Can't get rid of AV Security Suite...

View previous topic View next topic Go down

Can't get rid of AV Security Suite...

Post by Immortalus on Mon 05 Jul 2010, 4:23 pm

So the other day, when I had turned on the computer I had the AV Security Suite virus on my computer. I've had viruses similar to it before, so I restarted my computer and ran rkill to stop the processes so I could run my antivirus programs. Rkill ran, but didn't stop AV Security Suite from running, so I started the computer up in safe mode and ran Malwarebytes as well as Avira. Malwarebytes got rid of 6 infections, and Avira an additional 7, but AV Security Suite is still there. Help? D:

Immortalus

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2010-07-05
Operating System : Windows XP

View user profile

Back to top Go down

Re: Can't get rid of AV Security Suite...

Post by Sneakyone on Mon 05 Jul 2010, 5:27 pm

Hi, Welcome to GeekPolice.net!

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    nvstor32.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    ws2_32.dll
    proquota.exe
    imm32.dll
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    nvrd32.sys
    /md5stop
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time



Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Can't get rid of AV Security Suite...

Post by Immortalus on Wed 07 Jul 2010, 2:51 am

OTL logfile created on: 7/5/2010 3:59:03 AM - Run 1
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Documents and Settings\Lela han\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 723.00 Mb Available Physical Memory | 71.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 229.77 Gb Total Space | 202.75 Gb Free Space | 88.24% Space Free | Partition Type: NTFS
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LELA-FFB00CD876
Current User Name: Lela han
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/05 03:47:15 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lela han\Desktop\OTL.exe
PRC - [2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/07/05 03:47:15 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lela han\Desktop\OTL.exe
MOD - [2004/08/04 05:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 05:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/07/01 14:26:57 | 002,561,624 | ---- | M] () [Auto | Stopped] -- c:\Program Files\Common Files\Akamai\rswin_3725.dll -- (Akamai)
SRV - [2010/04/27 14:54:49 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/01/19 17:57:00 | 003,449,616 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2009/08/18 12:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva349.sys -- (XDva349)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva296.sys -- (XDva296)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\isadeep.sys -- (isadeep)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\EagleNT.sys -- (EagleNT)
DRV - [2010/03/01 09:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 13:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/01/15 20:17:58 | 004,652,544 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/04/16 22:16:26 | 005,760,096 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/04/13 21:33:34 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel(R)
DRV - [2005/01/07 18:07:18 | 000,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {51B19E62-1F34-462B-A9A1-533931A5DACF}:1.9.1
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Firefox\extensions\\{51B19E62-1F34-462B-A9A1-533931A5DACF}: C:\Documents and Settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF} [2010/04/14 00:02:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/29 02:59:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/27 11:29:27 | 000,000,000 | ---D | M]

[2010/01/30 22:52:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lela han\Application Data\Mozilla\Extensions
[2010/06/24 13:07:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lela han\Application Data\Mozilla\Firefox\Profiles\6zmlha81.default\extensions
[2010/07/01 23:34:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/19 15:09:47 | 000,002,191 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml

Hosts file not found
O2 - BHO: (C:\WINDOWS\system32\h8z5jc8.dll) - {A3BA40A2-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\System32\h8z5jc8.dll File not found
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [jrejorii] C:\Documents and Settings\NetworkService\Local Settings\Application Data\atftixwrf\mlolbcotssd.exe ()
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Vfayenakoho] C:\WINDOWS\upucinep.DLL File not found
O4 - HKCU..\Run: [Aim] C:\Program Files\AIM\aim.exe (AOL Inc.)
O4 - HKCU..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\LELAHA~1\LOCALS~1\Temp\win.exe File not found
O4 - HKCU..\Run: [Jyopi] C:\WINDOWS\msogrsap.DLL File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Otaku Mascot.lnk = C:\Program Files\Accursed Toys\Otaku Mascot\Mascot.exe (Accursed Toys, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O22 - SharedTaskScheduler: {A3BA40A2-74F1-52BD-F434-00B15A2C8953} - hs3t873tisghs837tgysu7 - C:\WINDOWS\System32\h8z5jc8.dll File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Lela han\My Documents\My Pictures\Game Screenshots\Perfect World\4.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Lela han\My Documents\My Pictures\Game Screenshots\Perfect World\4.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/30 22:15:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2c888342-1d99-11df-8d36-001aa09c95d6}\Shell - "" = AutoRun
O33 - MountPoints2\{2c888342-1d99-11df-8d36-001aa09c95d6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6199fe78-3ab7-11df-8d81-001aa09c95d6}\Shell - "" = AutoRun
O33 - MountPoints2\{6199fe78-3ab7-11df-8d81-001aa09c95d6}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found


SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/05 03:47:13 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lela han\Desktop\OTL.exe
[2010/07/02 20:50:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\atftixwrf
[2010/06/26 12:50:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Application Data\acccore
[2010/06/26 12:50:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Local Settings\Application Data\AOL
[2010/06/26 12:50:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Local Settings\Application Data\AIM
[2010/06/26 12:50:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AIM
[2010/06/26 12:49:55 | 000,000,000 | ---D | C] -- C:\Program Files\AIM
[2010/06/26 12:49:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2010/06/26 12:49:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AOL
[2010/06/24 04:52:19 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/06/24 00:57:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DirectX
[2010/06/22 22:42:25 | 000,000,000 | ---D | C] -- C:\AeriaGames
[2010/06/21 01:19:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Akamai
[2010/06/13 23:34:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\My Documents\Tales Runner
[2010/06/10 21:59:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NexonUS
[2010/06/10 21:59:46 | 000,000,000 | ---D | C] -- C:\Nexon
[2010/06/10 21:05:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Local Settings\Application Data\aulmvd
[2010/06/07 14:39:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Local Settings\Application Data\PMB Files
[2010/06/07 14:39:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/06/06 23:14:10 | 000,000,000 | ---D | C] -- C:\Program Files\gpotato
[2010/06/01 20:50:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\My Documents\Direct X
[2010/05/31 22:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/31 21:47:26 | 000,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2010/05/31 21:47:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2010/05/31 21:43:54 | 000,000,000 | ---D | C] -- C:\GamepotUSA
[2010/05/31 02:42:44 | 000,000,000 | ---D | C] -- C:\Program Files\Pando Networks
[2010/05/26 21:00:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/05/24 22:08:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Local Settings\Application Data\tngvawlkg
[2010/05/21 04:51:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Lela han\Application Data\SystemProc
[2010/05/19 15:09:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Local Settings\Application Data\Babylon
[2010/05/19 15:09:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Application Data\Babylon
[2010/05/19 15:09:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2010/05/12 18:55:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/12 18:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/05/11 18:54:27 | 000,079,256 | ---- | C] (OGPlanet) -- C:\WINDOWS\System32\npOGPPlugin.dll
[2010/05/11 18:54:26 | 000,271,768 | ---- | C] (OGPlanet) -- C:\WINDOWS\System32\OGPIEPlugin.ocx
[2010/05/11 18:54:07 | 000,000,000 | ---D | C] -- C:\Program Files\OGPlanet
[2010/05/10 21:13:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Local Settings\Application Data\vwrlrbdfo
[2010/05/05 21:09:49 | 000,000,000 | ---D | C] -- C:\Program Files\GIMP-2
[2010/04/19 00:03:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Local Settings\Application Data\ffrtljjgr
[2010/04/18 01:14:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Local Settings\Application Data\qhnpakjqn
[2010/04/14 19:16:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/14 00:02:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF}
[2010/04/13 14:54:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lela han\Application Data\Avira
[2010/04/07 14:39:08 | 000,000,000 | ---D | C] -- C:\Perfect World Entertainment
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2099/01/01 12:00:00 | 000,001,744 | -H-- | M] () -- C:\WINDOWS\System32\laparari
[2010/07/05 03:47:15 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lela han\Desktop\OTL.exe
[2010/07/05 03:03:01 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/05 01:05:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/05 01:04:23 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/05 01:04:21 | 004,980,736 | -H-- | M] () -- C:\Documents and Settings\Lela han\NTUSER.DAT
[2010/07/05 01:04:21 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Lela han\ntuser.ini
[2010/07/05 01:02:23 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/05 01:01:18 | 002,695,598 | -H-- | M] () -- C:\Documents and Settings\Lela han\Local Settings\Application Data\IconCache.db
[2010/07/04 23:22:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2CAE369E-F432-4CBA-9A9B-6017C9A83AEC}.job
[2010/07/04 20:10:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/02 21:13:23 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/02 04:54:53 | 000,038,958 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\RP Charas.rtf
[2010/07/01 21:12:01 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Lela han\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/07/01 21:10:07 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\Lela han\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/26 12:50:03 | 000,000,456 | -H-- | M] () -- C:\IPH.PH
[2010/06/26 12:49:59 | 000,001,592 | ---- | M] () -- C:\Documents and Settings\Lela han\Application Data\Microsoft\Internet Explorer\Quick Launch\AIM.lnk
[2010/06/26 12:49:59 | 000,001,574 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2010/06/24 00:46:52 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Reborn! B-days.doc
[2010/06/22 22:45:46 | 000,001,576 | ---- | M] () -- C:\Documents and Settings\Lela han\Desktop\Grand Fantasia.lnk
[2010/06/18 21:27:35 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Silly Phobias.doc
[2010/06/18 15:30:19 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Chaos War Schedule.doc
[2010/06/10 22:07:36 | 000,000,204 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MapleStory.url
[2010/06/07 19:27:31 | 000,000,818 | ---- | M] () -- C:\Documents and Settings\Lela han\Desktop\TalesRunner.lnk
[2010/06/07 14:36:54 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Sdijipiqowa.dat
[2010/06/07 14:36:54 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Shirapona.bin
[2010/06/06 23:11:59 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Tales Runner Key.doc
[2010/06/05 00:42:29 | 000,032,256 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Al Qaeda is a terrible organization that has killed hundreds.doc
