TechSpot

Constant drop in FPS in almost every MMO that I played. (logs included)

By MalwareNewbie
Mar 15, 2011
  1. Every time I start playing an MMO, my FPS is normal and steady, but later on there is a huge, tremendous drop in my FPS for 5 minutes, then it goes back to normal, and this repeats. For example, I would get a constant 99 FPS on 1.6, but a little later it would drop to 20-30 FPS for 5 minutes and then go back up. This situation also happened in BioShock single-player mode.

    Mbam Logs

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6069

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    3/15/2011 4:29:34 PM
    mbam-log-2011-03-15 (16-29-34).txt

    Scan type: Quick scan
    Objects scanned: 155098
    Time elapsed: 4 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\programdata\55677939 (Rogue.Multiple) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)

    Gmer Logs
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-03-15 16:47:55
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\00000082 WDC_WD50 rev.12.0
    Running: 7g0u16k8.exe; Driver: C:\Users\Michael\AppData\Local\Temp\uwldifow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdePort0 8620B1F8
    Device \Driver\atapi \Device\Ide\IdePort1 8620B1F8
    Device \Driver\alql8wb7 \Device\Scsi\alql8wb71 87C3B1F8
    Device \Driver\alql8wb7 \Device\Scsi\alql8wb71Port5Path0Target0Lun0 87C3B1F8
    Device \FileSystem\Ntfs \Ntfs 8620E1F8

    AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    ---- EOF - GMER 1.0.15 ----

    DDS logs


    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Michael at 16:50:11.90 on 03/15/2011 Tue
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_20
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    AV: Trend Micro Internet Security Pro *Disabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
    SP: Trend Micro Internet Security Pro *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\IOI\ButtonMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Razer\Mamba\RazerTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Windows\System32\svchost.exe -k Akamai
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\Program Files\Hotspot Shield\bin\hsswd.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
    C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
    c:\Program Files\tbh\base\bin\tbhDaemon.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Hotspot Shield\bin\openvpntray.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Michael\Downloads\dds.scr
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.ask.com/?o=101760&l=dis
    uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
    uSearch Bar = hxxp://www.google.com/ie
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
    mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
    uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [NCsoft Launcher] c:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
    uRun: [googletalk] c:\users\michael\appdata\roaming\google\google talk\googletalk.exe /autostart
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
    uRun: [Steam] "c:\program files\steam2\Steam.exe" -silent
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [ButtonMonitor] c:\program files\ioi\ButtonMonitor.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [Razer Mamba Driver] c:\program files\razer\mamba\RazerTray.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [tbhSystray] c:\program files\tbh\base\bin\tbhSystray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
    mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\users\michael\appdata\roaming\micros~1\windows\startm~1\programs\startup\my_aut~1.lnk - c:\program files\warkeys\autowarkey\autohotkey\AutoHotkey.exe
    StartupFolder: c:\users\michael\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    TCP: {56AE0D82-F326-430B-A969-118E73D932B3} = 68.94.156.1,68.94.157.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\michael\appdata\roaming\mozilla\firefox\profiles\6vkuwr3k.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.wordsmith.org/
    FF - prefs.js: keyword.URL - hxxp://click.w3i.com/?Programid=132&Elementname=Keyword&Applicationid={28CE2055-8015-4796-A589-884C3F057463}&Version=3.6.3&Vintage=20100209&Defaultbrowserid=15&Productid=1704&Vendorid=3852&Offerid=6693&searchterm=
    FF - prefs.js: keyword.enabled - false
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiCHPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPMFireLauncher.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\windows\system32\npOGPPlugin.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ---- FIREFOX POLICIES ----
    pref(dom.disable_open_during_load, true); FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    ============= SERVICES / DRIVERS ===============
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
    R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2010-8-8 146448]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-3-14 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-14 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-14 61960]
    R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-12-6 1238408]
    R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
    R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [2011-2-14 2304]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-1-7 378984]
    R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
    R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-7-6 173352]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-8-10 36368]
    R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2010-8-8 283152]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-19 24652]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
    S2 avg9emc;AVG Free E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
    S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate1c9f610cba8061f;Google Update Service (gupdate1c9f610cba8061f);c:\program files\google\update\GoogleUpdate.exe [2009-6-25 133104]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-2-26 30192]
    S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-8-8 51792]
    S3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-8-8 497008]
    S3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-8-8 689416]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 XDva346;XDva346;c:\windows\system32\XDva346.sys [2010-4-18 70728]
    .
    =============== Created Last 30 ================
    .
    2011-03-15 23:18:29 -------- d-----w- c:\users\michael\appdata\roaming\Malwarebytes
    2011-03-15 23:18:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-15 23:18:20 -------- d-----w- c:\progra~2\Malwarebytes
    2011-03-15 23:18:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-15 23:18:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-15 06:43:29 -------- d-----w- c:\users\michael\appdata\roaming\Avira
    2011-03-15 06:41:29 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-15 06:41:29 -------- d-----w- c:\program files\Avira
    2011-03-15 06:41:29 -------- d-----w- c:\progra~2\Avira
    2011-03-15 01:59:45 -------- d-----w- C:\Perfect World Entertainment
    2011-03-11 09:30:06 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{2fef1a64-392f-462e-9b83-7fa1a58ac745}\mpengine.dll
    2011-03-06 16:00:17 -------- d-----w- c:\program files\Gravity
    2011-02-17 22:43:55 -------- d-----w- c:\users\michael\appdata\local\Turbine
    2011-02-17 22:42:25 -------- d-----w- c:\users\michael\appdata\local\ApplicationHistory
    2011-02-17 22:40:51 -------- d-----w- c:\windows\system32\URTTEMP
    2011-02-17 22:29:49 -------- d-----w- c:\program files\Turbine
    2011-02-17 04:34:07 -------- d-----w- c:\users\michael\Tracing
    2011-02-17 03:12:22 -------- d-----w- C:\Riot Games
    2011-02-16 06:05:21 -------- d-----w- c:\progra~2\NVIDIA Corporation
    2011-02-16 06:04:24 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
    2011-02-16 06:04:24 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
    2011-02-16 06:04:24 57960 ----a-w- c:\windows\system32\OpenCL.dll
    2011-02-16 06:04:24 5653096 ----a-w- c:\windows\system32\nvwgf2um.dll
    2011-02-16 06:04:24 4941928 ----a-w- c:\windows\system32\nvcuda.dll
    2011-02-16 06:04:24 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-02-16 06:04:24 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-02-16 06:04:24 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
    2011-02-16 06:04:24 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
    2011-02-16 06:04:24 10467656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2011-02-16 02:44:35 -------- d-----w- C:\Atlus Online
    2011-02-15 08:50:48 -------- d-----w- c:\program files\common files\Software Update Utility
    2011-02-15 00:20:07 -------- d-----w- c:\program files\Stunlock Studios
    2011-02-15 00:15:05 -------- d-----w- c:\program files\Microsoft XNA
    2011-02-14 23:52:22 2304 ----a-w- c:\windows\system32\HtsysmNT.sys
    .
    ==================== Find3M ====================
    .
    2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-08 05:06:44 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
    2011-01-08 05:06:34 3597416 ----a-w- c:\windows\system32\nvcpl.dll
    2011-01-08 05:06:14 2620520 ----a-w- c:\windows\system32\nvsvc.dll
    2011-01-08 05:06:02 608872 ----a-w- c:\windows\system32\nvvsvc.exe
    2011-01-08 05:06:02 111208 ----a-w- c:\windows\system32\nvmctray.dll
    2011-01-08 03:27:00 1965672 ----a-w- c:\windows\system32\nvapi.dll
    2011-01-08 03:27:00 10078312 ----a-w- c:\windows\system32\nvd3dum.dll
    .
    ============= FINISH: 16:51:01.38 ===============

    Attach Logs
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    .
    Motherboard: ECS | | MCP61PM-GM
    Processor: AMD Phenom(tm) 9500 Quad-Core Processor | Socket AM2 | 2200/235mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 455 GiB total, 206.544 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 5.185 GiB free.
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 8.1.2
    Adobe Setup
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Agere Systems PCI-SV92PP Soft Modem
    AIM 7
    AIM Toolbar
    Akamai NetSession Interface
    Alien Swarm
    ALZip
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Avira AntiVir Personal - Free Antivirus
    Bandisoft MPEG-1 Decoder
    BioShock
    BioShock 2
    Bloodline Champions
    Bonjour
    Borderlands
    Browser Address Error Redirector
    Browser Highlighter - Firefox
    Compatibility Pack for the 2007 Office system
    Condition Zero
    Counter-Strike
    Counter-Strike: Source
    Diablo II
    DivX Setup
    Download Updater (AOL LLC)
    Dragon Saga
    Dungeons & Dragons Online ョ: Eberron Unlimited ・v01.13.01.801
    Dystopia
    ffdshow
    Garena
    Gateway Connect
    Gateway Games
    Gateway Recovery Center Installer
    GGPO
    Google Chrome
    Google Desktop
    Google Talk (remove only)
    Google Toolbar for Internet Explorer
    Google Update Helper
    Half-Life 2: Episode One
    Half-Life 2: Episode Two
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotspot Shield 1.52
    ijji
    ijji - Gunz
    ijji FireFox Launcher 1.0
    ijji REACTOR
    IrisOnline
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) 6 Update 4
    Java(TM) 6 Update 5
    Junk Mail filter update
    Killing Floor
    LabelPrint
    League of Legends
    LogMeIn Hamachi
    LSI PCI-SV92PP Soft Modem
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Money Essentials
    Microsoft Money Shared Libraries
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office Live Add-in 1.5
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Microsoft XNA Framework Redistributable 3.1
    mIRC
    Mozilla Firefox (3.6.15)
    MSVCRT
    My.Freeze.com NetAssistant
    My.Freeze.com NetAssistant for Firefox
    Nexon Game Manager
    NVIDIA 3D Vision Driver 266.58
    NVIDIA Control Panel 266.58
    NVIDIA Drivers
    NVIDIA Graphics Driver 266.58
    NVIDIA Install Application
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.10.0514
    NVIDIA Stereoscopic 3D Driver
    OGA Notifier 2.0.0048.0
    Pando Media Booster
    PandoraSaga version 1.0
    PDF Settings
    Portal
    Power2Go 5.0
    Prototype(TM)
    PVSonyDll
    Python 2.7
    QuickTime
    Railroad Tycoon 2: Platinum
    Razer Mamba
    RealPlayer
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Sid Meier's Civilization III: Complete
    Sid Meier's Civilization IV
    Sid Meier's Pirates!
    Skype? 5.1
    Smart Copy
    Starcraft
    Steam
    Stronghold
    Stronghold 2
    Stronghold Crusader + Extreme
    Stronghold Legends
    SUPERAntiSpyware Free Edition
    Team Fortress 2
    TeamSpeak 3 Client
    TeamViewer 5
    Trend Micro Internet Security Pro
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VC80CRTRedist - 8.0.50727.4053
    Ventrilo Client
    Viewpoint Media Player
    Warcraft III
    Warcraft III: All Products
    Winamp
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Mail
    Windows Live Messenger
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Player Firefox Plugin
    WinPcap 4.0.2
    WinRAR archiver
    Xfire (remove only)
    Yahoo! Software Update
    Yahoo! Toolbar
    YVD
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware.

    Please run the following: Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===============================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Additionally, if you are using any file sharing programs, please disable or uninstall while I am helping you.
    ===================
    FPF=?
     
  3. MalwareNewbie

    MalwareNewbie TS Rookie Topic Starter

    Thanks for the reply, here are the logs.

    eset logs


    C:\Program Files\Garena\plugins\UI\GEngine.dll probably a variant of Win32/Agent.LIJKDGU trojan
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application

    Combofix logs

    ComboFix 11-03-16.01 - Michael 6/2011 Wed 19:03:05.1.4 - x86
    Running from: c:\users\Michael\Downloads\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    AV: Trend Micro Internet Security Pro *Disabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
    FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Trend Micro Internet Security Pro *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Michael\AppData\Roaming\Kaspersky_Key_Finder_(KKF
    c:\users\Michael\AppData\Roaming\Kaspersky_Key_Finder_(KKF\Kaspersky_Key_Finder_V1.5_Url_k2iwexdtd4ybmkjvxm5z2u3smrbe2qb5\1.5.0.0\user.config
    c:\windows\system32\Config.ini
    c:\windows\system32\service
    c:\windows\system32\service\09082010_TIS17_SfFniAU.log
    c:\windows\system32\service\12092010_TIS17_SfFniAU.log
    D:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-17 to 2011-03-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-17 02:11 . 2011-03-17 02:11 -------- d-----w- c:\users\Michael\AppData\Local\temp
    2011-03-17 02:11 . 2011-03-17 02:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-16 05:46 . 2011-03-16 05:46 -------- d-----w- c:\program files\ESET
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\users\Michael\AppData\Roaming\Malwarebytes
    2011-03-15 23:18 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-15 23:18 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-15 06:43 . 2011-03-15 06:43 -------- d-----w- c:\users\Michael\AppData\Roaming\Avira
    2011-03-15 06:41 . 2011-03-16 23:12 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-03-15 06:41 . 2011-03-15 06:41 -------- d-----w- c:\programdata\Avira
    2011-03-15 06:41 . 2011-03-15 06:41 -------- d-----w- c:\program files\Avira
    2011-03-15 06:41 . 2011-01-10 21:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-15 01:59 . 2011-03-15 01:59 -------- d-----w- C:\Perfect World Entertainment
    2011-03-13 23:14 . 2011-03-13 23:14 -------- d-----w- c:\program files\Common Files\Skype
    2011-03-11 09:30 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2FEF1A64-392F-462E-9B83-7FA1A58AC745}\mpengine.dll
    2011-03-06 16:00 . 2011-03-06 16:00 -------- d-----w- c:\program files\Gravity
    2011-02-17 22:43 . 2011-02-17 22:45 -------- d-----w- c:\users\Michael\AppData\Local\Turbine
    2011-02-17 22:42 . 2011-02-20 00:08 -------- d-----w- c:\users\Michael\AppData\Local\ApplicationHistory
    2011-02-17 22:40 . 2011-02-17 22:40 -------- d-----w- c:\windows\system32\URTTEMP
    2011-02-17 22:29 . 2011-02-17 22:29 -------- d-----w- c:\program files\Turbine
    2011-02-17 04:34 . 2011-03-15 23:16 -------- d-----w- c:\users\Michael\Tracing
    2011-02-17 03:12 . 2011-02-17 03:12 -------- d-----w- C:\Riot Games
    2011-02-16 06:05 . 2011-02-16 06:05 -------- d-----w- c:\programdata\NVIDIA Corporation
    2011-02-16 06:04 . 2011-01-08 03:27 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
    2011-02-16 06:04 . 2011-01-08 03:27 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
    2011-02-16 06:04 . 2011-01-08 03:27 57960 ----a-w- c:\windows\system32\OpenCL.dll
    2011-02-16 06:04 . 2011-01-08 03:27 5653096 ----a-w- c:\windows\system32\nvwgf2um.dll
    2011-02-16 06:04 . 2011-01-08 03:27 4941928 ----a-w- c:\windows\system32\nvcuda.dll
    2011-02-16 06:04 . 2011-01-08 03:27 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-02-16 06:04 . 2011-01-08 03:27 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-02-16 06:04 . 2011-01-08 03:27 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
    2011-02-16 06:04 . 2011-01-08 03:27 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
    2011-02-16 06:04 . 2011-01-08 03:27 10467656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2011-02-16 02:44 . 2011-02-16 02:44 -------- d-----w- C:\Atlus Online
    2011-02-15 08:50 . 2011-02-15 08:50 -------- d-----w- c:\program files\Common Files\Software Update Utility
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-03 01:11 . 2009-11-21 16:12 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-08 05:06 . 2011-01-08 05:06 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
    2011-01-08 05:06 . 2011-01-08 05:06 3597416 ----a-w- c:\windows\system32\nvcpl.dll
    2011-01-08 05:06 . 2011-01-08 05:06 2620520 ----a-w- c:\windows\system32\nvsvc.dll
    2011-01-08 05:06 . 2011-01-08 05:06 608872 ----a-w- c:\windows\system32\nvvsvc.exe
    2011-01-08 05:06 . 2011-01-08 05:06 111208 ----a-w- c:\windows\system32\nvmctray.dll
    2011-01-08 03:27 . 2011-02-16 06:04 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
    2011-01-08 03:27 . 2008-12-26 05:08 10078312 ----a-w- c:\windows\system32\nvd3dum.dll
    2011-01-08 03:27 . 2008-02-26 17:34 1965672 ----a-w- c:\windows\system32\nvapi.dll
    2010-08-31 01:59 . 2008-08-20 20:37 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-09-30 01:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-30 325000]
    .
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-30 325000]
    .
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-17 39408]
    "googletalk"="c:\users\Michael\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-14 2002160]
    "Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]
    "Steam"="c:\program files\steam2\Steam.exe" [2010-11-21 1242448]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-27 15026056]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-10-31 4702208]
    "ButtonMonitor"="c:\program files\IOI\ButtonMonitor.exe" [2007-05-11 53248]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-31 30192]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "Razer Mamba Driver"="c:\program files\Razer\Mamba\RazerTray.exe" [2009-03-15 3274584]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-16 198160]
    "tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2011-03-13 492840]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-12-06 1910152]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]
    .
    c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    My_AutoWarkey_Script.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [N/A]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
    2011-01-23 01:15 3046808 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [x]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [x]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [x]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate1c9f610cba8061f;Google Update Service (gupdate1c9f610cba8061f);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 133104]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-31 30192]
    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-12-16 3453712]
    R3 TKFsAc;TKFsAc;c:\windows\system32\TKFsAc2k.sys [x]
    R3 TKFsAv;TKFsAv;c:\windows\system32\TKFsAv2k.sys [x]
    R3 TKFsFt;TKFsFt;c:\windows\system32\TKFsFt2k.sys [x]
    R3 TKRgAc;TKRgAc;c:\windows\system32\TKRgAc2k.sys [x]
    R3 TKRgFt;TKRgFt;c:\windows\system32\TKRgFtXp.sys [x]
    R3 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-07-19 51792]
    R3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2010-08-09 497008]
    R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2010-08-09 689416]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 XDva143;XDva143;c:\windows\system32\XDva143.sys [x]
    R3 XDva208;XDva208;c:\windows\system32\XDva208.sys [x]
    R3 XDva223;XDva223;c:\windows\system32\XDva223.sys [x]
    R3 XDva296;XDva296;c:\windows\system32\XDva296.sys [x]
    R3 XDva310;XDva310;c:\windows\system32\XDva310.sys [x]
    R3 XDva311;XDva311;c:\windows\system32\XDva311.sys [x]
    R3 XDva323;XDva323;c:\windows\system32\XDva323.sys [x]
    R3 XDva337;XDva337;c:\windows\system32\XDva337.sys [x]
    R3 XDva343;XDva343;c:\windows\system32\XDva343.sys [x]
    R3 XDva344;XDva344;c:\windows\system32\XDva344.sys [x]
    R3 XDva346;XDva346;c:\windows\system32\XDva346.sys [2010-04-18 70728]
    R3 XDva349;XDva349;c:\windows\system32\XDva349.sys [x]
    R3 XDva351;XDva351;c:\windows\system32\XDva351.sys [x]
    R3 XDva370;XDva370;c:\windows\system32\XDva370.sys [x]
    R3 XDva375;XDva375;c:\windows\system32\XDva375.sys [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-01-13 717296]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-09-15 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-09-15 74480]
    S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2010-08-09 146448]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]
    S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2010-12-06 1238408]
    S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-09-22 325168]
    S2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [2010-11-04 2304]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-08 378984]
    S2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
    S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-07-06 173352]
    S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-12-04 36368]
    S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2010-08-09 283152]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-09-15 7408]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - SSMDRV
    *NewlyCreated* - UWLDIFOW
    *Deregistered* - uwldifow
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 03:47]
    .
    2011-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 03:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?o=101760&l=dis
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    TCP: {56AE0D82-F326-430B-A969-118E73D932B3} = 68.94.156.1,68.94.157.1
    FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\6vkuwr3k.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.wordsmith.org/
    FF - prefs.js: keyword.URL - hxxp://click.w3i.com/?Programid=132&Elementname=Keyword&Applicationid={28CE2055-8015-4796-A589-884C3F057463}&Version=3.6.3&Vintage=20100209&Defaultbrowserid=15&Productid=1704&Vendorid=3852&Offerid=6693&searchterm=
    FF - prefs.js: keyword.enabled - false
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    pref(dom.disable_open_during_load, true); FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKCU-Run-NCsoft Launcher - c:\program files\NCSoft\Launcher\NCLauncher.exe
    HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe
    MSConfigStartUp-osiiuuhi - c:\users\Michael\AppData\Local\wmdqtmuec\xxsbuuetssd.exe
    AddRemove-LSI Soft Modem - c:\windows\agrsmdel
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-16 19:11
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-684128119-126982121-4194404797-1000\Software\SecuROM\License information*]
    "datasecu"=hex:6c,53,22,0d,d8,58,0c,cf,b0,ef,e9,92,a2,c2,27,0c,92,e8,56,29,e2,
    00,02,4c,cd,08,02,46,8b,3b,3d,d7,09,39,3e,33,e2,41,d2,3f,c6,f4,e6,98,93,6c,\
    "rkeysecu"=hex:07,7e,47,d4,24,3a,12,ad,28,c6,ed,e1,7f,28,d3,4b
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2011-03-16 19:14:35
    ComboFix-quarantined-files.txt 2011-03-17 02:14
    .
    Pre-Run: 225,238,740,992 bytes free
    Post-Run: 225,188,323,328 bytes free
    .
    - - End Of File - - 60E8343D1902A483080514C0E73507D6
     
  4. MalwareNewbie

    MalwareNewbie TS Rookie Topic Starter

    I think it's the hot spot shield's problem. Every time I close hot spot shield from the notification tray, it reopens itself after 3-5 minutes.

    It stopped reopening itself after two times.

    It reopened again after 30 minutes.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're using Vista with SP1- is that correct? And you have an AMD processor?

    Hot Spot Shield may be part of it but not all. You have quite a lot of other entries I'm going to move.

    Do you want me to include the entries for HSS in the script I'm writing for you to run through Combofix?

    You have 2 antivirus programs running:
    AV: AntiVir Desktop
    AV: Trend Micro Internet Security Pro


    Please uninstall one of them. Reboot the computer when through.
     
  6. MalwareNewbie

    MalwareNewbie TS Rookie Topic Starter

    Yup, I'm using Vista with SP1 and I have an AMD processor, and I don't know what entry means, but do what you think is best for me.

    Uninstalling Trend AV.

    Also could I just uninstall HSS? Haven't been using it much anyways.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\TKFsAc2k.sys 
    c:\windows\system32\TKFsAv2k.sys 
    c:\windows\system32\TKFsFt2k.sys 
    c:\windows\system32\TKRgAc2k.sys 
    c:\windows\system32\TKRgFtXp.sys 
    c:\windows\system32\XDva143.sys  
    c:\windows\system32\XDva208.sys 
    c:\windows\system32\XDva223.sys 
    c:\windows\system32\XDva296.sys 
    c:\windows\system32\XDva310.sys 
    c:\windows\system32\XDva311.sys 
    c:\windows\system32\XDva323.sys 
    c:\windows\system32\XDva337.sys 
    c:\windows\system32\XDva343.sys 
    c:\windows\system32\XDva344.sys 
    c:\windows\system32\XDva349.sys 
    c:\windows\system32\XDva351.sys 
    c:\windows\system32\XDva370.sys 
    c:\windows\system32\XDva375.sys 
    FileLook::
    c:\windows\system32\XDva346.sys
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    DDS::
    uStart Page = hxxp://www.ask.com/?o=101760&l=dis
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    
    RegNull::
    [HKEY_USERS\S-1-5-21-684128119-126982121-4194404797-1000\Software\SecuROM\License information*]
    
    Driver::
    TKFsAc
    TKFsAv
    TKFsFt
    TKRgAc
    TKRgFt
    XDva143
    XDva208
    XDva223
    XDva296
    XDva310
    XDva311
    XDva323
    XDva337
    XDva343
    XDva344
    XDva349
    XDva351
    XDva370
    XDva375
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
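As an added example (not code from the thread, TechSpot or ComboFix): a small Python triage script that reads a ComboFix-style log like the one posted in reply 3 and flags the items the CFScript in this reply acts on, namely drivers and services whose image file is gone (`[x]`) and Security Center keys with `DisableMonitoring` set, together with the dual-antivirus, `EnableLUA` and `AppInit_DLLs` entries a helper reads first. The embedded `SAMPLE_LOG` is constructed from the kinds of lines that appear in the thread, the regexes and section handling are my own assumptions about the log format, and `cfscript_sections` only mirrors how the script above placed missing-file drivers under `File::` and `Driver::`; the output is a shortlist for a helper to review, not a cleanup decision.

```python
"""Triage helper for ComboFix-style logs (added example; not ComboFix's own code).

Flags what a malware helper scans a log for first: more than one antivirus
registered, drivers/services whose image file is missing ("[x]"), Security
Center monitoring switched off, UAC disabled, and AppInit_DLLs injection.
"""
import re
from collections import defaultdict

# Constructed sample shaped like ComboFix output (not a real, complete log).
SAMPLE_LOG = r"""AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Trend Micro Internet Security Pro *Disabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
R3 TKFsAc;TKFsAc;c:\windows\system32\TKFsAc2k.sys [x]
R3 XDva346;XDva346;c:\windows\system32\XDva346.sys [2010-04-18 70728]
R3 XDva375;XDva375;c:\windows\system32\XDva375.sys [x]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-09-22 325168]
"""

# "AV: <product> *<state>* {<guid>}" header lines (format assumed from the log).
PRODUCT_RE = re.compile(r"^(AV|FW|SP):\s+(.+?)\s+\*([^*]+)\*\s+\{([0-9A-Fa-f-]+)\}$")
# "R3 name;display name;path [x]" or "... [date size]" lines (format assumed).
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(x|[^\]]+)\]$")


def log_lines(text):
    """Split a log into lines with trailing whitespace removed."""
    return [line.rstrip() for line in text.splitlines()]


def parse_products(lines):
    """Security products registered with Security Center, keyed by AV/FW/SP."""
    products = defaultdict(list)
    for line in lines:
        m = PRODUCT_RE.match(line)
        if m:
            kind, name, state, _guid = m.groups()
            products[kind].append((name, state))
    return dict(products)


def parse_services(lines):
    """Driver/service entries; '[x]' means ComboFix found no file at the path."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, tag = m.groups()
            services.append({"start": start, "name": name, "display": display,
                             "path": path, "file_missing": tag == "x"})
    return services


def parse_registry(lines):
    """Map each [key] header (lower-cased) to the "name"=value lines under it."""
    reg, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, value = line[1:].partition('"=')
            reg[current][name] = value.strip()
        elif line.strip() == ".":  # ComboFix separates blocks with a lone dot
            current = None
    return reg


def cfscript_sections(services):
    """Mirror the thread's CFScript: missing-file entries go to File:: and Driver::."""
    missing = [s for s in services if s["file_missing"]]
    return {"File::": [s["path"] for s in missing],
            "Driver::": [s["name"] for s in missing]}


def triage(text):
    """Return human-readable findings a helper would want to look at."""
    lines = log_lines(text)
    findings = []
    avs = parse_products(lines).get("AV", [])
    if len(avs) > 1:  # two real-time scanners fight each other (the thread's case)
        findings.append("multiple antivirus products registered: "
                        + ", ".join(name for name, _ in avs))
    for svc in parse_services(lines):
        if svc["file_missing"]:
            findings.append(f"{svc['start']} {svc['name']}: image missing ({svc['path']})")
    for key, values in parse_registry(lines).items():
        if key.endswith(r"\policies\system") and values.get("EnableLUA", "").startswith("0"):
            findings.append("UAC disabled (EnableLUA=0)")
        if values.get("AppInit_DLLs"):  # DLL loaded into every user-mode process
            findings.append(f"AppInit_DLLs injection: {values['AppInit_DLLs']}")
        if r"\security center\monitoring" in key and values.get("DisableMonitoring") == "dword:00000001":
            findings.append(f"Security Center monitoring disabled under {key}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
    print(cfscript_sections(parse_services(log_lines(SAMPLE_LOG))))
```

Run against the sample it lists both antivirus products, the two `[x]` drivers (XDva346, which still has a file on disk, is left out, as it was in the thread's `FileLook::` section), the disabled UAC, the Google Desktop AppInit_DLLs entry and the disabled Security Center monitoring key; the dictionary at the end is the File::/Driver:: material a helper would then check by hand before putting it in a script.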
     
  8. MalwareNewbie

    MalwareNewbie TS Rookie Topic Starter

    My computer restarted after the scan, and after the restart Combofix produced the logs.

    ComboFix Logs

    ComboFix 11-03-18.01 - Michael 8/2011 Fri 15:04:19.2.4 - x86
    Running from: c:\users\Michael\Downloads\ComboFix.exe
    Command switches used :: c:\users\Michael\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\system32\TKFsAc2k.sys"
    "c:\windows\system32\TKFsAv2k.sys"
    "c:\windows\system32\TKFsFt2k.sys"
    "c:\windows\system32\TKRgAc2k.sys"
    "c:\windows\system32\TKRgFtXp.sys"
    "c:\windows\system32\XDva143.sys"
    "c:\windows\system32\XDva208.sys"
    "c:\windows\system32\XDva223.sys"
    "c:\windows\system32\XDva296.sys"
    "c:\windows\system32\XDva310.sys"
    "c:\windows\system32\XDva311.sys"
    "c:\windows\system32\XDva323.sys"
    "c:\windows\system32\XDva337.sys"
    "c:\windows\system32\XDva343.sys"
    "c:\windows\system32\XDva344.sys"
    "c:\windows\system32\XDva349.sys"
    "c:\windows\system32\XDva351.sys"
    "c:\windows\system32\XDva370.sys"
    "c:\windows\system32\XDva375.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\askbardis\bar\bin\askBar.dll
    c:\program files\divx\divx update\DivXUpdate.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_TKFSAC
    -------\Legacy_TKFSAV
    -------\Legacy_TKFSFT
    -------\Legacy_TKRGAC
    -------\Legacy_TKRGFT
    -------\Legacy_XDVA143
    -------\Legacy_XDVA208
    -------\Legacy_XDVA223
    -------\Legacy_XDVA296
    -------\Legacy_XDVA310
    -------\Legacy_XDVA311
    -------\Legacy_XDVA323
    -------\Legacy_XDVA337
    -------\Legacy_XDVA343
    -------\Legacy_XDVA344
    -------\Legacy_XDVA349
    -------\Legacy_XDVA351
    -------\Legacy_XDVA370
    -------\Service_TKFsAc
    -------\Service_TKFsAv
    -------\Service_TKFsFt
    -------\Service_TKRgAc
    -------\Service_TKRgFt
    -------\Service_XDva143
    -------\Service_XDva208
    -------\Service_XDva223
    -------\Service_XDva296
    -------\Service_XDva310
    -------\Service_XDva311
    -------\Service_XDva323
    -------\Service_XDva337
    -------\Service_XDva343
    -------\Service_XDva344
    -------\Service_XDva349
    -------\Service_XDva351
    -------\Service_XDva370
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-18 to 2011-03-18 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-18 22:13 . 2011-03-18 22:16 -------- d-----w- c:\users\Michael\AppData\Local\temp
    2011-03-18 22:13 . 2011-03-18 22:13 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\users\Michael\AppData\Roaming\Malwarebytes
    2011-03-15 23:18 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-15 23:18 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-15 06:43 . 2011-03-15 06:43 -------- d-----w- c:\users\Michael\AppData\Roaming\Avira
    2011-03-15 06:41 . 2011-03-16 23:12 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-03-15 06:41 . 2011-03-15 06:41 -------- d-----w- c:\programdata\Avira
    2011-03-15 06:41 . 2011-03-15 06:41 -------- d-----w- c:\program files\Avira
    2011-03-15 06:41 . 2011-01-10 21:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-15 01:59 . 2011-03-15 01:59 -------- d-----w- C:\Perfect World Entertainment
    2011-03-13 23:14 . 2011-03-13 23:14 -------- d-----w- c:\program files\Common Files\Skype
    2011-03-11 09:30 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2FEF1A64-392F-462E-9B83-7FA1A58AC745}\mpengine.dll
    2011-03-06 16:00 . 2011-03-06 16:00 -------- d-----w- c:\program files\Gravity
    2011-02-17 22:43 . 2011-02-17 22:45 -------- d-----w- c:\users\Michael\AppData\Local\Turbine
    2011-02-17 22:42 . 2011-02-20 00:08 -------- d-----w- c:\users\Michael\AppData\Local\ApplicationHistory
    2011-02-17 22:40 . 2011-02-17 22:40 -------- d-----w- c:\windows\system32\URTTEMP
    2011-02-17 22:29 . 2011-02-17 22:29 -------- d-----w- c:\program files\Turbine
    2011-02-17 04:34 . 2011-03-18 15:30 -------- d-----w- c:\users\Michael\Tracing
    2011-02-17 03:12 . 2011-02-17 03:12 -------- d-----w- C:\Riot Games
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-03 01:11 . 2009-11-21 16:12 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-08 05:06 . 2011-01-08 05:06 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
    2011-01-08 05:06 . 2011-01-08 05:06 3597416 ----a-w- c:\windows\system32\nvcpl.dll
    2011-01-08 05:06 . 2011-01-08 05:06 2620520 ----a-w- c:\windows\system32\nvsvc.dll
    2011-01-08 05:06 . 2011-01-08 05:06 608872 ----a-w- c:\windows\system32\nvvsvc.exe
    2011-01-08 05:06 . 2011-01-08 05:06 111208 ----a-w- c:\windows\system32\nvmctray.dll
    2011-01-08 03:27 . 2011-02-16 06:04 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
    2011-01-08 03:27 . 2011-02-16 06:04 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
    2011-01-08 03:27 . 2011-02-16 06:04 57960 ----a-w- c:\windows\system32\OpenCL.dll
    2011-01-08 03:27 . 2011-02-16 06:04 5653096 ----a-w- c:\windows\system32\nvwgf2um.dll
    2011-01-08 03:27 . 2011-02-16 06:04 4941928 ----a-w- c:\windows\system32\nvcuda.dll
    2011-01-08 03:27 . 2011-02-16 06:04 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-01-08 03:27 . 2011-02-16 06:04 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-01-08 03:27 . 2011-02-16 06:04 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
    2011-01-08 03:27 . 2011-02-16 06:04 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
    2011-01-08 03:27 . 2011-02-16 06:04 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
    2011-01-08 03:27 . 2011-02-16 06:04 10467656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2011-01-08 03:27 . 2008-12-26 05:08 10078312 ----a-w- c:\windows\system32\nvd3dum.dll
    2011-01-08 03:27 . 2008-02-26 17:34 1965672 ----a-w- c:\windows\system32\nvapi.dll
    2010-08-31 01:59 . 2008-08-20 20:37 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\system32\XDva346.sys ---
    Company: www.wiselogic.co.kr
    File Description: Windows Kernel
    File Version: 1.02
    Product Name:
    Copyright: Copyright (C)WiseLogic 2004
    Original Filename: XTrapD12.Sys
    File size: 70728
    Created time: 2010-04-18 08:50
    Modified time: 2010-04-18 08:50
    MD5: FFAF5B4048F0100445B0DCD66CA9DAA8
    SHA1: 60DBC374B3E3FD92156E84E9076005C046A934C9
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-17 39408]
    "googletalk"="c:\users\Michael\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-14 2002160]
    "Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]
    "Steam"="c:\program files\steam2\Steam.exe" [2010-11-21 1242448]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-27 15026056]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-10-31 4702208]
    "ButtonMonitor"="c:\program files\IOI\ButtonMonitor.exe" [2007-05-11 53248]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-31 30192]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "Razer Mamba Driver"="c:\program files\Razer\Mamba\RazerTray.exe" [2009-03-15 3274584]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-16 198160]
    "tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2011-03-18 492840]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-12-06 1910152]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]
    .
    c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    My_AutoWarkey_Script.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [N/A]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
    2011-01-23 01:15 3046808 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [x]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [x]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [x]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate1c9f610cba8061f;Google Update Service (gupdate1c9f610cba8061f);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 133104]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-31 30192]
    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-12-16 3453712]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 XDva346;XDva346;c:\windows\system32\XDva346.sys [2010-04-18 70728]
    R3 XDva375;XDva375;c:\windows\system32\XDva375.sys [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-01-13 717296]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-09-15 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-09-15 74480]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]
    S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2010-12-06 1238408]
    S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-09-22 325168]
    S2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [2010-11-04 2304]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-08 378984]
    S2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
    S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-07-06 173352]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-09-15 7408]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 03:47]
    .
    2011-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 03:47]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    TCP: {56AE0D82-F326-430B-A969-118E73D932B3} = 68.94.156.1,68.94.157.1
    FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\6vkuwr3k.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.wordsmith.org/
    FF - prefs.js: keyword.URL - hxxp://click.w3i.com/?Programid=132&Elementname=Keyword&Applicationid={28CE2055-8015-4796-A589-884C3F057463}&Version=3.6.3&Vintage=20100209&Defaultbrowserid=15&Productid=1704&Vendorid=3852&Offerid=6693&searchterm=
    FF - prefs.js: keyword.enabled - false
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    pref(dom.disable_open_during_load, true); FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Hotspot Shield\bin\openvpnas.exe
    c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\tbh\base\bin\tbhDaemon.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\conime.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-18 15:26:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-18 22:25
    ComboFix2.txt 2011-03-17 02:14
    .
    Pre-Run: 226,271,395,840 bytes free
    Post-Run: 226,490,089,472 bytes free
    .
    - - End Of File - - CB2A8AF48A16123D5496FA2A75213058
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Before I finish you up, please answer the following:

    1. Has there been any improvement in the system?
    2. For the 3rd time, what is FPS?
    3. Did you want to uninstall Hot Spot Shield?
    4. Do you plan to reinstall AVG when we're finished?
     
  10. MalwareNewbie

    MalwareNewbie TS Rookie Topic Starter

    1. Yes, thank you. :D
    2. I think this is the first time that you asked me; I saw your first post with "FPF=?". FPS = Frames per second.
    3. Yup.
    4. Nope, I plan on keeping Avira.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for that! I knew MMO but couldn't figure the FPS out!

    Please run this Custom CFScript:
    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\System32\Drivers\avgldx86.sys
    c:\windows\System32\Drivers\avgtdix.sys
    c:\program files\AVG\AVG9\avgemc.exe
    c:\program files\AVG\AVG9\avgwdsvc.exe
    c:\program files\Viewpoint\Common\ViewpointService.exe 
    c:\program files\Hotspot Shield\bin\openvpnas.exe
    c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
    Driver::
    AvgLdx86  
    AvgTdiX  
    avg9emc  
    avg9wd  
    Viewpoint Manager Service 
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    I removed the HotSpot Shield entries I saw. You need to complete the uninstall in Add/Remove Programs. Please include any Viewpoint entries for uninstall.

    Once uninstalled, use Windows Explorer to find the program files and do a right click> Delete on the program folders.

    Click on Start> Run> type services.msc> enter> double click on Viewpoint Service> Change Startup type to Disabled> Stop the Service.
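As an added illustration, not part of this thread and not ComboFix's own code, here is a small Python parser for the R/S driver and service lines that appear in the ComboFix logs posted above. It picks out the entries whose image file no longer exists (ComboFix prints `[x]` in place of the file date and size when the image is missing), which are exactly the orphaned service keys the helper collects under `Driver::` in the CFScript. The sample lines below are constructed in the shape of the log, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the "Drivers/Services" block of a ComboFix log.
# Format per line: <start type> <key name>;<display name>;<image path> [<date> <size>] or [x]
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [x]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-12-16 3453712]
R3 XDva375;XDva375;c:\windows\system32\XDva375.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-01-13 717296]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
"""

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"      # R = running, S = stopped; digit = start value
    r"(?P<name>[^;]+);"           # registry key name (may contain spaces)
    r"(?P<display>[^;]*);"        # display name (may be empty)
    r"(?P<path>.+?)\s+"           # image path, up to the trailing bracket
    r"\[(?P<meta>[^\]]*)\]\s*$"   # "[x]" if the file is missing, else "[YYYY-MM-DD size]"
)


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    file_present: bool
    file_date: Optional[str]
    file_size: Optional[int]


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R/S line; return None for lines that are not service entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").strip()
    if meta == "x":
        return ServiceEntry(m.group("start"), m.group("name"), m.group("display"),
                            m.group("path"), False, None, None)
    date, _, size = meta.partition(" ")
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"),
                        m.group("path"), True, date, int(size) if size.isdigit() else None)


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every service line in a block of log text, skipping non-matching lines."""
    return [e for e in (parse_service_line(l) for l in text.splitlines()) if e is not None]


def orphaned_entries(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries whose registry key still exists but whose image file is gone."""
    return [e for e in entries if not e.file_present]


def build_driver_script(entries: List[ServiceEntry], extra_names=()) -> str:
    """Build the Driver:: section of a CFScript from the orphaned keys.

    extra_names lets a reviewer append keys whose file is present but which
    they have decided to remove after inspection (that decision is not automated).
    """
    names = [e.name for e in orphaned_entries(entries)] + list(extra_names)
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_LOG)
    for e in parsed:
        state = "present" if e.file_present else "MISSING"
        print(f"{e.start} {e.name:<28} {state:<8} {e.path}")
    print(build_driver_script(parsed))
```

The parser only automates the mechanical part: keys whose image is missing are safe to list, since nothing can load from them anyway. Entries whose file is still present (the Viewpoint and Hotspot Shield services in the log above) still need a person to decide whether they belong to software the user wants, which is why `extra_names` is a manual input rather than a heuristic.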
     
  12. MalwareNewbie

    MalwareNewbie TS Rookie Topic Starter

    I couldn't find Viewpoint in my services, or the file with Hotspot Shield, after I executed ComboFix with the script and uninstalled Hotspot Shield.

    ComboFix Logs

    ComboFix 11-03-24.03 - Michael 5/2011 Fri 3:19.3.4 - x86
    Running from: c:\users\Michael\Downloads\ComboFix.exe
    Command switches used :: c:\users\Michael\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\program files\AVG\AVG9\avgemc.exe"
    "c:\program files\AVG\AVG9\avgwdsvc.exe"
    "c:\program files\Hotspot Shield\bin\openvpnas.exe"
    "c:\program files\Hotspot Shield\HssWPR\hsssrv.exe"
    "c:\program files\Viewpoint\Common\ViewpointService.exe"
    "c:\windows\System32\Drivers\avgldx86.sys"
    "c:\windows\System32\Drivers\avgtdix.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Hotspot Shield\bin\openvpnas.exe
    c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
    c:\program files\Viewpoint\Common\ViewpointService.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_AVGLDX86
    -------\Legacy_AVGTDIX
    -------\Service_avg9emc
    -------\Service_avg9wd
    -------\Service_AvgLdx86
    -------\Service_AvgTdiX
    -------\Service_Viewpoint Manager Service
    -------\Service_HotspotShieldService
    -------\Service_HssSrv
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-25 to 2011-03-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-25 10:30 . 2011-03-25 10:36 -------- d-----w- c:\users\Michael\AppData\Local\temp
    2011-03-25 10:30 . 2011-03-25 10:30 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-03-25 10:30 . 2011-03-25 10:30 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-23 00:58 . 2011-03-23 00:58 -------- d-----w- c:\programdata\Tencent
    2011-03-23 00:58 . 2011-03-23 00:58 -------- d-----w- c:\users\Michael\AppData\Local\Tencent
    2011-03-23 00:57 . 2011-03-23 00:57 106496 ----a-r- c:\users\Michael\AppData\Roaming\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
    2011-03-23 00:33 . 2011-03-23 00:33 106496 ----a-r- c:\users\Michael\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
    2011-03-23 00:32 . 2011-03-23 00:57 -------- d-----w- c:\program files\Common Files\Tencent
    2011-03-23 00:32 . 2011-03-23 00:54 -------- d-----w- c:\program files\Tencent
    2011-03-23 00:32 . 2011-03-23 00:58 -------- d-----w- c:\users\Michael\AppData\Roaming\Tencent
    2011-03-23 00:32 . 2011-03-23 00:56 18760 ----a-w- c:\windows\system32\QQVistaHelper.dll
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\users\Michael\AppData\Roaming\Malwarebytes
    2011-03-15 23:18 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-15 23:18 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-15 06:43 . 2011-03-15 06:43 -------- d-----w- c:\users\Michael\AppData\Roaming\Avira
    2011-03-15 06:41 . 2011-03-16 23:12 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-03-15 06:41 . 2011-03-15 06:41 -------- d-----w- c:\programdata\Avira
    2011-03-15 06:41 . 2011-03-15 06:41 -------- d-----w- c:\program files\Avira
    2011-03-15 06:41 . 2011-01-10 21:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-15 01:59 . 2011-03-15 01:59 -------- d-----w- C:\Perfect World Entertainment
    2011-03-13 23:14 . 2011-03-13 23:14 -------- d-----w- c:\program files\Common Files\Skype
    2011-03-11 09:30 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2FEF1A64-392F-462E-9B83-7FA1A58AC745}\mpengine.dll
    2011-03-06 16:00 . 2011-03-06 16:00 -------- d-----w- c:\program files\Gravity
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-03 01:11 . 2009-11-21 16:12 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-08 05:06 . 2011-01-08 05:06 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
    2011-01-08 05:06 . 2011-01-08 05:06 3597416 ----a-w- c:\windows\system32\nvcpl.dll
    2011-01-08 05:06 . 2011-01-08 05:06 2620520 ----a-w- c:\windows\system32\nvsvc.dll
    2011-01-08 05:06 . 2011-01-08 05:06 608872 ----a-w- c:\windows\system32\nvvsvc.exe
    2011-01-08 05:06 . 2011-01-08 05:06 111208 ----a-w- c:\windows\system32\nvmctray.dll
    2011-01-08 03:27 . 2011-02-16 06:04 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
    2011-01-08 03:27 . 2011-02-16 06:04 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
    2011-01-08 03:27 . 2011-02-16 06:04 57960 ----a-w- c:\windows\system32\OpenCL.dll
    2011-01-08 03:27 . 2011-02-16 06:04 5653096 ----a-w- c:\windows\system32\nvwgf2um.dll
    2011-01-08 03:27 . 2011-02-16 06:04 4941928 ----a-w- c:\windows\system32\nvcuda.dll
    2011-01-08 03:27 . 2011-02-16 06:04 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-01-08 03:27 . 2011-02-16 06:04 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-01-08 03:27 . 2011-02-16 06:04 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
    2011-01-08 03:27 . 2011-02-16 06:04 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
    2011-01-08 03:27 . 2011-02-16 06:04 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
    2011-01-08 03:27 . 2011-02-16 06:04 10467656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2011-01-08 03:27 . 2008-12-26 05:08 10078312 ----a-w- c:\windows\system32\nvd3dum.dll
    2011-01-08 03:27 . 2008-02-26 17:34 1965672 ----a-w- c:\windows\system32\nvapi.dll
    2010-08-31 01:59 . 2008-08-20 20:37 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-17 39408]
    "googletalk"="c:\users\Michael\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-14 2002160]
    "Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]
    "Steam"="c:\program files\steam2\Steam.exe" [2010-11-21 1242448]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-27 15026056]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-10-31 4702208]
    "ButtonMonitor"="c:\program files\IOI\ButtonMonitor.exe" [2007-05-11 53248]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-31 30192]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "Razer Mamba Driver"="c:\program files\Razer\Mamba\RazerTray.exe" [2009-03-15 3274584]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-16 198160]
    "tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2011-03-25 492840]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-12-06 1910152]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]
    .
    c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    My_AutoWarkey_Script.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [N/A]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
    2011-01-23 01:15 3046808 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate1c9f610cba8061f;Google Update Service (gupdate1c9f610cba8061f);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 133104]
    R3 CFcatchme;CFcatchme;c:\users\Michael\AppData\Local\Temp\CFcatchme.sys [x]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-31 30192]
    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-12-16 3453712]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-09-15 7408]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 XDva346;XDva346;c:\windows\system32\XDva346.sys [2010-04-18 70728]
    R3 XDva375;XDva375;c:\windows\system32\XDva375.sys [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-01-13 717296]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-09-15 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-09-15 74480]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]
    S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2010-12-06 1238408]
    S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-09-22 325168]
    S2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [2010-11-04 2304]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-08 378984]
    S2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
    S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-07-06 173352]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 03:47]
    .
    2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 03:47]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    TCP: {56AE0D82-F326-430B-A969-118E73D932B3} = 68.94.156.1,68.94.157.1
    FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\6vkuwr3k.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.wordsmith.org/
    FF - prefs.js: keyword.URL - hxxp://click.w3i.com/?Programid=132&Elementname=Keyword&Applicationid={28CE2055-8015-4796-A589-884C3F057463}&Version=3.6.3&Vintage=20100209&Defaultbrowserid=15&Productid=1704&Vendorid=3852&Offerid=6693&searchterm=
    FF - prefs.js: keyword.enabled - false
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    pref(dom.disable_open_during_load, true); FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\tbh\base\bin\tbhDaemon.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\conime.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-25 03:44:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-25 10:44
    ComboFix2.txt 2011-03-18 22:26
    ComboFix3.txt 2011-03-17 02:14
    .
    Pre-Run: 234,610,765,824 bytes free
    Post-Run: 234,504,237,056 bytes free
    .
    - - End Of File - - 1939FF4583328869B1E089A5961E2E96
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your ISP is AT&T in TX. But I notice you installed Tencent on 3/23/2011. You shouldn't be downloading new programs and getting data while I'm trying to clean the system.

    Tencent is China's largest and most used Internet service portal. Are you aware of this? Did you install the program?
     
  14. MalwareNewbie

    MalwareNewbie TS Rookie Topic Starter

    Oh, sorry. I was trying to install QQ, an instant messenger often used by people in China, but I uninstalled it now because I have no use of it anymore.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Time has gotten away with both of us! Please give me a quick update on the system.

    I have just a few things in script for you to run:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\users\Michael\AppData\Local\Temp\CFcatchme.sys
    c:\program files\Hotspot Shield\bin\hsswd.exe
    Driver::
    CFcatchme
    HssWd
    FileLook::
    c:\windows\system32\XDva375.sys
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================================
    Click on Start> Run> type in services.msc> enter> Double click on HssWd (full name is Hotspot Shield Monitoring Service)> Change Startup type to Disabled> Stop the Service> Exit Services.

    I'm not going to delete the Service. Should you decide to run it in the future, return to the Services and change the startup type to either Manual or Automatic. When you reboot, the Service should restart.
    ====================================
    Let's make sure the security programs are okay: Security Check

    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
     
  16. MalwareNewbie

    MalwareNewbie TS Rookie Topic Starter

    Sorry for the late reply.

    ComboFix Logs


    ComboFix 11-04-08.02 - Michael 9/2011 Sat 4:04.4.4 - x86
    Running from: c:\users\Michael\Downloads\ComboFix.exe
    Command switches used :: c:\users\Michael\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\program files\Hotspot Shield\bin\hsswd.exe"
    "c:\users\Michael\AppData\Local\Temp\CFcatchme.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_CFCATCHME
    -------\Service_CFcatchme
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-09 to 2011-04-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-09 11:14 . 2011-04-09 11:19 -------- d-----w- c:\users\Michael\AppData\Local\temp
    2011-04-09 11:14 . 2011-04-09 11:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-04-09 11:14 . 2011-04-09 11:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-04-01 07:14 . 2011-04-01 07:16 -------- d-----w- c:\users\Michael\AppData\Roaming\.minecraft
    2011-03-23 00:58 . 2011-03-23 00:58 -------- d-----w- c:\programdata\Tencent
    2011-03-23 00:58 . 2011-03-23 00:58 -------- d-----w- c:\users\Michael\AppData\Local\Tencent
    2011-03-23 00:57 . 2011-03-23 00:57 106496 ----a-r- c:\users\Michael\AppData\Roaming\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
    2011-03-23 00:33 . 2011-03-23 00:33 106496 ----a-r- c:\users\Michael\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
    2011-03-23 00:32 . 2011-03-23 00:57 -------- d-----w- c:\program files\Common Files\Tencent
    2011-03-23 00:32 . 2011-03-23 00:54 -------- d-----w- c:\program files\Tencent
    2011-03-23 00:32 . 2011-03-23 00:58 -------- d-----w- c:\users\Michael\AppData\Roaming\Tencent
    2011-03-23 00:32 . 2011-03-23 00:56 18760 ----a-w- c:\windows\system32\QQVistaHelper.dll
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\users\Michael\AppData\Roaming\Malwarebytes
    2011-03-15 23:18 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-15 23:18 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-15 06:43 . 2011-03-15 06:43 -------- d-----w- c:\users\Michael\AppData\Roaming\Avira
    2011-03-15 06:41 . 2011-03-16 23:12 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-03-15 06:41 . 2011-03-15 06:41 -------- d-----w- c:\programdata\Avira
    2011-03-15 06:41 . 2011-03-15 06:41 -------- d-----w- c:\program files\Avira
    2011-03-15 06:41 . 2011-01-10 21:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-15 01:59 . 2011-03-15 01:59 -------- d-----w- C:\Perfect World Entertainment
    2011-03-13 23:14 . 2011-03-13 23:14 -------- d-----w- c:\program files\Common Files\Skype
    2011-03-11 09:30 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2FEF1A64-392F-462E-9B83-7FA1A58AC745}\mpengine.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-03 01:11 . 2009-11-21 16:12 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-08-31 01:59 . 2008-08-20 20:37 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-17 39408]
    "googletalk"="c:\users\Michael\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-14 2002160]
    "Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]
    "Steam"="c:\program files\steam2\Steam.exe" [2010-11-21 1242448]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-27 15026056]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-10-31 4702208]
    "ButtonMonitor"="c:\program files\IOI\ButtonMonitor.exe" [2007-05-11 53248]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-31 30192]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "Razer Mamba Driver"="c:\program files\Razer\Mamba\RazerTray.exe" [2009-03-15 3274584]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-16 198160]
    "tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2011-04-09 492840]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-12-06 1910152]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]
    .
    c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    My_AutoWarkey_Script.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [N/A]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
    2011-01-23 01:15 3046808 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate1c9f610cba8061f;Google Update Service (gupdate1c9f610cba8061f);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 133104]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-31 30192]
    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-12-16 3453712]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 XDva346;XDva346;c:\windows\system32\XDva346.sys [2010-04-18 70728]
    R3 XDva375;XDva375;c:\windows\system32\XDva375.sys [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-01-13 717296]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-09-15 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-09-15 74480]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]
    S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2010-12-06 1238408]
    S2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [2010-11-04 2304]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-08 378984]
    S2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
    S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-07-06 173352]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-09-15 7408]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 03:47]
    .
    2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 03:47]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    TCP: {56AE0D82-F326-430B-A969-118E73D932B3} = 68.94.156.1,68.94.157.1
    FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\6vkuwr3k.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.wordsmith.org/
    FF - prefs.js: keyword.URL - hxxp://click.w3i.com/?Programid=132&Elementname=Keyword&Applicationid={28CE2055-8015-4796-A589-884C3F057463}&Version=3.6.3&Vintage=20100209&Defaultbrowserid=15&Productid=1704&Vendorid=3852&Offerid=6693&searchterm=
    FF - prefs.js: keyword.enabled - false
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    pref(dom.disable_open_during_load, true); FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-09 04:18
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\6vkuwr3k.default\cookies.sqlite-journal 9800 bytes
    c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\6vkuwr3k.default\parent.lock 0 bytes
    .
    scan completed successfully
    hidden files: 2
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\conime.exe
    c:\program files\tbh\base\bin\tbhDaemon.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    c:\program files\Windows Live\Messenger\wlcsdk.exe
    .
    **************************************************************************
    .
    Completion time: 2011-04-09 04:29:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-09 11:29
    ComboFix2.txt 2011-03-25 10:44
    ComboFix3.txt 2011-03-18 22:26
    ComboFix4.txt 2011-03-17 02:14
    .
    Pre-Run: 231,056,056,320 bytes free
    Post-Run: 231,239,839,744 bytes free
    .
    - - End Of File - - 152D952A739E87EBA76AA24F73C7F7D5

    Security Check logs


    Results of screen317's Security Check version 0.99.10
    Windows Vista Service Pack 1 (UAC is disabled!)
    Out of date service pack!!
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Avira AntiVir Personal - Free Antivirus
    WMI entry may not exist for antivirus; attempting automatic update.
    Avira successfully updated!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 20
    Java(TM) 6 Update 4
    Java(TM) 6 Update 5
    Out of date Java installed!
    Adobe Flash Player 10.2.152.26
    Adobe Reader 8.1.2
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    ``````````End of Log````````````
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run the following Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\users\Michael\AppData\Roaming\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
    c:\users\Michael\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
    Folder::
    c:\programdata\Tencent
    c:\users\Michael\AppData\Local\Tencent
    c:\program files\Common Files\Tencent
    c:\program files\Tencent
    c:\users\Michael\AppData\Roaming\Tencent
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Please uninstall the following:
    Java(TM) 6 Update 20
    Java(TM) 6 Update 4
    Java(TM) 6 Update 5

    Please update the following:
    1. Adobe Reader 8.1.2> Visit this Adobe Reader site
    2. Windows Vista Service Pack 1 to current SP> Microsoft Download Site: all updates marked Critical and the current SP update.
    3. Java: Check here: Java Updates

    Have the original problems been resolved?
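    The two Custom CFScripts above (the File::/Driver::/FileLook:: script in post 15 and the File::/Folder:: script in post 17) are built by reading the "Drivers/Services" lines of the ComboFix log and picking out the entries worth acting on. The following is an added example of doing that triage step in a script; it is my code, not ComboFix's, Bobbye's or TechSpot's. It assumes the line layout visible in the logs in this thread (`<start> <name>;<display name>;<image path> [<date> <size>]`) and my reading that ComboFix prints `[x]` in place of the date and size when it cannot find the image file. The sample log is a constructed subset of lines copied from the log in post 12; `render_cfscript` only lays out the directive sections in the order the helper used, and which entries belong in which section remains the analyst's decision.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: a subset of the 'Drivers/Services' block from the
# ComboFix log posted in this thread, plus one non-service line.
SAMPLE_LOG = r"""
R2 gupdate1c9f610cba8061f;Google Update Service (gupdate1c9f610cba8061f);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 133104]
R3 CFcatchme;CFcatchme;c:\users\Michael\AppData\Local\Temp\CFcatchme.sys [x]
R3 XDva346;XDva346;c:\windows\system32\XDva346.sys [2010-04-18 70728]
R3 XDva375;XDva375;c:\windows\system32\XDva375.sys [x]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-09-22 325168]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-08 378984]
Contents of the 'Scheduled Tasks' folder
"""

# Assumed line layout (my regex, derived from the logs in this thread):
#   <R|S><digit> <name>;<display name>;<image path> [<date> <size>]
# R = running, S = stopped; the digit is the service start value.
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+"        # start type
    r"(?P<name>[^;]+);"             # service/driver key name (may contain spaces)
    r"(?P<display>[^;]*);"          # display name (may be empty)
    r"(?P<image>.+?)\s+"            # image path (may contain spaces)
    r"\[(?P<meta>[^\]]*)\]\s*$"     # '[YYYY-MM-DD size]' or '[x]'
)


@dataclass(frozen=True)
class ServiceEntry:
    start: str
    name: str
    display: str
    image: str
    image_missing: bool  # True when ComboFix printed '[x]' instead of date/size


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Extract every service/driver line from a ComboFix log."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue  # headers, '.' separators, scheduled tasks, etc.
        entries.append(ServiceEntry(
            start=m.group("start"),
            name=m.group("name").strip(),
            display=m.group("display").strip(),
            image=m.group("image").strip(),
            image_missing=(m.group("meta").strip() == "x"),
        ))
    return entries


def missing_image_entries(log_text: str) -> List[ServiceEntry]:
    """Registered services/drivers whose image file ComboFix could not find.

    A registration that points at a file that no longer exists is either a
    leftover from an uninstall or something that was removed under it; both
    are what the helper looked at first (CFcatchme, XDva375 in this thread).
    """
    return [e for e in parse_services(log_text) if e.image_missing]


def render_cfscript(files: Iterable[str] = (), drivers: Iterable[str] = (),
                    folders: Iterable[str] = (), filelook: Iterable[str] = ()) -> str:
    """Lay out CFScript directive sections the way the posts above do.

    Only the directives that appear in this thread are emitted, and empty
    sections are omitted. Save the result as CFScript.txt next to ComboFix.exe.
    """
    sections = (("File::", files), ("Driver::", drivers),
                ("Folder::", folders), ("FileLook::", filelook))
    out: List[str] = []
    for header, items in sections:
        items = list(items)
        if items:
            out.append(header)
            out.extend(items)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Report the entries an analyst would look at first.
    for e in missing_image_entries(SAMPLE_LOG):
        print(f"{e.start} {e.name}: image not found -> {e.image}")
    # Reproduce the shape of the script from post 15 (analyst's choices).
    print(render_cfscript(
        files=[r"c:\users\Michael\AppData\Local\Temp\CFcatchme.sys",
               r"c:\program files\Hotspot Shield\bin\hsswd.exe"],
        drivers=["CFcatchme", "HssWd"],
        filelook=[r"c:\windows\system32\XDva375.sys"],
    ))
```

The parser deliberately ignores every line that does not match the service layout, so it can be pointed at a whole ComboFix log rather than a hand-cut block; the `[x]` flag is the only judgement it makes, and everything else (which entries go into Driver:: for removal versus FileLook:: for inspection) is left to the person reading the log.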
     
  18. MalwareNewbie

    MalwareNewbie TS Rookie Topic Starter

    Nope, I still have FPS lag in my games.

    Combo Fix Logs

    ComboFix 11-04-13.04 - Michael 4/2011 Thu 5:57.5.4 - x86
    Running from: c:\users\Michael\Downloads\ComboFix.exe
    Command switches used :: c:\users\Michael\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\users\Michael\AppData\Roaming\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe"
    "c:\users\Michael\AppData\Roaming\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Common Files\Tencent
    c:\program files\Common Files\Tencent\NPQSCALL\npqscall.dll
    c:\program files\Common Files\Tencent\Paycenter\qqcert.dll
    c:\program files\Common Files\Tencent\Paycenter\qqedit.dll
    c:\program files\Common Files\Tencent\QQDownload\107\dlcore.dll
    c:\program files\Common Files\Tencent\QQDownload\107\extract.dll
    c:\program files\Common Files\Tencent\QQDownload\107\Installlog.txt
    c:\program files\Common Files\Tencent\QQDownload\107\Tencentdl.exe
    c:\program files\Common Files\Tencent\QQPhotoDrawEx\QQPhotoDrawEx.2.27.171.429.dll
    c:\program files\Common Files\Tencent\TXFTN\TXFTNActiveX1.13.dll
    c:\program files\Common Files\Tencent\TXPTOP\p2papi.dll
    c:\program files\Common Files\Tencent\TXPTOP\p2papp.dll
    c:\program files\Common Files\Tencent\TXPTOP\p2pcore.dll
    c:\program files\Common Files\Tencent\TXPTOP\p2pdata.dll
    c:\program files\Common Files\Tencent\TXPTOP\p2phttp.dll
    c:\program files\Common Files\Tencent\TXSSO\1.2.1.15\Bin\SSOAxCtrlForPTLogin.dll
    c:\program files\Common Files\Tencent\TXSSO\1.2.1.15\Bin\SSOCommon.dll
    c:\program files\Common Files\Tencent\TXSSO\1.2.1.15\Bin\SSOLUIControl.dll
    c:\program files\Common Files\Tencent\TXSSO\1.2.1.15\Bin\SSOPlatform.dll
    c:\program files\Common Files\Tencent\TXSSO\1.2.1.15\I18N\2052\PGFStringBundle.xml
    c:\program files\Common Files\Tencent\TXSSO\1.2.1.15\I18N\2052\SSOStringBundle.xml
    c:\program files\Common Files\Tencent\TXSSO\1.2.1.15\I18N\SSOConfig.xml
    c:\program files\Common Files\Tencent\TXSSO\Bin\SSOAxCtrlForPTLogin.dll
    c:\program files\Common Files\Tencent\TXSSO\Bin\SSOCommon.dll
    c:\program files\Common Files\Tencent\TXSSO\Bin\SSOLUIControl.dll
    c:\program files\Common Files\Tencent\TXSSO\Bin\SSOPlatform.dll
    c:\program files\Tencent
    c:\program files\Tencent\QQ\Plugin\Com.Tencent.QQMusic\bin\QQMusic\auzip.dll
    c:\program files\Tencent\QQ\Plugin\Com.Tencent.QQMusic\bin\QQMusic\CMInternet.dll
    c:\program files\Tencent\QQ\Plugin\Com.Tencent.QQMusic\bin\QQMusic\MMInstaller.dll
    c:\program files\Tencent\QQ\Plugin\Com.Tencent.QQMusic\bin\QQMusic\msdmo.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-14 to 2011-04-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-14 13:08 . 2011-04-14 13:11 -------- d-----w- c:\users\Michael\AppData\Local\temp
    2011-04-14 13:08 . 2011-04-14 13:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-04-14 13:08 . 2011-04-14 13:08 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-04-01 07:14 . 2011-04-01 07:16 -------- d-----w- c:\users\Michael\AppData\Roaming\.minecraft
    2011-03-23 00:32 . 2011-03-23 00:56 18760 ----a-w- c:\windows\system32\QQVistaHelper.dll
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\users\Michael\AppData\Roaming\Malwarebytes
    2011-03-15 23:18 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-15 23:18 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-15 23:18 . 2011-03-15 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-16 23:12 . 2011-03-15 06:41 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-02-11 06:54 . 2011-03-11 09:30 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2FEF1A64-392F-462E-9B83-7FA1A58AC745}\mpengine.dll
    2011-02-03 01:11 . 2009-11-21 16:12 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-08-31 01:59 . 2008-08-20 20:37 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-10-31 4702208]
    "ButtonMonitor"="c:\program files\IOI\ButtonMonitor.exe" [2007-05-11 53248]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-31 30192]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "Razer Mamba Driver"="c:\program files\Razer\Mamba\RazerTray.exe" [2009-03-15 3274584]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-16 198160]
    "tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2011-04-14 492840]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-03-28 1910152]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]
    .
    c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    My_AutoWarkey_Script.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [N/A]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
    2011-01-05 17:11 4321112 ----a-w- c:\program files\AIM\aim.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-01-01 21:22 3739648 ----a-w- c:\users\Michael\AppData\Roaming\Google\Google Talk\googletalk.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
    2011-03-28 22:41 1910152 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2010-04-17 06:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
    2011-01-23 01:15 3046808 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2011-01-27 00:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2010-11-21 05:28 1242448 ----a-w- c:\program files\steam2\Steam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-02-14 10:10 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2009-03-17 19:16 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate1c9f610cba8061f;Google Update Service (gupdate1c9f610cba8061f);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 133104]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-31 30192]
    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-12-16 3453712]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-09-15 7408]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 XDva346;XDva346;c:\windows\system32\XDva346.sys [2010-04-18 70728]
    R3 XDva375;XDva375;c:\windows\system32\XDva375.sys [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-01-13 717296]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-09-15 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-09-15 74480]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]
    S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-03-28 1242504]
    S2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [2010-11-04 2304]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-08 378984]
    S2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
    S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-07-06 173352]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 03:47]
    .
    2011-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 03:47]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5674
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    TCP: {56AE0D82-F326-430B-A969-118E73D932B3} = 68.94.156.1,68.94.157.1
    FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\6vkuwr3k.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.wordsmith.org/
    FF - prefs.js: keyword.URL - hxxp://click.w3i.com/?Programid=132&Elementname=Keyword&Applicationid={28CE2055-8015-4796-A589-884C3F057463}&Version=3.6.3&Vintage=20100209&Defaultbrowserid=15&Productid=1704&Vendorid=3852&Offerid=6693&searchterm=
    FF - prefs.js: keyword.enabled - false
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    pref(dom.disable_open_during_load, true); FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-14 06:10
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\conime.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\tbh\base\bin\tbhDaemon.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\ehome\ehmsas.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\msiexec.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2011-04-14 06:21:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-14 13:21
    ComboFix2.txt 2011-04-09 11:29
    ComboFix3.txt 2011-03-25 10:44
    ComboFix4.txt 2011-03-18 22:26
    ComboFix5.txt 2011-04-14 12:54
    .
    Pre-Run: 221,614,641,152 bytes free
    Post-Run: 221,850,193,920 bytes free
    .
    - - End Of File - - 6CA2B29AB34448482512F8840B1241C5
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

We have removed many files from the system. I don't see anything indicating malware. Since this problem is specific to the games, I think you will need to check the settings involved in games only: for instance, try increasing the refresh rate.

    Some other suggestions:
1. Open perfmon and set counters for CPU and memory utilization. Then monitor hard disk reads and writes/sec. Then play a game for a while. Write down on a piece of paper what time on your system clock the slowdowns occur, then examine the perfmon data for those times.

    2. Have you updated the video card drivers?

3. Check in Windows Task Manager; it will tell you exactly how much available RAM you really have to use on your system after what is being used by the Vista OS.

4. Is the paging file set correctly? That's the file on your hard disk that your system uses as memory when true memory runs out. If that's slow, then you will experience problems like you're describing.

5. One happy user found the problem was the motherboard: it couldn't handle the other components. Replacing it with one of higher quality, then reformatting and reinstalling Vista and all the drivers, solved the problem.
    =====================================
Games can be very resource intensive, some more than others, so having as many system resources free as possible will help. You have many unnecessary processes starting on boot. Unchecking these will free up resources.
    To remove entries from the Startup Menu using the msconfig utility:
    1. Click on the Vista start icon in the bottom left corner of your screen.
    2. Type MSCONFIG in the search box > press enter
3. Vista asks you for permission to continue: if not logged on as Administrator, enter the Administrator name and password. If logged on as Administrator, you will be asked if you want to continue > click on Yes.
    4. Follow any prompts to pass through the UAC.
    5. Click on Selective Startup
    6. Choose the Startup tab:
      Images Courtesy NetSquirrel
7. Windows' essential programs in Vista are loaded through "Windows Services," so most of the startup items you see are optional and can be turned off. The exceptions are: the AV program, a 3rd-party firewall if using one, the touchpad process for a laptop, and the network process if any.
8. To expand the Command column (this shows what the process 'belongs' to), hold the left mouse button down on the dividing line in the frame above Location and drag to the right.
    9. Uncheck any unneeded processes
    10. Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
    ======================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
• Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
• Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin
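The perfmon step in suggestion 1 above can be automated so that nothing has to be noted on paper. The script below is an added example and is not part of the thread or of any tool it mentions: it samples the same counters Bobbye names (CPU, available memory, disk reads/writes per second, plus paging-file use), writes every sample to a CSV with a timestamp, and whenever a sample crosses a threshold it records the busiest processes at that instant, so a five-minute stall can be matched to whatever was running (a scheduled AV scan, an updater, an indexer). It assumes Windows PowerShell 2.0 or later for Get-Counter, which on Vista SP1 means installing the Windows Management Framework first, an English Windows for the counter names, and an elevated prompt. The thresholds, sample count and log path are assumptions to tune for the machine.

```powershell
# Added example (not from the thread): log the perfmon counters from step 1
# with timestamps and capture the top processes when a sample looks bad.
# Assumes PowerShell 2.0+ (Get-Counter) and English counter names.
param(
    [int]$IntervalSeconds = 5,
    [int]$Samples         = 120,    # 120 x 5 s = 10 minutes of play
    [string]$LogPath      = "$env:USERPROFILE\Desktop\fps-drop-perf.csv",
    [double]$CpuBusyPct   = 90,     # thresholds are assumptions; adjust
    [int]$LowFreeMB       = 256,
    [double]$DiskIoPerSec = 200
)

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Disk Reads/sec',
    '\PhysicalDisk(_Total)\Disk Writes/sec',
    '\Paging File(_Total)\% Usage'
)

# Busiest processes right now: CPU seconds consumed over a one-second
# window plus working set, so the culprit shows up by name.
function Get-TopProcesses([int]$Count = 5) {
    $before = @{}
    Get-Process | ForEach-Object { $before[$_.Id] = $_.CPU }
    Start-Sleep -Seconds 1
    Get-Process | ForEach-Object {
        $prev = $before[$_.Id]
        if ($prev -ne $null -and $_.CPU -ne $null) {
            New-Object PSObject -Property @{
                Name = $_.ProcessName
                CpuS = [math]::Round($_.CPU - $prev, 2)
                WSMB = [int]($_.WorkingSet64 / 1MB)
            }
        }
    } | Sort-Object CpuS -Descending | Select-Object -First $Count
}

# One row per sample. CounterSamples come back in the order requested.
$rows = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples |
    ForEach-Object {
        $s = $_.CounterSamples
        $row = New-Object PSObject -Property @{
            Time        = $_.Timestamp
            CpuPct      = [math]::Round($s[0].CookedValue, 1)
            FreeMB      = [int]$s[1].CookedValue
            DiskReads   = [math]::Round($s[2].CookedValue, 1)
            DiskWrites  = [math]::Round($s[3].CookedValue, 1)
            PageFilePct = [math]::Round($s[4].CookedValue, 1)
            Flag        = ''
            TopProcs    = ''
        }
        $why = @()
        if ($row.CpuPct -ge $CpuBusyPct)                          { $why += 'cpu' }
        if ($row.FreeMB -le $LowFreeMB)                           { $why += 'lowmem' }
        if (($row.DiskReads + $row.DiskWrites) -ge $DiskIoPerSec) { $why += 'disk' }
        if ($why.Count -gt 0) {
            $row.Flag = $why -join '+'
            $row.TopProcs = (Get-TopProcesses |
                ForEach-Object { "$($_.Name)=$($_.CpuS)s/$($_.WSMB)MB" }) -join '; '
            # Live line on the console so the time can be matched to the FPS drop.
            Write-Host ("{0:HH:mm:ss}  {1,-12} {2}" -f $row.Time, $row.Flag, $row.TopProcs)
        }
        $row
    }

$rows | Select-Object Time, CpuPct, FreeMB, DiskReads, DiskWrites, PageFilePct, Flag, TopProcs |
    Export-Csv -Path $LogPath -NoTypeInformation
"{0} samples written to {1}; {2} flagged" -f @($rows).Count, $LogPath,
    @($rows | Where-Object { $_.Flag }).Count
```

Start it, alt-tab into the game, and read the flagged rows afterwards against the clock times the FPS dropped; a stall with no flag at all points away from CPU, RAM and disk and toward the GPU driver or game settings, which is what suggestions 2 and the refresh-rate note cover.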
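The msconfig walkthrough above (steps 1 to 10) is a GUI procedure; the following added example, which is not from the thread or from any of the tools it mentions, produces the same list as a table so the decision about what to uncheck can be made from file paths and code signers rather than from a dialog. It reads the HKCU and HKLM Run and RunOnce keys and the per-user and all-users Startup folders (the entries the Startup tab shows), then adds two load points msconfig does not show: the AppInit_DLLs value, which names DLLs that Windows loads into every process that loads user32.dll, and msconfig's own startupreg key, which is where items already unchecked in msconfig are parked (the log above lists several). Each file is checked with Get-AuthenticodeSignature. It assumes Windows PowerShell 2.0 or later on a 32-bit Vista like the one in the log, and is read-only.

```powershell
# Added example (not from the thread): inventory of autostart entries with
# resolved path and Authenticode signer. Read-only; changes nothing.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$disabledKey = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'
$appInitKey  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),                                   # per-user
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"           # all users (Vista path)
)
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the image out of a Run-key command line: a quoted path, else the text
# up to the first .exe, else the first token. Bare names such as RtHDVCpl.exe
# (seen in the log above) are resolved against PATH.
function Get-ImagePath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    $path = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] }
    if (-not (Test-Path $path)) {
        $found = Get-Command $path -ErrorAction SilentlyContinue
        if ($found -and $found.Definition) { $path = $found.Definition }
    }
    return $path
}

# Signer subject and signature status; a missing file is reported, not an error.
function Describe-File([string]$path) {
    if (-not (Test-Path $path)) {
        return New-Object PSObject -Property @{ Signer = '(file not found)'; Status = 'Missing' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $who = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    New-Object PSObject -Property @{ Signer = $who; Status = [string]$sig.Status }
}

function New-Entry($where, $name, $cmd, $state) {
    $path = Get-ImagePath $cmd
    $d = Describe-File $path
    New-Object PSObject -Property @{
        Location = $where; Name = $name; State = $state; Command = $cmd
        Path = $path; Signer = $d.Signer; Status = $d.Status
    }
}

function Get-AutostartInventory {
    $items = @()
    foreach ($key in $runKeys) {                       # what the Startup tab shows
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $items += New-Entry $key $p.Name ([string]$p.Value) 'enabled'
        }
    }
    if (Test-Path $disabledKey) {                      # items already unchecked in msconfig
        foreach ($sub in Get-ChildItem -Path $disabledKey) {
            $v = Get-ItemProperty -Path $sub.PSPath
            $items += New-Entry $disabledKey $sub.PSChildName ([string]$v.command) 'disabled'
        }
    }
    $shell = New-Object -ComObject WScript.Shell       # resolve .lnk targets
    foreach ($dir in $startupDirs) {
        foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            $items += New-Entry $dir $lnk.BaseName ('"' + $target + '"') 'enabled'
        }
    }
    $ai = (Get-ItemProperty -Path $appInitKey).AppInit_DLLs   # not visible in msconfig
    if ($ai) {
        foreach ($dll in ($ai -split '[ ,]+' | Where-Object { $_ })) {
            $items += New-Entry 'AppInit_DLLs' (Split-Path $dll -Leaf) ('"' + $dll + '"') 'enabled'
        }
    }
    $items
}

Get-AutostartInventory |
    Sort-Object State, Location, Name |
    Format-Table State, Name, Status, Signer, Path -AutoSize -Wrap
```

Read the output with step 7 in mind: the AV entry (avgnt in this log) stays, and anything reported as Missing or NotSigned, or whose Path is not where its Name suggests, is the thing to look at before unchecking the rest. One caveat for steps 3 and 4: the ComboFix log above shows EnableLUA = 0, so while that value stays set no UAC prompt will appear and the admin password step is skipped.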
     
Topic Status:
Not open for further replies.
