Solved trojan help

Discussion in 'Malware and Virus Removal Archive' started by whopper, 2010/12/18.

  1. 2010/12/24
    whopper Inactive Thread Starter

    ComboFix 10-12-24.01 - jamesZeRo 12/25/2010 8:23.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.874.66.1033.18.511.235 [GMT 7:00]
    Running from: c:\documents and settings\jamesZeRo\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-25 to 2010-12-25 )))))))))))))))))))))))))))))))
    .

    2010-12-24 04:47 . 2010-12-24 04:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-12-24 04:22 . 1999-05-21 14:10 129024 ----a-w- c:\windows\system32\ZipDll.dll
    2010-12-24 04:22 . 1999-05-21 14:10 115712 ----a-w- c:\windows\system32\UnzDll.dll
    2010-12-24 04:22 . 1997-02-17 09:23 53248 ----a-w- c:\windows\system32\UNRAR.DLL
    2010-12-24 04:22 . 2010-12-24 04:23 -------- d-----w- c:\program files\EasyZip
    2010-12-22 10:17 . 2005-12-21 03:16 470048 ----a-w- c:\windows\system32\drivers\ar5211.sys
    2010-12-22 10:17 . 2005-12-21 03:16 470048 ----a-w- c:\windows\system32\ar5211.sys
    2010-12-22 10:17 . 2005-12-30 01:15 36864 ----a-w- c:\windows\system32\acs.exe
    2010-12-22 10:17 . 2010-12-22 10:17 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2010-12-22 10:17 . 2006-03-21 02:52 249856 ----a-w- c:\windows\system32\wgapi.dll
    2010-12-22 10:17 . 2005-12-30 01:04 315392 ----a-w- c:\windows\system32\AegisI5.exe
    2010-12-22 10:17 . 2005-12-30 01:04 1396835 ----a-w- c:\windows\system32\AegisE5.dll
    2010-12-22 10:17 . 2005-12-30 01:15 385024 ----a-w- c:\windows\system32\athcfg11.dll
    2010-12-22 10:17 . 2005-12-30 01:14 77824 ----a-w- c:\windows\system32\athcfg11res.dll
    2010-12-22 10:17 . 2005-12-30 01:10 237568 ----a-w- c:\windows\system32\wcapi.dll
    2010-12-22 10:17 . 2010-12-22 10:17 -------- d-----w- c:\program files\TP-LINK
    2010-12-21 08:55 . 2010-12-21 08:55 -------- d-sh--w- c:\documents and settings\jamesZeRo\IECompatCache
    2010-12-16 10:15 . 2010-12-16 10:15 -------- d-----w- c:\documents and settings\jamesZeRo\Application Data\Malwarebytes
    2010-12-16 10:15 . 2010-12-16 10:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-12-16 10:15 . 2010-11-29 10:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-16 10:15 . 2010-12-16 10:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-16 10:15 . 2010-11-29 10:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-16 01:34 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
    2010-12-16 01:34 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 01:33 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-05 07:27 . 2010-12-05 07:27 -------- d-----w- C:\Acrobat3
    2010-12-05 07:27 . 1996-10-21 08:36 298496 ----a-w- c:\windows\uninst.exe
    2010-12-05 07:26 . 1998-10-29 09:45 306688 ----a-w- c:\windows\IsUninst.exe
    2010-12-05 07:25 . 2010-12-05 07:25 -------- d-----w- c:\documents and settings\jamesZeRo\WINDOWS
    2010-12-03 12:37 . 2010-12-03 12:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-12-01 12:52 . 2010-12-01 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
    2010-11-25 11:01 . 2010-12-23 11:56 12920 ----a-w- c:\windows\system32\apl001.sys
    2010-11-25 11:01 . 2010-12-23 11:56 10872 ----a-w- c:\windows\system32\apf001.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-25 01:14 . 2010-12-25 01:18 159158 ----a-w- c:\windows\system32\CALC.zip
    2010-11-18 18:12 . 2010-10-08 08:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-15 07:14 . 2010-11-15 07:14 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-11-06 00:26 . 2002-12-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2002-12-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2002-12-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2002-12-31 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2002-12-31 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2002-12-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 11:11 . 2010-10-09 04:40 684031 ----a-w- c:\windows\unins000.exe
    2010-10-26 13:25 . 2002-12-31 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-10-09 05:10 . 2010-10-09 05:10 70264 ----a-w- c:\windows\system32\sealt.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-21_08.16.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-10-08 08:43 . 2002-12-31 12:00 946448 c:\windows\system32\calc.old.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
    "Skype "= "c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UnlockerAssistant "= "c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
    "egui "= "c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-04-07 2145000]
    "TWCU "= "c:\program files\TP-LINK\TWCU\TWCU.exe" [2006-03-29 364544]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, myxkbbyh.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=
    "d:\\My Documents\\Downloads\\New Folder\\TalesRunner\\trgame.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=
    "d:\\My Documents\\Downloads\\PB\\PointBlank\\PointBlank.exe "=
    "c:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe "=

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [15/11/2553 14:14 691696]
    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/4/2553 21:08 114984]
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/4/2553 21:09 95872]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [7/4/2553 21:08 810120]
    R3 apf001;apf001;d:\my documents\Downloads\SEAL\Seal Online Plus\apf001.sys [26/8/2553 23:12 10872]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 Tseal;Tseal;c:\windows\system32\sealt.sys [9/10/2553 12:10 70264]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig?hl=en
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-25 08:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath "= "c:\windows\system32\GameMon.des -service "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4044)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2010-12-25 08:29:05
    ComboFix-quarantined-files.txt 2010-12-25 01:29
    ComboFix2.txt 2010-12-21 08:19

    Pre-Run: 27,915,816,960 bytes free
    Post-Run: 27,995,365,376 bytes free

    - - End Of File - - E8EF7E0126151D4587F1F5A44E521CA3


    Thanks for the help.
     
  2. 2010/12/24
    broni Moderator Malware Analyst

    Very good :)

    How is the computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed, and let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     

  3. 2010/12/25
    whopper Inactive Thread Starter

    Computer working fine. Did scan, showed nothing with ESET NOD.

    OTL logfile created on: 25/12/2010 18:06:13 - Run 1
    OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\jamesZeRo\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 0000041E | Country: Thailand | Language: THA | Date Format: d/M/yyyy

    511.00 Mb Total Physical Memory | 154.00 Mb Available Physical Memory | 30.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 34.18 Gb Total Space | 25.95 Gb Free Space | 75.92% Space Free | Partition Type: NTFS
    Drive D: | 39.06 Gb Total Space | 30.17 Gb Free Space | 77.24% Space Free | Partition Type: NTFS
    Drive K: | 3.72 Gb Total Space | 0.87 Gb Free Space | 23.26% Space Free | Partition Type: FAT32

    Computer Name: MICROSOF-BA939C | User Name: jamesZeRo | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/12/25 17:25:23 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jamesZeRo\Desktop\OTL.exe
    PRC - [2010/04/07 21:08:52 | 000,810,120 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    PRC - [2010/04/07 21:08:30 | 002,145,000 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    PRC - [2010/03/16 14:15:04 | 002,676,112 | ---- | M] (Maxthon International Ltd.) -- C:\Program Files\Maxthon\Maxthon.exe
    PRC - [2009/02/06 17:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
    PRC - [2009/01/14 17:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    PRC - [2008/04/14 07:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/09/07 13:19:28 | 000,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
    PRC - [2006/03/29 16:12:06 | 000,364,544 | ---- | M] () -- C:\Program Files\TP-LINK\TWCU\TWCU.exe
    PRC - [2005/12/30 08:15:16 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/12/25 17:25:23 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jamesZeRo\Desktop\OTL.exe
    MOD - [2010/08/23 23:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    MOD - [2006/09/07 13:18:58 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2010/07/21 02:46:00 | 003,641,832 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
    SRV - [2010/04/07 21:13:20 | 000,033,560 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
    SRV - [2010/04/07 21:08:52 | 000,810,120 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
    SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
    SRV - [2009/01/14 17:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
    SRV - [2005/12/30 08:15:16 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
    SRV - [2005/10/06 18:12:30 | 000,855,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\JAMESZ~1\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/11/15 14:14:40 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
    DRV - [2010/10/09 12:10:58 | 000,070,264 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\sealt.sys -- (Tseal)
    DRV - [2010/08/26 23:12:16 | 000,010,872 | ---- | M] () [Kernel | On_Demand | Stopped] -- D:\My Documents\Downloads\SEAL\Seal Online Plus\apf001.sys -- (apf001)
    DRV - [2010/04/12 15:44:34 | 000,059,388 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
    DRV - [2010/04/07 21:09:48 | 000,095,872 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
    DRV - [2010/04/07 21:08:36 | 000,114,984 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
    DRV - [2010/04/07 21:05:12 | 000,140,216 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
    DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
    DRV - [2008/09/24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
    DRV - [2005/12/21 10:16:34 | 000,470,048 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
    DRV - [2004/08/04 05:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
    DRV - [2004/08/04 05:29:28 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/10/08 21:44:16 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2010/12/21 15:16:07 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
    O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
    O4 - HKLM..\Run: [TWCU] C:\Program Files\TP-LINK\TWCU\TWCU.exe ()
    O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286532665281 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286532622609 (MUWebControl Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\jamesZeRo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\jamesZeRo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O29 - HKLM SecurityProviders - (myxkbbyh.dll) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/10/08 15:47:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (17183584330711040)

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/12/25 17:25:23 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jamesZeRo\Desktop\OTL.exe
    [2010/12/25 08:29:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010/12/24 11:22:14 | 000,000,000 | ---D | C] -- C:\Program Files\EasyZip
    [2010/12/22 17:17:47 | 000,470,048 | ---- | C] (Atheros Communications, Inc.) -- C:\WINDOWS\System32\drivers\ar5211.sys
    [2010/12/22 17:17:47 | 000,470,048 | ---- | C] (Atheros Communications, Inc.) -- C:\WINDOWS\System32\ar5211.sys
    [2010/12/22 17:17:37 | 000,385,024 | ---- | C] (Atheros) -- C:\WINDOWS\System32\athcfg11.dll
    [2010/12/22 17:17:37 | 000,237,568 | ---- | C] (Atheros) -- C:\WINDOWS\System32\wcapi.dll
    [2010/12/22 17:17:37 | 000,077,824 | ---- | C] (Atheros Communications, Inc.) -- C:\WINDOWS\System32\athcfg11res.dll
    [2010/12/22 17:17:35 | 000,000,000 | ---D | C] -- C:\Program Files\TP-LINK
    [2010/12/21 15:55:41 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\jamesZeRo\IECompatCache
    [2010/12/21 15:07:21 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/12/21 15:07:21 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/12/21 15:07:21 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/12/21 15:07:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/12/21 15:04:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/12/21 15:04:19 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/12/16 17:15:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jamesZeRo\Application Data\Malwarebytes
    [2010/12/16 17:15:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/12/16 17:15:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/12/16 17:15:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/12/16 17:15:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/12/16 17:14:18 | 007,622,112 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\jamesZeRo\Desktop\mbam-setup.exe
    [2010/12/16 17:04:56 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jamesZeRo\Desktop\TFC.exe
    [2010/12/15 18:13:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jamesZeRo\Desktop\tdsskiller[1]
    [2010/12/09 15:21:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/12/09 15:21:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
    [2010/12/09 15:20:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\setupupd
    [2010/12/05 14:27:15 | 000,000,000 | ---D | C] -- C:\Acrobat3
    [2010/12/05 14:27:04 | 000,298,496 | ---- | C] (InstallShield Corporation, Inc.) -- C:\WINDOWS\uninst.exe
    [2010/12/05 14:25:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jamesZeRo\WINDOWS
    [2010/12/01 19:52:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PopCap Games

    ========== Files - Modified Within 30 Days ==========

    [2010/12/25 17:25:23 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jamesZeRo\Desktop\OTL.exe
    [2010/12/25 11:32:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/12/25 11:32:55 | 536,399,872 | -HS- | M] () -- C:\hiberfil.sys
    [2010/12/25 08:21:23 | 003,998,064 | R--- | M] () -- C:\Documents and Settings\jamesZeRo\Desktop\ComboFix.exe
    [2010/12/25 08:14:41 | 000,159,158 | ---- | M] () -- C:\WINDOWS\System32\CALC.zip
    [2010/12/25 08:14:41 | 000,159,158 | ---- | M] () -- C:\Documents and Settings\jamesZeRo\Desktop\CALC.zip
    [2010/12/24 11:23:39 | 000,001,455 | ---- | M] () -- C:\Documents and Settings\jamesZeRo\Desktop\EasyZip.lnk
    [2010/12/23 18:56:13 | 000,012,920 | ---- | M] () -- C:\WINDOWS\System32\apl001.sys
    [2010/12/23 18:56:00 | 000,010,872 | ---- | M] () -- C:\WINDOWS\System32\apf001.sys
    [2010/12/22 17:41:05 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
    [2010/12/22 17:37:10 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\jamesZeRo\Desktop\SystemLook.exe
    [2010/12/22 17:17:35 | 000,000,489 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TP-LINK Wireless Client Utility.lnk
    [2010/12/21 15:16:07 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/12/18 16:54:47 | 000,000,898 | ---- | M] () -- C:\Documents and Settings\jamesZeRo\Application Data\Microsoft\Internet Explorer\Quick Launch\Seal Online Plus.lnk
    [2010/12/18 16:54:47 | 000,000,898 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Seal Online Plus.lnk
    [2010/12/16 17:26:12 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\jamesZeRo\Desktop\3m0w8qvw.exe
    [2010/12/16 17:15:07 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/12/16 17:14:18 | 007,622,112 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\jamesZeRo\Desktop\mbam-setup.exe
    [2010/12/16 17:04:56 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jamesZeRo\Desktop\TFC.exe
    [2010/12/16 16:03:28 | 000,163,528 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/12/16 09:05:10 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/12/15 18:58:58 | 000,002,183 | ---- | M] () -- C:\WINDOWS\ACROREAD.INI
    [2010/12/14 14:32:03 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/12/09 15:22:05 | 000,000,282 | RHS- | M] () -- C:\boot.ini
    [2010/12/01 19:56:20 | 000,000,025 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
    [2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/11/26 21:00:10 | 000,000,766 | ---- | M] () -- C:\Documents and Settings\jamesZeRo\Desktop\Delta Force Black Hawk Down - Team Sabre.lnk

    ========== Files Created - No Company Name ==========

    [2010/12/25 08:18:08 | 000,159,158 | ---- | C] () -- C:\WINDOWS\System32\CALC.zip
    [2010/12/25 08:14:41 | 000,159,158 | ---- | C] () -- C:\Documents and Settings\jamesZeRo\Desktop\CALC.zip
    [2010/12/24 11:53:50 | 536,399,872 | -HS- | C] () -- C:\hiberfil.sys
    [2010/12/24 11:23:39 | 000,001,455 | ---- | C] () -- C:\Documents and Settings\jamesZeRo\Desktop\EasyZip.lnk
    [2010/12/24 11:22:15 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ZipDll.dll
    [2010/12/24 11:22:15 | 000,115,712 | ---- | C] () -- C:\WINDOWS\System32\UnzDll.dll
    [2010/12/24 11:22:15 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\UNRAR.DLL
    [2010/12/24 11:01:14 | 000,159,329 | ---- | C] () -- C:\Documents and Settings\jamesZeRo\Desktop\CALC.EX_
    [2010/12/22 17:36:39 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\jamesZeRo\Desktop\SystemLook.exe
    [2010/12/22 17:17:47 | 000,042,484 | ---- | C] () -- C:\WINDOWS\System32\net5211.inf
    [2010/12/22 17:17:47 | 000,000,026 | ---- | C] () -- C:\WINDOWS\System32\net5211.cat
    [2010/12/22 17:17:44 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\acs.exe
    [2010/12/22 17:17:38 | 000,315,392 | ---- | C] () -- C:\WINDOWS\System32\AegisI5.exe
    [2010/12/22 17:17:38 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\wgapi.dll
    [2010/12/22 17:17:35 | 000,000,489 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TP-LINK Wireless Client Utility.lnk
    [2010/12/21 15:07:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/12/21 15:07:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/12/21 15:07:21 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/12/21 15:07:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/12/21 15:07:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/12/21 15:00:55 | 003,998,064 | R--- | C] () -- C:\Documents and Settings\jamesZeRo\Desktop\ComboFix.exe
    [2010/12/16 17:26:11 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\jamesZeRo\Desktop\3m0w8qvw.exe
    [2010/12/16 17:15:07 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/12/16 09:02:30 | 000,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
    [2010/12/09 15:21:57 | 000,259,776 | RHS- | C] () -- C:\cmldr
    [2010/12/05 14:27:18 | 000,002,183 | ---- | C] () -- C:\WINDOWS\ACROREAD.INI
    [2010/12/01 19:56:18 | 000,000,025 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
    [2010/11/27 15:09:27 | 000,000,898 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Seal Online Plus.lnk
    [2010/11/26 21:00:10 | 000,000,766 | ---- | C] () -- C:\Documents and Settings\jamesZeRo\Desktop\Delta Force Black Hawk Down - Team Sabre.lnk
    [2010/11/25 18:01:18 | 000,012,920 | ---- | C] () -- C:\WINDOWS\System32\apl001.sys
    [2010/11/25 18:01:17 | 000,010,872 | ---- | C] () -- C:\WINDOWS\System32\apf001.sys
    [2010/11/15 14:14:39 | 000,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
    [2010/10/09 12:10:58 | 000,070,264 | ---- | C] () -- C:\WINDOWS\System32\sealt.sys
    [2010/10/08 22:37:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2010/10/08 21:11:12 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
    [2002/12/31 19:00:00 | 000,394,240 | ---- | C] () -- C:\WINDOWS\System32\HMTCD.dll
    [2002/12/31 19:00:00 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\CopyToSendTo.dll

    ========== LOP Check ==========

    [2010/11/15 14:14:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
    [2010/10/08 21:44:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
    [2010/12/01 19:52:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
    [2010/12/22 17:07:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/11/15 14:18:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jamesZeRo\Application Data\DAEMON Tools Lite
    [2010/10/08 21:16:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jamesZeRo\Application Data\GetRightToGo
    [2010/11/08 20:32:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jamesZeRo\Application Data\IObit
    [2010/10/08 22:06:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jamesZeRo\Application Data\LocalLow
    [2010/11/08 20:05:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jamesZeRo\Application Data\URSoft
    [2010/12/05 21:37:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jamesZeRo\Application Data\uTorrent

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/10/08 15:47:50 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/12/09 15:22:05 | 000,000,282 | RHS- | M] () -- C:\boot.ini
    [2002/12/31 19:00:00 | 000,259,776 | RHS- | M] () -- C:\cmldr
    [2010/12/25 08:29:06 | 000,008,262 | ---- | M] () -- C:\ComboFix.txt
    [2010/10/08 15:47:50 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2010/12/25 11:32:55 | 536,399,872 | -HS- | M] () -- C:\hiberfil.sys
    [2010/10/08 15:47:50 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/10/08 15:47:50 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2002/12/31 19:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2010/10/08 19:20:06 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/12/25 11:32:54 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
    [2010/12/15 18:16:20 | 000,034,032 | ---- | M] () -- C:\TDSSKiller.2.4.11.0_15.12.2010_18.14.01_log.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2010/10/08 15:47:11 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 19:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2008/07/06 17:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2009/07/10 12:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2010/10/08 22:34:10 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2010/10/08 22:34:10 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2010/10/08 22:34:10 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2010/10/08 19:24:28 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010/10/08 19:31:06 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\jamesZeRo\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2010/11/21 16:57:29 | 000,000,134 | ---- | M] () -- C:\Documents and Settings\jamesZeRo\Application Data\Microsoft\Internet Explorer\Quick Launch\PointBlank.url
    [2010/10/08 16:09:23 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\jamesZeRo\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/12/16 17:26:12 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\jamesZeRo\Desktop\3m0w8qvw.exe
    [2010/12/25 08:21:23 | 003,998,064 | R--- | M] () -- C:\Documents and Settings\jamesZeRo\Desktop\ComboFix.exe
    [2010/12/16 17:14:18 | 007,622,112 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\jamesZeRo\Desktop\mbam-setup.exe
    [2010/12/25 17:25:23 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jamesZeRo\Desktop\OTL.exe
    [2010/12/22 17:37:10 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\jamesZeRo\Desktop\SystemLook.exe
    [2010/12/16 17:04:56 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jamesZeRo\Desktop\TFC.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/10/08 19:31:06 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\jamesZeRo\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/12/25 17:23:24 | 000,163,840 | ---- | M] () -- C:\Documents and Settings\jamesZeRo\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2002/12/31 19:00:00 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/14 07:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2002/12/31 19:00:00 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 01:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 21:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/14 00:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 07:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2002/12/31 19:00:00 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2002/12/31 19:00:00 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2002/12/31 19:00:00 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 01:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 01:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 168 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CE11B51

    < End of report >
     
  5. 2010/12/25
    whopper Inactive Thread Starter
    OTL Extras logfile created on: 25/12/2010 18:06:13 - Run 1
    OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\jamesZeRo\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 0000041E | Country: Thailand | Language: THA | Date Format: d/M/yyyy

    511.00 Mb Total Physical Memory | 154.00 Mb Available Physical Memory | 30.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 34.18 Gb Total Space | 25.95 Gb Free Space | 75.92% Space Free | Partition Type: NTFS
    Drive D: | 39.06 Gb Total Space | 30.17 Gb Free Space | 77.24% Space Free | Partition Type: NTFS
    Drive K: | 3.72 Gb Total Space | 0.87 Gb Free Space | 23.26% Space Free | Partition Type: FAT32

    Computer Name: MICROSOF-BA939C | User Name: jamesZeRo | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- File not found
    "C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:?Torrent -- (BitTorrent, Inc.)
    "C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
    "D:\My Documents\Downloads\New Folder\TalesRunner\trgame.exe" = D:\My Documents\Downloads\New Folder\TalesRunner\trgame.exe:*:Enabled:TalesRunner -- (Rhaon Ent.)
    "D:\My Documents\Downloads\PB\PointBlank\PointBlank.exe" = D:\My Documents\Downloads\PB\PointBlank\PointBlank.exe:*:Enabled:pointBlank -- (Zepetto)
    "C:\Program Files\EA GAMES\Need for Speed Underground 2\speed2.exe" = C:\Program Files\EA GAMES\Need for Speed Underground 2\speed2.exe:*:Enabled:speed2 -- ()


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
    "{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{28006915-2739-4EBE-B5E8-49B25D32EB33}" = TP-LINK Client Installation Program
    "{2F306DA7-EBB0-40CC-B3C7-B94825D16CD3}_is1" = Seal Online Plus v.54
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
    "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
    "{4B35F00C-E63D-40DC-9839-DF15A33EAC46}" = Grand Theft Auto Vice City
    "{58D16894-72C4-4605-B306-C447A119DE1A}" = ESET NOD32 Antivirus
    "{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
    "{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
    "{7F34A21F-2DEB-4598-BB19-611D6BD24271}" = Managed DirectX (0901)
    "{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
    "{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
    "{909F8EBC-EC7F-48FF-0085-475D818F0F31}" = Need for Speed Underground 2
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
    "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
    "{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
    "{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
    "{ED5AACB5-F387-4DF0-961D-C2E5EA8702CF}" = Global Operations
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
    "{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
    "Adobe Acrobat Reader 3.0" = Adobe Acrobat Reader 3.0
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Advanced SystemCare 3_is1" = Advanced SystemCare 3
    "EasyZip" = EasyZip
    "ie8" = Windows Internet Explorer 8
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Maxthon" = Maxthon Browser (remove only)
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "PlayNCLauncher" = PlayNCLauncher
    "PointBlankTH" = PointBlank
    "PowerISO" = PowerISO
    "TalesRunner" = TalesRunner 1.777_20100810
    "Talesrunner Launcher_is1" = Talesrunner Launcher 1.0
    "uTorrent" = µTorrent
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "YU2010_is1" = Your Uninstaller! 2010

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 22/12/2010 9:03:47 | Computer Name = MICROSOF-BA939C | Source = Application Error | ID = 1000
    Description = Faulting application so3d.exe, version 0.0.0.1, faulting module ,
    version 0.0.0.0, fault address 0x00000000.

    Error - 22/12/2010 9:14:44 | Computer Name = MICROSOF-BA939C | Source = Application Error | ID = 1000
    Description = Faulting application trgame.exe, version 1.261.4.50, faulting module
    , version 0.0.0.0, fault address 0x00000000.

    Error - 22/12/2010 9:20:28 | Computer Name = MICROSOF-BA939C | Source = Application Error | ID = 1000
    Description = Faulting application trgame.exe, version 1.261.4.50, faulting module
    , version 0.0.0.0, fault address 0x00000000.

    Error - 23/12/2010 6:29:39 | Computer Name = MICROSOF-BA939C | Source = ESENT | ID = 447
    Description = wlcomm (3912) A bad page link (error -327) has been detected in a
    B-Tree (ObjectId: 94, PgnoRoot: 228) of database C:\Documents and Settings\jamesZeRo\Local
    Settings\Application Data\Microsoft\Windows Live Contacts\{11d8f44a-3b9d-4c4f-aba8-886adf42367b}\DBStore\contacts.edb
    (383 => 382, 490).

    Error - 23/12/2010 7:15:04 | Computer Name = MICROSOF-BA939C | Source = Application Error | ID = 1000
    Description = Faulting application so3d.exe, version 0.0.0.1, faulting module ,
    version 0.0.0.0, fault address 0x00000000.

    Error - 23/12/2010 7:50:42 | Computer Name = MICROSOF-BA939C | Source = Application Error | ID = 1000
    Description = Faulting application so3d.exe, version 0.0.0.1, faulting module ,
    version 0.0.0.0, fault address 0x00000000.

    Error - 24/12/2010 1:11:43 | Computer Name = MICROSOF-BA939C | Source = ESENT | ID = 447
    Description = wlcomm (2760) A bad page link (error -327) has been detected in a
    B-Tree (ObjectId: 94, PgnoRoot: 228) of database C:\Documents and Settings\jamesZeRo\Local
    Settings\Application Data\Microsoft\Windows Live Contacts\{11d8f44a-3b9d-4c4f-aba8-886adf42367b}\DBStore\contacts.edb
    (383 => 382, 490).

    Error - 24/12/2010 7:12:52 | Computer Name = MICROSOF-BA939C | Source = ESENT | ID = 447
    Description = wlcomm (3720) A bad page link (error -327) has been detected in a
    B-Tree (ObjectId: 94, PgnoRoot: 228) of database C:\Documents and Settings\jamesZeRo\Local
    Settings\Application Data\Microsoft\Windows Live Contacts\{11d8f44a-3b9d-4c4f-aba8-886adf42367b}\DBStore\contacts.edb
    (383 => 382, 490).

    Error - 24/12/2010 9:24:48 | Computer Name = MICROSOF-BA939C | Source = Application Error | ID = 1000
    Description = Faulting application so3d.exe, version 0.0.0.1, faulting module ,
    version 0.0.0.0, fault address 0x00000000.

    Error - 25/12/2010 6:23:00 | Computer Name = MICROSOF-BA939C | Source = ESENT | ID = 447
    Description = wlcomm (1816) A bad page link (error -327) has been detected in a
    B-Tree (ObjectId: 94, PgnoRoot: 228) of database C:\Documents and Settings\jamesZeRo\Local
    Settings\Application Data\Microsoft\Windows Live Contacts\{11d8f44a-3b9d-4c4f-aba8-886adf42367b}\DBStore\contacts.edb
    (383 => 382, 490).

    [ System Events ]
    Error - 19/12/2010 1:08:12 | Computer Name = MICROSOF-BA939C | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
    period.

    Error - 19/12/2010 1:12:08 | Computer Name = MICROSOF-BA939C | Source = Service Control Manager | ID = 7034
    Description = The TP-LINK Configuration Service service terminated unexpectedly.
    It has done this 1 time(s).

    Error - 19/12/2010 1:12:08 | Computer Name = MICROSOF-BA939C | Source = Service Control Manager | ID = 7034
    Description = The SeaPort service terminated unexpectedly. It has done this 1 time(s).

    Error - 19/12/2010 1:17:16 | Computer Name = MICROSOF-BA939C | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
    period.

    Error - 19/12/2010 1:17:29 | Computer Name = MICROSOF-BA939C | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
    period.

    Error - 19/12/2010 1:17:31 | Computer Name = MICROSOF-BA939C | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
    period.

    Error - 19/12/2010 1:17:48 | Computer Name = MICROSOF-BA939C | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
    period.

    Error - 19/12/2010 1:43:47 | Computer Name = MICROSOF-BA939C | Source = Service Control Manager | ID = 7028
    Description = The hcmrfa Registry key denied access to SYSTEM account programs so
    the Service Control Manager took ownership of the Registry key.

    Error - 19/12/2010 3:03:56 | Computer Name = MICROSOF-BA939C | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.1.3 for the Network Card with network
    address 0019E06DF2F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
    sent a DHCPNACK message).

    Error - 19/12/2010 22:34:28 | Computer Name = MICROSOF-BA939C | Source = Dhcp | ID = 1000
    Description = Your computer has lost the lease to its IP address 192.168.1.3 on
    the Network Card with network address 0019E06DF2F0.


    < End of report >
     
  6. 2010/12/25
    broni Moderator Malware Analyst
    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ==============================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O29 - HKLM SecurityProviders - (myxkbbyh.dll) - File not found
      @Alternate Data Stream - 168 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CE11B51
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a BitDefender Online Scan

    • Disable your antivirus program.
    • Click Start Scanner button.
    • Click Start scan button
    • Allow browser plug-in to be installed when prompted.
    • Click I Agree to agree to the EULA.
    • Please refrain from using the computer until the scan is finished.
    • When the scan is finished, click on View log.
    • Notepad will open with scan results.
    • Save the report to your desktop and post its content in your next reply.
     
  7. 2010/12/26
    whopper

    whopper Inactive Thread Starter

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders:myxkbbyh.dll deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:1CE11B51 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: jamesZeRo
    ->Temp folder emptied: 9298625 bytes
    ->Temporary Internet Files folder emptied: 15221752 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 581 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 255 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 23.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: jamesZeRo
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb

    Error: Unable to interpret <[Reboot> in the current context!

    OTL by OldTimer - Version 3.2.18.0 log created on 12262010_133323

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
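
The fix log above can be checked line by line against the script that was pasted into OTL. The following is an added example, not part of the thread and not OTL's own code: it parses the action lines and the error line copied from that log. The function names and the regular expressions are assumptions based only on the line shapes visible in the log.

```python
import re

# Action lines and the error line copied from the OTL 3.2.18.0 fix log above.
FIX_LOG = r"""
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders:myxkbbyh.dll deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1CE11B51 deleted successfully.
========== COMMANDS ==========
Error: Unable to interpret <[Reboot> in the current context!
"""

# Assumed line shapes: "<kind> <target> <outcome>." and the interpreter error.
ACTION = re.compile(
    r"^(?P<kind>Registry key|Registry value|ADS)\s+(?P<target>.+?)\s+"
    r"(?P<outcome>deleted successfully|not found)\.$"
)
ERROR = re.compile(r"^Error: Unable to interpret <(?P<cmd>.*)> in the current context!$")


def triage_fix_log(text):
    """Split a fix log into per-item actions and commands the tool rejected."""
    actions, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        m = ACTION.match(line)
        if m:
            actions.append((m["kind"], m["target"], m["outcome"]))
            continue
        m = ERROR.match(line)
        if m:
            rejected.append(m["cmd"])
    return actions, rejected


def unbalanced_directives(rejected):
    """Rejected commands that look like a [directive] missing its closing bracket."""
    return [c for c in rejected if c.startswith("[") and not c.endswith("]")]


if __name__ == "__main__":
    acts, bad = triage_fix_log(FIX_LOG)
    for kind, target, outcome in acts:
        print(f"{outcome:22} {kind}: {target}")
    print("rejected:", bad, "unbalanced:", unbalanced_directives(bad))
```

On this log it reports the three scripted items as handled (the CLSID key was already absent, matching "No CLSID value found" in the script) and shows that the reboot directive reached OTL as `[Reboot`, without its closing bracket.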
     
  8. 2010/12/26
    whopper

    whopper Inactive Thread Starter

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    ESET NOD32 Antivirus
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 23
    Out of date Java installed!
    Adobe Flash Player 10.1.102.64
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````
     
  9. 2010/12/26
    whopper

    whopper Inactive Thread Starter

    will have bit defender scan tomorrow

    thanks again for all the help
     
  10. 2010/12/26
    broni

    broni Moderator Malware Analyst

    No problem :)
     
  11. 2010/12/26
    whopper

    whopper Inactive Thread Starter

    For some reason BitDefender will not update the virus definitions. It fails.

    Do you want me to scan without an update? My antivirus is turned off.
     
  12. 2010/12/26
    broni

    broni Moderator Malware Analyst

    Go ahead...
     
  13. 2010/12/28
    whopper

    whopper Inactive Thread Starter

    One more thing. I installed the Windows Recovery Console, and every time I start Windows I have 2 choices, Windows XP or Windows Recovery Console. How can I remove the Windows Recovery Console option?

    BitDefender Online Scanner

    Scan report generated at: Tue, Dec 28, 2010 - 13:38:04
    Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;

    Statistics
    Time: 01:32:12
    Files: 298548
    Folders: 3767
    Boot Sectors: 0
    Archives: 1427
    Packed Files: 15376

    Results
    Identified Viruses: 2
    Infected Files: 3
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 3

    Engines Info
    Virus Definitions: 6506891
    Engine build: AVCORE v2.1 Windows/i386 11.0.0.42 (Oct 18 2010)
    Scan plugins: 18
    Archive plugins: 44
    Unpack plugins: 10
    E-mail plugins: 6
    System plugins: 4

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File: C:\Qoobox\Quarantine\C\WINDOWS\Temp\mkkmhr.sys.vir
    Status: Infected with: Trojan.Generic.5170923

    Scanned File: C:\Qoobox\Quarantine\C\WINDOWS\Temp\mkkmhr.sys.vir
    Status: Deleted

    Scanned File: D:\My Documents\Downloads\SEAL\Seal Online Plus\Avital\traydlg.dll
    Status: Infected with: Trojan.Generic.5252857

    Scanned File: D:\My Documents\Downloads\SEAL\Seal Online Plus\Avital\traydlg.dll
    Status: Deleted

    Scanned File: D:\System Volume Information\_restore{34996573-2E3E-4D3E-986B-75E8F27AABCD}\RP5\A0008598.dll
    Status: Infected with: Trojan.Generic.5252857

    Scanned File: D:\System Volume Information\_restore{34996573-2E3E-4D3E-986B-75E8F27AABCD}\RP5\A0008598.dll
    Status: Deleted
     
  14. 2010/12/28
    whopper

    whopper Inactive Thread Starter

    a new issue. the computer seems to reboot at random. not constantly, just randomly.

    thanks for the help !
     
  15. 2010/12/28
    broni

    broni Moderator Malware Analyst

    You don't. Recovery console is an important troubleshooting tool.

    ================================================================

    Your computer is clean :)

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how your computer is doing.

    ==============================================================

    In this forum, we make sure your computer is free of malware, and your computer is clean :)
    Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.
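
Step 1 above clears the restore points because one of the three BitDefender hits sat inside a System Restore store rather than in a live folder. The following is an added example, not part of the thread or of any tool used in it: it sorts the three paths from the scan report by where they live. The classification rules are assumptions taken from the path shapes in that report (`Qoobox\Quarantine\<drive>\...\*.vir` and `System Volume Information\_restore{GUID}\RPn\`).

```python
import re
from collections import defaultdict

# Path/detection pairs copied from the BitDefender Online Scanner report above.
DETECTIONS = [
    (r"C:\Qoobox\Quarantine\C\WINDOWS\Temp\mkkmhr.sys.vir",
     "Trojan.Generic.5170923"),
    (r"D:\My Documents\Downloads\SEAL\Seal Online Plus\Avital\traydlg.dll",
     "Trojan.Generic.5252857"),
    (r"D:\System Volume Information\_restore{34996573-2E3E-4D3E-986B-75E8F27AABCD}\RP5\A0008598.dll",
     "Trojan.Generic.5252857"),
]

# Assumed layout: <drive>\System Volume Information\_restore{GUID}\RPn\...
RESTORE = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(RP\d+)\\", re.I)
# Assumed layout: <drive>\Qoobox\Quarantine\<original drive>\<original path>.vir
QUARANTINE = re.compile(r"^[A-Z]:\\Qoobox\\Quarantine\\([A-Z])\\(.+)\.vir$", re.I)


def classify(path):
    """Return (location, detail) for one scanner hit path."""
    m = RESTORE.match(path)
    if m:
        return "restore_point", m.group(1)          # restore point id, e.g. RP5
    m = QUARANTINE.match(path)
    if m:
        return "quarantine", m.group(1) + ":\\" + m.group(2)  # original location
    return "live_file", path


def triage(detections):
    """Group hits by location and list the restore points that contain a hit."""
    groups = defaultdict(list)
    for path, name in detections:
        location, detail = classify(path)
        groups[location].append((name, detail))
    affected = sorted({detail for _, detail in groups["restore_point"]})
    return dict(groups), affected


if __name__ == "__main__":
    grouped, restore_points = triage(DETECTIONS)
    for location, hits in grouped.items():
        for name, detail in hits:
            print(f"{location:14} {name:24} {detail}")
    print("restore points holding a detected file:", restore_points)
```

Only `traydlg.dll` was a live file. The `.vir` entry was already in quarantine, and the `RP5` entry is the kind of copy that rolling back to an old restore point could bring back.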
     
  16. 2010/12/28
    whopper

    whopper Inactive Thread Starter

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: jamesZeRo
    ->Temp folder emptied: 10166231 bytes
    ->Temporary Internet Files folder emptied: 4918967 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 581 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 82184 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 15.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: jamesZeRo
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.18.0 log created on 12292010_120933

    Files\Folders moved on Reboot...
    C:\Documents and Settings\jamesZeRo\Local Settings\Temporary Internet Files\Content.IE5\NKZ3IYYC\96833-active-trojen-help-3[1].html moved successfully.
    C:\Documents and Settings\jamesZeRo\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

    Registry entries deleted on Reboot...
     
  17. 2010/12/28
    broni

    broni Moderator Malware Analyst

    Good :)

    Good luck in another forum, regarding your restart issue.....
     
  18. 2010/12/28
    whopper

    whopper Inactive Thread Starter

    Thanks again for all the help Broni, the computer is working well.

    Happy new year.
     
  19. 2010/12/28
    broni

    broni Moderator Malware Analyst

    Happy New Year to you too :)
     