[2010/05/31 22:19:50 | 000,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/31 22:19:50 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/31 22:19:50 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/31 02:31:53 | 000,003,321 | -HS- | M] () -- C:\Documents and Settings\Lela han\Application Data\02000000795987b9922P.manifest
[2010/05/31 02:31:53 | 000,000,013 | -HS- | M] () -- C:\Documents and Settings\Lela han\Application Data\02000000795987b9922C.manifest
[2010/05/31 02:31:53 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\Lela han\Application Data\02000000795987b9922S.manifest
[2010/05/31 02:31:53 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\Lela han\Application Data\02000000795987b9922O.manifest
[2010/05/30 20:43:14 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Song of Storms.doc
[2010/05/26 02:09:16 | 000,000,624 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/24 16:54:46 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Tinierme.doc
[2010/05/12 18:56:11 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/09 12:59:39 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Hair color.doc
[2010/05/04 19:38:57 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Wii games.doc
[2010/05/03 16:13:21 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Brawler Card.doc
[2010/04/18 14:33:48 | 000,000,602 | ---- | M] () -- C:\Documents and Settings\Lela han\Desktop\rkill.lnk
[2010/04/18 14:33:16 | 000,024,275 | ---- | M] () -- C:\Documents and Settings\Lela han\nah_log.dat
[2010/04/18 11:58:32 | 000,002,954 | ---- | M] () -- C:\WINDOWS\iyohodop.dll
[2010/04/18 09:36:23 | 000,002,954 | ---- | M] () -- C:\WINDOWS\eboxubac.dll
[2010/04/16 20:25:24 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\i.doc
[2010/04/16 20:25:01 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Solia cake recipe.doc
[2010/04/14 00:24:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/08 02:56:57 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Lela han\My Documents\Lela Han.doc
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,001,744 | -H-- | C] () -- C:\WINDOWS\System32\laparari
[2010/06/26 12:49:59 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\Lela han\Application Data\Microsoft\Internet Explorer\Quick Launch\AIM.lnk
[2010/06/26 12:49:59 | 000,001,574 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2010/06/26 12:49:41 | 000,000,456 | -H-- | C] () -- C:\IPH.PH
[2010/06/22 22:45:46 | 000,001,576 | ---- | C] () -- C:\Documents and Settings\Lela han\Desktop\Grand Fantasia.lnk
[2010/06/18 15:30:18 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Lela han\My Documents\Chaos War Schedule.doc
[2010/06/10 22:07:36 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MapleStory.url
[2010/06/07 19:27:31 | 000,000,818 | ---- | C] () -- C:\Documents and Settings\Lela han\Desktop\TalesRunner.lnk
[2010/06/06 23:11:58 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Lela han\My Documents\Tales Runner Key.doc
[2010/06/02 21:17:02 | 000,032,256 | ---- | C] () -- C:\Documents and Settings\Lela han\My Documents\Al Qaeda is a terrible organization that has killed hundreds.doc
[2010/05/30 20:43:13 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Lela han\My Documents\Song of Storms.doc
[2010/05/24 02:16:11 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Lela han\My Documents\Tinierme.doc
[2010/05/21 04:51:46 | 000,003,321 | -HS- | C] () -- C:\Documents and Settings\Lela han\Application Data\02000000795987b9922P.manifest
[2010/05/21 04:51:46 | 000,000,013 | -HS- | C] () -- C:\Documents and Settings\Lela han\Application Data\02000000795987b9922C.manifest
[2010/05/21 04:51:46 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Lela han\Application Data\02000000795987b9922S.manifest
[2010/05/21 04:51:46 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Lela han\Application Data\02000000795987b9922O.manifest
[2010/05/12 18:56:11 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/12 18:56:11 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/09 12:59:39 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\Lela han\My Documents\Hair color.doc
[2010/05/04 19:38:56 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Lela han\My Documents\Wii games.doc
[2010/05/03 15:58:05 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Lela han\My Documents\Reborn! B-days.doc
[2010/04/18 14:33:48 | 000,000,602 | ---- | C] () -- C:\Documents and Settings\Lela han\Desktop\rkill.lnk
[2010/04/18 11:58:22 | 000,002,954 | ---- | C] () -- C:\WINDOWS\iyohodop.dll
[2010/04/18 09:36:23 | 000,002,954 | ---- | C] () -- C:\WINDOWS\eboxubac.dll
[2010/04/18 09:36:04 | 000,024,275 | ---- | C] () -- C:\Documents and Settings\Lela han\nah_log.dat
[2010/04/16 20:25:23 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Lela han\My Documents\i.doc
[2010/04/16 20:25:00 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Lela han\My Documents\Solia cake recipe.doc
[2010/04/14 00:02:27 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Sdijipiqowa.dat
[2010/04/14 00:02:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Shirapona.bin
[2010/04/08 02:56:57 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Lela han\My Documents\Lela Han.doc
[2010/02/02 10:30:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/30 22:21:37 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2006/02/09 15:29:54 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\VSHP1020.DLL
[2004/08/04 05:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/06/26 12:50:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM
[2010/05/19 15:09:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2010/06/10 21:59:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NexonUS
[2010/06/10 21:59:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/06/03 20:38:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/06/26 12:50:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lela han\Application Data\acccore
[2010/05/19 15:09:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lela han\Application Data\Babylon
[2010/04/07 05:10:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lela han\Application Data\GetRightToGo
[2010/05/30 18:40:42 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Lela han\Application Data\SystemProc
[2010/07/04 23:22:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{2CAE369E-F432-4CBA-9A9B-6017C9A83AEC}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\*. /mp /s >

