[Closed] Java Trojan keeps Cropping Up

By aaronb1232
Mar 5, 2011
Topic Status:
Not open for further replies.
    Hey all,

    For the last ~2 weeks now, every 5 days MSE comes up with something in its scan or pops up a message about a Java Trojan/Trojan Downloader found on the system. When I initially saw this, I did full scans with both MSE and MBAM almost daily and didn't find anything. However, something Java-related would still manage to crop up.

    Something to note: these infected files were always found in my Java AppData folder (C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\ random folders/files from here on...). I'm thinking they're linked together, but whenever I delete one, it seems to download itself back on. I haven't had any issues yet; my web browsers haven't been redirecting themselves, and I haven't gotten any spamming windows or anything like that; there's virtually no sign that anything's wrong other than the messages from my scanners saying they've detected them. However, as they're Trojans, they're obvious security concerns for me.

    Here are the infected files and their locations that MSE detected over the past 2 weeks:

    TrojanDownloader:Java/OpenConnection.KR
    Found in: containerfile:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\458317b9-7212efc1
    file:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\458317b9-7212efc1->RequiredJavaComponent.class

    Exploit:Java/CVE-2010-0840.BF
    Found in: containerfile:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\126cbbd9-54edaafd
    containerfile:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\2107de3c-487ee999
    file:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\126cbbd9-54edaafd->folder/Ump_45.class
    file:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\2107de3c-487ee999->folder/Ump_45.class

    Exploit:Java/CVE-2010-0840.BH
    Found in: containerfile:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\49e03e00-34e2a4ca
    containerfile:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\4a14144e-52409202
    containerfile:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\2a769347-4eacf6c1
    file:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\49e03e00-34e2a4ca->glass/boing.class
    file:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\4a14144e-52409202->glass/boing.class
    file:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\2a769347-4eacf6c1->glass/boing.class

    Rogue:Win32/FakeSpypro
    Found in: containerfile:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\455b1452-51f143bf
    containerfile:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\37cf23b0-46089767
    file:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\455b1452-51f143bf->[Obfuscator.JM]->(UPX)
    file:C:\Users\Aaron\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\37cf23b0-46089767->[Obfuscator.JM]->(UPX)


    I did a full scan with MBAM today, and in the middle of it, MSE found another infected file. Here are the logs:

    1. MBAM Quick Scan:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5966

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    3/5/2011 12:51:40 PM
    mbam-log-2011-03-05 (12-51-40).txt

    Scan type: Quick scan
    Objects scanned: 169396
    Time elapsed: 2 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    2. MBAM Full Scan run earlier today:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5964

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    3/5/2011 12:21:46 PM
    mbam-log-2011-03-05 (12-21-46).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 513568
    Time elapsed: 1 hour(s), 28 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    3. GMER log:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-03-05 13:04:36
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\00000065 ST350032 rev.SD04
    Running: n9jnvpgs.exe; Driver: C:\Users\Aaron\AppData\Local\Temp\aglcrpog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    4. DDS log:

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Aaron at 13:09:51.86 on Sat 03/05/2011
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3582.2444 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Program Files\Tablet\Pen\Pen_TouchService.exe
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\svchost.exe -k Akamai
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\PnkBstrA.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Tablet\Pen\Pen_Tablet.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\svchost.exe -k HPService
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Steam\Steam.exe
    c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Tablet\Pen\Pen_Tablet.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Users\Aaron\Downloads\dds.scr
    C:\Windows\system32\conhost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
    mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    Trusted Zone: line6.net
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\aaron\appdata\roaming\mozilla\firefox\profiles\cwzufi5z.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.homestarrunner.com/
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
    R1 MpKsl7a76086f;MpKsl7a76086f;c:\programdata\microsoft\microsoft antimalware\definition updates\{9365418c-ec8b-42c6-9aa8-f8f4be2dc150}\MpKsl7a76086f.sys [2011-3-5 28752]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-12-18 176128]
    R2 TabletServicePen;TabletServicePen;c:\program files\tablet\pen\Pen_Tablet.exe [2010-11-17 4869488]
    R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\tablet\pen\Pen_TouchService.exe [2010-11-17 416112]
    R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-12-18 6650368]
    R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-12-18 231936]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-12-18 102416]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2010-3-9 571264]
    S3 SaiKF622;SaiKF622;c:\windows\system32\drivers\SaiKF622.sys [2009-6-2 113664]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-11-17 16240]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-18 1343400]
    .
    =============== Created Last 30 ================
    .
    2011-03-05 18:07:24 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{9365418c-ec8b-42c6-9aa8-f8f4be2dc150}\MpKsl7a76086f.sys
    2011-03-05 18:07:18 5943120 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{9365418c-ec8b-42c6-9aa8-f8f4be2dc150}\mpengine.dll
    2011-03-04 14:58:44 -------- d-----w- c:\program files\Microsoft XNA
    2011-03-04 14:51:23 -------- d-----w- c:\users\aaron\appdata\local\BIT.TRIP RUNNER
    2011-03-01 06:08:28 -------- d-----w- C:\The Neverhood + patch (English)
    2011-03-01 05:31:23 -------- d-----w- C:\Neverhood Win7 Color Fix
    2011-03-01 05:30:18 -------- d-----w- c:\program files\DreamWorks Interactive
    2011-02-28 01:42:26 -------- d-----w- c:\users\aaron\appdata\roaming\Malwarebytes
    2011-02-28 01:42:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-28 01:42:20 -------- d-----w- c:\progra~2\Malwarebytes
    2011-02-28 01:42:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 01:42:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-26 08:03:07 -------- d-----w- c:\program files\Savage XR
    2011-02-23 06:41:38 276992 ----a-w- c:\windows\system32\wcncsvc.dll
    2011-02-22 22:32:58 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-02-22 22:32:57 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-21 22:05:15 -------- d-----w- c:\progra~2\Nexon
    2011-02-21 20:01:20 -------- d-----w- c:\program files\BandiMPEG1
    2011-02-21 19:57:43 -------- d-----w- c:\progra~2\NexonUS
    2011-02-21 19:57:32 -------- d-----w- c:\program files\Nexon
    2011-02-21 19:11:13 -------- d-----w- c:\program files\Vindictus
    2011-02-21 19:10:55 -------- d-----w- c:\users\aaron\appdata\local\PMB Files
    2011-02-21 19:10:54 -------- d-----w- c:\progra~2\PMB Files
    2011-02-21 19:10:49 -------- d-----w- c:\program files\Pando Networks
    2011-02-15 18:02:30 -------- d-----w- c:\program files\MyDefrag v4.3.1
    2011-02-15 02:06:09 -------- d-----w- c:\windows\system32\URTTEMP
    2011-02-15 02:01:44 669184 ----a-w- c:\windows\system32\pbsvc.exe
    2011-02-12 00:46:22 -------- d-----w- c:\windows\pss
    2011-02-11 20:04:28 -------- d-----w- c:\progra~2\Nero
    2011-02-11 19:59:27 -------- d-----w- c:\program files\Astonsoft
    2011-02-11 00:00:03 289552 ----a-w- c:\windows\system32\temp.001
    2011-02-11 00:00:03 28672 ----a-w- c:\windows\system32\temp.000
    2011-02-11 00:00:03 -------- d-----w- c:\windows\MVUNINST
    2011-02-11 00:00:03 -------- d-----w- c:\program files\Memorex exPressit Label Design Studio
    2011-02-10 23:22:51 4277016 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\updateablemarkup-6\markup.dll
    2011-02-10 17:19:00 -------- d-----w- c:\users\aaron\appdata\local\MicroVision Applications
    2011-02-10 17:18:50 487424 ----a-w- c:\windows\system32\msvcp70.dll
    2011-02-10 17:18:50 344064 ----a-w- c:\windows\system32\msvcr70.dll
    2011-02-10 17:18:49 -------- d-----w- c:\program files\common files\SureThing Shared
    2011-02-04 12:58:15 -------- d-----w- C:\UbuntuUSB
    2011-02-04 12:38:07 4277016 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\updateablemarkup-7\markup.dll
    2011-02-04 10:33:23 -------- d-----w- c:\program files\WinSCP
    .
    ==================== Find3M ====================
    .
    2011-03-04 14:51:10 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-03-04 14:51:10 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-03-01 16:45:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-15 02:02:17 22328 ----a-w- c:\users\aaron\appdata\roaming\PnkBstrK.sys
    2011-02-15 02:02:03 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-02-15 02:01:46 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-01-15 20:16:02 270904 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-01-15 20:11:14 215128 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
    2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll
    2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
    2010-12-21 05:38:24 73728 ----a-w- c:\windows\system32\wscsvc.dll
    2010-12-21 05:38:24 51200 ----a-w- c:\windows\system32\wscapi.dll
    2010-12-21 05:38:22 981504 ----a-w- c:\windows\system32\wininet.dll
    2010-12-21 05:38:22 350720 ----a-w- c:\windows\system32\winhttp.dll
    2010-12-21 05:38:21 204800 ----a-w- c:\windows\system32\WebClnt.dll
    2010-12-21 05:38:19 204288 ----a-w- c:\windows\system32\upnp.dll
    2010-12-21 05:38:16 14336 ----a-w- c:\windows\system32\slwga.dll
    2010-12-21 05:36:17 1389568 ----a-w- c:\windows\system32\msxml6.dll
    2010-12-21 05:36:16 1236992 ----a-w- c:\windows\system32\msxml3.dll
    2010-12-21 05:34:12 80384 ----a-w- c:\windows\system32\davclnt.dll
    2010-12-21 02:22:53 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
    2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 05:29:31 541184 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec
    2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-12-14 17:27:46 111960 ----a-w- c:\windows\dxsdkuninst.exe
    2009-11-20 02:08:02 3749224 ----a-w- c:\program files\common files\adlmint_libFNP.dll
    2009-11-20 02:08:02 2941288 ----a-w- c:\program files\common files\adlmint.dll
    .
    ============= FINISH: 13:10:03.09 ===============


    5. DDS Attach log:


    !.
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/17/2010 2:13:27 PM
    System Uptime: 3/5/2011 1:05:47 PM (0 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | M2N-SLI DELUXE
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6400+ | Socket AM2 | 3214/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 255.457 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: PCI\VEN_10DE&DEV_0373&SUBSYS_82391043&REV_A3\3&2411E6FE&1&48
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller #2
    PNP Device ID: PCI\VEN_10DE&DEV_0373&SUBSYS_82391043&REV_A3\3&2411E6FE&1&48
    Service: NVENETFD
    .
    ==== System Restore Points ===================
    .
    RP211: 3/3/2011 3:16:35 PM - Windows Update
    RP212: 3/4/2011 8:17:20 AM - Windows Update
    RP213: 3/4/2011 9:58:30 AM - Installed Microsoft XNA Framework Redistributable 4.0
    RP214: 3/5/2011 10:44:31 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    µTorrent
    32 Bit HP CIO Components Installer
    Acrobat.com
    Adobe After Effects CS4 Third Party Content
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe Creative Suite 4 Master Collection
    Adobe CS4 American English Speech Analysis Models
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Dreamweaver CS4
    Adobe Drive CS4
    Adobe Dynamiclink Support
    Adobe Encore CS4 Codecs
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash CS4
    Adobe Flash CS4 Extension - Flash Lite STI en
    Adobe Flash CS4 STI-en
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Illustrator CS4
    Adobe Linguistics CS4
    Adobe Media Encoder CS4
    Adobe Media Encoder CS4 Additional Exporter
    Adobe Media Encoder CS4 Dolby
    Adobe Media Encoder CS4 Exporter
    Adobe Media Encoder CS4 Importer
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Premiere Pro CS4
    Adobe Premiere Pro CS4 Functional Content
    Adobe Premiere Pro CS4 Third Party Content
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Shockwave Player 11.5
    Adobe Soundbooth CS4 Codecs
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Akamai NetSession Interface
    Amazon MP3 Downloader 1.0.10
    AMD Drag and Drop Transcoding
    And Yet It Moves
    Apple Application Support
    Apple Software Update
    ASIO4ALL
    Ask Toolbar
    Assassin's Creed II
    ATI Catalyst Install Manager
    ATI Catalyst Registration
    Audacity 1.2.6
    Autodesk Backburner 2011.0.0
    Autodesk DirectConnect 2010 R1
    Autodesk MatchMover 2011 32-bit
    Autodesk Maya 2011 32-bit
    Autodesk Maya 2011 English Documentation 32-bit
    B.U.T.T.O.N.
    Back to the Future: Ep 2 - Get Tannen!
    Bamboo
    Bandisoft MPEG-1 Decoder
    Battlefield: Bad Company 2
    BIT.TRIP RUNNER
    Blender (remove only)
    BufferChm
    Burnout Paradise: The Ultimate Box
    Call of Duty: Black Ops
    Call of Duty: Black Ops - Multiplayer
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    ccc-core-static
    ccc-utility
    CCC Help English
    Champions Online
    Composite 2011
    Connect
    Counter-Strike: Source
    Crysis 2 Demo
    Crysis Warhead
    Crysis Wars
    Crystal Reports Basic for Visual Studio 2008
    Destinations
    Deus Ex: Game of the Year Edition
    Deus Ex: Invisible War
    DeviceDiscovery
    DjVu Solo 3.1
    Dystopia
    FileZilla Client 3.3.5.1
    FL Studio 9
    Foxit Reader
    Garry's Mod
    GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
    GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
    Gish
    GoldenEye: Source - HalfLife 2 Mod
    GOMTV Streamer
    GPBaseService2
    Half-Life 2: Deathmatch
    Hardcore
    Heroes of Newerth
    Hitman: Codename 47
    Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB971091)
    Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB973674)
    HP Imaging Device Functions 14.0
    HP Photosmart Plus B209a-m All-in-One Driver 14.0 Rel. 6
    HP Solution Center 14.0
    HPProductAssistant
    IL Download Manager
    Java Auto Updater
    Java(TM) 6 Update 24
    Jolly Rover
    kuler
    LAME v3.98.3 for Audacity
    Lara Croft and the Guardian of Light
    Left 4 Dead 2
    Line 6 Uninstaller
    Lost Horizon
    Machinarium
    Magicka - Demo
    Malwarebytes' Anti-Malware
    Memorex exPressit Label Design Studio
    Microsoft .NET Compact Framework 2.0 SP2
    Microsoft .NET Compact Framework 3.5
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Device Emulator version 3.0 - ENU
    Microsoft DirectX SDK (June 2010)
    Microsoft Document Explorer 2008
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
    Microsoft Office Visual Web Developer 2007
    Microsoft Office Visual Web Developer MUI (English) 2007
    Microsoft PowerPoint Viewer
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Compact 3.5 Design Tools ENU
    Microsoft SQL Server Compact 3.5 ENU
    Microsoft SQL Server Compact 3.5 for Devices ENU
    Microsoft SQL Server Database Publishing Wizard 1.2
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Visual Studio 2005 Tools for Office Runtime
    Microsoft Visual Studio 2008 Professional Edition - ENU
    Microsoft Visual Studio Web Authoring Component
    Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
    Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
    Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
    Microsoft Windows SDK for Visual Studio 2008 Tools
    Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
    Microsoft XNA Framework Redistributable 4.0
    Mirror's Edge
    Monday Night Combat
    Mount and Blade: Warband
    Mozilla Firefox (3.6.15)
    MSDN Library for Visual Studio 2008 - ENU
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Mumble and Murmur
    MyDefrag v4.3.1
    Network
    Nexon Game Manager
    Notepad++
    NVIDIA PhysX
    On the Rain-Slick Precipice of Darkness, Episode One
    On the Rain-Slick Precipice of Darkness, Episode Two
    OpenAL
    OpenOffice.org 3.2
    Pando Media Booster
    PDF Settings CS4
    Photoshop Camera Raw
    Pirates, Vikings, & Knights II
    Pixel Bender Toolkit
    PoiZone
    Poker Night at the Inventory
    Portal
    PowerISO
    Prince of Persia: The Two Thrones
    Project S
    PS_AIO_06_B209a-m_SW_Min
    PunkBuster Services
    Python 2.5.4
    QuickTime
    Recettear: An Item Shop's Tale
    Revenge of the Titans HIB (remove only)
    Savage: The Battle For Newerth (Version: 1.0RC3)
    Sawer
    Scan
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Serious Sam HD: The Second Encounter
    SolutionCenter
    Star Wars Galactic Battlegrounds: Saga
    Star Wars Jedi Knight: Dark Forces II
    StarCraft II
    Status
    Steam
    Suite Shared Configuration CS4
    Super Meat Boy
    Swords and Soldiers HD
    Synergy
    System Protocol One Demo
    Team Fortress 2
    The Ball
    The Misadventures of P.B. Winterbottom
    The Neverhood
    Toolbox
    TortoiseSVN 1.6.12.20536 (32 bit)
    Toxic Biohazard
    TrayApp
    Unigine Heaven Benchmark v2.1
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Visual Studio 2008 Professional Edition - ENU (KB972221)
    VC Runtimes MSI
    Ventrilo Client
    Vindictus
    Vista Shortcut Manager
    Visual Studio 2005 Tools for Office Second Edition Runtime
    Visual Studio Tools for the Office system 3.0 Runtime
    Viva Piñata
    Viva Pinata
    VLC media player 1.1.5
    Warhammer® 40,000®: Dawn of War® II – Retribution™ Beta
    Warhammer® 40,000™: Dawn of War® II
    WebTablet IE Plugin
    WebTablet Netscape Plugin
    Winamp
    Winamp Detector Plug-in
    Windows Live ID Sign-in Assistant
    Windows Mobile 5.0 SDK R2 for Pocket PC
    Windows Mobile 5.0 SDK R2 for Smartphone
    WinRAR archiver
    WinSCP 4.2.9
    WMV9/VC-1 Video Playback
    YouTube Downloader 2.6.5
    Zombie Panic Source
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/5/2011 12:40:54 PM, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    3/5/2011 1:01:41 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    3/5/2011 1:01:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    3/5/2011 1:01:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    3/5/2011 1:01:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    3/5/2011 1:01:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    3/5/2011 1:01:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/5/2011 1:01:34 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    3/5/2011 1:01:24 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr tdx Wanarpv6 WfpLwf
    3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    3/3/2011 2:01:52 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    3/3/2011 10:28:32 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
    3/1/2011 12:06:13 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    2/28/2011 10:32:50 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer DANI-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3516BA6F-BE82-4218-9B69-D4D1160D25. The master browser is stopping or an election is being forced.
    2/27/2011 10:11:19 PM, Error: Service Control Manager [7038] - The upnphost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    2/27/2011 10:11:19 PM, Error: Service Control Manager [7000] - The UPnP Device Host service failed to start due to the following error: The service did not start due to a logon failure.
    2/27/2011 10:11:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1069" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
    .
    ==== End Of File ===========================


    Thanks much for any help. It's greatly appreciated.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    I see you've been a TechSpot member for a while- but it looks like this may be your first visit for malware. I can start you off handling the Java exploits:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      There are three options on this window to clear the cache. Check all.
    • Delete Files
    • View Applications
    • View Applets
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on Temporary Files Settings window.
    Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.
    ==================================
    That is only specific for the Java exploits however, so we need to check the rest of the system. Please go ahead and run the following while I review these logs:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ========================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    I see there have been quite a few errors in the Event Viewer in the past week. Can you tell me please if you have made any changes in the Startup Type of any of the Services?

    Important
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Please note: I am helping other members also, all of whom have started several days ago and I tend to be slightly less active on the weekend. Do not be impatient if I do not get right back to you.
  3. aaronb1232

    aaronb1232 Newcomer, in training Topic Starter Posts: 18

    The Event Viewer messages from today are likely from when I tried to run GMER. When I ran the exe, nothing seemed to happen at all. I tried restarting so I could go into Safe Mode, but when I hit restart from the Start Menu, the menu and the start button just disappeared, and when I went to run Firefox, it didn't respond. I thought the OS was fubar'd at that point, so I hit the reset button on the case, and then booted into Safe Mode. Then I could run GMER fine.

    The only startup services I've changed are:
    1. About a month ago when a similar (possibly-related?) infected file was found, I went into the start up services to see if anything looked fishy. Sure enough, at the bottom there was one entry checked that had no title of any sort, and looked very sketchy. So I unchecked this; it no longer appears in the startup list if I check again, and no issues have arisen from this unchecking.
    2. I unchecked the Adobe Update service as I was tired of getting constant window spam from Adobe about updating their products.

    Right now I'm running the ESET Online Scanner. It hasn't found anything yet, but afterwards I'll run ComboFix and post a log of both.

    Thanks much for your help!
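    The Event Viewer block in the log above, and the Safe Mode restart described in the reply just before this, are exactly the kind of thing a helper has to separate from infection signs. As an added example that is not from the thread or from DDS, ComboFix or any other tool mentioned here, the Python script below parses those "date, Error: Source [ID] - message" lines, groups them by cause, and flags the boot-time cluster of DCOM error 1084 (the Win32 code ERROR_NOT_SAFEBOOT_SERVICE, "this service cannot be started in Safe Mode") together with unloaded network drivers such as AFD and NetBT as consistent with a Safe Mode boot rather than malware. It also surfaces the entries that deserve a second look on their own: the Microsoft Antimalware Service terminating unexpectedly (event 7031) and the upnphost logon failure (events 7000 and 10005 with code 1069). The sample input is eight lines copied from the event list above; the function names and report fields are this example's own.

```python
"""Group the 'Event Viewer Messages From Past Week' lines of a DDS-style
log by cause: Safe Mode start refusals, driver load failures, dependency
chains, service logon failures and antimalware service crashes.

Added example for this thread; not part of DDS, ComboFix or any tool the
thread uses. Function and field names are this example's own.
"""
import re
from collections import Counter, defaultdict

# Sample input: eight lines copied from the event list posted in the thread,
# chosen so that every event type the parser recognises appears once or more.
SAMPLE_EVENTS = """\
3/5/2011 12:40:54 PM, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
3/5/2011 1:01:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
3/5/2011 1:01:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
3/5/2011 1:01:24 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr tdx Wanarpv6 WfpLwf
3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
3/5/2011 1:01:24 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2011 10:11:19 PM, Error: Service Control Manager [7000] - The UPnP Device Host service failed to start due to the following error: The service did not start due to a logon failure.
2/27/2011 10:11:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1069" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
"""

# One DDS event line: "<date> <time> <AM|PM>, <Level>: <Source> [<EventID>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
DCOM_RE = re.compile(r'DCOM got error "(?P<code>\d+)" attempting to start the service (?P<svc>\S+)')
DEP_RE = re.compile(
    r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed "
    r"to start because of the following error: (?P<reason>.+)$"
)
DRIVERS_RE = re.compile(r"driver\(s\) failed to load: (?P<names>.+)$")
LOGON_RE = re.compile(r"^The (?P<svc>.+?) service failed to start .*logon failure")
TERM_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")

# Win32 error codes that DCOM event 10005 embeds (Microsoft-defined values).
WIN32_ERRORS = {
    1068: "ERROR_SERVICE_DEPENDENCY_FAIL: a dependency failed to start",
    1069: "ERROR_SERVICE_LOGON_FAILED: the service account could not log on",
    1084: "ERROR_NOT_SAFEBOOT_SERVICE: the service cannot start in Safe Mode",
}


def parse_events(text):
    """Return one dict per well-formed event line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events


def triage(events):
    """Bucket parsed events by what they mean for a malware triage."""
    report = {
        "by_id": Counter(),
        "dcom_errors": defaultdict(list),   # win32 code -> [service, ...]   (event 10005)
        "failed_drivers": [],               # driver names                   (event 7026)
        "dependency_failures": [],          # (service, dependency, reason)  (event 7001)
        "logon_failures": [],               # service names                  (event 7000)
        "unexpected_terminations": [],      # service names                  (event 7031)
    }
    for ev in events:
        msg, eid = ev["msg"], ev["id"]
        report["by_id"][eid] += 1
        if eid == 10005 and (m := DCOM_RE.search(msg)):
            report["dcom_errors"][int(m.group("code"))].append(m.group("svc"))
        elif eid == 7026 and (m := DRIVERS_RE.search(msg)):
            report["failed_drivers"].extend(m.group("names").split())
        elif eid == 7001 and (m := DEP_RE.match(msg)):
            report["dependency_failures"].append((m.group("svc"), m.group("dep"), m.group("reason")))
        elif eid == 7000 and (m := LOGON_RE.match(msg)):
            report["logon_failures"].append(m.group("svc"))
        elif eid == 7031 and (m := TERM_RE.match(msg)):
            report["unexpected_terminations"].append(m.group("svc"))
    return report


def safe_mode_boot_likely(report):
    """True when the boot-time cluster looks like a Safe Mode start: at least one
    DCOM refusal with code 1084 and the network stack drivers (AFD, NetBT) not loaded."""
    refused = bool(report["dcom_errors"].get(1084))
    net_drivers_missing = {"AFD", "NetBT"} & set(report["failed_drivers"])
    return refused and bool(net_drivers_missing)


def summarize(report):
    """Human-readable lines, most triage-relevant first."""
    lines = []
    for svc in report["unexpected_terminations"]:
        lines.append(f"CHECK: '{svc}' terminated unexpectedly (an antimalware service dying is worth a look)")
    for svc in report["logon_failures"]:
        lines.append(f"CHECK: '{svc}' could not log on (service account / password state)")
    for code, svcs in sorted(report["dcom_errors"].items()):
        lines.append(f"DCOM {code} {WIN32_ERRORS.get(code, 'unknown code')}: {', '.join(svcs)}")
    if report["failed_drivers"]:
        lines.append("drivers not loaded: " + " ".join(report["failed_drivers"]))
    for svc, dep, reason in report["dependency_failures"]:
        lines.append(f"'{svc}' blocked by '{dep}' ({reason})")
    if safe_mode_boot_likely(report):
        lines.append("verdict: boot-time cluster is consistent with a Safe Mode restart, not with an infection")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(parse_events(SAMPLE_EVENTS)))))
```

    Run it against the whole Event Viewer block rather than the eight-line sample and the 1:01:24 PM entries collapse into a single driver-load failure with its dependency chain; what is left standing on its own is the 7031 antimalware termination and the upnphost logon failure, which is where a helper's attention belongs.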
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Okay. post logs when finished.
  5. aaronb1232

    aaronb1232 Newcomer, in training Topic Starter Posts: 18

    Hey there,

    I got one file from the ESET scan, a file for one of my eBooks for Game Development. I've gotten this before from other scanners in the past, but I always thought it was just a false-positive. Just to be safe, I got rid of it.

    Here's the ESET Online Scanner Log:
    C:\Users\Aaron\Documents\Game.Design.eBooks.Pack\Programming\Programming AI by Example Source Code.rar probably a variant of Win32/Adware.BHO.KZXQAKS application


    As for ComboFix, I can't get the thing to finish correctly. When I run it, it runs through correctly and scans up through Stage 50 or whatever. Then it says it's preparing a log file. Shortly after this, I get a message that reads like this:

    The following usage of the path operator in batch-parameter
    substitution is invalid: *NXG.vir


    For valid formats type CALL /? or FOR /?
    The syntax of the command is incorrect.

    Note: That *NXG.vir may not be completely accurate--I may have missed a few characters within, but it is consistent, so I can reproduce that error again if you want.

    It doesn't matter if I rename the file, or boot up in Safe Mode. I get this error every time and have to restart because none of the programs will boot up afterwards.

    Any ideas?
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    For the Eset entry:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Users\Aaron\Documents\Game.Design.eBooks.Pack\Programming\Programming AI by Example Source Code.rar
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ======================================
    .NXG File Extension
    Web page created with Netopia eSite Builder NXG, an online Web development environment that provides a WYSIWYG ("What You See Is What You Get") interface for creating and updating Web pages; typically built from an eSite Builder NXG template.
    NOTE: If a Web address ends in ".nxg," the Web page is most likely hosted on a server running eSite Builder.

    The vir designation means it's an infected file. I don't have enough to go on to do anything with that file specifically, but do the following and see if it helps:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    ===================================
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Post the log and then attempt to download Combofix and scan again.
    ===================================
    My question:
    Your reply: (Edited)
    We are referring to 2 different things. My query was about Services Startup Type:
    Start> Run> type in services.msc> enter> Each Services is set with a Startup Type of Automatic, Manual or Disabled.

    You are referring to the Startup menu where processes that are checked start on boot.
  7. aaronb1232

    aaronb1232 Newcomer, in training Topic Starter Posts: 18

    Alright, got ComboFix working this time. One thing I was very alarmed about was it said it had deleted the following folder: c:\windows\system32\Microsoft

    This obviously made me a bit alerted, but I'm unsure if it's doing the right thing here--I'll let you be the judge. The first time I tried running Combofix today after the other steps, it said it started scanning and just stopped there. Nothing would quit the process so I had to hit the manual reset key on the case. Once I rebooted, it scanned and made the log file fine.

    As for the ESET-found file, I had deleted that already after seeing it, so I'm unsure how effective the MoveIt process went, but I ran it anyway.

    No, I don't recall ever changing any values in the Startup menu you showed me now. I've only turned off some start up processes in the menu that I was talking about before.

    Anyway, here are the log files:

    1. MoveIt

    All processes killed
    ========== FILES ==========
    File/Folder C:\Users\Aaron\Documents\Game.Design.eBooks.Pack\Programming\Programming AI by Example Source Code.rar not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Aaron
    ->Temp folder emptied: 656332 bytes
    ->Temporary Internet Files folder emptied: 3200500 bytes
    ->Java cache emptied: 1565929 bytes
    ->FireFox cache emptied: 49490704 bytes
    ->Flash cache emptied: 2825 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 130778 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 52.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 03072011_172258


    2. ExeHelper (I'd run it twice, hence two entries)
    exeHelper by Raktor
    Build 20100414
    Run at 17:36:37 on 03/07/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 17:37:10 on 03/07/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    3. rkill.log

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/07/2011 at 17:35:43.
    Operating System: Windows 7 Professional


    Processes terminated by Rkill or while it was running:



    Rkill completed on 03/07/2011 at 17:35:47.


    4. ComboFix log

    ComboFix 11-03-07.02 - Aaron 03/07/2011 17:54:01.7.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3582.2639 [GMT -5:00]
    Running from: c:\users\Aaron\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\LogFiles\AIT\AitEventLog.etl.001
    c:\windows\system32\LogFiles\AIT\AitEventLog.etl.002
    c:\windows\system32\LogFiles\AIT\AitEventLog.etl.003
    c:\windows\system32\LogFiles\AIT\AitEventLog.etl.004
    c:\windows\system32\LogFiles\AIT\AitEventLog.etl.005
    c:\windows\system32\LogFiles\HTTPERR\httperr1.log
    c:\windows\system32\LogFiles\PunkBuster\pbsvc.log
    c:\windows\system32\LogFiles\PunkBuster\PnkBstrA.log
    c:\windows\system32\LogFiles\PunkBuster\PnkBstrB.log
    c:\windows\system32\LogFiles\Scm\01d0a735-043f-4689-8a32-b95147552789
    c:\windows\system32\LogFiles\Scm\05ee699f-ab25-42d8-8781-558c5d1d2fad
    c:\windows\system32\LogFiles\Scm\071d41b6-8806-4eb0-b661-6cb67be6e86e
    c:\windows\system32\LogFiles\Scm\0d9b5d92-3a22-486d-a887-3aa21597cf27
    c:\windows\system32\LogFiles\Scm\0e12083c-0335-49db-9542-ba1ec6d83ecc
    c:\windows\system32\LogFiles\Scm\1099eb83-e99f-448b-ac8a-3c32f6b2a14c
    c:\windows\system32\LogFiles\Scm\12ec4686-328f-4a90-a635-150e77de3931
    c:\windows\system32\LogFiles\Scm\18e6d428-d26c-4169-bedf-3b5bddc952f6
    c:\windows\system32\LogFiles\Scm\1ec9510d-a439-4950-9399-b6399edf9ea7
    c:\windows\system32\LogFiles\Scm\2375f586-1009-41fb-b54e-30d8af2b781d
    c:\windows\system32\LogFiles\Scm\245c8924-8474-427f-be0a-005087f12bc3
    c:\windows\system32\LogFiles\Scm\24fa84a0-e087-48ec-bc51-2b9c4c815d78
    c:\windows\system32\LogFiles\Scm\28369638-773d-401d-844b-6f2c5b8f5710
    c:\windows\system32\LogFiles\Scm\2bb82a58-8fa7-45bb-8152-e5fe3badc25d
    c:\windows\system32\LogFiles\Scm\2bd05ba6-988d-4bd3-a9cd-9a39f80af524
    c:\windows\system32\LogFiles\Scm\2c59ecaf-3a27-4640-9f4b-519b05bdd70f
    c:\windows\system32\LogFiles\Scm\3223a9d0-d76e-4f01-8b0b-5caee9dd50fb
    c:\windows\system32\LogFiles\Scm\346f9d65-db37-46dd-8be0-3d988c9af1e3
    c:\windows\system32\LogFiles\Scm\367f930a-a3db-4112-b1f1-50e92a171c88
    c:\windows\system32\LogFiles\Scm\3eb5dd61-d014-4cb0-953a-9857f47dd4bc
    c:\windows\system32\LogFiles\Scm\4040e761-8758-4007-b2fe-142b24bf4b16
    c:\windows\system32\LogFiles\Scm\4503e4b3-439b-4736-9c6f-32d55a5f287d
    c:\windows\system32\LogFiles\Scm\48c30bdd-08ca-41a8-a5e7-ab8057bc6d05
    c:\windows\system32\LogFiles\Scm\50fb5a03-0e1e-48de-b8a1-bee9d7d2cd0f
    c:\windows\system32\LogFiles\Scm\5a55fe46-80d5-4687-93e0-6e447a535c39
    c:\windows\system32\LogFiles\Scm\5b184694-64c3-4633-94c5-945b3fa561d6
    c:\windows\system32\LogFiles\Scm\5c2c622f-70e9-4194-a7da-033e827365ad
    c:\windows\system32\LogFiles\Scm\5e421979-0899-4a47-948b-5873bf8888ab
    c:\windows\system32\LogFiles\Scm\60158c7a-6808-42cd-95ee-afd9a57925db
    c:\windows\system32\LogFiles\Scm\6375cc1c-d975-48d2-9cd5-63db19b10d4a
    c:\windows\system32\LogFiles\Scm\65c0755e-358d-4456-b8e8-d6a393e70450
    c:\windows\system32\LogFiles\Scm\6aef0c98-2cb4-4b67-8c70-4c977c7355cc
    c:\windows\system32\LogFiles\Scm\6b7ac694-8d6d-481b-9dd8-2a3a741ada6d
    c:\windows\system32\LogFiles\Scm\718b5099-ce5e-472f-b8ae-317055eab3e8
    c:\windows\system32\LogFiles\Scm\731e9c62-95b5-4c8c-ab64-4cc591c9ff5b
    c:\windows\system32\LogFiles\Scm\73259f86-29d6-42ff-b1e7-634f6e40d4f8
    c:\windows\system32\LogFiles\Scm\7cd854c4-89ca-4022-b3c9-7d9b5049eddb
    c:\windows\system32\LogFiles\Scm\7d3c7871-a917-4ef0-82e8-5f0a96423051
    c:\windows\system32\LogFiles\Scm\845e78d2-61d9-4dd1-a837-e810e300f32f
    c:\windows\system32\LogFiles\Scm\888fbfea-cf0e-4512-b2e1-cd5165e1c669
    c:\windows\system32\LogFiles\Scm\8905ecd8-016f-4dc2-90e6-a5f1fa6a841a
    c:\windows\system32\LogFiles\Scm\8a4cc83d-39c2-472a-a7a9-2d0efc9eac58
    c:\windows\system32\LogFiles\Scm\9334c323-f100-4656-9ba0-e4aa69c0f9c2
    c:\windows\system32\LogFiles\Scm\937ba315-d336-486d-901e-1c46c40fa160
    c:\windows\system32\LogFiles\Scm\98bdbc07-455c-41f5-96b8-6d34a57bd107
    c:\windows\system32\LogFiles\Scm\9adf1ad7-2201-44f8-8dae-247d1f79f1b0
    c:\windows\system32\LogFiles\Scm\9b75c702-ea13-406a-badb-6c588ee4375b
    c:\windows\system32\LogFiles\Scm\9efacbe6-a797-4905-a0c6-014cd3000dbb
    c:\windows\system32\LogFiles\Scm\9f27b292-cff6-44ef-9bda-e8028bd0f207
    c:\windows\system32\LogFiles\Scm\9f54b95f-5096-4803-ae61-e9b3ac5b616d
    c:\windows\system32\LogFiles\Scm\a1cfa52f-06f2-418d-addb-cd6456d66f43
    c:\windows\system32\LogFiles\Scm\a2cfb6f3-b3ae-4971-8e29-c415be22d2e5
    c:\windows\system32\LogFiles\Scm\a316e645-1c56-45a6-bd6a-7dca79778090
    c:\windows\system32\LogFiles\Scm\a6394592-54ce-4e93-8d64-1a068f462632
    c:\windows\system32\LogFiles\Scm\a746df6c-984b-40c8-9453-5eb10dfdd801
    c:\windows\system32\LogFiles\Scm\a9e137a8-6750-4c67-b697-f788f6135892
    c:\windows\system32\LogFiles\Scm\aae80b72-612a-4cb0-981c-3870c3388c43
    c:\windows\system32\LogFiles\Scm\ab771a9f-fb0f-4fa1-8b5f-48186615901e
    c:\windows\system32\LogFiles\Scm\ae4dee48-80cd-4e3a-b5f1-5ed593a0e8dd
    c:\windows\system32\LogFiles\Scm\b9bee219-c29e-4310-819c-147a5a0e045e
    c:\windows\system32\LogFiles\Scm\bba67ad0-4ba0-4b44-827b-ff419b70c057
    c:\windows\system32\LogFiles\Scm\c370ff4d-a2d2-4060-87c4-6077d07519d9
    c:\windows\system32\LogFiles\Scm\c4338053-180e-40bb-8b1a-3fbe6aa33f71
    c:\windows\system32\LogFiles\Scm\c666178e-0e21-45ff-b0d1-a0d707a25c33
    c:\windows\system32\LogFiles\Scm\c8f483cc-4de8-4c0f-82de-d6090bd5bbbe
    c:\windows\system32\LogFiles\Scm\c90440a0-6d8f-423f-8f42-83eef05ce708
    c:\windows\system32\LogFiles\Scm\cd9fdb61-9b9f-41f6-bf75-6b5487c17bd8
    c:\windows\system32\LogFiles\Scm\d21f6024-191f-4454-bbbc-09a650da2549
    c:\windows\system32\LogFiles\Scm\d622195c-d680-4fea-9c56-59660c7c9e94
    c:\windows\system32\LogFiles\Scm\d8bb5b7f-d0ca-4f67-a3d7-73e1d05f63da
    c:\windows\system32\LogFiles\Scm\d9cf7e4f-25de-43eb-9321-8c28a6c387fd
    c:\windows\system32\LogFiles\Scm\dd2dff08-4e05-4713-8da1-806a9f017e4e
    c:\windows\system32\LogFiles\Scm\de8699d2-8a05-42f7-8a85-5162af47d26a
    c:\windows\system32\LogFiles\Scm\de8bae53-2809-4f75-85ef-427d364b9b2c
    c:\windows\system32\LogFiles\Scm\e5c2c523-72c2-4e62-8855-08056315b677
    c:\windows\system32\LogFiles\Scm\e6299119-8eca-44e3-ba3a-272be8bcfa11
    c:\windows\system32\LogFiles\Scm\e6f3a527-8b0b-43fa-94eb-584032761924
    c:\windows\system32\LogFiles\Scm\e79b2998-8f63-451a-a56d-26edc0a5098a
    c:\windows\system32\LogFiles\Scm\e8164c0d-216c-4b6b-9eb8-31bf958b8014
    c:\windows\system32\LogFiles\Scm\f1369a11-e983-4458-b390-712efa1cba44
    c:\windows\system32\LogFiles\Scm\f8aa5a77-9650-4e45-87f3-b468060a3915
    c:\windows\system32\LogFiles\Scm\f93c7104-998a-4a38-b935-775a3138b3c3
    c:\windows\system32\LogFiles\Scm\ffb8486a-9861-4b82-be38-c7f8fb1b6605
    c:\windows\system32\LogFiles\Scm\SCM.EVM
    c:\windows\system32\LogFiles\Scm\SCM.EVM.1
    c:\windows\system32\LogFiles\Scm\SCM.EVM.2
    c:\windows\system32\LogFiles\Scm\SCM.EVM.3
    c:\windows\system32\LogFiles\Scm\SCM.EVM.4
    c:\windows\system32\LogFiles\WMI\Terminal-Services-Core.etl
    c:\windows\system32\LogFiles\WMI\Terminal-Services-IP-Virtualization.etl
    c:\windows\system32\LogFiles\WMI\Terminal-Services-RPC-Client.etl
    c:\windows\system32\LogFiles\WMI\Terminal-Services-Unified-APIs.etl
    c:\windows\system32\LogFiles\WUDF\WUDFTrace.etl
    c:\windows\system32\Microsoft
    c:\windows\system32\Microsoft\Protect\S-1-5-18\d4e9ede5-af8c-4d03-afda-19299978b0db
    c:\windows\system32\Microsoft\Protect\S-1-5-18\Preferred
    c:\windows\system32\Microsoft\Protect\S-1-5-18\User\04ece708-132d-4bf0-a647-e3329269a012
    c:\windows\system32\Microsoft\Protect\S-1-5-18\User\2929ccce-ca90-4d14-9056-6bfc33f2a0e5
    c:\windows\system32\Microsoft\Protect\S-1-5-18\User\bb2e0d45-6c64-4ac2-b6d5-1f16d18f266c
    c:\windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred
    c:\windows\system32\Microsoft\Protect\S-1-5-19\b5ce2028-bb0a-4968-844f-1a744d941bba
    c:\windows\system32\Microsoft\Protect\S-1-5-19\Preferred
    c:\windows\system32\Microsoft\Protect\S-1-5-20\78b9569c-f613-41ec-b695-5b1179f0912f
    c:\windows\system32\Microsoft\Protect\S-1-5-20\cc1820a0-12a3-4e8b-8f89-7b4084b86392
    c:\windows\system32\Microsoft\Protect\S-1-5-20\Preferred
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-07 22:29 . 2011-03-07 22:29 -------- d--h--w- c:\windows\PIF
    2011-03-07 22:22 . 2011-03-07 22:22 -------- d-----w- C:\_OTM
    2011-03-07 19:18 . 2011-03-07 19:18 -------- d-----w- c:\users\Aaron\AppData\Local\Google
    2011-03-07 01:25 . 2011-03-07 19:18 -------- d-----w- c:\program files\Google
    2011-03-07 00:53 . 2011-03-07 00:53 -------- d-----w- c:\users\Aaron\AppData\Local\Thunderbird
    2011-03-06 08:27 . 2011-03-06 08:27 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-06 00:02 . 2011-03-07 22:58 -------- d-----w- c:\users\Aaron\AppData\Local\temp
    2011-03-05 19:52 . 2011-03-05 19:52 -------- d-----w- c:\program files\ESET
    2011-03-04 14:58 . 2011-03-04 14:58 -------- d-----w- c:\program files\Microsoft XNA
    2011-03-04 14:51 . 2011-03-04 14:52 -------- d-----w- c:\users\Aaron\AppData\Local\BIT.TRIP RUNNER
    2011-03-01 16:46 . 2011-03-01 16:46 -------- d-----w- c:\program files\Common Files\Java
    2011-03-01 06:08 . 2011-03-01 06:08 -------- d-----w- C:\The Neverhood + patch (English)
    2011-03-01 05:31 . 2009-11-11 18:15 -------- d-----w- C:\Neverhood Win7 Color Fix
    2011-03-01 05:30 . 2011-03-01 05:30 -------- d-----w- c:\program files\DreamWorks Interactive
    2011-02-28 01:42 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-28 01:42 . 2011-02-28 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-28 01:42 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-26 08:03 . 2011-02-26 08:08 -------- d-----w- c:\program files\Savage XR
    2011-02-23 06:41 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
    2011-02-22 22:32 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-02-22 22:32 . 2011-01-07 07:31 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-21 20:01 . 2011-02-21 20:01 -------- d-----w- c:\program files\BandiMPEG1
    2011-02-21 19:57 . 2011-02-21 19:58 -------- d-----w- c:\program files\Nexon
    2011-02-21 19:11 . 2011-02-21 20:01 -------- d-----w- c:\program files\Vindictus
    2011-02-21 19:10 . 2011-03-07 01:37 -------- d-----w- c:\program files\Pando Networks
    2011-02-15 18:02 . 2011-03-03 19:48 -------- d-----w- c:\program files\MyDefrag v4.3.1
    2011-02-15 02:06 . 2011-02-15 02:06 -------- d-----w- c:\windows\system32\URTTEMP
    2011-02-15 02:01 . 2011-02-15 02:01 669184 ----a-w- c:\windows\system32\pbsvc.exe
    2011-02-11 19:59 . 2011-02-13 23:55 -------- d-----w- c:\program files\Astonsoft
    2011-02-11 00:00 . 2011-02-11 00:00 -------- d-----w- c:\program files\Memorex exPressit Label Design Studio
    2011-02-11 00:00 . 2011-02-11 00:00 -------- d-----w- c:\windows\MVUNINST
    2011-02-11 00:00 . 1996-08-24 16:11 289552 ----a-w- c:\windows\system32\temp.001
    2011-02-11 00:00 . 1993-10-14 22:51 28672 ----a-w- c:\windows\system32\temp.000
    2011-02-10 17:19 . 2011-02-11 00:00 -------- d-----w- c:\users\Aaron\AppData\Local\MicroVision Applications
    2011-02-10 17:18 . 2009-12-15 22:25 487424 ----a-w- c:\windows\system32\msvcp70.dll
    2011-02-10 17:18 . 2002-01-05 07:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
    2011-02-10 17:18 . 2011-02-11 01:11 -------- d-----w- c:\program files\Common Files\SureThing Shared
    2011-02-09 14:21 . 2011-02-09 14:21 -------- d-----w- c:\program files\Notepad++
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-04 14:51 . 2010-11-19 20:49 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-03-04 14:51 . 2010-11-19 20:49 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-03-01 16:45 . 2010-11-18 23:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-15 02:02 . 2010-12-21 02:23 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-02-15 02:02 . 2010-12-21 02:22 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-02-15 02:01 . 2010-12-21 02:22 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-01-15 20:16 . 2010-12-22 03:05 270904 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-01-15 20:11 . 2010-12-21 02:22 215128 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2010-12-21 02:22 . 2010-12-21 02:22 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
    2010-12-18 07:33 . 2010-10-27 07:14 52736 ----a-w- c:\windows\system32\coinst.dll
    2010-12-18 07:33 . 2010-12-18 07:33 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 159744 ----a-w- c:\windows\system32\atitmmxx.dll
    2010-12-18 07:33 . 2010-10-27 07:13 30720 ----a-w- c:\windows\system32\atiuxpag.dll
    2010-12-18 07:33 . 2010-09-29 01:46 4066816 ----a-w- c:\windows\system32\atidxx32.dll
    2010-12-18 07:33 . 2010-09-29 01:13 28672 ----a-w- c:\windows\system32\atiu9pag.dll
    2010-12-18 07:33 . 2010-12-18 07:33 249856 ----a-w- c:\windows\system32\atiadlxx.dll
    2010-12-18 07:33 . 2010-09-29 01:55 550400 ----a-w- c:\windows\system32\aticfx32.dll
    2010-12-18 07:33 . 2010-12-18 07:33 44032 ----a-w- c:\windows\system32\aticalcl.dll
    2010-12-18 07:33 . 2010-12-18 07:33 278528 ----a-w- c:\windows\system32\Oemdspif.dll
    2010-12-18 07:33 . 2010-12-18 07:33 46080 ----a-w- c:\windows\system32\aticalrt.dll
    2010-12-18 07:33 . 2010-12-18 07:33 4122624 ----a-w- c:\windows\system32\atiumdag.dll
    2010-12-18 07:33 . 2010-12-18 07:33 176128 ----a-w- c:\windows\system32\atiesrxx.exe
    2010-12-18 07:33 . 2010-12-18 07:33 6650368 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2010-12-18 07:33 . 2010-12-18 07:33 393216 ----a-w- c:\windows\system32\atieclxx.exe
    2010-12-18 07:33 . 2010-12-18 07:33 143360 ----a-w- c:\windows\system32\atiapfxx.exe
    2010-12-18 07:33 . 2010-12-18 07:33 52736 ----a-w- c:\windows\system32\atimpc32.dll
    2010-12-18 07:33 . 2010-12-18 07:33 52736 ----a-w- c:\windows\system32\amdpcom32.dll
    2010-12-18 07:33 . 2010-12-18 07:33 16702976 ----a-w- c:\windows\system32\atioglxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2010-12-18 07:33 . 2010-12-18 07:33 27136 ----a-w- c:\windows\system32\atigktxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2010-12-18 07:33 . 2010-12-18 07:33 12800 ----a-w- c:\windows\system32\atiglpxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 231936 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2010-12-18 07:33 . 2010-12-18 07:33 15872 ----a-w- c:\windows\system32\atimuixx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 3460096 ----a-w- c:\windows\system32\atiumdva.dll
    2010-12-18 07:33 . 2010-12-18 07:33 5441024 ----a-w- c:\windows\system32\aticaldd.dll
    2010-12-18 07:33 . 2010-12-18 07:33 356352 ----a-w- c:\windows\system32\atipdlxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 102416 ----a-w- c:\windows\system32\drivers\AtihdW73.sys
    2010-12-14 17:27 . 2010-12-14 17:28 111960 ----a-w- c:\windows\dxsdkuninst.exe
    2009-11-20 02:08 . 2009-11-20 02:08 3749224 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
    2009-11-20 02:08 . 2009-11-20 02:08 2941288 ----a-w- c:\program files\Common Files\adlmint.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-29 03:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\steam.exe" [2011-02-06 1242448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-11-26 98304]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
    .
    R1 MpKsl37240fcb;MpKsl37240fcb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl37240fcb.sys [x]
    R1 MpKsl536c0657;MpKsl536c0657;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl536c0657.sys [x]
    R1 MpKsl93161387;MpKsl93161387;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl93161387.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\Drivers\GPWADrv.sys [2010-03-09 571264]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
    R3 SaiKF622;SaiKF622;c:\windows\system32\DRIVERS\SaiKF622.sys [2009-06-02 113664]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2010-10-05 16240]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-18 1343400]
    S1 MpKsl2634ea7e;MpKsl2634ea7e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0255F80-C2BD-4180-A495-57CE4AACC8F9}\MpKsl2634ea7e.sys [2011-03-07 28752]
    S1 MpKslfc2c26d2;MpKslfc2c26d2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0255F80-C2BD-4180-A495-57CE4AACC8F9}\MpKslfc2c26d2.sys [2011-03-07 28752]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-12-18 176128]
    S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2010-10-13 4869488]
    S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2010-10-13 416112]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-12-18 6650368]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-12-18 231936]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-12-18 102416]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    Akamai REG_MULTI_SZ Akamai
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: line6.net
    FF - ProfilePath - c:\users\Aaron\AppData\Roaming\Mozilla\Firefox\Profiles\cwzufi5z.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.homestarrunner.com/
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-GoldenEye: Source - c:\program files\Steam\SteamApps\sourcemods\GoldenEye: Source_Uninstall.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
    "ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_dbc0250.dll"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
    "ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_dbc0250.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3609119862-1929810349-4011554424-1000\Software\SecuROM\License information*]
    "datasecu"=hex:60,62,b7,46,44,82,5c,4d,d7,ab,83,fd,98,e9,27,dd,6b,93,c3,4c,40,
    9f,4c,00,d3,01,7a,87,8f,ac,7f,bb,83,59,bb,71,d4,43,5a,a1,41,0a,78,6f,44,1e,\
    "rkeysecu"=hex:c8,ae,91,d7,23,14,34,ab,b1,8f,92,62,54,88,40,d1
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-03-07 18:01:32
    ComboFix-quarantined-files.txt 2011-03-07 23:01
    .
    Pre-Run: 263,299,129,344 bytes free
    Post-Run: 263,210,582,016 bytes free
    .
    - - End Of File - - 72EDA01AAA158270F09C741F43A71A49
  8. aaronb1232

    aaronb1232 Newcomer, in training Topic Starter Posts: 18

    Uh yeah, it looks like something completely FUBAR'd my comp there. I'm posting on another comp in the house.

    Everything was working fine afterwards, but when I went to restart later in the night (just now), it ran a CHKDSK, went through that, and now when Win7 gets to the user login screen an error message pops up saying "LogonUI.exe devobj.dll not found" or something to that extent. I'm guessing this has something to do with ComboFix outright deleting my Microsoft folder in system32.

    I log in fine after that, but what loads is a black screen with my cursor. I can control alt del out, producing an error again but the ctrl alt del screen afterwards, but I can see nothing on the desktop--no programs or UI are loading; the UI is basically dead at this point.

    So um, are there any options for restoring a Windows 7 install without a total reformat? And if not, is there any way to get my data off before reformatting (I can't see any UI, which makes this difficult)? This kinda sucks and I'm hoping this isn't a case of "If it's not broke, don't fix it."
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\temp.001
    c:\windows\system32\temp.000
    Folder::
    c:\users\Default\AppData\Local\temp
    c:\users\Aaron\AppData\Local\temp
    Extra::
    File::
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    Firefox::
    Firefox-:-Profile- c:\users\Aaron\AppData\Roaming\Mozilla\Firefox\Profiles\cwzufi5z.default\
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    RegNull::
    [HKEY_USERS\S-1-5-21-3609119862-1929810349-4011554424-1000\Software\SecuROM\License information*]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Consider reinstalling the NetFramework> http://support.microsoft.com/kb/908077
    Note reference to this URTTemp folder which is on your system:
    2011-02-15 02:06 -------- d-----w- c:\windows\system32\URTTEMP
    =================================
    Are you using the fast user switching? The combination of the following may be causing a conflict: "LogonUI.exe devobj.dll not found"
    logonui.exe is a Microsoft Logon User Interface. logonui.exe is a system process relating to the Microsoft Windows XP user switching screen.
    devobj.dll is a Microsoft Windows Operating System Device Information Set DLL. The file path is C:\Windows\winsxs\wow64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7600.16385_none_dd4b472f7afdc1a7\
    =================================
    Go ahead and do the backups if needed. When you replace the files, you should run Combofix and Eset again. You have the Ask bar all over the system.

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
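
    The Registry:: block in the CFScript above was written from the ComboFix log posted earlier in this thread; after a System Restore the system state can differ from that log, so a sensible check before running such a script is to confirm that every key and value it targets still appears in the newest log. The following is an added example, not ComboFix's or the helper's own code, that parses a CFScript Registry:: section and a ComboFix "Reg Loading Points" section, reports which script entries are present or missing in the log, and separately flags the UAC policy values that the log shows set to 0 (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop). Both inputs are constructed samples modelled on the log in this thread; the SID in the RegNull:: line is a placeholder.

    ```python
    import re
    from typing import Dict, List, Optional, Set, Tuple

    # Constructed sample: a trimmed "Reg Loading Points" section in the shape ComboFix prints.
    SAMPLE_LOG = r"""
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-29 03:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
    .
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    """

    # Constructed sample: a CFScript fragment in the same shape as the one posted above
    # (the SID under RegNull:: is a placeholder, not a real account SID).
    SAMPLE_SCRIPT = r"""
    File::
    c:\windows\system32\temp.001
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    RegNull::
    [HKEY_USERS\S-1-5-21-0000000000-0000000000-0000000000-1000\Software\SecuROM\License information*]
    """

    KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\...]
    VALUE_RE = re.compile(r'^"([^"]+)"\s*=')           # "name"= ...   or   "name"=-
    POLICY_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\d+)')

    UAC_POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
    # Documented Windows UAC policy values; 0 means UAC off / elevate silently / no secure desktop.
    UAC_WEAK_IF_ZERO = ("enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop")


    def parse_log_registry(text: str) -> Dict[str, Set[str]]:
        """Map each registry key in a ComboFix log (lower-cased) to the value names listed under it."""
        keys: Dict[str, Set[str]] = {}
        current: Optional[str] = None
        for raw in text.splitlines():
            line = raw.strip()
            m = KEY_RE.match(line)
            if m:
                current = m.group(1).lower()
                keys.setdefault(current, set())
                continue
            m = VALUE_RE.match(line)
            if m and current is not None:
                keys[current].add(m.group(1).lower())
        return keys


    def parse_cfscript_registry(text: str) -> List[Tuple[str, Optional[str]]]:
        """Return (key, value_name) pairs from the Registry:: section; value_name is None for a bare key line."""
        entries: List[Tuple[str, Optional[str]]] = []
        in_registry = False
        current: Optional[str] = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.endswith("::"):              # directive header: File::, Registry::, RegNull:: ...
                in_registry = line == "Registry::"
                current = None
                continue
            if not in_registry:
                continue
            m = KEY_RE.match(line)
            if m:
                current = m.group(1).lower()
                entries.append((current, None))
                continue
            m = VALUE_RE.match(line)
            if m and current is not None:
                entries.append((current, m.group(1).lower()))
        return entries


    def reconcile(script_text: str, log_text: str) -> Dict[str, List[str]]:
        """Split the script's registry targets into those the log still shows and those it does not."""
        log_keys = parse_log_registry(log_text)
        present: List[str] = []
        missing: List[str] = []
        for key, value in parse_cfscript_registry(script_text):
            label = key if value is None else f'{key} -> "{value}"'
            if key in log_keys and (value is None or value in log_keys[key]):
                present.append(label)
            else:
                missing.append(label)
        return {"present": present, "missing": missing}


    def uac_findings(log_text: str) -> List[str]:
        """Names of UAC policy values under policies\\system that the log reports as 0."""
        findings: List[str] = []
        current: Optional[str] = None
        for raw in log_text.splitlines():
            line = raw.strip()
            m = KEY_RE.match(line)
            if m:
                current = m.group(1).lower()
                continue
            if current != UAC_POLICY_KEY:
                continue
            m = POLICY_VALUE_RE.match(line)
            if m and m.group(1).lower() in UAC_WEAK_IF_ZERO and int(m.group(2)) == 0:
                findings.append(m.group(1))
        return findings


    if __name__ == "__main__":
        result = reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)
        print("still in log:", *result["present"], sep="\n  ")
        print("not in log:", *result["missing"], sep="\n  ")
        print("UAC values set to 0:", uac_findings(SAMPLE_LOG))
    ```

    Run against the real files, the "not in log" list is what to raise with the helper before running the script, and a non-empty UAC list is worth fixing once the cleanup is done, since with EnableLUA at 0 every program the user launches already runs with full administrator rights.
    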
  10. aaronb1232

    aaronb1232 Newcomer, in training Topic Starter Posts: 18

    Hey there,

    I couldn't get anything working with the FUBAR'd system; the desktop was just a black screen with my mouse cursor, and explorer.exe wouldn't boot up through the Task Manager. I ended up doing a System Restore to before the ComboFix/MoveIt/ExeHelper/Rkill processes. Now everything's up and running again (phew!), but there's obviously the problem of those past actions having no effect now.

    Should I go ahead and repeat the instructions from before, then update with those logs again? Thanks again for all your help through this.
  11. aaronb1232

    aaronb1232 Newcomer, in training Topic Starter Posts: 18

    Alright, so I went ahead and did those processes again for the fact that it's similar circumstances for when I did it last time. This time, I set up System Restore points before each process just in case something went haywire. Luckily for me, Combofix didn't go postal on my OS (and deleted a lot less, at that). I, however, did not yet do the ComboFix with your attached script due to the fact that this new log may change some of the commands you put into the script--I'm unsure for this, so I'll let you be the judge.

    Here are the new logs:
    1. OTMoveIt

    All processes killed
    ========== FILES ==========
    File/Folder C:\Users\Aaron\Documents\Game.Design.eBooks.Pack\Programming\Programming AI by Example Source Code.rar not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Aaron
    ->Temp folder emptied: 625019 bytes
    ->Temporary Internet Files folder emptied: 1664501 bytes
    ->Java cache emptied: 1 bytes
    ->FireFox cache emptied: 45524183 bytes
    ->Flash cache emptied: 4146 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 66248 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 46.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 03082011_164152


    2. RKill
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/08/2011 at 16:52:48.
    Operating System: Windows 7 Professional


    Processes terminated by Rkill or while it was running:



    Rkill completed on 03/08/2011 at 16:52:51.


    3. ExeHelper

    exeHelper by Raktor
    Build 20100414
    Run at 16:54:37 on 03/08/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    4. ComboFix log (without your previous script)

    ComboFix 11-03-08.02 - Aaron 03/08/2011 17:02:56.7.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3582.2671 [GMT -5:00]
    Running from: c:\users\Aaron\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Quicktime\QTTask.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-08 22:08 . 2011-03-08 22:08 -------- d-----w- c:\users\Aaron\AppData\Local\temp
    2011-03-08 22:08 . 2011-03-08 22:08 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-08 17:18 . 2011-03-08 17:18 -------- d-----w- c:\users\Aaron\AppData\Local\Google
    2011-03-08 17:14 . 2011-03-08 17:14 -------- d-----w- c:\program files\VS Revo Group
    2011-03-08 17:09 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7328EE50-5706-4D35-A584-42C495EB5CF6}\mpengine.dll
    2011-03-07 23:43 . 2011-03-07 23:43 -------- d-----w- c:\program files\Stunlock Studios
    2011-03-07 22:29 . 2011-03-07 22:29 -------- d--h--w- c:\windows\PIF
    2011-03-07 22:22 . 2011-03-07 22:22 -------- d-----w- C:\_OTM
    2011-03-07 01:25 . 2011-03-08 17:18 -------- d-----w- c:\program files\Google
    2011-03-07 00:53 . 2011-03-07 00:53 -------- d-----w- c:\users\Aaron\AppData\Roaming\Thunderbird
    2011-03-07 00:53 . 2011-03-07 00:53 -------- d-----w- c:\users\Aaron\AppData\Local\Thunderbird
    2011-03-06 08:19 . 2011-03-08 20:05 -------- d-----w- C:\ironman
    2011-03-05 19:52 . 2011-03-05 19:52 -------- d-----w- c:\program files\ESET
    2011-03-04 14:58 . 2011-03-04 14:58 -------- d-----w- c:\program files\Microsoft XNA
    2011-03-04 14:51 . 2011-03-04 14:52 -------- d-----w- c:\users\Aaron\AppData\Local\BIT.TRIP RUNNER
    2011-03-01 16:46 . 2011-03-01 16:46 -------- d-----w- c:\program files\Common Files\Java
    2011-03-01 06:08 . 2011-03-01 06:08 -------- d-----w- C:\The Neverhood + patch (English)
    2011-03-01 05:31 . 2009-11-11 18:15 -------- d-----w- C:\Neverhood Win7 Color Fix
    2011-03-01 05:30 . 2011-03-01 05:30 -------- d-----w- c:\program files\DreamWorks Interactive
    2011-02-28 01:42 . 2011-02-28 01:42 -------- d-----w- c:\users\Aaron\AppData\Roaming\Malwarebytes
    2011-02-28 01:42 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-28 01:42 . 2011-02-28 01:42 -------- d-----w- c:\programdata\Malwarebytes
    2011-02-28 01:42 . 2011-02-28 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-28 01:42 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-26 08:03 . 2011-02-26 08:08 -------- d-----w- c:\program files\Savage XR
    2011-02-23 06:41 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
    2011-02-22 22:32 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-02-22 22:32 . 2011-01-07 07:31 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-21 22:05 . 2011-02-21 22:05 -------- d-----w- c:\programdata\Nexon
    2011-02-21 20:01 . 2011-02-21 20:01 -------- d-----w- c:\program files\BandiMPEG1
    2011-02-21 19:57 . 2011-02-21 19:58 -------- d-----w- c:\program files\Nexon
    2011-02-21 19:11 . 2011-02-21 20:01 -------- d-----w- c:\program files\Vindictus
    2011-02-21 19:10 . 2011-03-07 01:37 -------- d-----w- c:\program files\Pando Networks
    2011-02-15 18:02 . 2011-03-03 19:48 -------- d-----w- c:\program files\MyDefrag v4.3.1
    2011-02-15 02:06 . 2011-02-15 02:06 -------- d-----w- c:\windows\system32\URTTEMP
    2011-02-15 02:01 . 2011-02-15 02:01 669184 ----a-w- c:\windows\system32\pbsvc.exe
    2011-02-11 20:06 . 2011-02-11 20:33 -------- d-----w- c:\users\Aaron\AppData\Roaming\Nero
    2011-02-11 20:04 . 2011-02-11 20:05 -------- d-----w- c:\programdata\Nero
    2011-02-11 20:00 . 2011-02-11 20:06 -------- d-----w- c:\users\Aaron\AppData\Roaming\DeepBurner
    2011-02-11 19:59 . 2011-02-13 23:55 -------- d-----w- c:\program files\Astonsoft
    2011-02-11 00:00 . 2011-02-11 00:00 -------- d-----w- c:\program files\Memorex exPressit Label Design Studio
    2011-02-11 00:00 . 2011-02-11 00:00 -------- d-----w- c:\windows\MVUNINST
    2011-02-11 00:00 . 1996-08-24 16:11 289552 ----a-w- c:\windows\system32\temp.001
    2011-02-11 00:00 . 1993-10-14 22:51 28672 ----a-w- c:\windows\system32\temp.000
    2011-02-10 23:22 . 2011-02-10 23:22 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-6\markup.dll
    2011-02-10 17:19 . 2011-02-11 00:00 -------- d-----w- c:\users\Aaron\AppData\Local\MicroVision Applications
    2011-02-10 17:18 . 2009-12-15 22:25 487424 ----a-w- c:\windows\system32\msvcp70.dll
    2011-02-10 17:18 . 2002-01-05 07:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
    2011-02-10 17:18 . 2011-02-11 01:11 -------- d-----w- c:\program files\Common Files\SureThing Shared
    2011-02-09 14:21 . 2011-02-09 14:54 -------- d-----w- c:\users\Aaron\AppData\Roaming\Notepad++
    2011-02-09 14:21 . 2011-02-09 14:21 -------- d-----w- c:\program files\Notepad++
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-04 14:51 . 2010-11-19 20:49 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-03-04 14:51 . 2010-11-19 20:49 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-03-01 16:45 . 2010-11-18 23:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-18 23:47 . 2010-11-19 16:29 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2011-02-18 12:31 . 2010-11-19 15:28 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2011-02-15 02:02 . 2010-12-21 02:23 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-02-15 02:02 . 2010-12-21 02:23 22328 ----a-w- c:\users\Aaron\AppData\Roaming\PnkBstrK.sys
    2011-02-15 02:02 . 2010-12-21 02:22 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-02-15 02:01 . 2010-12-21 02:22 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-02-04 12:38 . 2011-02-04 12:38 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-7\markup.dll
    2011-01-29 22:24 . 2011-01-29 22:24 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2011-01-27 18:04 . 2011-01-27 18:04 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{79424082-15F5-40E2-A6C1-122F03393FF7}\gapaengine.dll
    2011-01-26 00:30 . 2009-08-18 16:30 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
    2011-01-26 00:30 . 2009-08-18 16:24 17816 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-01-15 20:16 . 2010-12-22 03:05 270904 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-01-15 20:11 . 2010-12-21 02:22 215128 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-01-13 09:41 . 2011-01-26 23:19 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    2011-01-13 09:41 . 2010-11-18 17:24 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-12-21 02:22 . 2010-12-21 02:22 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
    2010-12-18 07:33 . 2010-10-27 07:14 52736 ----a-w- c:\windows\system32\coinst.dll
    2010-12-18 07:33 . 2010-12-18 07:33 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 159744 ----a-w- c:\windows\system32\atitmmxx.dll
    2010-12-18 07:33 . 2010-10-27 07:13 30720 ----a-w- c:\windows\system32\atiuxpag.dll
    2010-12-18 07:33 . 2010-09-29 01:46 4066816 ----a-w- c:\windows\system32\atidxx32.dll
    2010-12-18 07:33 . 2010-09-29 01:13 28672 ----a-w- c:\windows\system32\atiu9pag.dll
    2010-12-18 07:33 . 2010-12-18 07:33 249856 ----a-w- c:\windows\system32\atiadlxx.dll
    2010-12-18 07:33 . 2010-09-29 01:55 550400 ----a-w- c:\windows\system32\aticfx32.dll
    2010-12-18 07:33 . 2010-12-18 07:33 44032 ----a-w- c:\windows\system32\aticalcl.dll
    2010-12-18 07:33 . 2010-12-18 07:33 278528 ----a-w- c:\windows\system32\Oemdspif.dll
    2010-12-18 07:33 . 2010-12-18 07:33 46080 ----a-w- c:\windows\system32\aticalrt.dll
    2010-12-18 07:33 . 2010-12-18 07:33 4122624 ----a-w- c:\windows\system32\atiumdag.dll
    2010-12-18 07:33 . 2010-12-18 07:33 176128 ----a-w- c:\windows\system32\atiesrxx.exe
    2010-12-18 07:33 . 2010-12-18 07:33 6650368 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2010-12-18 07:33 . 2010-12-18 07:33 393216 ----a-w- c:\windows\system32\atieclxx.exe
    2010-12-18 07:33 . 2010-12-18 07:33 143360 ----a-w- c:\windows\system32\atiapfxx.exe
    2010-12-18 07:33 . 2010-12-18 07:33 52736 ----a-w- c:\windows\system32\atimpc32.dll
    2010-12-18 07:33 . 2010-12-18 07:33 52736 ----a-w- c:\windows\system32\amdpcom32.dll
    2010-12-18 07:33 . 2010-12-18 07:33 16702976 ----a-w- c:\windows\system32\atioglxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2010-12-18 07:33 . 2010-12-18 07:33 27136 ----a-w- c:\windows\system32\atigktxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2010-12-18 07:33 . 2010-12-18 07:33 12800 ----a-w- c:\windows\system32\atiglpxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 231936 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2010-12-18 07:33 . 2010-12-18 07:33 15872 ----a-w- c:\windows\system32\atimuixx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 3460096 ----a-w- c:\windows\system32\atiumdva.dll
    2010-12-18 07:33 . 2010-12-18 07:33 5441024 ----a-w- c:\windows\system32\aticaldd.dll
    2010-12-18 07:33 . 2010-12-18 07:33 356352 ----a-w- c:\windows\system32\atipdlxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 102416 ----a-w- c:\windows\system32\drivers\AtihdW73.sys
    2010-12-14 17:27 . 2010-12-14 17:28 111960 ----a-w- c:\windows\dxsdkuninst.exe
    2010-12-09 17:04 . 2010-12-09 17:04 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2009-11-20 02:08 . 2009-11-20 02:08 3749224 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
    2009-11-20 02:08 . 2009-11-20 02:08 2941288 ----a-w- c:\program files\Common Files\adlmint.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-29 03:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\steam.exe" [2011-02-06 1242448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-11-26 98304]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
    .
    R1 MpKsl37240fcb;MpKsl37240fcb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl37240fcb.sys [x]
    R1 MpKsl536c0657;MpKsl536c0657;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl536c0657.sys [x]
    R1 MpKsl93161387;MpKsl93161387;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl93161387.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\Drivers\GPWADrv.sys [2010-03-09 571264]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
    R3 SaiKF622;SaiKF622;c:\windows\system32\DRIVERS\SaiKF622.sys [2009-06-02 113664]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2010-10-05 16240]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-18 1343400]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-12-18 176128]
    S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2010-10-13 4869488]
    S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2010-10-13 416112]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-12-18 6650368]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-12-18 231936]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-12-18 102416]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    Akamai REG_MULTI_SZ Akamai
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: line6.net
    FF - ProfilePath - c:\users\Aaron\AppData\Roaming\Mozilla\Firefox\Profiles\cwzufi5z.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.homestarrunner.com/
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
    AddRemove-GoldenEye: Source - c:\program files\Steam\SteamApps\sourcemods\GoldenEye: Source_Uninstall.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
    "ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_dbc0250.dll"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
    "ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_dbc0250.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3609119862-1929810349-4011554424-1000\Software\SecuROM\License information*]
    "datasecu"=hex:60,62,b7,46,44,82,5c,4d,d7,ab,83,fd,98,e9,27,dd,6b,93,c3,4c,40,
    9f,4c,00,d3,01,7a,87,8f,ac,7f,bb,83,59,bb,71,d4,43,5a,a1,41,0a,78,6f,44,1e,\
    "rkeysecu"=hex:c8,ae,91,d7,23,14,34,ab,b1,8f,92,62,54,88,40,d1
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-03-08 17:09:26
    ComboFix-quarantined-files.txt 2011-03-08 22:09
    ComboFix2.txt 2011-03-07 23:01
    .
    Pre-Run: 260,218,028,032 bytes free
    Post-Run: 260,411,994,112 bytes free
    .
    - - End Of File - - A178F0B71DCC76EE535C96EC214D2D46


    Should I go ahead and run ComboFix with your previous script, or will you write up a new one in lieu of this new log; or should I proceed otherwise?
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Yes, please.
  13. aaronb1232

    aaronb1232 Newcomer, in training Topic Starter Posts: 18

    Alrighty, here's what I did:

    1. I ran ComboFix with the script, and everything seemed to work out okay.

    2. I ran it again afterwards, and it seemed okay.

    3. I ran another ESET Online Scan, and it didn't find any infected files. I can't post it because I couldn't find the log for it this time around (possibly because it didn't find anything?), so I couldn't copy it to the clipboard.

    When I tried booting Steam and installing something through the Adobe Updater, it ended up giving me strange .dll errors. I attributed this to ComboFix deleting crucial files again, and did another System Restore to before the 2nd ComboFix without the script and the ESET Scan (from my Steps 2 and 3). The first ComboFix is still in effect, and everything seems to be working fine. I've got the logs for both iterations through ComboFix, so maybe you can see if something's up or how I should proceed from here.

    1. First ComboFix run (with your written script)
    ComboFix 11-03-11.02 - Aaron 03/11/2011 20:36:01.8.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3582.2616 [GMT -5:00]
    Running from: C:\Users\Aaron\Desktop\ComboFix.exe
    Command switches used :: C:\Users\Aaron\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    FILE ::
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}"
    "c:\windows\system32\temp.000"
    "c:\windows\system32\temp.001"


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    c:\users\Aaron\AppData\Local\temp
    c:\users\Aaron\AppData\Local\temp\catchme.dll
    c:\users\Aaron\AppData\Local\temp\FXSAPIDebugLogFile.txt
    c:\users\Default\AppData\Local\temp
    c:\windows\system32\temp.000
    c:\windows\system32\temp.001


    ((((((((((((((((((((((((( Files Created from 2011-02-12 to 2011-03-12 )))))))))))))))))))))))))))))))


    2011-03-11 06:08:44 . 2011-03-11 06:08:45 -------- d-----w- C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
    2011-03-10 21:47:03 . 2011-02-11 06:54:53 5943120 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{24D01ACC-8519-49C4-AE85-95D097F293D9}\mpengine.dll
    2011-03-09 18:34:09 . 2011-02-19 05:33:11 802304 ----a-w- C:\Windows\system32\FntCache.dll
    2011-03-09 18:34:09 . 2011-02-19 05:32:48 1074176 ----a-w- C:\Windows\system32\DWrite.dll
    2011-03-09 18:34:09 . 2011-02-19 05:32:35 739840 ----a-w- C:\Windows\system32\d2d1.dll
    2011-03-09 18:34:08 . 2010-12-23 05:28:28 642048 ----a-w- C:\Windows\system32\CPFilters.dll
    2011-03-09 18:34:07 . 2010-12-23 05:28:29 850432 ----a-w- C:\Windows\system32\sbe.dll
    2011-03-09 18:34:07 . 2010-12-23 05:28:28 534528 ----a-w- C:\Windows\system32\EncDec.dll
    2011-03-09 18:34:07 . 2010-12-23 05:24:02 199680 ----a-w- C:\Windows\system32\mpg2splt.ax
    2011-03-09 18:34:07 . 2010-12-18 05:30:20 2690560 ----a-w- C:\Windows\system32\mstscax.dll
    2011-03-09 18:34:06 . 2010-12-18 05:26:55 1034240 ----a-w- C:\Windows\system32\mstsc.exe
    2011-03-08 17:18:47 . 2011-03-08 17:18:47 -------- d-----w- C:\Users\Aaron\AppData\Local\Google
    2011-03-08 17:14:54 . 2011-03-08 17:14:54 -------- d-----w- C:\Program Files\VS Revo Group
    2011-03-07 23:43:06 . 2011-03-07 23:43:06 -------- d-----w- C:\Program Files\Stunlock Studios
    2011-03-07 22:29:22 . 2011-03-07 22:29:22 -------- d--h--w- C:\Windows\PIF
    2011-03-07 22:22:58 . 2011-03-07 22:22:58 -------- d-----w- C:\_OTM
    2011-03-07 01:25:56 . 2011-03-08 17:18:46 -------- d-----w- C:\Program Files\Google
    2011-03-07 00:53:48 . 2011-03-07 00:53:49 -------- d-----w- C:\Users\Aaron\AppData\Roaming\Thunderbird
    2011-03-07 00:53:48 . 2011-03-07 00:53:49 -------- d-----w- C:\Users\Aaron\AppData\Local\Thunderbird
    2011-03-06 08:19:58 . 2011-03-08 20:05:33 -------- d-----w- C:\ironman
    2011-03-05 19:52:25 . 2011-03-05 19:52:25 -------- d-----w- C:\Program Files\ESET
    2011-03-04 14:58:44 . 2011-03-04 14:58:44 -------- d-----w- C:\Program Files\Microsoft XNA
    2011-03-04 14:51:23 . 2011-03-04 14:52:40 -------- d-----w- C:\Users\Aaron\AppData\Local\BIT.TRIP RUNNER
    2011-03-01 16:46:08 . 2011-03-01 16:46:08 -------- d-----w- C:\Program Files\Common Files\Java
    2011-03-01 06:08:28 . 2011-03-01 06:08:58 -------- d-----w- C:\The Neverhood + patch (English)
    2011-03-01 05:31:23 . 2009-11-11 18:15:13 -------- d-----w- C:\Neverhood Win7 Color Fix
    2011-03-01 05:30:18 . 2011-03-01 05:30:18 -------- d-----w- C:\Program Files\DreamWorks Interactive
    2011-02-28 01:42:26 . 2011-02-28 01:42:26 -------- d-----w- C:\Users\Aaron\AppData\Roaming\Malwarebytes
    2011-02-28 01:42:21 . 2010-12-20 23:09:00 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
    2011-02-28 01:42:20 . 2011-02-28 01:42:20 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-02-28 01:42:17 . 2011-02-28 01:42:23 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
    2011-02-28 01:42:17 . 2010-12-20 23:08:40 20952 ----a-w- C:\Windows\system32\drivers\mbam.sys
    2011-02-26 08:03:07 . 2011-02-26 08:08:15 -------- d-----w- C:\Program Files\Savage XR
    2011-02-23 06:41:38 . 2010-09-14 06:07:14 276992 ----a-w- C:\Windows\system32\wcncsvc.dll
    2011-02-22 22:32:58 . 2011-01-07 07:31:10 442880 ----a-w- C:\Windows\system32\XpsPrint.dll
    2011-02-22 22:32:57 . 2011-01-07 07:31:10 288256 ----a-w- C:\Windows\system32\XpsGdiConverter.dll
    2011-02-21 22:05:15 . 2011-02-21 22:05:15 -------- d-----w- C:\ProgramData\Nexon
    2011-02-21 20:01:20 . 2011-02-21 20:01:21 -------- d-----w- C:\Program Files\BandiMPEG1
    2011-02-21 19:57:32 . 2011-02-21 19:58:50 -------- d-----w- C:\Program Files\Nexon
    2011-02-21 19:11:13 . 2011-02-21 20:01:24 -------- d-----w- C:\Program Files\Vindictus
    2011-02-21 19:10:49 . 2011-03-07 01:37:18 -------- d-----w- C:\Program Files\Pando Networks
    2011-02-15 18:02:30 . 2011-03-03 19:48:34 -------- d-----w- C:\Program Files\MyDefrag v4.3.1
    2011-02-15 02:06:09 . 2011-02-15 02:06:09 -------- d-----w- C:\Windows\system32\URTTEMP
    2011-02-15 02:01:44 . 2011-02-15 02:01:46 669184 ----a-w- C:\Windows\system32\pbsvc.exe
    2011-02-11 20:06:13 . 2011-02-11 20:33:13 -------- d-----w- C:\Users\Aaron\AppData\Roaming\Nero
    2011-02-11 20:04:28 . 2011-02-11 20:05:46 -------- d-----w- C:\ProgramData\Nero
    2011-02-11 20:00:20 . 2011-02-11 20:06:25 -------- d-----w- C:\Users\Aaron\AppData\Roaming\DeepBurner
    2011-02-11 19:59:27 . 2011-02-13 23:55:18 -------- d-----w- C:\Program Files\Astonsoft
    2011-02-11 00:00:03 . 2011-02-11 00:00:09 -------- d-----w- C:\Program Files\Memorex exPressit Label Design Studio
    2011-02-11 00:00:03 . 2011-02-11 00:00:05 -------- d-----w- C:\Windows\MVUNINST
    2011-02-10 23:22:51 . 2011-02-10 23:22:51 4277016 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-6\markup.dll
    2011-02-10 17:19:00 . 2011-02-11 00:00:27 -------- d-----w- C:\Users\Aaron\AppData\Local\MicroVision Applications
    2011-02-10 17:18:50 . 2009-12-15 22:25:00 487424 ----a-w- C:\Windows\system32\msvcp70.dll
    2011-02-10 17:18:50 . 2002-01-05 07:37:26 344064 ----a-w- C:\Windows\system32\msvcr70.dll
    2011-02-10 17:18:49 . 2011-02-11 01:11:14 -------- d-----w- C:\Program Files\Common Files\SureThing Shared


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-03-04 14:51:10 . 2010-11-19 20:49:42 444952 ----a-w- C:\Windows\system32\wrap_oal.dll
    2011-03-04 14:51:10 . 2010-11-19 20:49:42 109080 ----a-w- C:\Windows\system32\OpenAL32.dll
    2011-03-01 16:45:46 . 2010-11-18 23:47:51 472808 ----a-w- C:\Windows\system32\deployJava1.dll
    2011-02-18 23:47:42 . 2010-11-19 16:29:16 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2011-02-18 12:31:17 . 2010-11-19 15:28:42 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2011-02-15 02:02:17 . 2010-12-21 02:23:20 22328 ----a-w- C:\Windows\system32\drivers\PnkBstrK.sys
    2011-02-15 02:02:17 . 2010-12-21 02:23:20 22328 ----a-w- C:\Users\Aaron\AppData\Roaming\PnkBstrK.sys
    2011-02-15 02:02:03 . 2010-12-21 02:22:54 103736 ----a-w- C:\Windows\system32\PnkBstrB.exe
    2011-02-15 02:01:46 . 2010-12-21 02:22:53 66872 ----a-w- C:\Windows\system32\PnkBstrA.exe
    2011-02-11 06:54:53 . 2010-11-18 17:24:40 5943120 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-02-04 12:38:07 . 2011-02-04 12:38:07 4277016 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-7\markup.dll
    2011-01-29 22:24:25 . 2011-01-29 22:24:25 737072 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2011-01-27 18:04:32 . 2011-01-27 18:04:48 439632 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{79424082-15F5-40E2-A6C1-122F03393FF7}\gapaengine.dll
    2011-01-26 00:30:38 . 2009-08-18 16:30:38 564632 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\wlidui.dll
    2011-01-26 00:30:36 . 2009-08-18 16:24:10 17816 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-01-15 20:16:02 . 2010-12-22 03:05:20 270904 ----a-w- C:\Windows\system32\PnkBstrB.xtr
    2011-01-15 20:11:14 . 2010-12-21 02:22:54 215128 ----a-w- C:\Windows\system32\PnkBstrB.ex0
    2011-01-13 09:41:52 . 2011-01-26 23:19:42 5890896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    2010-12-21 02:22:53 . 2010-12-21 02:22:53 2434856 ----a-w- C:\Windows\system32\pbsvc_bc2.exe
    2010-12-18 07:33:52 . 2010-10-27 07:14:58 52736 ----a-w- C:\Windows\system32\coinst.dll
    2010-12-18 07:33:50 . 2010-12-18 07:33:50 43520 ----a-w- C:\Windows\system32\ati2edxx.dll
    2010-12-18 07:33:50 . 2010-12-18 07:33:50 159744 ----a-w- C:\Windows\system32\atitmmxx.dll
    2010-12-18 07:33:50 . 2010-10-27 07:13:36 30720 ----a-w- C:\Windows\system32\atiuxpag.dll
    2010-12-18 07:33:50 . 2010-09-29 01:46:06 4066816 ----a-w- C:\Windows\system32\atidxx32.dll
    2010-12-18 07:33:50 . 2010-09-29 01:13:44 28672 ----a-w- C:\Windows\system32\atiu9pag.dll
    2010-12-18 07:33:49 . 2010-12-18 07:33:49 249856 ----a-w- C:\Windows\system32\atiadlxx.dll
    2010-12-18 07:33:49 . 2010-09-29 01:55:02 550400 ----a-w- C:\Windows\system32\aticfx32.dll
    2010-12-18 07:33:47 . 2010-12-18 07:33:46 44032 ----a-w- C:\Windows\system32\aticalcl.dll
    2010-12-18 07:33:45 . 2010-12-18 07:33:45 278528 ----a-w- C:\Windows\system32\Oemdspif.dll
    2010-12-18 07:33:45 . 2010-12-18 07:33:44 46080 ----a-w- C:\Windows\system32\aticalrt.dll
    2010-12-18 07:33:44 . 2010-12-18 07:33:36 4122624 ----a-w- C:\Windows\system32\atiumdag.dll
    2010-12-18 07:33:42 . 2010-12-18 07:33:41 176128 ----a-w- C:\Windows\system32\atiesrxx.exe
    2010-12-18 07:33:41 . 2010-12-18 07:33:28 6650368 ----a-w- C:\Windows\system32\drivers\atikmdag.sys
    2010-12-18 07:33:39 . 2010-12-18 07:33:38 393216 ----a-w- C:\Windows\system32\atieclxx.exe
    2010-12-18 07:33:39 . 2010-12-18 07:33:38 143360 ----a-w- C:\Windows\system32\atiapfxx.exe
    2010-12-18 07:33:38 . 2010-12-18 07:33:38 52736 ----a-w- C:\Windows\system32\atimpc32.dll
    2010-12-18 07:33:38 . 2010-12-18 07:33:38 52736 ----a-w- C:\Windows\system32\amdpcom32.dll
    2010-12-18 07:33:38 . 2010-12-18 07:33:29 16702976 ----a-w- C:\Windows\system32\atioglxx.dll
    2010-12-18 07:33:36 . 2010-12-18 07:33:36 53248 ----a-w- C:\Windows\system32\drivers\ati2erec.dll
    2010-12-18 07:33:36 . 2010-12-18 07:33:36 27136 ----a-w- C:\Windows\system32\atigktxx.dll
    2010-12-18 07:33:30 . 2010-12-18 07:33:29 462848 ----a-w- C:\Windows\system32\ATIDEMGX.dll
    2010-12-18 07:33:29 . 2010-12-18 07:33:28 12800 ----a-w- C:\Windows\system32\atiglpxx.dll
    2010-12-18 07:33:28 . 2010-12-18 07:33:28 231936 ----a-w- C:\Windows\system32\drivers\atikmpag.sys
    2010-12-18 07:33:28 . 2010-12-18 07:33:28 15872 ----a-w- C:\Windows\system32\atimuixx.dll
    2010-12-18 07:33:27 . 2010-12-18 07:33:26 3460096 ----a-w- C:\Windows\system32\atiumdva.dll
    2010-12-18 07:33:27 . 2010-12-18 07:33:22 5441024 ----a-w- C:\Windows\system32\aticaldd.dll
    2010-12-18 07:33:24 . 2010-12-18 07:33:23 356352 ----a-w- C:\Windows\system32\atipdlxx.dll
    2010-12-18 07:33:22 . 2010-12-18 07:33:22 102416 ----a-w- C:\Windows\system32\drivers\AtihdW73.sys
    2010-12-14 17:27:46 . 2010-12-14 17:28:58 111960 ----a-w- C:\Windows\dxsdkuninst.exe
    2009-11-20 02:08:02 . 2009-11-20 02:08:02 3749224 ----a-w- C:\Program Files\Common Files\adlmint_libFNP.dll
    2009-11-20 02:08:02 . 2009-11-20 02:08:02 2941288 ----a-w- C:\Program Files\Common Files\adlmint.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-29 03:44:28 1400712 ----a-w- C:\Program Files\Ask.com\GenericAskToolbar.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="C:\Program Files\Steam\steam.exe" [2011-02-06 00:08:09 1242448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICustomerCare"="C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 21:05:02 311296]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2010-04-12 08:40:16 180224]
    "StartCCC"="c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-11-26 02:32:52 98304]
    "MSC"="c:\Program Files\Microsoft Security Client\msseces.exe" [2010-11-30 18:20:36 997408]
    "SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 19:49:28 249064]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 21:22:02 3739648]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    2008-08-14 12:58:34 611712 ----a-w- C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

    R1 MpKsl37240fcb;MpKsl37240fcb;c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl37240fcb.sys [x]
    R1 MpKsl536c0657;MpKsl536c0657;c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl536c0657.sys [x]
    R1 MpKsl93161387;MpKsl93161387;c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl93161387.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 18:16:28 130384]
    R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);C:\Windows\system32\Drivers\GPWADrv.sys [2010-03-09 22:40:44 571264]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 02:25:38 54144]
    R3 NisSrv;Microsoft Network Inspection;c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 17:26:42 206360]
    R3 SaiKF622;SaiKF622;C:\Windows\system32\DRIVERS\SaiKF622.sys [2009-06-02 20:26:16 113664]
    R3 wacmoumonitor;Wacom Mode Helper;C:\Windows\system32\DRIVERS\wacmoumonitor.sys [2010-10-05 18:26:10 16240]
    R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2010-11-18 07:27:55 1343400]
    S1 MpKslcbeadd24;MpKslcbeadd24;c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{24D01ACC-8519-49C4-AE85-95D097F293D9}\MpKslcbeadd24.sys [2011-03-12 00:40:53 28752]
    S2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe [2009-07-14 01:14:41 20992]
    S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe [2010-12-18 07:33:42 176128]
    S2 TabletServicePen;TabletServicePen;C:\Program Files\Tablet\Pen\Pen_Tablet.exe [2010-10-13 16:40:54 4869488]
    S2 TouchServicePen;Wacom Consumer Touch Service;C:\Program Files\Tablet\Pen\Pen_TouchService.exe [2010-10-13 16:41:00 416112]
    S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2010-12-18 07:33:41 6650368]
    S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys [2010-12-18 07:33:28 231936]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW73.sys [2010-12-18 07:33:22 102416]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 02:25:38 43392]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MPKSLCBEADD24

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    Akamai REG_MULTI_SZ Akamai


    ------- Supplementary Scan -------

    Trusted Zone: line6.net
    FF - ProfilePath - C:\Users\Aaron\AppData\Roaming\Mozilla\Firefox\Profiles\cwzufi5z.default\
    FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.homestarrunner.com/
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}


    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
    "ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_dbc0250.dll"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
    "ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_dbc0250.dll"

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)

    Completion time: 2011-03-11 20:42:04
    ComboFix-quarantined-files.txt 2011-03-12 01:42:03
    ComboFix2.txt 2011-03-08 22:09:26
    ComboFix3.txt 2011-03-07 23:01:32

    Pre-Run: 253,199,138,816 bytes free
    Post-Run: 253,150,289,920 bytes free

    - - End Of File - - E6CB4B00431408D846F3FD98BE5F3C2B

    2. 2nd ComboFix iteration (without script, after first run; currently not in effect because of System Restore)
    ComboFix 11-03-11.02 - Aaron 03/11/2011 21:03:18.9.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3582.2716 [GMT -5:00]
    Running from: c:\users\Aaron\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-12 to 2011-03-12 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-12 02:08 . 2011-03-12 02:08 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-12 01:42 . 2011-03-12 02:08 -------- d-----w- c:\users\Aaron\AppData\Local\temp
    2011-03-11 06:08 . 2011-03-11 06:08 -------- d-----w- c:\windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
    2011-03-10 21:47 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{24D01ACC-8519-49C4-AE85-95D097F293D9}\mpengine.dll
    2011-03-09 18:34 . 2011-02-19 05:33 802304 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-09 18:34 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-09 18:34 . 2011-02-19 05:32 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-03-09 18:34 . 2010-12-23 05:28 642048 ----a-w- c:\windows\system32\CPFilters.dll
    2011-03-09 18:34 . 2010-12-23 05:28 850432 ----a-w- c:\windows\system32\sbe.dll
    2011-03-09 18:34 . 2010-12-23 05:28 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-09 18:34 . 2010-12-23 05:24 199680 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-09 18:34 . 2010-12-18 05:30 2690560 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-09 18:34 . 2010-12-18 05:26 1034240 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-08 17:18 . 2011-03-08 17:18 -------- d-----w- c:\users\Aaron\AppData\Local\Google
    2011-03-08 17:14 . 2011-03-08 17:14 -------- d-----w- c:\program files\VS Revo Group
    2011-03-07 23:43 . 2011-03-07 23:43 -------- d-----w- c:\program files\Stunlock Studios
    2011-03-07 22:29 . 2011-03-07 22:29 -------- d--h--w- c:\windows\PIF
    2011-03-07 22:22 . 2011-03-07 22:22 -------- d-----w- C:\_OTM
    2011-03-07 01:25 . 2011-03-08 17:18 -------- d-----w- c:\program files\Google
    2011-03-07 00:53 . 2011-03-07 00:53 -------- d-----w- c:\users\Aaron\AppData\Roaming\Thunderbird
    2011-03-07 00:53 . 2011-03-07 00:53 -------- d-----w- c:\users\Aaron\AppData\Local\Thunderbird
    2011-03-06 08:19 . 2011-03-08 20:05 -------- d-----w- C:\ironman
    2011-03-05 19:52 . 2011-03-05 19:52 -------- d-----w- c:\program files\ESET
    2011-03-04 14:58 . 2011-03-04 14:58 -------- d-----w- c:\program files\Microsoft XNA
    2011-03-04 14:51 . 2011-03-04 14:52 -------- d-----w- c:\users\Aaron\AppData\Local\BIT.TRIP RUNNER
    2011-03-01 16:46 . 2011-03-01 16:46 -------- d-----w- c:\program files\Common Files\Java
    2011-03-01 06:08 . 2011-03-01 06:08 -------- d-----w- C:\The Neverhood + patch (English)
    2011-03-01 05:31 . 2009-11-11 18:15 -------- d-----w- C:\Neverhood Win7 Color Fix
    2011-03-01 05:30 . 2011-03-01 05:30 -------- d-----w- c:\program files\DreamWorks Interactive
    2011-02-28 01:42 . 2011-02-28 01:42 -------- d-----w- c:\users\Aaron\AppData\Roaming\Malwarebytes
    2011-02-28 01:42 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-28 01:42 . 2011-02-28 01:42 -------- d-----w- c:\programdata\Malwarebytes
    2011-02-28 01:42 . 2011-02-28 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-28 01:42 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-26 08:03 . 2011-02-26 08:08 -------- d-----w- c:\program files\Savage XR
    2011-02-23 06:41 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
    2011-02-22 22:32 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-02-22 22:32 . 2011-01-07 07:31 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-21 22:05 . 2011-02-21 22:05 -------- d-----w- c:\programdata\Nexon
    2011-02-21 20:01 . 2011-02-21 20:01 -------- d-----w- c:\program files\BandiMPEG1
    2011-02-21 19:57 . 2011-02-21 19:58 -------- d-----w- c:\program files\Nexon
    2011-02-21 19:11 . 2011-02-21 20:01 -------- d-----w- c:\program files\Vindictus
    2011-02-21 19:10 . 2011-03-07 01:37 -------- d-----w- c:\program files\Pando Networks
    2011-02-15 18:02 . 2011-03-03 19:48 -------- d-----w- c:\program files\MyDefrag v4.3.1
    2011-02-15 02:06 . 2011-02-15 02:06 -------- d-----w- c:\windows\system32\URTTEMP
    2011-02-15 02:01 . 2011-02-15 02:01 669184 ----a-w- c:\windows\system32\pbsvc.exe
    2011-02-11 20:06 . 2011-02-11 20:33 -------- d-----w- c:\users\Aaron\AppData\Roaming\Nero
    2011-02-11 20:04 . 2011-02-11 20:05 -------- d-----w- c:\programdata\Nero
    2011-02-11 20:00 . 2011-02-11 20:06 -------- d-----w- c:\users\Aaron\AppData\Roaming\DeepBurner
    2011-02-11 19:59 . 2011-02-13 23:55 -------- d-----w- c:\program files\Astonsoft
    2011-02-11 00:00 . 2011-02-11 00:00 -------- d-----w- c:\program files\Memorex exPressit Label Design Studio
    2011-02-11 00:00 . 2011-02-11 00:00 -------- d-----w- c:\windows\MVUNINST
    2011-02-10 23:22 . 2011-02-10 23:22 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-6\markup.dll
    2011-02-10 17:19 . 2011-02-11 00:00 -------- d-----w- c:\users\Aaron\AppData\Local\MicroVision Applications
    2011-02-10 17:18 . 2009-12-15 22:25 487424 ----a-w- c:\windows\system32\msvcp70.dll
    2011-02-10 17:18 . 2002-01-05 07:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
    2011-02-10 17:18 . 2011-02-11 01:11 -------- d-----w- c:\program files\Common Files\SureThing Shared
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-04 14:51 . 2010-11-19 20:49 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-03-04 14:51 . 2010-11-19 20:49 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-03-01 16:45 . 2010-11-18 23:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-18 23:47 . 2010-11-19 16:29 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2011-02-18 12:31 . 2010-11-19 15:28 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2011-02-15 02:02 . 2010-12-21 02:23 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-02-15 02:02 . 2010-12-21 02:23 22328 ----a-w- c:\users\Aaron\AppData\Roaming\PnkBstrK.sys
    2011-02-15 02:02 . 2010-12-21 02:22 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-02-15 02:01 . 2010-12-21 02:22 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-02-11 06:54 . 2010-11-18 17:24 5943120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-02-04 12:38 . 2011-02-04 12:38 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-7\markup.dll
    2011-01-29 22:24 . 2011-01-29 22:24 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2011-01-27 18:04 . 2011-01-27 18:04 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{79424082-15F5-40E2-A6C1-122F03393FF7}\gapaengine.dll
    2011-01-26 00:30 . 2009-08-18 16:30 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
    2011-01-26 00:30 . 2009-08-18 16:24 17816 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-01-15 20:16 . 2010-12-22 03:05 270904 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-01-15 20:11 . 2010-12-21 02:22 215128 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-01-13 09:41 . 2011-01-26 23:19 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    2010-12-21 02:22 . 2010-12-21 02:22 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
    2010-12-18 07:33 . 2010-10-27 07:14 52736 ----a-w- c:\windows\system32\coinst.dll
    2010-12-18 07:33 . 2010-12-18 07:33 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 159744 ----a-w- c:\windows\system32\atitmmxx.dll
    2010-12-18 07:33 . 2010-10-27 07:13 30720 ----a-w- c:\windows\system32\atiuxpag.dll
    2010-12-18 07:33 . 2010-09-29 01:46 4066816 ----a-w- c:\windows\system32\atidxx32.dll
    2010-12-18 07:33 . 2010-09-29 01:13 28672 ----a-w- c:\windows\system32\atiu9pag.dll
    2010-12-18 07:33 . 2010-12-18 07:33 249856 ----a-w- c:\windows\system32\atiadlxx.dll
    2010-12-18 07:33 . 2010-09-29 01:55 550400 ----a-w- c:\windows\system32\aticfx32.dll
    2010-12-18 07:33 . 2010-12-18 07:33 44032 ----a-w- c:\windows\system32\aticalcl.dll
    2010-12-18 07:33 . 2010-12-18 07:33 278528 ----a-w- c:\windows\system32\Oemdspif.dll
    2010-12-18 07:33 . 2010-12-18 07:33 46080 ----a-w- c:\windows\system32\aticalrt.dll
    2010-12-18 07:33 . 2010-12-18 07:33 4122624 ----a-w- c:\windows\system32\atiumdag.dll
    2010-12-18 07:33 . 2010-12-18 07:33 176128 ----a-w- c:\windows\system32\atiesrxx.exe
    2010-12-18 07:33 . 2010-12-18 07:33 6650368 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2010-12-18 07:33 . 2010-12-18 07:33 393216 ----a-w- c:\windows\system32\atieclxx.exe
    2010-12-18 07:33 . 2010-12-18 07:33 143360 ----a-w- c:\windows\system32\atiapfxx.exe
    2010-12-18 07:33 . 2010-12-18 07:33 52736 ----a-w- c:\windows\system32\atimpc32.dll
    2010-12-18 07:33 . 2010-12-18 07:33 52736 ----a-w- c:\windows\system32\amdpcom32.dll
    2010-12-18 07:33 . 2010-12-18 07:33 16702976 ----a-w- c:\windows\system32\atioglxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2010-12-18 07:33 . 2010-12-18 07:33 27136 ----a-w- c:\windows\system32\atigktxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2010-12-18 07:33 . 2010-12-18 07:33 12800 ----a-w- c:\windows\system32\atiglpxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 231936 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2010-12-18 07:33 . 2010-12-18 07:33 15872 ----a-w- c:\windows\system32\atimuixx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 3460096 ----a-w- c:\windows\system32\atiumdva.dll
    2010-12-18 07:33 . 2010-12-18 07:33 5441024 ----a-w- c:\windows\system32\aticaldd.dll
    2010-12-18 07:33 . 2010-12-18 07:33 356352 ----a-w- c:\windows\system32\atipdlxx.dll
    2010-12-18 07:33 . 2010-12-18 07:33 102416 ----a-w- c:\windows\system32\drivers\AtihdW73.sys
    2010-12-14 17:27 . 2010-12-14 17:28 111960 ----a-w- c:\windows\dxsdkuninst.exe
    2009-11-20 02:08 . 2009-11-20 02:08 3749224 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
    2009-11-20 02:08 . 2009-11-20 02:08 2941288 ----a-w- c:\program files\Common Files\adlmint.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-29 03:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\steam.exe" [2011-02-06 1242448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-11-26 98304]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
    .
    R1 MpKsl37240fcb;MpKsl37240fcb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl37240fcb.sys [x]
    R1 MpKsl536c0657;MpKsl536c0657;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl536c0657.sys [x]
    R1 MpKsl93161387;MpKsl93161387;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{13DC7D22-5490-40CC-873A-F39D2DF5EB9C}\MpKsl93161387.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\Drivers\GPWADrv.sys [2010-03-09 571264]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
    R3 SaiKF622;SaiKF622;c:\windows\system32\DRIVERS\SaiKF622.sys [2009-06-02 113664]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2010-10-05 16240]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-18 1343400]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-12-18 176128]
    S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2010-10-13 4869488]
    S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2010-10-13 416112]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-12-18 6650368]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-12-18 231936]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-12-18 102416]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    Akamai REG_MULTI_SZ Akamai
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: line6.net
    FF - ProfilePath - c:\users\Aaron\AppData\Roaming\Mozilla\Firefox\Profiles\cwzufi5z.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.homestarrunner.com/
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
    "ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_dbc0250.dll"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
    "ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_dbc0250.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(5884)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    .
    Completion time: 2011-03-11 21:09:44
    ComboFix-quarantined-files.txt 2011-03-12 02:09
    ComboFix2.txt 2011-03-12 01:42
    ComboFix3.txt 2011-03-08 22:09
    ComboFix4.txt 2011-03-07 23:01
    .
    Pre-Run: 253,176,127,488 bytes free
    Post-Run: 253,123,694,592 bytes free
    .
    - - End Of File - - 499A2FD0B57BC79DC0C7955269A4DDFD
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    You undid everything we've done previously! Who instructed you to do a System restore?

    After the script is run, Combofix generates a new log. Those are the logs you should have left, not run Combofix again!
    What made you decide to install something in the middle of a cleaning and then, when it wouldn't work, make an assumption and act on it!

    I don't have time to read multiple 'before and after' sets of logs because you got impatient.

    What are you referring to about Combofix deleting crucial logs, again?

    No wonder Trojans keep coming back! You are restoring the Trojans!

    Support is ended for this thread.