d-----w c:\program files\Another Matrix Screen Saver
2009-03-30 06:44 . 2009-03-30 06:44 -------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-03-30 06:44 . 2009-04-03 02:45 -------- d-----w c:\documents and settings\Piyush\Application Data\Azureus
2009-03-30 06:42 . 2009-03-30 06:42 -------- d-----w c:\program files\Vuze
2009-03-30 06:16 . 2009-04-04 13:34 -------- d-----w c:\program files\Common Files\Panda Software
2009-03-29 14:39 . 2009-04-04 13:31 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Panda Software
2009-03-29 14:39 . 2009-03-29 14:39 -------- d-----w c:\documents and settings\All Users\Application Data\sentinel
2009-03-29 14:38 . 2009-04-04 13:32 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Panda Software
2009-03-29 13:32 . 2009-03-29 13:21 203 ----a-w C:\bootini.uns
2009-03-29 13:23 . 2009-03-29 13:32 10 ----a-w C:\23990098.$$$
2009-03-29 13:23 . 2009-03-29 13:32 -------- d-----w C:\PUB
2009-03-29 13:20 . 2009-03-29 13:20 -------- d-----w c:\windows\system32\FLCSS.EXE
2009-03-26 07:49 . 2009-03-26 07:49 -------- d-----w c:\program files\Alcohol Soft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 15:02 . 2008-08-16 18:32 -------- d-----w c:\program files\DNA
2009-04-20 15:02 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\DNA
2009-04-18 20:55 . 2008-08-17 03:28 -------- d-----w c:\program files\SpeederXP
2009-04-18 20:46 . 2008-09-12 02:27 -------- d-----w c:\program files\FM PLAYER
2009-04-18 19:41 . 2008-08-17 03:28 -------- d-----w c:\program files\Trend Micro
2009-04-18 03:48 . 2008-08-17 03:26 -------- d-----w c:\program files\Opera
2009-04-17 11:51 . 2008-11-16 05:03 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-15 16:27 . 2008-12-14 17:09 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 15:28 . 2008-09-02 15:52 -------- d-----w c:\documents and settings\Piyush\Application Data\Dev-Cpp
2009-04-14 15:28 . 2009-02-11 17:13 -------- d-----w c:\documents and settings\Piyush\Application Data\Skype
2009-04-14 15:28 . 2008-10-24 10:09 699 ----a-w c:\documents and settings\All Users\Application Data\sfsettingslogin.dll
2009-04-14 15:28 . 2009-02-11 17:14 -------- d-----w c:\documents and settings\Piyush\Application Data\skypePM
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-s---w c:\program files\Xfire
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-----w c:\documents and settings\Piyush\Application Data\Xfire
2009-04-07 08:33 . 2008-08-09 13:18 -------- d-----w c:\program files\Common Files\Adobe
2009-04-04 13:34 . 2008-08-11 05:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-31 06:19 . 2008-09-16 04:43 -------- d-----w c:\program files\TuneUp Utilities 2008
2009-03-29 13:32 . 2009-03-29 13:21 -------- d-----w c:\program files\Common Files\MicroWorld
2009-03-29 13:21 . 2009-03-29 13:21 13016 ----a-w c:\windows\winsbak.reg
2009-03-29 13:21 . 2009-03-29 13:21 124774 ----a-w c:\windows\winsbak2.reg
2009-03-26 22:42 . 2008-08-15 04:47 -------- d-----w c:\program files\CEDP Stealer 6.0 for Messenger
2009-03-26 07:47 . 2008-09-13 19:16 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-25 05:36 . 2009-01-16 14:34 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 03:15 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\BitTorrent
2009-03-18 09:15 . 2009-03-18 09:15 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-15 09:28 . 2009-03-15 09:28 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-07 11:46 . 2009-03-07 11:46 -------- d-----w c:\program files\Xilisoft
2009-03-07 06:51 . 2008-08-11 07:33 68648 ----a-w c:\documents and settings\Piyush\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 15:27 . 2009-03-06 15:27 145 ----a-w C:\Shortcut to CD Drive.lnk
2009-03-06 14:22 . 2004-08-03 19:26 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 12:30 . 2009-03-03 12:30 -------- d-----w c:\program files\IconPhile
2009-03-03 12:25 . 2009-03-03 12:25 -------- d-----w c:\program files\ExeIcon
2009-03-03 00:18 . 2004-08-03 19:26 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-27 12:11 . 2008-08-17 03:28 -------- d-----w c:\program files\Total Video Converter
2009-02-26 09:00 . 2008-10-12 14:17 -------- d--h--w c:\documents and settings\Piyush\Application Data\ijjigame
2009-02-26 06:29 . 2008-09-16 04:42 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-26 06:28 . 2008-11-15 17:21 -------- d-----w c:\program files\AGEIA Technologies
2009-02-26 05:51 . 2009-02-26 05:51 23600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2009-02-25 07:42 . 2008-10-02 10:06 -------- d-----w c:\program files\Windows Live Safety Center
2009-02-21 08:08 . 2009-02-21 08:08 230 ----a-w C:\config.xml
2009-02-21 07:43 . 2009-02-21 07:43 -------- d-----w c:\program files\Microsoft Research
2009-02-20 18:09 . 2004-08-03 19:26 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-17 10:20 . 2008-08-11 05:58 17508864 ----a-w c:\windows\RTHDCPL.EXE
2009-02-14 16:58 . 2009-02-14 16:58 108144 ----a-w c:\windows\system32\CmdLineExt.dll
2009-02-09 12:10 . 2004-08-03 19:26 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-03 19:26 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-03 19:26 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-03 19:26 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-03 17:47 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 09:04 . 2009-02-26 06:35 35840 ----a-w c:\windows\system32\RtkCoInstXP.dll
2009-02-09 07:48 . 2008-08-11 07:20 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-02-06 11:11 . 2004-08-03 19:26 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-03 17:48 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-10-04 19:16 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-05 05:24 . 2008-08-09 12:55 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-03 19:59 . 2004-08-03 19:26 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-21 10:24 . 2008-08-11 05:58 1206816 ----a-w c:\windows\RtlUpd.exe
2008-10-24 08:54 . 2008-10-24 08:54 3 ----a-w c:\documents and settings\All Users\Application Data\NOD.dll
2008-09-12 03:27 . 2008-09-12 03:27 151608 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-11-15 16:22 . 2008-11-15 16:23 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111520081116\index.dat
2008-11-13 08:06 . 2008-11-07 14:20 5307936 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-13 08:06 . 2008-11-07 14:20 409632 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( [email protected]_17.00.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-20 11:34 . 2009-04-20 11:34 16384 c:\windows\Temp\Perflib_Perfdata_9c0.dat
+ 2001-10-04 19:15 . 2009-04-20 10:12 72298 c:\windows\system32\perfc009.dat
- 2001-10-04 19:15 . 2009-04-19 11:03 72298 c:\windows\system32\perfc009.dat
+ 2001-10-04 19:15 . 2009-04-20 10:12 444418 c:\windows\system32\perfh009.dat
- 2001-10-04 19:15 . 2009-04-19 11:03 444418 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 140288]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-03-17 203928]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-20 1994800]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-17 17508864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 07:02 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^Y'z Toolbar.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\Y'z Toolbar.lnk
backup=c:\windows\pss\Y'z Toolbar.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"hpqddsvc"=2 (0x2)
"hpqcxs08"=3 (0x3)
"Stormser"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Data\\You got it...games!\\Road Rash 2000\\ROADRASH.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Need For Speed Underground\\Speed.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\IJJIGame\\PLauncher.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\ijji\\ENGLISH\\u_sf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1337:TCP"= 1337:TCP:BYOND port
"62986:TCP"= 62986:TCP:*:Disabled:SolidNetworkManager
"62986:UDP"= 62986:UDP:*:Disabled:SolidNetworkManager
"3799:TCP"= 3799:TCP:*:Disabled:SolidNetworkManager
"3799:UDP"= 3799:UDP:*:Disabled:SolidNetworkManager
"20027:TCP"= 20027:TCP:SolidNetworkManager
"20027:UDP"= 20027:UDP:SolidNetworkManager
"39407:TCP"= 39407:TCP:*:Disabled:SolidNetworkManager
"39407:UDP"= 39407:UDP:*:Disabled:SolidNetworkManager
"27015:UDP"= 27015:UDP:L4D
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver; [x]
R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 drhard;drhard;c:\windows\system32\DRIVERS\DRHARD.SYS [2005-12-01 23600]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]


----------



## SVXX (Apr 14, 2009)

--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HTTPFilter
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MBAMService
*Deregistered* - MDM
*Deregistered* - Messenger
*Deregistered* - MWAgent
*Deregistered* - Net Driver HPZ12
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - nTuneService
*Deregistered* - NVSvc
*Deregistered* - NWCWorkstation
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PnkBstrA
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - Security Activity Dashboard Service
*Deregistered* - SENS
*Deregistered* - SfCtlCom
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TMBMServer
*Deregistered* - TmPfw
*Deregistered* - TmProxy
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 03:39]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\extensions\[email protected]\plugins\npssn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 20:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1844237615-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F325B3F7-D85B-6834-2EED-CC2A2D4B1C61}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"namnajnnedgnbkpdomkakeeejjla"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,
6c,69,6e,69,65,65,00,00
"macnclaieechbbpibeadmgbiag"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,6c,
69,6e,69,65,65,00,74
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1416)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(608)
c:\program files\FlashGet\fgmgr.dll
c:\program files\CursorXP\CurXP0.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWAGENT.EXE
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 2009-04-20 20:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 15:10
ComboFix2.txt 2009-04-20 10:16
ComboFix3.txt 2009-04-19 17:06

Pre-Run: 12,408,270,848 bytes free
Post-Run: 12,387,102,720 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
442 --- E O F --- 2009-04-17 12:36


----------



## Cookiegal (Aug 27, 2003)

Rabee,

I've deleted your posts as you are not authorized for malware removal.

Please refer to the rules concerning HijackThis log analysis and malware removal.

http://www.techguy.org/rules.html

*Log Analysis/Malware Removal* - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name and authorized malware removal trainees have a blue shield next to their names. Anyone wishing to participate in a training program should contact a Moderator for more information.

Please refrain from replying to security related matters on this forum until you have presented evidence to one of the moderators or admins here that proves you to be qualified to do so. If you are not yet qualified and interested in being trained, we will be glad to help you get enrolled at one of the free online training facilities. Just PM me or one of the other moderators that work Security and we'll point you in the right direction.

Thanks in advance for your cooperation.


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
Driver::
Stormser

Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] 
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Stormser"=-

RegLockDel::
[HKEY_USERS\S-1-5-21-776561741-1844237615-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F325B3F7-D85B-6834-2EED-CC2A2D4B1C61}]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
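To see what the Registry:: section of the script above actually writes, here is an added example (not part of ComboFix or Cookiegal's script) that decodes the `hex(7):` and `hex:` values in the log format ComboFix prints; the sample fragment is constructed from the BootExecute value in the script and the two values listed under the locked Shell Extensions key, and the key and function names are this example's own.

```python
"""Decode hex-encoded values from a ComboFix / .reg-style registry dump.

Added example for this thread, not ComboFix's own code. It shows that the
BootExecute value restored by the CFScript is the stock Windows XP default
("autocheck autochk *") and decodes the opaque values under the locked key.
"""
import re

# Constructed sample in the shape ComboFix prints: wrapped hex values continue
# on the next line after a trailing comma (a regedit .reg file adds a backslash).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00

[HKEY_USERS\S-1-5-21-776561741-1844237615-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F325B3F7-D85B-6834-2EED-CC2A2D4B1C61}]
"namnajnnedgnbkpdomkakeeejjla"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,
6c,69,6e,69,65,65,00,00
"macnclaieechbbpibeadmgbiag"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,6c,
69,6e,69,65,65,00,74
"""

# Default BootExecute on Windows XP: run autochk on every volume flagged dirty.
XP_DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?P<type>hex(?:\([0-9a-fA-F]+\))?):(?P<data>.*)$'
)


def _join_continuations(lines):
    """Merge wrapped hex lines: a line ending in ',' (or ',\\') continues."""
    merged = []
    for raw in lines:
        line = raw.rstrip()
        if line.endswith(",\\"):  # regedit-style continuation marker
            line = line[:-1]
        if merged and merged[-1].endswith(",") and line:
            merged[-1] += line.lstrip()
        else:
            merged.append(line)
    return merged


def decode_hex_value(reg_type, data):
    """Decode a hex:/hex(N): payload.

    hex(7) is REG_MULTI_SZ and is returned as a list of strings; anything
    else is returned as raw bytes. regedit exports REG_MULTI_SZ as UTF-16LE,
    while the CFScript above writes plain single-byte characters, so both
    encodings are handled.
    """
    raw = bytes(int(tok, 16) for tok in data.split(",") if tok.strip())
    if reg_type.lower() != "hex(7)":
        return raw
    looks_utf16 = len(raw) % 2 == 0 and raw and all(b == 0 for b in raw[1::2])
    text = raw.decode("utf-16-le") if looks_utf16 else raw.decode("latin-1")
    # NUL-terminated strings, list terminated by one extra NUL.
    return [s for s in text.split("\x00") if s]


def parse_registry_dump(text):
    """Map (key, value name) -> decoded data for every hex-typed value."""
    result = {}
    key = None
    for line in _join_continuations(text.splitlines()):
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        v = _VALUE_RE.match(line)
        if v and key is not None:
            result[(key, v.group("name"))] = decode_hex_value(
                v.group("type"), v.group("data")
            )
    return result


def bootexecute_is_default(parsed):
    """True when the Session Manager BootExecute value is the XP default."""
    for (key, name), value in parsed.items():
        if key.lower().endswith(r"control\session manager") and name == "BootExecute":
            return value == XP_DEFAULT_BOOTEXECUTE
    return False


if __name__ == "__main__":
    parsed = parse_registry_dump(SAMPLE)
    for (key, name), value in parsed.items():
        print(f"{key}\n  {name} -> {value!r}")
    print("BootExecute is XP default:", bootexecute_is_default(parsed))
```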


----------



## SVXX (Apr 14, 2009)

ComboFix 09-04-21.A8 - Piyush 04/21/2009 22:11.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1392 [GMT 5.5:30]
Running from: c:\documents and settings\Piyush\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Piyush\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-20 10:34 . 2009-04-20 15:27 77824 ----a-w c:\windows\system32\kdfapi.dll
2009-04-20 10:34 . 2009-04-20 15:27 53248 ----a-w c:\windows\system32\Kdfhok.dll
2009-04-20 10:34 . 2009-04-20 15:27 192512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-04-20 10:34 . 2009-04-20 15:27 387288 ----a-w c:\windows\system32\kdfmgr.exe
2009-04-20 10:34 . 2009-04-20 10:34 475872 ----a-w  c:\windows\system32\kdfinj.dll
2009-04-20 10:34 . 2009-04-20 10:34 -------- d-----w c:\windows\kdefense
2009-04-19 11:02 . 2009-04-20 10:11 -------- d-----w c:\windows\system32\Service
2009-04-19 04:35 . 2009-04-19 04:35 -------- d-----w c:\documents and settings\Piyush\DoctorWeb
2009-04-18 19:46 . 2009-04-18 19:46 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Trend Micro
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\windows\LocalSSL
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-18 19:41 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-18 19:40 . 2009-04-19 03:52 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-18 19:21 . 2009-04-18 19:21 661808 ----a-w c:\windows\system32\UfWSC.cpl
2009-04-18 19:21 . 2009-03-06 02:17 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-18 19:21 . 2009-03-03 23:12 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-18 19:21 . 2009-03-03 09:08 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-04-18 09:09 . 2009-03-09 09:57 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-04-18 09:09 . 2009-03-16 08:48 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-04-18 09:09 . 2009-03-16 08:48 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-04-18 03:34 . 2009-04-18 03:34 -------- d-----w c:\program files\VS Revo Group
2009-04-18 03:22 . 2009-04-18 03:23 -------- d-----w c:\program files\Guitar FX BOX 2.6
2009-04-18 03:19 . 2009-04-18 09:22 -------- d-----w c:\documents and settings\Piyush\Application Data\Audacity
2009-04-17 10:07 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 10:07 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 10:07 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 10:07 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 10:07 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 10:07 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 10:07 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 10:07 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 10:07 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 09:44 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 09:44 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 09:44 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 09:40 . 2009-04-18 07:17 -------- d-----w c:\documents and settings\Piyush\.housecall6.6
2009-04-15 16:24 . 2009-04-15 16:24 -------- d-----w c:\program files\EqPlot
2009-04-15 16:15 . 2009-04-15 16:15 -------- d-----w c:\program files\Microsoft
2009-04-14 11:57 . 2009-04-14 15:25 -------- d-----w C:\Dev-Cpp
2009-04-13 18:05 . 2009-04-13 18:05 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Locktime
2009-04-13 16:02 . 2009-04-13 16:02 -------- d-----w c:\program files\Belarc
2009-04-13 16:02 . 2008-02-27 08:19 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-----w c:\program files\Common Files\ReGet Shared
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-sh--w C:\found.000
2009-04-10 18:21 . 2009-04-21 16:48 -------- d-----w c:\program files\FlashGet
2009-04-10 18:07 . 2009-04-10 18:20 -------- d-----w c:\documents and settings\Piyush\Application Data\Free Download Manager
2009-04-10 12:20 . 2009-04-10 12:23 -------- d-----w c:\documents and settings\Piyush\Application Data\ReGet Software
2009-04-10 12:16 . 2009-04-10 12:16 57 ----a-w c:\windows\english.lng
2009-04-10 12:16 . 2009-04-13 15:40 -------- d-----w c:\program files\ReGet Software
2009-04-10 11:19 . 2009-04-10 11:19 -------- d-----w c:\documents and settings\Piyush\Application Data\McAfee
2009-04-10 05:56 . 2009-04-10 05:56 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\Piyush\Application Data\Locktime
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\All Users\Application Data\Locktime
2009-04-07 08:31 . 2009-04-07 08:31 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-07 06:22 . 2009-04-18 19:21 -------- d-----w C:\Downloads
2009-04-05 16:19 . 2009-04-05 16:19 -------- d-----w c:\documents and settings\Piyush\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-06 10:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 16:18 . 2009-04-06 10:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 16:18 . 2009-04-05 16:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-15 16:56 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:48 . 2009-04-15 14:20 -------- d-----w c:\program files\PSK
2009-04-05 15:48 . 2009-04-05 15:48 -------- d-----w c:\windows\system32\XPToolsLicenseComponent
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\program files\SiteAdvisor
2009-04-04 14:11 . 2009-03-25 05:36 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-04 14:11 . 2009-03-25 05:36 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-04 14:11 . 2009-03-25 05:36 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-04 14:07 . 2009-03-25 05:35 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-04 12:35 . 2009-04-18 19:28 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\drivers\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 05:19 23600 ----a-w c:\windows\system32\drivers\drhard.sys
2009-04-02 17:54 . 2009-04-02 17:54 -------- d-----w c:\program files\Dr.Hardware 2009 english
2009-03-31 06:11 . 2009-03-31 06:12 -------- d-----w c:\documents and settings\Piyush\Application Data\Software Informer
2009-03-31 06:11 . 2009-03-31 06:11 -------- d-----w c:\program files\Software Informer
2009-03-31 06:11 . 2009-04-13 15:40 -------- d-----w c:\program files\Free Download Manager
2009-03-31 05:56 . 2009-03-31 05:57 -------- d-----w c:\program files\Another Matrix Screen Saver
2009-03-30 06:44 . 2009-03-30 06:44 -------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-03-30 06:44 . 2009-04-03 02:45 -------- d-----w c:\documents and settings\Piyush\Application Data\Azureus
2009-03-30 06:42 . 2009-03-30 06:42 -------- d-----w c:\program files\Vuze
2009-03-30 06:16 . 2009-04-04 13:34 -------- d-----w c:\program files\Common Files\Panda Software
2009-03-29 14:39 . 2009-04-04 13:31 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Panda Software
2009-03-29 14:39 . 2009-03-29 14:39 -------- d-----w c:\documents and settings\All Users\Application Data\sentinel
2009-03-29 14:38 . 2009-04-04 13:32 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Panda Software
2009-03-29 13:32 . 2009-03-29 13:21 203 ----a-w C:\bootini.uns
2009-03-29 13:23 . 2009-03-29 13:32 10 ----a-w C:\23990098.$$$
2009-03-29 13:23 . 2009-03-29 13:32 -------- d-----w C:\PUB
2009-03-29 13:20 . 2009-03-29 13:20 -------- d-----w c:\windows\system32\FLCSS.EXE
2009-03-26 07:49 . 2009-03-26 07:49 -------- d-----w c:\program files\Alcohol Soft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 16:48 . 2008-08-16 18:32 -------- d-----w c:\program files\DNA
2009-04-21 16:48 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\DNA
2009-04-18 20:55 . 2008-08-17 03:28 -------- d-----w c:\program files\SpeederXP
2009-04-18 20:46 . 2008-09-12 02:27 -------- d-----w c:\program files\FM PLAYER
2009-04-18 19:41 . 2008-08-17 03:28 -------- d-----w c:\program files\Trend Micro
2009-04-18 03:48 . 2008-08-17 03:26 -------- d-----w c:\program files\Opera
2009-04-17 11:51 . 2008-11-16 05:03 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-15 16:27 . 2008-12-14 17:09 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 15:28 . 2008-09-02 15:52 -------- d-----w c:\documents and settings\Piyush\Application Data\Dev-Cpp
2009-04-14 15:28 . 2009-02-11 17:13 -------- d-----w c:\documents and settings\Piyush\Application Data\Skype
2009-04-14 15:28 . 2008-10-24 10:09 699 ----a-w c:\documents and settings\All Users\Application Data\sfsettingslogin.dll
2009-04-14 15:28 . 2009-02-11 17:14 -------- d-----w c:\documents and settings\Piyush\Application Data\skypePM
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-s---w c:\program files\Xfire
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-----w c:\documents and settings\Piyush\Application Data\Xfire
2009-04-07 08:33 . 2008-08-09 13:18 -------- d-----w c:\program files\Common Files\Adobe
2009-04-04 13:34 . 2008-08-11 05:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-31 06:19 . 2008-09-16 04:43 -------- d-----w c:\program files\TuneUp Utilities 2008
2009-03-29 13:32 . 2009-03-29 13:21 -------- d-----w c:\program files\Common Files\MicroWorld
2009-03-29 13:21 . 2009-03-29 13:21 13016 ----a-w c:\windows\winsbak.reg
2009-03-29 13:21 . 2009-03-29 13:21 124774 ----a-w c:\windows\winsbak2.reg
2009-03-26 22:42 . 2008-08-15 04:47 -------- d-----w c:\program files\CEDP Stealer 6.0 for Messenger
2009-03-26 07:47 . 2008-09-13 19:16 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-25 05:36 . 2009-01-16 14:34 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 03:15 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\BitTorrent
2009-03-18 09:15 . 2009-03-18 09:15 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-15 09:28 . 2009-03-15 09:28 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-07 11:46 . 2009-03-07 11:46 -------- d-----w c:\program files\Xilisoft
2009-03-07 06:51 . 2008-08-11 07:33 68648 ----a-w c:\documents and settings\Piyush\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 15:27 . 2009-03-06 15:27 145 ----a-w C:\Shortcut to CD Drive.lnk
2009-03-06 14:22 . 2004-08-03 19:26 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 12:30 . 2009-03-03 12:30 -------- d-----w c:\program files\IconPhile
2009-03-03 12:25 . 2009-03-03 12:25 -------- d-----w c:\program files\ExeIcon
2009-03-03 00:18 . 2004-08-03 19:26 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-27 12:11 . 2008-08-17 03:28 -------- d-----w c:\program files\Total Video Converter
2009-02-26 09:00 . 2008-10-12 14:17 -------- d--h--w c:\documents and settings\Piyush\Application Data\ijjigame
2009-02-26 06:29 . 2008-09-16 04:42 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-26 06:28 . 2008-11-15 17:21 -------- d-----w c:\program files\AGEIA Technologies
2009-02-26 05:51 . 2009-02-26 05:51 23600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2009-02-25 07:42 . 2008-10-02 10:06 -------- d-----w c:\program files\Windows Live Safety Center
2009-02-21 08:08 . 2009-02-21 08:08 230 ----a-w C:\config.xml
2009-02-21 07:43 . 2009-02-21 07:43 -------- d-----w c:\program files\Microsoft Research
2009-02-20 18:09 . 2004-08-03 19:26 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-17 10:20 . 2008-08-11 05:58 17508864 ----a-w c:\windows\RTHDCPL.EXE
2009-02-14 16:58 . 2009-02-14 16:58 108144 ----a-w c:\windows\system32\CmdLineExt.dll
2009-02-09 12:10 . 2004-08-03 19:26 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-03 19:26 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-03 19:26 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-03 19:26 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-03 17:47 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 09:04 . 2009-02-26 06:35 35840 ----a-w c:\windows\system32\RtkCoInstXP.dll
2009-02-09 07:48 . 2008-08-11 07:20 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-02-06 11:11 . 2004-08-03 19:26 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-03 17:48 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-10-04 19:16 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-05 05:24 . 2008-08-09 12:55 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-03 19:59 . 2004-08-03 19:26 56832 ----a-w c:\windows\system32\secur32.dll
2008-10-24 08:54 . 2008-10-24 08:54 3 ----a-w c:\documents and settings\All Users\Application Data\NOD.dll
2008-09-12 03:27 . 2008-09-12 03:27 151608 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-11-15 16:22 . 2008-11-15 16:23 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111520081116\index.dat
2008-11-13 08:06 . 2008-11-07 14:20 5307936 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-13 08:06 . 2008-11-07 14:20 409632 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( [email protected]_17.00.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 16:49 . 2009-04-21 16:49 16384 c:\windows\Temp\Perflib_Perfdata_ac0.dat
+ 2009-04-21 16:47 . 2009-04-21 16:47 16384 c:\windows\Temp\Perflib_Perfdata_364.dat
+ 2001-10-04 19:15 . 2009-04-21 15:53 72298 c:\windows\system32\perfc009.dat
- 2001-10-04 19:15 . 2009-04-19 11:03 72298 c:\windows\system32\perfc009.dat
+ 2001-10-04 19:15 . 2009-04-21 15:53 444418 c:\windows\system32\perfh009.dat
- 2001-10-04 19:15 . 2009-04-19 11:03 444418 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 140288]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-03-17 203928]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-20 1994800]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-17 17508864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 07:02 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^Y'z Toolbar.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\Y'z Toolbar.lnk
backup=c:\windows\pss\Y'z Toolbar.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"hpqddsvc"=2 (0x2)
"hpqcxs08"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Data\\You got it...games!\\Road Rash 2000\\ROADRASH.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Need For Speed Underground\\Speed.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\IJJIGame\\PLauncher.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\ijji\\ENGLISH\\u_sf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1337:TCP"= 1337:TCP:BYOND port
"62986:TCP"= 62986:TCP:*isabled:SolidNetworkManager
"62986:UDP"= 62986:UDP:*isabled:SolidNetworkManager
"3799:TCP"= 3799:TCP:*isabled:SolidNetworkManager
"3799:UDP"= 3799:UDP:*isabled:SolidNetworkManager
"20027:TCP"= 20027:TCP:SolidNetworkManager
"20027:UDP"= 20027:UDP:SolidNetworkManager
"39407:TCP"= 39407:TCP:*isabled:SolidNetworkManager
"39407:UDP"= 39407:UDP:*isabled:SolidNetworkManager
"27015:UDP"= 27015:UDP:L4D
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver; [x]
R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 drhard;drhard;c:\windows\system32\DRIVERS\DRHARD.SYS [2005-12-01 23600]
R3 dump_wmimmc;dump_wmimmc; [x]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]


----------



## SVXX (Apr 14, 2009)

--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HTTPFilter
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MBAMService
*Deregistered* - MDM
*Deregistered* - Messenger
*Deregistered* - MWAgent
*Deregistered* - Net Driver HPZ12
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - nTuneService
*Deregistered* - NVSvc
*Deregistered* - NWCWorkstation
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PnkBstrA
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - Security Activity Dashboard Service
*Deregistered* - SENS
*Deregistered* - SfCtlCom
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TMBMServer
*Deregistered* - TmPfw
*Deregistered* - TmProxy
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 03:39]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\extensions\[email protected]\plugins\npssn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 22:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1844237615-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F325B3F7-D85B-6834-2EED-CC2A2D4B1C61}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"namnajnnedgnbkpdomkakeeejjla"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,
6c,69,6e,69,65,65,00,00
"macnclaieechbbpibeadmgbiag"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,6c,
69,6e,69,65,65,00,74
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1420)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2132)
c:\program files\CursorXP\CurXP0.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWAGENT.EXE
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
c:\program files\Trend Micro\TrendSecure\TSCFCmdrLauncher.exe
.
**************************************************************************
.
Completion time: 2009-04-21 22:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-21 16:53
ComboFix2.txt 2009-04-20 15:10
ComboFix3.txt 2009-04-20 10:16
ComboFix4.txt 2009-04-19 17:06

Pre-Run: 12,356,325,376 bytes free
Post-Run: 12,351,668,224 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
441 --- E O F --- 2009-04-17 12:36


----------

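The log above is long, and most of it is noise from legitimately installed software. A small triage script for this kind of ComboFix log, added here as an example and not part of the thread or of ComboFix itself, pulls out the three things worth looking at first: the Security Center `DisableMonitoring` flags, the firewall exceptions under `GloballyOpenPorts` that are still active, and the `hex:` values under `LOCKED REGISTRY KEYS`, decoded to text. The sample log embedded in it is constructed from abbreviated lines in the shape of the posted one (the SID is made up); the "random-looking name" heuristic is the example's own assumption, not a ComboFix rule.

```python
"""Triage helpers for a pasted ComboFix log (added example for this thread;
not ComboFix output and not any poster's code). Extracts the Security Center
DisableMonitoring flags, the GloballyOpenPorts entries that are still active,
and the REG_BINARY values under LOCKED REGISTRY KEYS, decoded to ASCII."""
import re

# Constructed sample in the shape of the posted log (abbreviated; the SID is
# made up). The hex values wrap onto a second line exactly as ComboFix prints them.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1337:TCP"= 1337:TCP:BYOND port
"62986:TCP"= 62986:TCP:*isabled:SolidNetworkManager
"27015:UDP"= 27015:UDP:L4D

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1-2-3-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F325B3F7-D85B-6834-2EED-CC2A2D4B1C61}*]
@Allowed: (Read) (RestrictedCode)
"namnajnnedgnbkpdomkakeeejjla"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,
6c,69,6e,69,65,65,00,00
"macnclaieechbbpibeadmgbiag"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,6c,
69,6e,69,65,65,00,74
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
_PORT_RE = re.compile(r"^(\d+):(TCP|UDP):(.*)$")
# Crude heuristic, an assumption of this example: a long run of lowercase letters
# with no digits or separators, the naming style of Vundo-family leftovers.
_RANDOM_NAME_RE = re.compile(r"[a-z]{16,}")

def _lines(log):
    """Strip lines and glue REGEDIT4 hex values that wrap after a trailing comma."""
    out = []
    for raw in log.splitlines():
        line = raw.strip()
        if out and out[-1].endswith(","):
            out[-1] += line
        else:
            out.append(line)
    return out

def _walk(log):
    """Yield (current_key, value_name, value_data) for every quoted value."""
    key = ""
    for line in _lines(log):
        if m := _KEY_RE.match(line):
            key = m.group(1)
        elif v := _VALUE_RE.match(line):
            yield key, v.group(1), v.group(2).strip()

def disabled_monitoring(log):
    """Names of products whose Windows Security Center monitoring is off."""
    return [key.rsplit("\\", 1)[-1] for key, name, data in _walk(log)
            if name == "DisableMonitoring" and data.lower() == "dword:00000001"
            and "security center\\monitoring\\" in key.lower()]

def active_open_ports(log):
    """(port, proto, label) for GloballyOpenPorts entries not tagged disabled.
    ComboFix prints the tag as '*isabled:'; '*Disabled:' is accepted as well."""
    ports = []
    for key, _name, data in _walk(log):
        p = _PORT_RE.match(data)
        if (key.lower().endswith("globallyopenports\\list") and p
                and not re.match(r"\*d?isabled:", p.group(3), re.I)):
            ports.append((int(p.group(1)), p.group(2), p.group(3)))
    return ports

def locked_binary_values(log):
    """(key, name, decoded, random_name) for hex: values under the LOCKED
    REGISTRY KEYS banner; non-printable bytes are shown as '.'."""
    start = log.find("LOCKED REGISTRY KEYS")
    if start < 0:
        return []
    section = log[start:]
    end = section.find("\n-----")          # the next banner closes the section
    section = section if end < 0 else section[:end]
    out = []
    for key, name, data in _walk(section):
        if not data.lower().startswith("hex:"):
            continue
        raw = bytes(int(h, 16) for h in data[4:].split(",") if h)
        decoded = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
        out.append((key, name, decoded, bool(_RANDOM_NAME_RE.fullmatch(name))))
    return out

if __name__ == "__main__":
    print("WSC monitoring disabled for:", disabled_monitoring(SAMPLE_LOG))
    print("active global firewall ports:", active_open_ports(SAMPLE_LOG))
    for key, name, decoded, rnd in locked_binary_values(SAMPLE_LOG):
        print(f"{name!r} -> {decoded!r} random-looking={rnd}")
```

Two caveats when reading the output. The `DisableMonitoring` flags are not by themselves a sign of tampering: security suites set them so that Security Center does not raise duplicate alerts, and this machine has had several suites installed at once. The locked key is the more interesting item: a CLSID under `Shell Extensions\Approved` holding random-looking value names with a short string payload is the kind of residue the Vundo family named in the first post leaves behind, and ComboFix lists it as locked because its permissions were restricted (the `@Allowed: (Read) (RestrictedCode)` lines), which is why ordinary tools have trouble removing it.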


## SVXX (Apr 14, 2009)

Update: I downloaded the Windows Recovery Console and used CHKDSK on E:. It got stuck at 68% and said the drive has one or more unrecoverable problems.


----------



## Cookiegal (Aug 27, 2003)

Please post the entire chkdsk report.

I'm attaching a Fixsvxx.zip file. Save it to your desktop. Unzip it and double-click the Fixsvxx.reg file and allow it to enter into the registry.

Then reboot the computer and run a new scan with ComboFix and post the log please.


----------



## SVXX (Apr 14, 2009)

There's no detailed report for CHKDSK; all it said was that the drive had one or more unrecoverable problems. Also, I replaced the boot sector on E: using FIXBOOT and it's reduced the problem somewhat, I have no idea why. Didn't dare to try FIXMBR as it could damage my partition tables.
ComboFix 09-04-23.A3 - Piyush 04/23/2009 22:34.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1568 [GMT 5.5:30]
Running from: c:\documents and settings\Piyush\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.

2009-04-20 10:34 . 2009-04-20 15:27 77824 ----a-w c:\windows\system32\kdfapi.dll
2009-04-20 10:34 . 2009-04-20 15:27 53248 ----a-w c:\windows\system32\Kdfhok.dll
2009-04-20 10:34 . 2009-04-20 15:27 192512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-04-20 10:34 . 2009-04-20 15:27 387288 ----a-w c:\windows\system32\kdfmgr.exe
2009-04-20 10:34 . 2009-04-20 10:34 475872 ----a-w c:\windows\system32\kdfinj.dll
2009-04-20 10:34 . 2009-04-20 10:34 -------- d-----w c:\windows\kdefense
2009-04-19 11:02 . 2009-04-20 10:11 -------- d-----w c:\windows\system32\Service
2009-04-19 04:35 . 2009-04-19 04:35 -------- d-----w c:\documents and settings\Piyush\DoctorWeb
2009-04-18 19:46 . 2009-04-18 19:46 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Trend Micro
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\windows\LocalSSL
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-18 19:41 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-18 19:40 . 2009-04-19 03:52 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-18 19:21 . 2009-04-18 19:21 661808 ----a-w c:\windows\system32\UfWSC.cpl
2009-04-18 19:21 . 2009-03-06 02:17 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-18 19:21 . 2009-03-03 23:12 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-18 19:21 . 2009-03-03 09:08 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-04-18 09:09 . 2009-03-09 09:57 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-04-18 09:09 . 2009-03-16 08:48 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-04-18 09:09 . 2009-03-16 08:48 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-04-18 03:34 . 2009-04-18 03:34 -------- d-----w c:\program files\VS Revo Group
2009-04-18 03:22 . 2009-04-18 03:23 -------- d-----w c:\program files\Guitar FX BOX 2.6
2009-04-18 03:19 . 2009-04-18 09:22 -------- d-----w c:\documents and settings\Piyush\Application Data\Audacity
2009-04-17 10:07 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 10:07 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 10:07 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 10:07 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 10:07 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 10:07 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 10:07 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 10:07 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 10:07 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 09:44 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 09:44 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 09:44 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 09:40 . 2009-04-18 07:17 -------- d-----w c:\documents and settings\Piyush\.housecall6.6
2009-04-15 16:24 . 2009-04-15 16:24 -------- d-----w c:\program files\EqPlot
2009-04-15 16:15 . 2009-04-15 16:15 -------- d-----w c:\program files\Microsoft
2009-04-14 11:57 . 2009-04-14 15:25 -------- d-----w C:\Dev-Cpp
2009-04-13 18:05 . 2009-04-13 18:05 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Locktime
2009-04-13 16:02 . 2009-04-13 16:02 -------- d-----w c:\program files\Belarc
2009-04-13 16:02 . 2008-02-27 08:19 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-----w c:\program files\Common Files\ReGet Shared
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-sh--w C:\found.000
2009-04-10 18:21 . 2009-04-23 17:08 -------- d-----w c:\program files\FlashGet
2009-04-10 18:07 . 2009-04-10 18:20 -------- d-----w c:\documents and settings\Piyush\Application Data\Free Download Manager
2009-04-10 12:20 . 2009-04-10 12:23 -------- d-----w c:\documents and settings\Piyush\Application Data\ReGet Software
2009-04-10 12:16 . 2009-04-10 12:16 57 ----a-w c:\windows\english.lng
2009-04-10 12:16 . 2009-04-13 15:40 -------- d-----w c:\program files\ReGet Software
2009-04-10 11:19 . 2009-04-10 11:19 -------- d-----w c:\documents and settings\Piyush\Application Data\McAfee
2009-04-10 05:56 . 2009-04-10 05:56 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\Piyush\Application Data\Locktime
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\All Users\Application Data\Locktime
2009-04-07 08:31 . 2009-04-07 08:31 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-07 06:22 . 2009-04-18 19:21 -------- d-----w C:\Downloads
2009-04-05 16:19 . 2009-04-05 16:19 -------- d-----w c:\documents and settings\Piyush\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-06 10:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 16:18 . 2009-04-06 10:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 16:18 . 2009-04-05 16:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-15 16:56 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:48 . 2009-04-15 14:20 -------- d-----w c:\program files\PSK
2009-04-05 15:48 . 2009-04-05 15:48 -------- d-----w c:\windows\system32\XPToolsLicenseComponent
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\program files\SiteAdvisor
2009-04-04 14:11 . 2009-03-25 05:36 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-04 14:11 . 2009-03-25 05:36 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-04 14:11 . 2009-03-25 05:36 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-04 14:07 . 2009-03-25 05:35 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-04 12:35 . 2009-04-18 19:28 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\drivers\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 05:19 23600 ----a-w c:\windows\system32\drivers\drhard.sys
2009-04-02 17:54 . 2009-04-02 17:54 -------- d-----w c:\program files\Dr.Hardware 2009 english
2009-03-31 06:11 . 2009-03-31 06:12 -------- d-----w c:\documents and settings\Piyush\Application Data\Software Informer
2009-03-31 06:11 . 2009-03-31 06:11 -------- d-----w c:\program files\Software Informer
2009-03-31 06:11 . 2009-04-13 15:40 -------- d-----w c:\program files\Free Download Manager
2009-03-31 05:56 . 2009-03-31 05:57 -------- d-----w c:\program files\Another Matrix Screen Saver
2009-03-30 06:44 . 2009-03-30 06:44 -------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-03-30 06:44 . 2009-04-03 02:45 -------- d-----w c:\documents and settings\Piyush\Application Data\Azureus
2009-03-30 06:42 . 2009-03-30 06:42 -------- d-----w c:\program files\Vuze
2009-03-30 06:16 . 2009-04-04 13:34 -------- d-----w c:\program files\Common Files\Panda Software
2009-03-29 14:39 . 2009-04-04 13:31 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Panda Software
2009-03-29 14:39 . 2009-03-29 14:39 -------- d-----w c:\documents and settings\All Users\Application Data\sentinel
2009-03-29 14:38 . 2009-04-04 13:32 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Panda Software
2009-03-29 13:32 . 2009-03-29 13:21 203 ----a-w C:\bootini.uns
2009-03-29 13:23 . 2009-03-29 13:32 10 ----a-w C:\23990098.$$$
2009-03-29 13:23 . 2009-03-29 13:32 -------- d-----w C:\PUB
2009-03-29 13:20 . 2009-03-29 13:20 -------- d-----w c:\windows\system32\FLCSS.EXE
2009-03-26 07:49 . 2009-03-26 07:49 -------- d-----w c:\program files\Alcohol Soft


----------



## SVXX (Apr 14, 2009)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 17:08 . 2008-08-16 18:32 -------- d-----w c:\program files\DNA
2009-04-23 17:08 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\DNA
2009-04-18 20:55 . 2008-08-17 03:28 -------- d-----w c:\program files\SpeederXP
2009-04-18 20:46 . 2008-09-12 02:27 -------- d-----w c:\program files\FM PLAYER
2009-04-18 19:41 . 2008-08-17 03:28 -------- d-----w c:\program files\Trend Micro
2009-04-18 03:48 . 2008-08-17 03:26 -------- d-----w c:\program files\Opera
2009-04-17 11:51 . 2008-11-16 05:03 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-15 16:27 . 2008-12-14 17:09 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 15:28 . 2008-09-02 15:52 -------- d-----w c:\documents and settings\Piyush\Application Data\Dev-Cpp
2009-04-14 15:28 . 2009-02-11 17:13 -------- d-----w c:\documents and settings\Piyush\Application Data\Skype
2009-04-14 15:28 . 2008-10-24 10:09 699 ----a-w c:\documents and settings\All Users\Application Data\sfsettingslogin.dll
2009-04-14 15:28 . 2009-02-11 17:14 -------- d-----w c:\documents and settings\Piyush\Application Data\skypePM
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-s---w c:\program files\Xfire
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-----w c:\documents and settings\Piyush\Application Data\Xfire
2009-04-07 08:33 . 2008-08-09 13:18 -------- d-----w c:\program files\Common Files\Adobe
2009-04-04 13:34 . 2008-08-11 05:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-31 06:19 . 2008-09-16 04:43 -------- d-----w c:\program files\TuneUp Utilities 2008
2009-03-29 13:32 . 2009-03-29 13:21 -------- d-----w c:\program files\Common Files\MicroWorld
2009-03-29 13:21 . 2009-03-29 13:21 13016 ----a-w c:\windows\winsbak.reg
2009-03-29 13:21 . 2009-03-29 13:21 124774 ----a-w c:\windows\winsbak2.reg
2009-03-26 22:42 . 2008-08-15 04:47 -------- d-----w c:\program files\CEDP Stealer 6.0 for Messenger
2009-03-26 07:47 . 2008-09-13 19:16 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-25 05:36 . 2009-01-16 14:34 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 03:15 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\BitTorrent
2009-03-18 09:15 . 2009-03-18 09:15 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-15 09:28 . 2009-03-15 09:28 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-07 11:46 . 2009-03-07 11:46 -------- d-----w c:\program files\Xilisoft
2009-03-07 06:51 . 2008-08-11 07:33 68648 ----a-w c:\documents and settings\Piyush\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 15:27 . 2009-03-06 15:27 145 ----a-w C:\Shortcut to CD Drive.lnk
2009-03-06 14:22 . 2004-08-03 19:26 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 12:30 . 2009-03-03 12:30 -------- d-----w c:\program files\IconPhile
2009-03-03 12:25 . 2009-03-03 12:25 -------- d-----w c:\program files\ExeIcon
2009-03-03 00:18 . 2004-08-03 19:26 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-27 12:11 . 2008-08-17 03:28 -------- d-----w c:\program files\Total Video Converter
2009-02-26 09:00 . 2008-10-12 14:17 -------- d--h--w c:\documents and settings\Piyush\Application Data\ijjigame
2009-02-26 06:29 . 2008-09-16 04:42 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-26 06:28 . 2008-11-15 17:21 -------- d-----w c:\program files\AGEIA Technologies
2009-02-26 05:51 . 2009-02-26 05:51 23600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2009-02-25 07:42 . 2008-10-02 10:06 -------- d-----w c:\program files\Windows Live Safety Center
2009-02-21 08:08 . 2009-02-21 08:08 230 ----a-w C:\config.xml
2009-02-20 18:09 . 2004-08-03 19:26 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-17 10:20 . 2008-08-11 05:58 17508864 ----a-w c:\windows\RTHDCPL.EXE
2009-02-14 16:58 . 2009-02-14 16:58 108144 ----a-w c:\windows\system32\CmdLineExt.dll
2009-02-09 12:10 . 2004-08-03 19:26 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-03 19:26 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-03 19:26 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-03 19:26 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-03 17:47 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 09:04 . 2009-02-26 06:35 35840 ----a-w c:\windows\system32\RtkCoInstXP.dll
2009-02-09 07:48 . 2008-08-11 07:20 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-02-06 11:11 . 2004-08-03 19:26 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-03 17:48 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-10-04 19:16 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-05 05:24 . 2008-08-09 12:55 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-03 19:59 . 2004-08-03 19:26 56832 ----a-w c:\windows\system32\secur32.dll
2008-10-24 08:54 . 2008-10-24 08:54 3 ----a-w c:\documents and settings\All Users\Application Data\NOD.dll
2008-09-12 03:27 . 2008-09-12 03:27 151608 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-11-15 16:22 . 2008-11-15 16:23 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111520081116\index.dat
2008-11-13 08:06 . 2008-11-07 14:20 5307936 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-13 08:06 . 2008-11-07 14:20 409632 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( [email protected]_17.00.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-23 17:08 . 2009-04-23 17:08 16384 c:\windows\Temp\Perflib_Perfdata_a68.dat
+ 2009-04-23 17:08 . 2009-04-23 17:08 16384 c:\windows\Temp\Perflib_Perfdata_854.dat
+ 2009-04-23 17:01 . 2009-04-23 17:01 16384 c:\windows\Temp\Perflib_Perfdata_830.dat
+ 2001-10-04 19:15 . 2009-04-23 17:05 72298 c:\windows\system32\perfc009.dat
- 2001-10-04 19:15 . 2009-04-19 11:03 72298 c:\windows\system32\perfc009.dat
+ 2008-08-09 12:43 . 2001-10-04 19:15 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2008-11-15 15:50 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat
+ 2008-11-15 15:51 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat
- 2001-10-04 19:15 . 2009-04-19 11:03 444418 c:\windows\system32\perfh009.dat
+ 2001-10-04 19:15 . 2009-04-23 17:05 444418 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 140288]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-03-17 203928]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-20 1994800]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-17 17508864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 07:02 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^Y'z Toolbar.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\Y'z Toolbar.lnk
backup=c:\windows\pss\Y'z Toolbar.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"hpqddsvc"=2 (0x2)
"hpqcxs08"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Data\\You got it...games!\\Road Rash 2000\\ROADRASH.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Need For Speed Underground\\Speed.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\IJJIGame\\PLauncher.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\ijji\\ENGLISH\\u_sf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1337:TCP"= 1337:TCP:BYOND port
"62986:TCP"= 62986:TCP:*isabled:SolidNetworkManager
"62986:UDP"= 62986:UDP:*isabled:SolidNetworkManager
"3799:TCP"= 3799:TCP:*isabled:SolidNetworkManager
"3799:UDP"= 3799:UDP:*isabled:SolidNetworkManager
"20027:TCP"= 20027:TCP:SolidNetworkManager
"20027:UDP"= 20027:UDP:SolidNetworkManager
"39407:TCP"= 39407:TCP:*isabled:SolidNetworkManager
"39407:UDP"= 39407:UDP:*isabled:SolidNetworkManager
"27015:UDP"= 27015:UDP:L4D
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver; [x]
R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 drhard;drhard;c:\windows\system32\DRIVERS\DRHARD.SYS [2005-12-01 23600]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]

--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MBAMService
*Deregistered* - MDM
*Deregistered* - Messenger
*Deregistered* - MWAgent
*Deregistered* - Net Driver HPZ12
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - nTuneService
*Deregistered* - NVSvc
*Deregistered* - NWCWorkstation
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PnkBstrA
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - Security Activity Dashboard Service
*Deregistered* - SENS
*Deregistered* - SfCtlCom
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TMBMServer
*Deregistered* - TmPfw
*Deregistered* - TmProxy
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 03:39]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\extensions\[email protected]\plugins\npssn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 22:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1844237615-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F325B3F7-D85B-6834-2EED-CC2A2D4B1C61}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"namnajnnedgnbkpdomkakeeejjla"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,
6c,69,6e,69,65,65,00,00
"macnclaieechbbpibeadmgbiag"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,6c,
69,6e,69,65,65,00,74
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1412)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3732)
c:\program files\CursorXP\CurXP0.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWAGENT.EXE
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-23 22:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-23 17:14
ComboFix2.txt 2009-04-21 16:54
ComboFix3.txt 2009-04-20 15:10
ComboFix4.txt 2009-04-20 10:16
ComboFix5.txt 2009-04-23 17:04

Pre-Run: 12,442,329,088 bytes free
Post-Run: 12,432,560,128 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
440 --- E O F --- 2009-04-17 12:36


----------



## Cookiegal (Aug 27, 2003)

Please boot to safe mode and run the Fixsvxx.reg file again. Then boot back to Windows normally and run another scan with ComboFix and post the log.


----------



## SVXX (Apr 14, 2009)

As requested,
ComboFix 09-04-25.03 - Piyush 04/25/2009 8:44.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1429 [GMT 5.5:30]
Running from: c:\documents and settings\Piyush\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-20 10:34 . 2009-04-20 15:27 77824 ----a-w c:\windows\system32\kdfapi.dll
2009-04-20 10:34 . 2009-04-20 15:27 53248 ----a-w c:\windows\system32\Kdfhok.dll
2009-04-20 10:34 . 2009-04-20 15:27 192512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-04-20 10:34 . 2009-04-20 15:27 387288 ----a-w c:\windows\system32\kdfmgr.exe
2009-04-20 10:34 . 2009-04-20 10:34 475872 ----a-w c:\windows\system32\kdfinj.dll
2009-04-20 10:34 . 2009-04-20 10:34 -------- d-----w c:\windows\kdefense
2009-04-19 11:02 . 2009-04-20 10:11 -------- d-----w c:\windows\system32\Service
2009-04-19 04:35 . 2009-04-19 04:35 -------- d-----w c:\documents and settings\Piyush\DoctorWeb
2009-04-18 19:46 . 2009-04-18 19:46 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Trend Micro
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\windows\LocalSSL
2009-04-18 19:42 . 2009-04-18 19:42 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-18 19:41 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-18 19:41 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-18 19:40 . 2009-04-19 03:52 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-18 19:21 . 2009-04-18 19:21 661808 ----a-w c:\windows\system32\UfWSC.cpl
2009-04-18 19:21 . 2009-03-06 02:17 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-18 19:21 . 2009-03-06 02:17 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-18 19:21 . 2009-03-03 23:12 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-18 19:21 . 2009-03-03 09:08 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-04-18 09:09 . 2009-03-09 09:57 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-04-18 09:09 . 2009-03-09 09:57 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-04-18 09:09 . 2009-03-16 08:48 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-04-18 09:09 . 2009-03-16 08:48 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-04-18 09:09 . 2009-03-16 08:48 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-04-18 03:34 . 2009-04-18 03:34 -------- d-----w c:\program files\VS Revo Group
2009-04-18 03:22 . 2009-04-18 03:23 -------- d-----w c:\program files\Guitar FX BOX 2.6
2009-04-18 03:19 . 2009-04-18 09:22  -------- d-----w c:\documents and settings\Piyush\Application Data\Audacity
2009-04-17 10:07 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 10:07 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 10:07 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 10:07 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 10:07 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 10:07 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 10:07 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 10:07 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 10:07 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 09:44 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 09:44 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 09:44 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 09:40 . 2009-04-18 07:17 -------- d-----w c:\documents and settings\Piyush\.housecall6.6
2009-04-15 16:24 . 2009-04-15 16:24 -------- d-----w c:\program files\EqPlot
2009-04-15 16:15 . 2009-04-15 16:15 -------- d-----w c:\program files\Microsoft
2009-04-14 11:57 . 2009-04-14 15:25 -------- d-----w C:\Dev-Cpp
2009-04-13 18:05 . 2009-04-13 18:05 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Locktime
2009-04-13 16:02 . 2009-04-13 16:02 -------- d-----w c:\program files\Belarc
2009-04-13 16:02 . 2008-02-27 08:19 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-----w c:\program files\Common Files\ReGet Shared
2009-04-13 15:43 . 2009-04-13 15:43 -------- d-sh--w C:\found.000
2009-04-10 18:21 . 2009-04-25 03:01 -------- d-----w c:\program files\FlashGet
2009-04-10 18:07 . 2009-04-10 18:20 -------- d-----w c:\documents and settings\Piyush\Application Data\Free Download Manager
2009-04-10 12:20 . 2009-04-10 12:23 -------- d-----w c:\documents and settings\Piyush\Application Data\ReGet Software
2009-04-10 12:16 . 2009-04-10 12:16 57 ----a-w c:\windows\english.lng
2009-04-10 12:16 . 2009-04-13 15:40 -------- d-----w c:\program files\ReGet Software
2009-04-10 11:19 . 2009-04-10 11:19 -------- d-----w c:\documents and settings\Piyush\Application Data\McAfee
2009-04-10 05:56 . 2009-04-10 05:56 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\Piyush\Application Data\Locktime
2009-04-10 04:15 . 2009-04-10 04:15 -------- d-----w c:\documents and settings\All Users\Application Data\Locktime
2009-04-07 08:31 . 2009-04-07 08:31 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-07 06:22 . 2009-04-18 19:21 -------- d-----w C:\Downloads
2009-04-05 16:19 . 2009-04-05 16:19 -------- d-----w c:\documents and settings\Piyush\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-06 10:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 16:18 . 2009-04-06 10:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 16:18 . 2009-04-05 16:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 16:18 . 2009-04-15 16:56 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:48 . 2009-04-15 14:20 -------- d-----w c:\program files\PSK
2009-04-05 15:48 . 2009-04-05 15:48 -------- d-----w c:\windows\system32\XPToolsLicenseComponent
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-04-04 14:14 . 2009-04-04 14:14 -------- d-----w c:\program files\SiteAdvisor
2009-04-04 14:11 . 2009-03-25 05:36 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-04 14:11 . 2009-03-25 05:36 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-04 14:11 . 2009-03-25 05:36 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-04 14:07 . 2009-03-25 05:35 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-04 12:35 . 2009-04-18 19:28 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\drivers\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 09:08 20651 ----a-w c:\windows\system32\DRHARD.VXD
2009-04-02 17:54 . 2005-12-01 05:19 23600 ----a-w c:\windows\system32\drivers\drhard.sys
2009-04-02 17:54 . 2009-04-02 17:54 -------- d-----w c:\program files\Dr.Hardware 2009 english
2009-03-31 06:11 . 2009-03-31 06:12 -------- d-----w c:\documents and settings\Piyush\Application Data\Software Informer
2009-03-31 06:11 . 2009-03-31 06:11 -------- d-----w c:\program files\Software Informer
2009-03-31 06:11 . 2009-04-13 15:40 -------- d-----w c:\program files\Free Download Manager
2009-03-31 05:56 . 2009-03-31 05:57 -------- d-----w c:\program files\Another Matrix Screen Saver
2009-03-30 06:44 . 2009-03-30 06:44 -------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2009-03-30 06:44 . 2009-04-03 02:45 -------- d-----w c:\documents and settings\Piyush\Application Data\Azureus
2009-03-30 06:42 . 2009-03-30 06:42 -------- d-----w c:\program files\Vuze
2009-03-30 06:16 . 2009-04-04 13:34 -------- d-----w c:\program files\Common Files\Panda Software
2009-03-29 14:39 . 2009-04-04 13:31 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Panda Software
2009-03-29 14:39 . 2009-03-29 14:39 -------- d-----w c:\documents and settings\All Users\Application Data\sentinel
2009-03-29 14:38 . 2009-04-04 13:32 -------- d-----w c:\documents and settings\Piyush\Local Settings\Application Data\Panda Software
2009-03-29 13:32 . 2009-03-29 13:21 203 ----a-w C:\bootini.uns
2009-03-29 13:23 . 2009-03-29 13:32 10 ----a-w C:\23990098.$$$
2009-03-29 13:23 . 2009-03-29 13:32 -------- d-----w C:\PUB
2009-03-29 13:20 . 2009-03-29 13:20 -------- d-----w c:\windows\system32\FLCSS.EXE
2009-03-26 07:49 . 2009-03-26 07:49 -------- d-----w c:\program files\Alcohol Soft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 03:19 . 2008-08-16 18:32 -------- d-----w c:\program files\DNA
2009-04-25 03:19 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\DNA
2009-04-18 20:55 . 2008-08-17 03:28 -------- d-----w c:\program files\SpeederXP
2009-04-18 20:46 . 2008-09-12 02:27 -------- d-----w c:\program files\FM PLAYER
2009-04-18 19:41 . 2008-08-17 03:28 -------- d-----w c:\program files\Trend Micro
2009-04-18 03:48 . 2008-08-17 03:26 -------- d-----w c:\program files\Opera
2009-04-17 11:51 . 2008-11-16 05:03 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-15 16:27 . 2008-12-14 17:09 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 15:28 . 2008-09-02 15:52 -------- d-----w c:\documents and settings\Piyush\Application Data\Dev-Cpp
2009-04-14 15:28 . 2009-02-11 17:13 -------- d-----w c:\documents and settings\Piyush\Application Data\Skype
2009-04-14 15:28 . 2008-10-24 10:09 699 ----a-w c:\documents and settings\All Users\Application Data\sfsettingslogin.dll
2009-04-14 15:28 . 2009-02-11 17:14 -------- d-----w c:\documents and settings\Piyush\Application Data\skypePM
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-s---w c:\program files\Xfire
2009-04-13 15:43 . 2008-10-12 17:44 -------- d-----w c:\documents and settings\Piyush\Application Data\Xfire
2009-04-07 08:33 . 2008-08-09 13:18 -------- d-----w c:\program files\Common Files\Adobe
2009-04-04 13:34 . 2008-08-11 05:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-31 06:19 . 2008-09-16 04:43 -------- d-----w c:\program files\TuneUp Utilities 2008
2009-03-29 13:32 . 2009-03-29 13:21 -------- d-----w c:\program files\Common Files\MicroWorld
2009-03-29 13:21 . 2009-03-29 13:21 13016 ----a-w c:\windows\winsbak.reg
2009-03-29 13:21 . 2009-03-29 13:21 124774 ----a-w c:\windows\winsbak2.reg
2009-03-26 22:42 . 2008-08-15 04:47 -------- d-----w c:\program files\CEDP Stealer 6.0 for Messenger
2009-03-26 07:47 . 2008-09-13 19:16 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-25 05:36 . 2009-01-16 14:34 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 03:15 . 2008-08-16 18:32 -------- d-----w c:\documents and settings\Piyush\Application Data\BitTorrent
2009-03-18 09:15 . 2009-03-18 09:15 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-15 09:28 . 2009-03-15 09:28 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-07 11:46 . 2009-03-07 11:46 -------- d-----w c:\program files\Xilisoft
2009-03-07 06:51 . 2008-08-11 07:33 68648 ----a-w c:\documents and settings\Piyush\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 15:27 . 2009-03-06 15:27 145 ----a-w C:\Shortcut to CD Drive.lnk
2009-03-06 14:22 . 2004-08-03 19:26 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 12:30 . 2009-03-03 12:30 -------- d-----w c:\program files\IconPhile
2009-03-03 12:25 . 2009-03-03 12:25 -------- d-----w c:\program files\ExeIcon
2009-03-03 00:18 . 2004-08-03 19:26 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-27 12:11 . 2008-08-17 03:28 -------- d-----w c:\program files\Total Video Converter
2009-02-26 09:00 . 2008-10-12 14:17 -------- d--h--w c:\documents and settings\Piyush\Application Data\ijjigame
2009-02-26 06:29 . 2008-09-16 04:42 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-26 06:28 . 2008-11-15 17:21 -------- d-----w c:\program files\AGEIA Technologies
2009-02-26 05:51 . 2009-02-26 05:51 23600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2009-02-25 07:42 . 2008-10-02 10:06 -------- d-----w c:\program files\Windows Live Safety Center
2009-02-21 08:08 . 2009-02-21 08:08 230 ----a-w C:\config.xml
2009-02-20 18:09 . 2004-08-03 19:26 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-17 10:20 . 2008-08-11 05:58 17508864 ----a-w c:\windows\RTHDCPL.EXE
2009-02-14 16:58 . 2009-02-14 16:58 108144 ----a-w c:\windows\system32\CmdLineExt.dll
2009-02-09 12:10 . 2004-08-03 19:26 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-03 19:26 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-03 19:26 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-03 19:26 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-03 17:47 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 09:04 . 2009-02-26 06:35 35840 ----a-w c:\windows\system32\RtkCoInstXP.dll
2009-02-09 07:48 . 2008-08-11 07:20 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-02-06 11:11 . 2004-08-03 19:26 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-03 17:48 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-10-04 19:16 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-05 05:24 . 2008-08-09 12:55 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-03 19:59 . 2004-08-03 19:26 56832 ----a-w c:\windows\system32\secur32.dll
2008-10-24 08:54 . 2008-10-24 08:54 3 ----a-w c:\documents and settings\All Users\Application Data\NOD.dll
2008-09-12 03:27 . 2008-09-12 03:27 151608 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-11-15 16:22 . 2008-11-15 16:23 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111520081116\index.dat
2008-11-13 08:06 . 2008-11-07 14:20 5307936 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-13 08:06 . 2008-11-07 14:20 409632 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( [email protected]_17.00.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-25 03:20 . 2009-04-25 03:20 16384 c:\windows\temp\Perflib_Perfdata_ecc.dat
+ 2009-04-25 03:17 . 2009-04-25 03:17 16384 c:\windows\temp\Perflib_Perfdata_318.dat
+ 2001-10-04 19:15 . 2009-04-25 03:21 72094 c:\windows\system32\perfc009.dat
+ 2008-08-09 12:43 . 2001-10-04 19:15 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2008-11-15 15:50 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat
+ 2008-11-15 15:51 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat
+ 2001-10-04 19:15 . 2009-04-25 03:21 444088 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 140288]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-03-17 203928]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-20 1994800]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-17 17508864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-18 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 07:02 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^Y'z Toolbar.lnk]
path=c:\documents and settings\Piyush\Start Menu\Programs\Startup\Y'z Toolbar.lnk
backup=c:\windows\pss\Y'z Toolbar.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"hpqddsvc"=2 (0x2)
"hpqcxs08"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Data\\You got it...games!\\Road Rash 2000\\ROADRASH.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Need For Speed Underground\\Speed.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\IJJIGame\\PLauncher.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\ijji\\ENGLISH\\u_sf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1337:TCP"= 1337:TCP:BYOND port
"62986:TCP"= 62986:TCP:*isabled:SolidNetworkManager
"62986:UDP"= 62986:UDP:*isabled:SolidNetworkManager
"3799:TCP"= 3799:TCP:*isabled:SolidNetworkManager
"3799:UDP"= 3799:UDP:*isabled:SolidNetworkManager
"20027:TCP"= 20027:TCP:SolidNetworkManager
"20027:UDP"= 20027:UDP:SolidNetworkManager
"39407:TCP"= 39407:TCP:*isabled:SolidNetworkManager
"39407:UDP"= 39407:UDP:*isabled:SolidNetworkManager
"27015:UDP"= 27015:UDP:L4D
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver; [x]
R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 drhard;drhard;c:\windows\system32\DRIVERS\DRHARD.SYS [2005-12-01 23600]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]


----------
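The two ComboFix runs posted above (2009-04-23 and 2009-04-25) both carry the same three registry sections a helper scans first: the firewall `AuthorizedApplications\List`, the `GloballyOpenPorts\List`, and the `security center\Monitoring\<Product>` keys with `DisableMonitoring` set. The script below is an added example, not part of this thread and not ComboFix's own code: it parses those sections as ComboFix prints them and flags exceptions for programs outside Program Files or Windows, ports that are still enabled, and products whose Security Center monitoring has been switched off. The excerpt it runs on is constructed from lines in the posted log; treating ComboFix's `*isabled:` marker as a disabled exception, and the list of "standard" path prefixes, are assumptions made here rather than anything documented on the page.

```python
"""Triage helper for the firewall and Security Center sections of a ComboFix log.

Added example (not ComboFix code). Parses "[key]" headers followed by
"name"=value lines, as in the posted log, and summarises what to look at.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt, assembled from lines that appear in the posted log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Need For Speed Underground\\Speed.exe"=
"c:\\ijji\\ENGLISH\\u_sf.exe"=
"c:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1337:TCP"= 1337:TCP:BYOND port
"62986:TCP"= 62986:TCP:*isabled:SolidNetworkManager
"20027:UDP"= 20027:UDP:SolidNetworkManager
"27015:UDP"= 27015:UDP:L4D

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=\s*(.*)$')
PORT_RE = re.compile(r"^(\d+):(TCP|UDP)$", re.I)

# Assumption: paths under these prefixes are "expected"; anything else gets flagged.
STANDARD_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\", "%windir%\\")
MONITORING_MARKER = "security center\\monitoring\\"


def parse_registry_blocks(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group "name"=value lines under the [key] header that precedes them."""
    blocks: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            blocks.setdefault(current, [])
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            # REG export format doubles backslashes inside quoted names.
            blocks[current].append((val.group(1).replace("\\\\", "\\"), val.group(2)))
    return blocks


def open_ports(blocks: Dict[str, List[Tuple[str, str]]]) -> List[dict]:
    """Return every globally open port with its protocol, state and label."""
    found = []
    for key, entries in blocks.items():
        if not key.lower().endswith("globallyopenports\\list"):
            continue
        for name, value in entries:
            m = PORT_RE.match(name)
            if not m:
                continue
            # Assumption: ComboFix renders a disabled exception with an "*isabled:" marker.
            disabled = re.search(r"\*d?isabled:", value, re.I) is not None
            found.append({"port": int(m.group(1)), "proto": m.group(2).upper(),
                          "enabled": not disabled, "label": value.split(":")[-1]})
    return found


def unusual_authorized_apps(blocks: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Authorized-application paths that live outside the expected prefixes."""
    flagged = []
    for key, entries in blocks.items():
        if not key.lower().endswith("authorizedapplications\\list"):
            continue
        for path, _ in entries:
            if not path.lower().startswith(STANDARD_PREFIXES):
                flagged.append(path)
    return flagged


def monitoring_disabled(blocks: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Products whose Security Center monitoring is overridden with DisableMonitoring=1."""
    products = []
    for key, entries in blocks.items():
        idx = key.lower().find(MONITORING_MARKER)
        if idx < 0:
            continue
        product = key[idx + len(MONITORING_MARKER):]
        for name, value in entries:
            if name.lower() == "disablemonitoring" and value.lower().endswith("00000001"):
                products.append(product)
    return products


def triage(text: str) -> dict:
    """One-call summary of the three sections."""
    blocks = parse_registry_blocks(text)
    ports = open_ports(blocks)
    return {
        "enabled_ports": sorted((p["port"], p["proto"]) for p in ports if p["enabled"]),
        "disabled_ports": sorted((p["port"], p["proto"]) for p in ports if not p["enabled"]),
        "unusual_apps": unusual_authorized_apps(blocks),
        "monitoring_disabled": monitoring_disabled(blocks),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"{section}: {items}")
```

Run it against a full log by reading the file into `triage()` instead of `SAMPLE_LOG`; the path prefixes and the `*isabled:` reading are the two places to adjust if your log comes from a different tool or a non-English Windows install.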



## SVXX (Apr 14, 2009)

--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HTTPFilter
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MBAMService
*Deregistered* - MDM
*Deregistered* - Messenger
*Deregistered* - MWAgent
*Deregistered* - Net Driver HPZ12
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - nTuneService
*Deregistered* - NVSvc
*Deregistered* - NWCWorkstation
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PnkBstrA
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - Security Activity Dashboard Service
*Deregistered* - SENS
*Deregistered* - SfCtlCom
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TMBMServer
*Deregistered* - TmPfw
*Deregistered* - TmProxy
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 03:39]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\documents and settings\Piyush\Application Data\Mozilla\Firefox\Profiles\92uqqgmk.default\extensions\[email protected]\plugins\npssn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 08:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\wbem\Performance\WmiApRpl_new.ini

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1844237615-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F325B3F7-D85B-6834-2EED-CC2A2D4B1C61}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"namnajnnedgnbkpdomkakeeejjla"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,
6c,69,6e,69,65,65,00,00
"macnclaieechbbpibeadmgbiag"=hex:6a,61,61,68,64,6f,64,66,6d,6f,63,6b,67,69,6c,
69,6e,69,65,65,00,74
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1420)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2280)
c:\program files\CursorXP\CurXP0.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWAGENT.EXE
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\platformdependent\ProToolbarComm.exe
c:\program files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 2009-04-25 8:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 03:25
ComboFix2.txt 2009-04-25 03:06
ComboFix3.txt 2009-04-23 17:14
ComboFix4.txt 2009-04-21 16:54
ComboFix5.txt 2009-04-25 03:14

Pre-Run: 12,907,147,264 bytes free
Post-Run: 12,886,249,472 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
442 --- E O F --- 2009-04-17 12:36


----------



## SVXX (Apr 14, 2009)

The problem has reduced, but it has in no way gone. My drives come back more frequently per reboot, but they go just as frequently.


----------



## Cookiegal (Aug 27, 2003)

Download *OTScanIt2.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt2* on your desktop.

Close any open browsers.
Open the *OTScanit2* folder and double-click on *OTScanit2.exe* to start the program.
If your real-time protection or antivirus intervenes with OTScanIt, allow it to run.
In the *Processes* group click *ALL*
In the *Services* group click *Safe List*
In the *Drivers* group click *Safe List*
In the *Registry* group click *ALL*
In the *Rootkit Search* group select *YES*
In the *Files Age* drop-down box click *60 days*
Make sure the *Use White List* and *Include All Unicode Names* boxes are checked
In the Files Created and Files Modified groups select *Whitelist/File age*
In the *Additional scans* section please select *Everything* and make sure the Safe List box is checked
Now on the toolbar at the top select "Scan all users" then click the *Run Scan* button
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and *attach the notepad file here*. I will review it when it comes in.

It will be much too big so you will need to zip the file before it will be able to be uploaded.


----------



## SVXX (Apr 14, 2009)

The scanfile is about 549 KB and the site limits txt files to 500...and my E drive wasn't present at the time of the scan.
I'm uploading it to Fileden and posting the link to it instead:
http://www.fileden.com/files/2007/6/14/1177796/OTScanIt.Txt


----------



## Cookiegal (Aug 27, 2003)

Please zip the report and attach it here.


----------



## SVXX (Apr 14, 2009)

The attachment as requested.


----------



## Cookiegal (Aug 27, 2003)

Start *OTScanIt*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill Explorer]
[Win32 Services - Safe List]
YY -> (AVP) Kaspersky Anti-Virus [Win32_Own | Auto | Stopped] -> 
[Registry - All]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Registry - Additional Scans - Safe List]
< App Paths [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
YN -> install.exe -> Reg Error: Value error. [Reg Error: Value error.]
< Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
YN -> C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^Y'z Toolbar.lnk -> %SystemRoot%\BRICOP~1\CRYSTA~1\YZTOOL~1\YZTOOL~1.EXE
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> HP Software Update hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe
YN -> Load hkey=HKCU key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> E:\TCWIN45\PIPELINE\remind.exe
YN -> LogMeIn GUI hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\LogMeIn\x86\LogMeInSystray.exe
[Files/Folders - Created Within 60 Days]
NY -> 9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 60 Days]
NY -> 9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[CatchMe Rootkit Scan by GMER]
NY -> C:\Documents and Settings\All Users\Application Data\TEMP:5684A312 150 bytes -> 
[Alternate Data Streams]
NY -> @Alternate Data Stream - 150 bytes -> %AllUsersProfile%\Application Data\TEMP:5684A312
[Extra Registry Entries]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F325B3F7-D85B-6834-2EED-CC2A2D4B1C61}
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------



## SVXX (Apr 14, 2009)

Process Explorer.EXE killed successfully!
[Win32 Services - Safe List]
Service AVP stopped successfully!
Service AVP deleted successfully!
File not found.
[Registry - All]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\ not found.
[Registry - Additional Scans - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\install.exe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Piyush^Start Menu^Programs^Startup^Y'z Toolbar.lnk\ deleted successfully.
File C:\WINDOWS\pss\'z Toolbar.lnk not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load hkey=HKCU key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ not found.
File not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogMeIn GUI hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
[Files/Folders - Created Within 60 Days]
[Files/Folders - Modified Within 60 Days]
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5684A312 deleted successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Piyush\Local Settings\temp\TMFBE_2948\unif0000 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Piyush\Local Settings\temp\etilqs_lnbOOR2NOaKSLPxsFgKF scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Piyush\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_dbc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Opera cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.14.0 fix logfile created on 04272009_065342

Files moved on Reboot...
File C:\Documents and Settings\Piyush\Local Settings\temp\TMFBE_2948\unif0000 not found!
File C:\Documents and Settings\Piyush\Local Settings\temp\etilqs_lnbOOR2NOaKSLPxsFgKF not found!
File C:\WINDOWS\temp\Perflib_Perfdata_b8.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_dbc.dat moved successfully.

Registry entries deleted on Reboot...


----------



## SVXX (Apr 14, 2009)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:49 AM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWAgent.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229274323500
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9124 bytes


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank 
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)*

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application.

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 13*.
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 13 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. *Do NOT use the Sun Download Manager.*
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
Check any item with *(Java Runtime Environment, JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Reboot and let me know how things are now.


----------



## SVXX (Apr 14, 2009)

Well they aren't any different. I've got update 13 but the problem is still there.


----------



## Cookiegal (Aug 27, 2003)

Can you give me a summary of what the problems are, please?


----------



## SVXX (Apr 14, 2009)

Well, an indicator that my hard drive and DVD drive are not going to turn up appears when the comp is booting. It stops at the cursor blinking screen (with everything else black), and the cursor freezes for about 3-4 minutes. Then booting resumes, the XP logo appears, and the comp starts a bit slower than usual.
Also, during power failures, my drives disappear. They may disappear for no reason as well in between computer sessions.


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## SVXX (Apr 14, 2009)

The MsiInstaller error was under Application, and I believe it has to do with my HP Deskjet Setup file getting stuck at 96% and not installing beyond that. It gives a fatal error.

Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 11905
Date: 4/30/2009
Time: 6:33:58 PM
User: ABC\Piyush
Computer: ABC
Description:
Product: SolutionCenter -- Error 1905. Module C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx failed to unregister. HRESULT -2147220472. Contact your support personnel.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 42 43 44 36 43 44 31 {BCD6CD1
0008: 41 2d 30 44 42 45 2d 34 A-0DBE-4
0010: 31 32 45 2d 39 46 32 35 12E-9F25
0018: 2d 33 42 35 30 30 44 31 -3B500D1
0020: 45 36 42 41 31 7d E6BA1}

System:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 5/1/2009
Time: 8:40,51,54:00 PM 
User: ABC\Piyush
Computer: ABC
Description:
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service hpqcxs08 with arguments "" in order to run the server:
{1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 5/1/2009
Time: 8:39:41 PM
User: N/A
Computer: ABC
Description:
The following boot-start or system-start driver(s) failed to load: 
kl1
klbg

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
There were various other instances of the above error on the same day, about 4 of them. More DCOM errors follow that.

Event Type: Error
Event Source: sptd
Event Category: None
Event ID: 4
Date: 4/30/2009
Time: 10:12:04 PM
User: N/A
Computer: ABC
Description:
Driver detected an internal error in its data structures for .

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 52 00 ......R.
0008: 00 00 00 00 04 00 04 c0 .......À
0010: 88 00 00 00 ff ff ff ff ...ÿÿÿÿ
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Error
Event Source: atapi
Event Category: None
Event ID: 9
Date: 4/30/2009
Time: 10:11:54 PM
User: N/A
Computer: ABC
Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

Event Type: Error
Event Source: PlugPlayManager
Event Category: None
Event ID: 12
Date: 4/30/2009
Time: 7:14:20 PM
User: N/A
Computer: ABC
Description:
The device 'ST3120022A' (IDE\DiskST3120022A______________________________8.54____\4a3432534a323259202020202020202020202020) disappeared from the system without first being prepared for removal.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 .... 
That's my hard drive!!
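A small parser for the Event Viewer text pasted above, added here as an example and not part of the thread: it separates the storage-channel errors the post ends on (atapi 9, PlugPlayManager 12, sptd 4) from the installer and DCOM noise, and tolerates the hand-merged Time field in the DCOM entry. The sample log is a condensed copy of three of the events in the post, constructed for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Sample input: a condensed copy of three events from the post above, in the
# plain-text form Event Viewer's copy button produces (constructed for this example).
SAMPLE_LOG = """Event Type: Error
Event Source: DCOM
Event ID: 10005
Date: 5/1/2009
Time: 8:40,51,54:00 PM
Description:
DCOM got error "The service cannot be started" attempting to start the service hpqcxs08

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: atapi
Event ID: 9
Date: 4/30/2009
Time: 10:11:54 PM
Description:
The device, \\Device\\Ide\\IdePort0, did not respond within the timeout period.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: PlugPlayManager
Event ID: 12
Date: 4/30/2009
Time: 7:14:20 PM
Description:
The device 'ST3120022A' disappeared from the system without first being prepared for removal.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""


@dataclass
class Event:
    source: str
    event_id: int
    when: Optional[datetime]  # None when Date/Time could not be parsed
    description: str


FIELD_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer): ?(.*)$", re.M)


def parse_events(text):
    """Split Event Viewer copy-paste text into Event records, one per 'Event Type:' block."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text)[1:]:
        fields = dict(FIELD_RE.findall(block))
        # The free-text description runs from "Description:" to the Help and Support footer.
        m = re.search(r"Description:\s*(.*?)\s*(?:For more information|\Z)", block, re.S)
        try:
            when = datetime.strptime(f"{fields['Date']} {fields['Time'].strip()}",
                                     "%m/%d/%Y %I:%M:%S %p")
        except (KeyError, ValueError):  # e.g. the hand-merged "8:40,51,54:00 PM" above
            when = None
        events.append(Event(fields.get("Event Source", "?"), int(fields.get("Event ID", 0)),
                            when, m.group(1).strip() if m else ""))
    return events


# (source, id) pairs the thread turns on; all three describe the IDE channel or the
# disk itself rather than anything the malware scans were chasing.
STORAGE_SIGNATURES = {
    ("atapi", 9): "IDE port stopped responding within the timeout",
    ("PlugPlayManager", 12): "device vanished without a removal request",
    ("sptd", 4): "SCSI pass-through driver internal error",
}


def storage_timeline(events):
    """Return (when, source, id, label) for storage-related events, oldest first;
    events with an unparseable timestamp sort last instead of breaking the sort."""
    hits = [(e.when, e.source, e.event_id, STORAGE_SIGNATURES[(e.source, e.event_id)])
            for e in events if (e.source, e.event_id) in STORAGE_SIGNATURES]
    return sorted(hits, key=lambda h: (h[0] is None, h[0] or datetime.min))


def points_at_hardware(events):
    """True when the surprise-removal and port-timeout events both appear: the pattern
    the thread reads as a cable, port or motherboard problem rather than an infection."""
    keys = {(e.source, e.event_id) for e in events}
    return ("PlugPlayManager", 12) in keys and ("atapi", 9) in keys


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for when, src, eid, label in storage_timeline(evs):
        print(f"{when}  {src} {eid}: {label}")
    print("check the drive's cabling first:", points_at_hardware(evs))
```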


----------



## Cookiegal (Aug 27, 2003)

This is not my area of expertise so I'm going to ask someone else to assist here.


----------



## SVXX (Apr 14, 2009)

Well thanks for all your help then! Awaiting my next helper.


----------



## Rollin' Rog (Dec 9, 2000)

Your boot drive is the "c:" drive and I take it the errant drive is "e:"?

If this is an external drive and the error (plugplaymanager) suggests that it is, the first thing I would do is make sure the cable connecting it is secure. Replace it if you can.

If it is an installed drive, which apparently can generate this with SATA or RAID drives, you need to check the cable.

See "anonymous" here >>

http://www.eventid.net/display.asp?eventid=12&eventno=2984&source=PlugPlayManager&phase=1

I hope you don't have a bad motherboard, but that is also a possibility here.


----------



## SVXX (Apr 14, 2009)

It's an installed hard drive..I can't check the cables until I find my + type screwdriver lol...I'll get back to you on that. Is there anything else I can do?
And yes, C: is my boot drive and E: is my errant drive.


----------



## Triple6 (Dec 26, 2002)

Also looks like you are having an issue with Flash. May want to uninstall Flash and update it to the latest version from Adobe's website. The Flash uninstall tool is here: http://kb2.adobe.com/cps/141/tn_14157.html

For the drive, I suggest, as mentioned earlier, checking the cables; maybe try another SATA port or another SATA cable.


----------