< c:\$recycle.bin\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-05-13 19:03:59


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

< MD5 for: AUTOCHK.EXE >
[2008/04/13 19:12:12 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\autochk.exe
[2004/08/04 05:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=B3415B9D6026F65E43089ABED096C38C -- C:\WINDOWS\system32\autochk.exe
[2004/08/04 05:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=B3415B9D6026F65E43089ABED096C38C -- C:\WINDOWS\system32\dllcache\autochk.exe

< MD5 for: BEEP.SYS >
[2004/08/04 05:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\dllcache\beep.sys
[2004/08/04 05:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\explorer.exe
[2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: IASTOR.SYS >
[2007/07/12 16:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: IMM32.DLL >
[2008/04/13 19:11:54 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=0DA85218E92526972A821587E6A8BF8F -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\imm32.dll
[2004/08/04 05:00:00 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=87CA7CE6469577F059297B9D6556D66D -- C:\WINDOWS\system32\dllcache\imm32.dll
[2004/08/04 05:00:00 | 000,110,080 | ---- | M] (Microsoft Corporation) MD5=87CA7CE6469577F059297B9D6556D66D -- C:\WINDOWS\system32\imm32.dll

< MD5 for: KERNEL32.DLL >
[2009/03/21 08:54:07 | 000,989,184 | ---- | M] (Microsoft Corporation) MD5=80202858D245FF07DAA1739C57A3E19B -- C:\WINDOWS\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[2004/08/04 05:00:00 | 000,983,552 | ---- | M] (Microsoft Corporation) MD5=888190E31455FAD793312F8D087146EB -- C:\WINDOWS\$NtUninstallKB959426$\kernel32.dll
[2009/03/21 09:18:57 | 000,986,112 | ---- | M] (Microsoft Corporation) MD5=B6ACAED7588295129791E0E6A2B0FADE -- C:\WINDOWS\system32\dllcache\kernel32.dll
[2009/03/21 09:18:57 | 000,986,112 | ---- | M] (Microsoft Corporation) MD5=B6ACAED7588295129791E0E6A2B0FADE -- C:\WINDOWS\system32\kernel32.dll
[2009/03/21 09:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[2008/04/13 19:11:56 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=C24B983D211C34DA8FCC1AC38477971D -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\kernel32.dll
[2009/03/21 08:59:23 | 000,991,744 | ---- | M] (Microsoft Corporation) MD5=DA11D9D6ECBDF0F93436A4B7C13F7BEC -- C:\WINDOWS\$hf_mig$\KB959426\SP3QFE\kernel32.dll

< MD5 for: MSWSOCK.DLL >
[2008/06/20 12:41:10 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=097722F235A1FB698BF9234E01B52637 -- C:\WINDOWS\system32\dllcache\mswsock.dll
[2008/06/20 12:41:10 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=097722F235A1FB698BF9234E01B52637 -- C:\WINDOWS\system32\mswsock.dll
[2008/06/20 12:36:11 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=1DFCA7713EA5A70D5D93B436AEA0317A -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[2004/08/04 05:00:00 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=4E74AF063C3271FBEA20DD940CFD1184 -- C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll
[2008/06/20 12:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[2008/04/13 19:12:01 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\mswsock.dll
[2008/06/20 12:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll

< MD5 for: NDIS.SYS >
[2008/04/13 14:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys
[2004/08/04 05:00:00 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=558635D3AF1C7546D26067D5D9B6959E -- C:\WINDOWS\system32\dllcache\ndis.sys
[2004/08/04 05:00:00 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=558635D3AF1C7546D26067D5D9B6959E -- C:\WINDOWS\system32\drivers\ndis.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NTFS.SYS >
[2008/04/13 14:15:53 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ntfs.sys
[2004/08/04 05:00:00 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\WINDOWS\system32\dllcache\ntfs.sys
[2004/08/04 05:00:00 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\WINDOWS\system32\drivers\ntfs.sys

< MD5 for: NTMSSVC.DLL >
[2008/04/13 19:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ntmssvc.dll
[2004/08/04 05:00:00 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=B62F29C00AC55A761B2E45877D85EA0F -- C:\WINDOWS\system32\dllcache\ntmssvc.dll
[2004/08/04 05:00:00 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=B62F29C00AC55A761B2E45877D85EA0F -- C:\WINDOWS\system32\ntmssvc.dll

< MD5 for: NVATA.SYS >
[2006/10/18 17:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\dell\nvraid\nvata.sys

< MD5 for: NVATABUS.SYS >
[2006/10/18 16:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys

< MD5 for: PROQUOTA.EXE >
[2004/08/04 05:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\system32\dllcache\proquota.exe
[2004/08/04 05:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\system32\proquota.exe
[2008/04/13 19:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\proquota.exe

< MD5 for: QMGR.DLL >
[2004/08/04 05:00:00 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\WINDOWS\system32\dllcache\qmgr.dll
[2004/08/04 05:00:00 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\WINDOWS\system32\qmgr.dll
[2008/04/13 19:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\qmgr.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll

< MD5 for: SFCFILES.DLL >
[2004/08/04 05:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\system32\dllcache\sfcfiles.dll
[2004/08/04 05:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\system32\sfcfiles.dll
[2008/04/13 19:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll

< MD5 for: SPOOLSV.EXE >
[2004/08/04 05:00:00 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=7435B108B935E42EA92CA94F59C8E717 -- C:\WINDOWS\system32\dllcache\spoolsv.exe
[2004/08/04 05:00:00 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=7435B108B935E42EA92CA94F59C8E717 -- C:\WINDOWS\system32\spoolsv.exe
[2008/04/13 19:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=D8E14A61ACC1D4A6CD0D38AEBAC7FA3B -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\spoolsv.exe

< MD5 for: SRSVC.DLL >
[2008/04/13 19:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\srsvc.dll
[2004/08/04 05:00:00 | 000,170,496 | ---- | M] (Microsoft Corporation) MD5=92BDF74F12D6CBEC43C94D4B7F804838 -- C:\WINDOWS\system32\dllcache\srsvc.dll
[2004/08/04 05:00:00 | 000,170,496 | ---- | M] (Microsoft Corporation) MD5=92BDF74F12D6CBEC43C94D4B7F804838 -- C:\WINDOWS\system32\srsvc.dll

< MD5 for: SVCHOST.EXE >
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
[2004/08/04 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2004/08/04 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: TERMSRV.DLL >
[2004/08/04 05:00:00 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=B60C877D16D9C880B952FDA04ADF16E6 -- C:\WINDOWS\system32\dllcache\termsrv.dll
[2004/08/04 05:00:00 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=B60C877D16D9C880B952FDA04ADF16E6 -- C:\WINDOWS\system32\termsrv.dll
[2008/04/13 19:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\termsrv.dll

< MD5 for: USERINIT.EXE >
[2004/08/04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\dllcache\userinit.exe
[2004/08/04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\userinit.exe

< MD5 for: WS2_32.DLL >
[2008/04/13 19:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ws2_32.dll
[2004/08/04 05:00:00 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\WINDOWS\system32\dllcache\ws2_32.dll
[2004/08/04 05:00:00 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\WINDOWS\system32\ws2_32.dll

< MD5 for: XMLPROV.DLL >
[2008/04/13 19:12:11 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\xmlprov.dll
[2004/08/04 05:00:00 | 000,129,536 | ---- | M] (Microsoft Corporation) MD5=EEF46DAB68229A14DA3D8E73C99E2959 -- C:\WINDOWS\system32\dllcache\xmlprov.dll
[2004/08/04 05:00:00 | 000,129,536 | ---- | M] (Microsoft Corporation) MD5=EEF46DAB68229A14DA3D8E73C99E2959 -- C:\WINDOWS\system32\xmlprov.dll

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEB15613
< End of report >

Immortalus

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2010-07-05
Operating System : Windows XP

View user profile

Back to top Go down

Re: Can't get rid of AV Security Suite...

Post by Immortalus on Wed 07 Jul 2010, 2:52 am

OTL Extras logfile created on: 7/5/2010 3:47:55 AM - Run 1
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Documents and Settings\Lela han\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 747.00 Mb Available Physical Memory | 74.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 229.77 Gb Total Space | 202.75 Gb Free Space | 88.24% Space Free | Partition Type: NTFS
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LELA-FFB00CD876
Current User Name: Lela han
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"56873:TCP" = 56873:TCP:*:Enabled:Pando Media Booster
"56873:UDP" = 56873:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"56873:TCP" = 56873:TCP:*:Enabled:Pando Media Booster
"56873:UDP" = 56873:UDP:*:Enabled:Pando Media Booster
"1036:TCP" = 1036:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Ntreev\Grand Chase\main.exe" = C:\Ntreev\Grand Chase\main.exe:*:Enabled:GrandChase -- ()
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)
"C:\GamepotUSA\FantasyEarthZero\FEzero.exe" = C:\GamepotUSA\FantasyEarthZero\FEzero.exe:*:Enabled:Fantasy Earth Zero -- File not found
"C:\Program Files\Avira\AntiVir Desktop\avcenter.exe" = C:\Program Files\Avira\AntiVir Desktop\avcenter.exe:*:Enabled:Start AntiVir -- (Avira GmbH)
"C:\Documents and Settings\Lela han\My Documents\Downloads\FantasyEarthZeroDownloader_2010-04-14.exe" = C:\Documents and Settings\Lela han\My Documents\Downloads\FantasyEarthZeroDownloader_2010-04-14.exe:*:Enabled:FantasyEarthZeroDownloader_2010-04-14 -- ()
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 16
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel(R) PRO Network Connections 12.1.12.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B662C580-A3AF-11D4-A71C-0050BAAA39DD}" = Otaku Mascot
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_7" = AIM 7
"Akamai" = Akamai NetSession Interface
"Audacity_is1" = Audacity 1.2.6
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Grand Chase" = Grand Chase
"Grand Fantasia" = Grand Fantasia
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MapleStory" = MapleStory
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"OGPlanet Game Launcher US" = OGPlanet Game Launcher
"SoftwareUpdUtility" = Download Updater (AOL LLC)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/1/2010 11:46:03 PM | Computer Name = LELA-FFB00CD876 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 7/1/2010 11:46:03 PM | Computer Name = LELA-FFB00CD876 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 7/2/2010 1:46:41 AM | Computer Name = LELA-FFB00CD876 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 7/2/2010 3:47:10 AM | Computer Name = LELA-FFB00CD876 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 7/2/2010 3:47:11 AM | Computer Name = LELA-FFB00CD876 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 7/2/2010 5:47:54 AM | Computer Name = LELA-FFB00CD876 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 7/5/2010 2:08:43 AM | Computer Name = LELA-FFB00CD876 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

Error - 7/5/2010 2:08:44 AM | Computer Name = LELA-FFB00CD876 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 7/5/2010 4:09:54 AM | Computer Name = LELA-FFB00CD876 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: A connection with the server could not be established

Error - 7/5/2010 4:09:54 AM | Computer Name = LELA-FFB00CD876 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

[ System Events ]
Error - 7/5/2010 1:33:20 AM | Computer Name = LELA-FFB00CD876 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/5/2010 2:01:22 AM | Computer Name = LELA-FFB00CD876 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 7/5/2010 2:01:22 AM | Computer Name = LELA-FFB00CD876 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 7/5/2010 2:02:38 AM | Computer Name = LELA-FFB00CD876 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 7/5/2010 2:02:38 AM | Computer Name = LELA-FFB00CD876 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 7/5/2010 2:05:50 AM | Computer Name = LELA-FFB00CD876 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 7/5/2010 2:05:50 AM | Computer Name = LELA-FFB00CD876 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 7/5/2010 2:05:53 AM | Computer Name = LELA-FFB00CD876 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/5/2010 2:07:15 AM | Computer Name = LELA-FFB00CD876 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
avgio avipbb Fips intelppm ssmdrv

Error - 7/5/2010 4:47:10 AM | Computer Name = LELA-FFB00CD876 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

Immortalus

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2010-07-05
Operating System : Windows XP

View user profile

Back to top Go down

Re: Can't get rid of AV Security Suite...

Post by Sneakyone on Wed 07 Jul 2010, 3:18 am

Hi,

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
    O4 - HKLM..\Run: [jrejorii] C:\Documents and Settings\NetworkService\Local Settings\Application Data\atftixwrf\mlolbcotssd.exe ()
    O4 - HKLM..\Run: [Vfayenakoho] C:\WINDOWS\upucinep.DLL File not found
    O4 - HKCU..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\LELAHA~1\LOCALS~1\Temp\win.exe File not found
    O4 - HKCU..\Run: [Jyopi] C:\WINDOWS\msogrsap.DLL File not found
    O22 - SharedTaskScheduler: {A3BA40A2-74F1-52BD-F434-00B15A2C8953} - hs3t873tisghs837tgysu7 - C:\WINDOWS\System32\h8z5jc8.dll File not found

    :Files
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\atftixwrf
    C:\Documents and Settings\Lela han\Local Settings\Application Data\aulmvd
    C:\Documents and Settings\Lela han\Local Settings\Application Data\tngvawlkg
    C:\Documents and Settings\Lela han\Local Settings\Application Data\vwrlrbdfo
    C:\Documents and Settings\Lela han\Local Settings\Application Data\ffrtljjgr
    C:\Documents and Settings\Lela han\Local Settings\Application Data\qhnpakjqn
    C:\WINDOWS\System32\laparari
    C:\WINDOWS\iyohodop.dll
    C:\WINDOWS\eboxubac.dll
    C:\WINDOWS\Sdijipiqowa.dat
    C:\WINDOWS\Shirapona.bin

    :commands
    [emptytemp]
    [resethosts]
    [reboot]


  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If this fix becomes unresponsive, please move on to ComboFix.

=========

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Can't get rid of AV Security Suite...

Post by Immortalus on Wed 07 Jul 2010, 9:48 am

Hi. Um. I'm sort of confused. If the fix ran properly, do I still have to run ComboFix? And I can't seem to find the fix log?

Immortalus

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2010-07-05
Operating System : Windows XP

View user profile

Back to top Go down

Re: Can't get rid of AV Security Suite...

Post by Sneakyone on Wed 07 Jul 2010, 9:54 am

Hi,

Don't worry about the OTL fix log, please run ComboFix and post that log here.

Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Can't get rid of AV Security Suite...

Post by Immortalus on Thu 08 Jul 2010, 5:08 pm

ComboFix 10-07-07.01 - Lela han 07/08/2010 0:54.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1013.682 [GMT -5:00]
Running from: c:\documents and settings\Lela han\Desktop\commy.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Lela han\Application Data\02000000795987b9922C.manifest
c:\documents and settings\Lela han\Application Data\02000000795987b9922O.manifest
c:\documents and settings\Lela han\Application Data\02000000795987b9922P.manifest
c:\documents and settings\Lela han\Application Data\02000000795987b9922S.manifest
c:\documents and settings\Lela han\Application Data\SystemProc
c:\documents and settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF}
c:\documents and settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF}\chrome.manifest
c:\documents and settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF}\chrome\content\_cfg.js
c:\documents and settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF}\chrome\content\overlay.xul
c:\documents and settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF}\install.rdf
c:\documents and settings\Lela han\nah_log.dat

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-06 22:22 . 2010-07-06 22:22 -------- d-----w- C:\_OTL
2010-07-03 02:18 . 2010-07-03 02:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-26 17:50 . 2010-06-26 17:50 -------- d-----w- c:\documents and settings\Lela han\Application Data\acccore
2010-06-26 17:50 . 2010-06-26 17:57 -------- d-----w- c:\documents and settings\Lela han\Local Settings\Application Data\AIM
2010-06-26 17:50 . 2010-06-26 17:50 -------- d-----w- c:\documents and settings\Lela han\Local Settings\Application Data\AOL
2010-06-26 17:50 . 2010-06-26 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-06-26 17:49 . 2010-06-26 17:49 -------- d-----w- c:\program files\AIM
2010-06-26 17:49 . 2010-06-26 17:49 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-06-26 17:49 . 2010-06-26 17:49 -------- d-----w- c:\program files\Common Files\AOL
2010-06-24 09:52 . 2010-06-24 18:06 -------- d-----w- c:\program files\NOS
2010-06-24 05:57 . 2010-06-24 05:57 -------- d-----w- c:\program files\Common Files\DirectX
2010-06-23 03:42 . 2010-06-23 03:42 -------- d-----w- C:\AeriaGames
2010-06-21 06:19 . 2010-07-08 06:00 -------- d-----w- c:\program files\Common Files\Akamai
2010-06-11 02:59 . 2010-06-11 02:59 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-06-11 02:59 . 2010-06-11 02:59 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-06-11 02:59 . 2010-06-11 02:59 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-06-11 02:59 . 2010-06-11 02:59 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-06-11 02:59 . 2010-06-11 02:59 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-06-11 02:59 . 2010-06-11 02:59 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-06-11 02:59 . 2010-06-11 02:59 -------- d-----w- C:\Nexon
2010-06-11 02:59 . 2010-06-11 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 08:03 . 2010-05-12 23:56 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 18:07 . 2010-02-23 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-11 02:59 . 2010-06-07 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-06-07 04:23 . 2010-01-31 03:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-07 04:14 . 2010-06-07 04:14 -------- d-----w- c:\program files\gpotato
2010-06-04 01:38 . 2010-06-01 03:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-31 07:42 . 2010-05-31 07:42 -------- d-----w- c:\program files\Pando Networks
2010-05-31 07:41 . 2010-05-11 23:54 -------- d-----w- c:\program files\OGPlanet
2010-05-19 20:09 . 2010-05-19 20:09 -------- d-----w- c:\documents and settings\Lela han\Application Data\Babylon
2010-05-19 20:09 . 2010-05-19 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-05-12 23:56 . 2010-05-12 23:56 552 ----a-w- c:\windows\system32\d3d8caps.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-31 39408]
"Aim"="c:\program files\AIM\aim.exe" [2010-05-21 3824472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Otaku Mascot.lnk - c:\program files\Accursed Toys\Otaku Mascot\Mascot.exe [2010-2-4 720896]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avcenter.exe"=
"c:\\Documents and Settings\\Lela han\\My Documents\\Downloads\\FantasyEarthZeroDownloader_2010-04-14.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56873:TCP"= 56873:TCP:Pando Media Booster
"56873:UDP"= 56873:UDP:Pando Media Booster
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 12:31 AM 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 10:49 PM 135664]
S3 isadeep;isadeep;\??\c:\windows\system32\isadeep.sys --> c:\windows\system32\isadeep.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 03:49]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 03:49]

2010-07-08 c:\windows\Tasks\User_Feed_Synchronization-{2CAE369E-F432-4CBA-9A9B-6017C9A83AEC}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Lela han\Application Data\Mozilla\Firefox\Profiles\6zmlha81.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-08 01:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4088)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2010-07-08 01:02:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 06:02

Pre-Run: 219,263,918,080 bytes free
Post-Run: 219,190,239,232 bytes free

- - End Of File - - ACCDBC082B10802C9BB2C3742A4A208F

Immortalus

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2010-07-05
Operating System : Windows XP

View user profile

Back to top Go down

Re: Can't get rid of AV Security Suite...

Post by Sneakyone on Thu 08 Jul 2010, 5:30 pm

Hi,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:


    KillAll::

    File::
    c:\windows\system32\isadeep.sys

    Driver::
    isadeep

    Reboot::

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Can't get rid of AV Security Suite...

Post by Immortalus on Thu 08 Jul 2010, 11:54 pm

ComboFix 10-07-07.01 - Lela han 07/08/2010 7:33.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1013.615 [GMT -5:00]
Running from: c:\documents and settings\Lela han\Desktop\commy.exe
Command switches used :: c:\documents and settings\Lela han\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\isadeep.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ISADEEP
-------\Service_isadeep


((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-08 05:50 . 2010-07-08 06:02 -------- d-----w- C:\commy
2010-07-06 22:22 . 2010-07-06 22:22 -------- d-----w- C:\_OTL
2010-07-03 02:18 . 2010-07-03 02:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-26 17:50 . 2010-06-26 17:50 -------- d-----w- c:\documents and settings\Lela han\Application Data\acccore
2010-06-26 17:50 . 2010-06-26 17:57 -------- d-----w- c:\documents and settings\Lela han\Local Settings\Application Data\AIM
2010-06-26 17:50 . 2010-06-26 17:50 -------- d-----w- c:\documents and settings\Lela han\Local Settings\Application Data\AOL
2010-06-26 17:50 . 2010-06-26 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-06-26 17:49 . 2010-06-26 17:49 -------- d-----w- c:\program files\AIM
2010-06-26 17:49 . 2010-06-26 17:49 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-06-26 17:49 . 2010-06-26 17:49 -------- d-----w- c:\program files\Common Files\AOL
2010-06-24 09:52 . 2010-06-24 18:06 -------- d-----w- c:\program files\NOS
2010-06-24 05:57 . 2010-06-24 05:57 -------- d-----w- c:\program files\Common Files\DirectX
2010-06-23 03:42 . 2010-06-23 03:42 -------- d-----w- C:\AeriaGames
2010-06-21 06:19 . 2010-07-08 12:39 -------- d-----w- c:\program files\Common Files\Akamai
2010-06-11 02:59 . 2010-06-11 02:59 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-06-11 02:59 . 2010-06-11 02:59 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-06-11 02:59 . 2010-06-11 02:59 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-06-11 02:59 . 2010-06-11 02:59 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-06-11 02:59 . 2010-06-11 02:59 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-06-11 02:59 . 2010-06-11 02:59 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-06-11 02:59 . 2010-06-11 02:59 -------- d-----w- C:\Nexon
2010-06-11 02:59 . 2010-06-11 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 08:03 . 2010-05-12 23:56 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 18:07 . 2010-02-23 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-11 02:59 . 2010-06-07 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-06-07 04:23 . 2010-01-31 03:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-07 04:14 . 2010-06-07 04:14 -------- d-----w- c:\program files\gpotato
2010-06-04 01:38 . 2010-06-01 03:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-31 07:42 . 2010-05-31 07:42 -------- d-----w- c:\program files\Pando Networks
2010-05-31 07:41 . 2010-05-11 23:54 -------- d-----w- c:\program files\OGPlanet
2010-05-19 20:09 . 2010-05-19 20:09 -------- d-----w- c:\documents and settings\Lela han\Application Data\Babylon
2010-05-19 20:09 . 2010-05-19 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-05-12 23:56 . 2010-05-12 23:56 552 ----a-w- c:\windows\system32\d3d8caps.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-08 12:38 . 2010-07-08 12:38 16384 c:\windows\Temp\Perflib_Perfdata_578.dat
+ 2010-07-08 12:38 . 2010-07-08 12:38 16384 c:\windows\Temp\Perflib_Perfdata_440.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-31 39408]
"Aim"="c:\program files\AIM\aim.exe" [2010-05-21 3824472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Otaku Mascot.lnk - c:\program files\Accursed Toys\Otaku Mascot\Mascot.exe [2010-2-4 720896]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avcenter.exe"=
"c:\\Documents and Settings\\Lela han\\My Documents\\Downloads\\FantasyEarthZeroDownloader_2010-04-14.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56873:TCP"= 56873:TCP:Pando Media Booster
"56873:UDP"= 56873:UDP:Pando Media Booster
"1033:TCP"= 1033:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 12:31 AM 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 10:49 PM 135664]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 03:49]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 03:49]

2010-07-08 c:\windows\Tasks\User_Feed_Synchronization-{2CAE369E-F432-4CBA-9A9B-6017C9A83AEC}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Lela han\Application Data\Mozilla\Firefox\Profiles\6zmlha81.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-08 07:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2692)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2010-07-08 07:41:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 12:41
ComboFix2.txt 2010-07-08 06:02

Pre-Run: 219,177,381,888 bytes free
Post-Run: 219,165,765,632 bytes free

- - End Of File - - 197CC2D0B85FB9B1942FE0246EFEB389

Immortalus

Newbie Surfer
Newbie Surfer

Posts : 6
Joined : 2010-07-05
Operating System : Windows XP

View user profile

Back to top Go down

Re: Can't get rid of AV Security Suite...

Post by Sneakyone on Fri 09 Jul 2010, 4:38 am

Hi,

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Can't get rid of AV Security Suite...

Post by Sponsored content Today at 1:08 pm


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum