Author Topic: ohnoes! i think i've been hacked.  (Read 641 times)

ep0xy (Newbie, Posts: 34)
ohnoes! i think i've been hacked.
« on: October 16, 2008, 07:51:42 PM »
:o ohnoes! i think i've been hacked.

OK, well, I was searching for a fix to crack SmartFTP... I know I'm a bad boy and I'm probably getting what I deserve :\

I found a torrent for a crack, I downloaded it and replaced the icon with this new one; it came with two, I replaced the icons. McAfee didn't pop up with anything. I double-clicked on the new icons and I got an hourglass... nothing happened... nor did SmartFTP open.

I tried to open Internet Explorer... oddly, it comes up with "IE encountered a problem and needs to close". IE won't work... what the heck...

I noticed on my process list I had some strange junk. First off is rundll32 on the list, under a "username" I don't know.
Then I saw a process called "player.exe". After a reboot Internet Explorer works again...


BUT all my cookies have been deleted or something, because all my sites want me to enter my username and passwords again... interesting, eh... so I'm a little sketched out...

Here are my HijackThis files (and I say files because I saved one, made some checks and scanned again, so I'm going to show you the first one and then the second).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:14 PM, on 10/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Excursion9.5\mIRC.ExCurSioN.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Player] C:\Documents and Settings\ep0xy\Application Data\Adobe\Player.exe
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4564 bytes



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:35 PM, on 10/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: gzipmod - C:\WINDOWS\SYSTEM32\gzipmod.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4223 bytes



ALSO WHAT IS AWWSERVICE.EXE

Please help thanks!
« Last Edit: October 16, 2008, 08:19:44 PM by ep0xy »
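Added example, not part of ep0xy's post and not HijackThis code: a small Python triage that diffs two HijackThis logs and flags the entry types a responder reads first. The two log excerpts are constructed from lines quoted in the two logs above (not complete logs), and the flagging rules are this example's own heuristics, not HijackThis verdicts. Between the two scans above, the HKCU Run entry for Player.exe under Application Data is gone and an O20 Winlogon Notify entry for gzipmod.dll has appeared; that change is exactly what the diff surfaces.

```python
import re

# Constructed excerpts of the two HijackThis logs posted in the thread
# (first scan 8:03 PM, second scan 9:26 PM). Not complete logs.
FIRST_SCAN = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Player] C:\Documents and Settings\ep0xy\Application Data\Adobe\Player.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

SECOND_SCAN = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: gzipmod - C:\WINDOWS\SYSTEM32\gzipmod.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Directories a limited user can write to on XP. An autorun that points
# here deserves a look (heuristic of this example, not a HijackThis rule).
USER_WRITABLE = (
    "\\application data\\", "\\local settings\\", "\\temp\\", "\\desktop\\",
    "%appdata%", "%temp%",
)

# A HijackThis entry line: section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(O\d+|R[01]|F\d)\s+-\s+(.*)$")


def entries(log_text):
    """Yield (section, body) for every HijackThis entry line in a log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return (severity, reason, body) for entries worth a second look."""
    findings = []
    for section, body in entries(log_text):
        low = body.lower()
        if section == "O4" and any(d in low for d in USER_WRITABLE):
            findings.append(("high", "autorun launched from a user-writable profile directory", body))
        elif section == "O20" and "winlogon notify" in low:
            findings.append(("high", "Winlogon Notify DLL: loaded into winlogon.exe at logon", body))
        elif section == "O23" and "unknown owner" in low:
            findings.append(("low", "service whose binary carries no company name", body))
    return findings


def diff_logs(before, after):
    """Entries that appeared in, and entries that vanished from, the later scan."""
    a, b = set(entries(before)), set(entries(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for name, log in (("first scan", FIRST_SCAN), ("second scan", SECOND_SCAN)):
        print(f"== {name} ==")
        for sev, reason, body in triage(log):
            print(f"[{sev}] {reason}: {body}")
    added, removed = diff_logs(FIRST_SCAN, SECOND_SCAN)
    print("== appeared ==", *added, sep="\n")
    print("== vanished ==", *removed, sep="\n")
```

On a real machine you would paste the two saved logs in full; the point of diffing rather than reading one log is that a persistence entry which disappears between scans is as interesting as one that appears, since it tells you something changed state between the two runs.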

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034)
ohnoes! i think i've been hacked.
« Reply #1 on: October 16, 2008, 09:28:59 PM »
Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with these options:
  • 1. Make logfile
  • E. Exit Haxfix

  • Select option 1. Make logfile by typing 1 and then pressing Enter.
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
  • Copy the contents of that logfile and paste it into this thread.
« Last Edit: October 16, 2008, 09:32:07 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


ep0xy (Newbie, Posts: 34)
ohnoes! i think i've been hacked.
« Reply #2 on: October 16, 2008, 09:48:19 PM »
checking iexplore.exe
iexplore.exe is not infected


--- Checking for other Goldun, Spybanker and Haxdoor files ---
no other Haxdoor or Goldun files found


--- Catchme logfile - thank you Gmer ---

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-16 23:15:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager]
"PendingFileRenameOperations"=str(7):"\x6264\2\x04d8ee\0\xffe0\xffff\xe4e8d\xebb0d\xe2c8d\xe2f0d\xffc0d\x1378e\xfd30d\xffa0\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\xfb38d\0\0\0\0\xffff\xffff\xffff\xffff\2\0\xebd0d\x1e8\0\xffff\xffff\0\0\0\0\26\0F\0\0\0\n\0\x6150\x6172\x656d\x6574\x7372lde\xffd8\xffff\x6b76\nF\0\x0100e\2\0\1o\x6553\x7672\x6369\x4465\x6c6ce D\xffb0\xffff%SystemRoot%\system32\schedsvc.dll\0\0Au\xffd8\xffff\x6b76\v"\0\x0178e\1\0\1c\x6553\x7672\x6369\x4d65\x6961nMa\xffd8\xffffSchedServiceMain\0n\xffa8\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\xfb38d\0\0\0\0\xffff\xffff\xffff\xffff\1\0\xfdb0d\xf278E\xffff\xffff\0\0\0\0\20\0\xa8\0\1\0\b\0\x6553\x7563\x6972\x7974\xffe0\xffff\x6b76\b\x90\0\x0218e\3\0\1\20\x6553\x7563\x6972\x7974\xff50\xffff\1\x8014x\0\x84\0\24\0000\0\2\34\1\0\x8002\24\x1ff\17\x101\0\0\x100\0\0\2H\3\0\0\24\x18d\2\x101\0\0\x500\v\0\0\30\x1ff\17\x201\0\0\x500 \0\x220\0\0\24\x1fd\2\x101\0\0\x500\22\0\x101\0\0\x500\22\0\x101\0\0\x500\22\0\x101\0\0\x500\22\0\x101\0\0\x500\22\0\0\0\xffe8\xffff\x686c\2xe\xea98\x6e7f\x01a0e\xe2d0\xe465\xffa8\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\xe7d0^\0\0\0\0\xffff\xffff\xffff\xffff\1\0\xfff0d\xe588E\xffff\xffff\0\0\0\0\22\0V\0\xf5\0\b\0\x6353\x6973\x6f50\x7472\xffd8\xffff\x6b76\tV\0\x0360e\2\0\1W\x6d49\x6761\x5065\x7461hs S\xffa0\xffff%SystemRoot%\system32\drivers\scsiport.sys\0 Pr\xffa8\xffff\x6b6e \xceea\xf340\x2ff4\x1c9\0\0\xe7d0^\1\0\1\0\x04e8e\x7ff0\x8000\6\0\x3560`\x1e8\0\xffff\xffff\22\0\0\0\30\08\0\xf6\0\6\0\x6553\x6463\x7672\0\xffe0\xffff\x6b76\4\4\x8000\1\0\4\0\1g\x7954\x6570SS\xffd8\xffff\x6b76\17 \0\x27f8e\a\0\1\0\x6544\x6570\x646e\x6e4f\x6553\x7672\x6369e\xff88\xffffProvides automatic configuration for the 802.11 adapters\0\0\xfff0\xffff\xe020h\x6020i\0o\xfff0\xffff\x686c\1\x05b0e\xe2d0\xe465\xfff8\xffff\x0c58e\xff70\xffff\??\C:\Documents and Settings\ep0xy\Desktop\wowglider\vhndlqwivh.sys\0\x6369\xffe0\xffff\x6b76\5\4\x8000\3\0\4\0\1r\x7453\x7261tv\xffa8\xffff\x6b6e 
\x3a4e\x1b0e\x1de3\x1c9\0\0\x03c0e\0\0\0\0\xffff\xffff\xffff\xffff\1\0\xfff8d\xf278E\xffff\xffff\0\0\0\0\20\0\xa8\0\0\0\b\0\x6553\x7563\x6972\x7974\xffe0\xffff\x6b76\b\x90\0\x0628e\3\0\1\0\x6553\x7563\x6972\x7974\xff50\xffff\1\x8014x\0\x84\0\24\0000\0\2\34\1\0\x8002\24\x1ff\17\x101\0\0\x100\0\0\2H\3\0\0\24\x19d\2\x101\0\0\x500\4\0\0\30\x1ff\17\x201\0\0\x500 \0\x220\0\0\24\x1fd\2\x101\0\0\x500\22\0\x101\0\0\x500\22\0\x101\0\0\x500\22\0\x101\0\0\x500\22\0\x101\0\0\x500\22\0\0\0\xffa8\xffff\x6b6e \xceea\xf340\x2ff4\x1c9\0\0\xe7d0^\2\0\1\0\x0d10e\x8128\x8000\a\0\xf720b\x1e8\0\xffff\xffff\26\0\0\0\30\0\x1bc\0\xf7\0\b\0\x6573\x6c63\x676f\x6e6f\xffd0\xffff\xd50`\xd70`\xdea0c\xdec8c\xfd58d\x0438e\x1c58e\x0948e\x0e48e\x08e0e2\\xffd0\xffff\x2d00[\x2fa8[\x2390d\x28c8d\x27c8d\x2228d\x16b0e\xfd80d\x2780d\x0908e\0o\xffd8\xffff192.168.1.1\000255\0\0\0\xffe0\xffff\x6b76\1\20\0\x4f10d\1\0\1\0000\0\0\0\xffe8\xffffVLAN Id\0\0\0\xffc8\xffff\x3d10'\x8588'\x7ad0'\x7390'\x7af8'\x7270'\x72d0'\x72f8'\xcfd8'\xce40'\xcd50'\xe640\34\x2870e\20\0\xe240g\xe2c0g\xe2e8g\xffa8\xffff\x6b6e \xf358\x1a64\x1de3\x1c9\0\0\x6820d\1\0\0\0\x0f70e\xffff\xffff\3\0\x53c8$\xe588E\xffff\xffff\n\0\0\0\22\0\32\0\3\0\a\0\x7445\x5668\x414cN\xffd8\xffff\x6b76\t\32\0\x1ba0e\1\0\1\x72e1\x6150\x6172\x446d\x7365\x9e63"\x711b\xd760\xffd8\xffff\x5180\1\0\0\0\0\2\0 S\1\0\xea60\0\1\0\xea60\0\xffd8\xffff\x6b76\v\x272\0\xa8g\1\0\1\0\x6544\x6373\x6972\x7470\x6f69n\0\0\xffd8\xffff\x6b76\vr\0\x0460e\1\0\1\xffff\x6544\x6373\x6972\x7470\x6f69nX\0\xffe8\xffff\x2500e\x2540e\x2560e\x2580e\x25a0e\xffd8\xffff\x6b76\n\30\0\x28f8e\1\0\1\0\x624f\x656a\x7463\x614e\x656d\0\0\0\xff90\xffffMonitors system security settings and configurations.\0\xffd8\xffff\xd90`\xdb0`\x1bb0b\x1bd8b\x2340d\x2258d\xfd30d\x28c8eua\xffa8\xffff\x6b6e \x3144\xf343\x2ff4\x1c9\0\0\xe7d0^\1\0\1\0\x7820>\x9410\x8000\a\0\x28a8d\x1e8\0\xffff\xffff\22\0\0\0\30\0V\0\x119\0\6\0\x6d74\x6f63\x6d6dn \0\x6b76\b\b\0\x8f58Y\3\0\1\x6cb8\x3031\x4232\x3530\x3032\xffc0\xffffRemote 
Access IP ARP Driver\0\0\0\xffe8\xffffDisable\0\0\0\xffa0\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\x06d8e\0\0\0\0\xffff\xffff\xffff\xffff\2\0\xef48d\x1e8\0\xffff\xffff\0\0\0\0\26\0F\0\0\0\n\0\x6150\x6172\x656d\x6574\x7372\0\0\0\xffd8\xffff\x6b76\nF\0\x0b60e\2\0\1L\x6553\x7672\x6369\x4465\x6c6c003\xffb0\xffff%SystemRoot%\System32\seclogon.dll\0\nHK\xffd8\xffff\x6b76\v$\0\x0bd8e\1\0\1\0\x6553\x7672\x6369\x4d65\x6961\xe16e\24\0\xffd8\xffffSvcEntry_Seclogon\0\xffa8\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\x06d8e\0\0\0\0\xffff\xffff\xffff\xffff\1\0\x04f8e\xf278E\xffff\xffff\0\0\0\0\20\0\x90\0\1\0\b\0\x6553\x7563\x6972\x7974\xffe0\xffff\x6b76\b\x90\0\x0c78e\3\0\1e\x6553\x7563\x6972\x7974\xff68\xffff\1\x8014x\0\x84\0\24\0000\0\2\34\1\0\x8002\24\x1ff\17\x101\0\0\x100\0\0\2H\3\0\0\24\x18d\2\x101\0\0\x500\v\0\0\30\x1ff\17\x201\0\0\x500 \0\x220\0\0\24\x1fd\2\x101\0\0\x500\22\0\x101\0\0\x500\22\0\x101\0\0\x500\22\0\0A\xffe8\xffff\x686c\2\x0ad8e\xea98\x6e7f\x0c00e\xe2d0\xe465\xffa8\xffff\x6b6e \xceea\xf340\x2ff4\x1c9\0\0\xe7d0^\2\0\1\0\x1308e\x8240\x8000\t\0\x1980c\x1e8\0\xffff\xffff\26\0\0\0\36\0\x100\0\xf8\0\4\0\x4553\x534eib\xffe0\xffff\x6b76\4\n\0\x7e30$\1\0\1\0\x7974\x6570\0\0\xffa8\xffff\x6b6e \xf358\x1a64\x1de3\x1c9\0\0\x0838e\0\0\0\0\xffff\xffff\xffff\xffff\2\0\x8fd0$\xe588E\xffff\xffff\0\0\0\0\2\0\20\0\0\0\4\0\x6e65\x6d75\0\0\xffe0\xffff\x6b76\1\20\0\x8fe8d\1\0\1\0000\0\0\0\b\0\0\0\xffe0\xffffLocalSystem\0le\b\0\x0e48e\xffd8\xffff\x6b76\16$\0\x08b8e\3\0\1\0\x6146\x6c69\x7275\x4165\x7463\x6f69\x736e\0\20\0atm\0\0\0\xffa0\xffff\x6b76F\xc8\0\xcf0g\1\0\1^\x3a43\x505c\x6f72\x7267\x6d61\x4620\x6c69\x7365\x535c\x6574\x6d61\x735c\x6574\x6d61\x7061\x7370\x625c\x6e75\x4067\x6179\x6379\x616c\x2e6e\x6f63\x5c6d\x6164\x2079\x666f\x6420\x6665\x6165\x5c74\x6c68\x652e\x6578\t\xff70\xffff\??\C:\Documents and 
Settings\ep0xy\Desktop\wowglider\ydzodmzw.sys\0\0\x686c\0\xfff0\xffff\x686c\1\x0da0e\x02457\xfff8\xffff\x1188e\xfff0\xffff\x686c\1\x1830e\xea98\x6e7f\xffc0\xffffSystem32\DRIVERS\wanarp.sys\0\0\0\20\0\xe478g\xe4b8g\0a\xfff8\xffff\x1250e\xfff0\xffff\x686c\1\x29a0e\x02457\x6268\x6e69\x1000e\x1000\0\0\0\0\0\0\0\0\0\0\0\xff70\xffffC:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui\0\xffe0\xffff\x6b76\3\4\x8000\1\0\4\0\1t\x6154gn \xffb0\xffffWindows Management Instrumentation\0\0\0\0\b\0\xb119\xe182\xffa0\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\x0d28e\0\0\0\0\xffff\xffff\xffff\xffff\1\0\x0f80e\x1e8\0\xffff\xffff\0\0\0\0\24\0>\0\0\0\n\0\x6150\x6172\x656d\x6574\x7372\0\0\30\xffd8\xffff\x6b76\n>\0\x11b0e\2\0\1o\x6553\x7672\x6369\x4465\x6c6cppl\xffb8\xffff%SystemRoot%\system32\sens.dll\000280\xffa8\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\x0d28e\0\0\0\0\xffff\xffff\xffff\xffff\1\0\x0fe8e\xf278E\xffff\xffff\0\0\0\0\20\0\x90\0\1\0\b\0\x6553\x7563\x6972\x7974\xffe0\xffff\x6b76\b\x90\0\x1270e\3\0\1w\x6553\x7563\x6972\x7974\xff68\xffff\1\x8014x\0\x84\0\24\0000\0\2\34\1\0\x8002\24\x1ff\17\x101\0\0\x100\0\0\2H\3\0\0\24\x18d\2\x101\0\0\x500\v\0\0\30\x1ff\17\x201\0\0\x500 \0\x220\0\0\24\x1fd\2\x101\0\0\x500\22\0\x101\0\0\x500\22\0\x101\0\0\x500\22\0b\0\xffe8\xffff\x686c\2\x1128e\xea98\x6e7f\x11f8e\xe2d0\xe465\xffa8\xffff\x6b6e \xe1ba\xf353\x2ff4\x1c9\0\0\xe7d0^\0\0\1\0\xffff\xffff\x170\x8001\a\0\x2e60c\x1e8\0\xffff\xffff\n\0\0\0\30\0:\0\xf9\0\a\0\x6573\x6572\x756em\xffd8\xffff\x6b76\v8\0\xf380d\1\0\1\0\x6544\x6373\x6972\x7470\x6f69n\0\0\xffd0\xffff\x6b76\21\4\x8000\xe5cc\x48f7\4\0\1\0\x654c\x7361\x4f65\x7462\x6961\x656e\x5464\x6d69e\0\0\0\xffa8\xffff\x6b6e 
\xf358\x1a64\x1de3\x1c9\0\0\x2fa0e\0\0\0\0\xffff\xffff\xffff\xffff\2\0\x50e0$\xe588E\xffff\xffff\0\0\0\0\2\0\20\0\0\0\4\0\x6e65\x6d75\0\0\xfff0\xffff\x686c\1\x3e10e\x02457\xfff8\xffff\x1f20e\xfff0\xffff002e\0\x29c4\xffc0\xffff\x40c0_\x40e8_\x2470`\x2378b\x23a0b\xe1b8c\xe220c\xe248c\x13a0e\xe200c\x2320d\x1c80e\x750\0\x1258\0s\\xffb0\xffff\x6b762\x92\0\x1950e\1\0\1o\x3a43\x505c\x6f72\x7267\x6d61\x4620\x6c69\x7365\x475c\x6f6f\x6c67\x5c65\x6f47\x676f\x656c\x5420\x6c61\x5c6b\x6f67\x676f\x656c\x6174\x6b6c\x652e\x6578\0\x686c\0\xffe0\xffff\x6b76\1\16\0\x8e10d\1\0\1\0001\0\0\0\xffe8\xffffEnable\0\0\0\0\xffe0\xffff\x0418e\x0590e\x1a58e\x10b0e\x1e40e\x2380e\x2630e\xffa8\xffff\x6b6e \xe1ba\xf353\x2ff4\x1c9\0\0\xe7d0^\1\0\1\0\x0f88e\xffe8\x8000\f\0\x3288c\x1e8\0\xffff\xffff\26\0\0\0\36\08\0\xfa\0\6\0\x6553\x6972\x6c61\0\xffe0\xffff\x6b76\1\20\0\x0ac0e\1\0\1\0000\0\0\0\xffe0\xffff\x6b76\1\16\0\x1500e\1\0\1\0001\0\0\0\xffa0\xffff\x6b6e \xf358\x1a64\x1de3\x1c9\0\0\x6820d\1\0\0\0\x1428e\xffff\xffff\3\0\xb498$\xe588E\xffff\xffff\n\0\0\0\22\0,\0\6\0\r\0\x6f46\x6372\x5365\x6570\x6465\x7044x\0\xffd8\xffff\x6b76\t,\0\x1658e\1\0\1\0\x6150\x6172\x446d\x7365c\0\0\0\xffd0\xffffSpeed/duplex settings\0\xffe0\xffff\x6b76\a\4\x80000\0\1\0\1\0\x6564\x6166\x6c75t\b\0\x3537\x3635\xffd8\xffff\x6b76\17\36\0\x2848e\a\0\1\0\x6544\x6570\x646e\x6e4f\x6553\x7672\x6369e\xffa8\xffff\x6b6e \xf358\x1a64\x1de3\x1c9\0\0\x35e0d\0\0\0\0\xffff\xffff\xffff\xffff\2\0\x3310$\xe588E\xffff\xffff\0\0\0\0\2\0\20\0\0\0\4\0\x6e65\x6d75\0\0\b\0\0\0\xffa8\xffff\x6b6e \xc3b6\x1b17\x1de3\x1c9\0\0\x2a18e\0\0\0\0\xffff\xffff\xffff\xffff\1\0\xffe8d\xf278E\xffff\xffff\0\0\0\0\20\0\xa8\0\0\0\b\0\x6553\x7563\x6972\x7974\xffe0\xffff\x6b76\b\xa8\0\xa990g\3\0\1\0\x6553\x7563\x6972\x7974\xff80\xffff\??\C:\Documents and Settings\ep0xy\Desktop\wowglider\ztb.sys\0\xffa0\xffff\x6b6e 
\x3a4e\x1b0e\x1de3\x1c9\0\0\x1538e\0\0\0\0\xffff\xffff\xffff\xffff\0\0\xffff\xffff\x1e8\0\xffff\xffff\0\0\0\0\0\0\0\0\0\0\n\0\x6150\x6172\x656d\x6574\x7372\0\0\x500\xffa8\xffff\x6b6e \xe2\xf907\x2ff4\x1c9\0\0\xe7d0^\0\0\1\0\xffff\xffff\xc578\x8001\6\0\x32e0c\x1e8\0\xffff\xffff\n\0\0\0\32\0\36\0\xfb\0\a\0\x6653\x6f6c\x7070y\xff98\xffff\x6b76P\xbe\0\x16e8g\1\0\1a\x3a43\x505c\x6f72\x7267\x6d61\x4620\x6c69\x7365\x535c\x6574\x6d61\x735c\x6574\x6d61\x7061\x7370\x6e5c\x6869\x6c69\x7369\x7074\x6f72\x6170\x6167\x646e\x5c61\x6164\x2079\x666f\x6420\x6665\x6165\x2074\x6f73\x7275\x6563\x685c\x326c\x652e\x6578\xff68\xffffC:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk\0l\20\0\x8000\xc562\x1c0\x1c1\0\0\xffa0\xffff\x6b6e \xceea\xf340\x2ff4\x1c9\0\0\xe7d0^\4\0\1\0\x2f78e\x8350\x8000\t\0\x7710c\x1e8\0\xffff\xffff\26\0\0\0\36\0\x116\0\xfc\0\f\0\x6853\x7261\x6465\x6341\x6563\x7373ra\xffd8\xffff\x6b76\f\4\x8000\1\0\4\0\1r\x7245\x6f72\x4372\x6e6f\x7274\x6c6ftw\xfee0\xffff\\?\{C1FCC185-55B3-4E00-814B-C588A13525E1}#Vid_046d&Pid_c041&Rev_4600&MI_00&HidFilt#8&211afbb7&0&00#{d21a038a-7762-4451-a518-d571b1a7a24a}\0X\xd020X\xffe0\xffffVLAN Support\0\0\xffe8\xffff\x25c0e\x3168e\x3278e\x3298e\x4070e\xffc0\xffffsystem32\DRIVERS\Wdf01000.sys\0\xffc0\xffffsystem32\drivers\wdmaud.sys\0\0\0\xffd8\xffff\x6b76\r\2\x8000\0\0\a\0\1\0\x6544\x6570\x646e\x6e4f\x7247\x756fp\0\xffd0\xffff\x6b76\23\4\x8000\x374c\x48f9\4\0\1\17\x654c\x7361\x5465\x7265\x696d\x616e\x6574\x5473\x6d69e\xfe18\17\b\0\xfe18\17\xffd8\xffff\x6b76\17\20\0\x1250[\a\0\1\0\x6544\x6570\x646e\x6e4f\x6553\x7672\x6369e\xffa0\xffff\xc268 \xc320 \xc400 \x41306\x9698G\x408g\x488g\x4d28f\xd510f\x0860f\x0980f\x84f0d\xa538e\xa438e\xc490 \xa3d0_\x5020e\xc588 
\x4d28\35\x4440\35\x1490e\x1490e\x6b76\17\xffc8\xffff\x6b76\34\4\x8000\0\0\4\0\1\x6e4f\x6944\x6173\x6c62\x2065\x6550\x6672\x726f\x616d\x636e\x2065\x6f43\x6e75\x6574\x7372\1\0\xffc8\xffff\x72b0'\x7aa8'\x7b20'\xccc8'\xd248'\xd270'\xd290'\xd2f0'\xd348'\xad48(\xd320'\x1d40e\x2630e\xffc8\xffff\x6b76\e\x4b40\0He\a\0\1\5\x6550\x646e\x6e69\x4667\x6c69\x5265\x6e65\x6d61\x4f65\x6570\x6172\x6974\x6e6fs\x6b76\r \0\x6b76\b\b\0\x9aa0Y\3\0\1\x13d5\x3031\x4232\x3530\x3132\xffe0\xffff\x6b76\a\4\x80000\0\1\0\1\0\x6564\x6166\x6c75t\xffe8\xffffDisable\0\0\0\xffd8\xffff\x6b76\t<\0\x1bd8e\2\0\1i\x6d49\x6761\x5065\x7461hide\xffa8\xffff\x6b6e \x3ac4\x18d0\x2ff5\x1c9\0\0\x19f8e\0\0\0\0\xffff\xffff\xffff\xffff\1\0\xf1c0\\x1e8\0\xffff\xffff\0\0\0\0\n\0\4\0\0\0\5\0\x7045\x636fh4\xffa0\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\x19f8e\1\0\0\0\x31905\xffff\xffff\1\0\x1438e\x1e8\0\xffff\xffff\36\0\0\0\24\0F\0\1\0\n\0\x6150\x6172\x656d\x6574\x7372\0\0\0\xffd8\xffff\x6b76\nF\0\x1f48e\2\0\1\0\x6553\x7672\x6369\x4465\x6c6c\0\0\0\xffb0\xffff%SystemRoot%\System32\ipnathlp.dll\0\0\0\0\xffd8\xffff\x6b76\t\32\0\xa040d\1\0\1\0\x6150\x6172\x446d\x7365c\0\0\0\xffc8\xffff\x6b76\35z\0\x21a0e\1\0\1\0\x7725\x6e69\x6964\x2572\x735c\x7379\x6574\x336d\x5c32\x6573\x7373\x676d\x2e72\x7865\x6565\x6544\b\0\x2380e\x6268\x6e69\x2000e\x1000\0\0\0\0\0\0\0\0\0\0\0\xffa0\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\x1ec0e\2\0\0\0\x1a70F\xffff\xffff\0\0\xffff\xffff\x1e8\0\xffff\xffff \0\0\0\0\0\0\0\0\0\16\0\x6946\x6572\x6177\x6c6c\x6f50\x696c\x7963\0\xffa0\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\x2020e\1\0\0\0\x77d85\xffff\xffff\0\0\xffff\xffff\x1e8\0\xffff\xffff.\0\0\0\0\0\0\0\0\0\r\0\x6f44\x616d\x6e69\x7250\x666f\x6c69\xff65\xffff\xff98\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\x2080e\1\0\0\0\x40d06\xffff\xffff\0\0\xffff\xffff\x1e8\0\xffff\xffff\n\0\0\0\0\0\0\0\0\0\26\0\x7541\x6874\x726f\x7a69\x6465\x7041\x6c70\x6369\x7461\x6f69\x736e\0\xffa8\xffff\x6b6e 
\x3a4e\x1b0e\x1de3\x1c9\0\0\x20e0e\0\0\0\0\xffff\xffff\xffff\xffff\2\0\x2300e\x1e8\0\xffff\xffff\0\0\0\0R\0\x92\0\0\0\4\0\x694c\x7473\0\0\xff80\xffff%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019\0\e\xffb8\xffff\x6b76)\x92\0\x2268e\1\0\1\x4955\x7725\x6e69\x6964\x2572\x4e5c\x7465\x6f77\x6b72\x4420\x6169\x6e67\x736f\x6974\x5c63\x7078\x656e\x6474\x6169\x2e67\x7865e\0\x6b76\n\xff68\xffff%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000\0}\xfff0\xffff\x1fc0e\x2220e\0\0\xfff0\xffff0017\0\0\xffa0\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\x2020e\2\0\0\0\xd6c8E\xffff\xffff\2\0\xad28[\x1e8\0\xffff\xffff.\0\0\0(\0\4\0\1\0\17\0\x7453\x6e61\x6164\x6472\x7250\x666f\x6c69e\xffd8\xffff\x6b76\v\22\0\x51d8]\1\0\1e\x6944\x7073\x616c\x4e79\x6d61eal\xffe8\xffffEnable\0\0\0\0\xff98\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\x2320e\1\0\0\0\x17688\xffff\xffff\0\0\xffff\xffff\x1e8\0\xffff\xffff\n\0\0\0\0\0\0\0\0\0\26\0\x7541\x6874\x726f\x7a69\x6465\x7041\x6c70\x6369\x7461\x6f69\x736e\0\xffa8\xffff\x6b6e \x4d1e\xb294\x2fe9\x1c9\0\0\x23c0e\0\0\0\0\xffff\xffff\xffff\xffff!\0\xa680\3\x1e8\0\xffff\xffff\0\0\0\0\xf0\0\x12e\0\0\0\4\0\x694c\x7473\x6b76\a\xffe0\xffff\x6b76\1\16\0\xdfe8d\1\0\1\0001\0\0\0\xffa0\xffff\x6b6e \xf358\x1a64\x1de3\x1c9\0\0\x6820d\0\0\0\0\xffff\xffff\xffff\xffff\5\0\x0930e\xe588E\xffff\xffff\0\0\0\0\22\0\20\0\4\0\t\0\x7445\x5668\x414c\x494ed\0\0\0\xffd8\xffff\x6b76\t\20\0\x07d8e\1\0\1\0\x6150\x6172\x446d\x7365c\0\0\0\20\0\xe980g\xea00g\xe6f0g\xfff8\xffff\x2f58e\xffe0\xffff\x6b76\a\4\x80001\0\1\0\1\0\x6564\x6166\x6c75t\xffe0\xffff\x6b76\4\n\0\x98e8$\1\0\1\0\x7974\x6570\0\0\xffe0\xffff\x6b76\3\4\x80001\0\1\0\1\0\x696dn\0\0\xffe0\xffff\x6b76\3\n\0\x91d8$\1\0\1\0\x616dx\0\0\xffe0\xffff\x6b76\1,\0\x25e0e\1\0\1\0000\0\0\0\xffd0\xffff1500 (Standard frame)\0\20\0\xeb98g\xebe0g\x686c\0\xfff0\xffff001B\0t\xffe0\xffff\x6b76\5\32\0\x2a70e\1\0\1v\x7247\x756fpu\xffd8\xffff\x6b76\f\4\x8000\1\0\4\0\1\0\x7245\x6f72\x4372\x6e6f\x7274\x6c6f\0\0X\0\x6b6e 
\x34e\x257e\x1de6\x1c9\0\0\x7b38^\0\0\0\0\xffff\xffff\xffff\xffff\4\0\x3968\20\xffff\xffff\xffff\xffff\0\0\0\0000\0\x86\0\0\0\a\0\x6f43\x746e\x6f72\x6c6c\xff98\xffff\x6b6e \xf358\x1a64\x1de3\x1c9\0\0\x6820d\1\0\0\0\x0ff0e\xffff\xffff\3\0\x9bf0$\xe588E\xffff\xffff\n\0\0\0\22\0000\0\5\0\22\0\x7445\x5768\x4c4f\x7246\x6d6f\x6f50\x6577\x4f72\x6666\0\0\0\xffc8\xffffWakeOnLAN From PowerOff\0\0\0\xffe8\xffffDisable\0\0\0000\0\x6b76\b\b\0\xa0b0Y\3\0\1\37\x3031\x4232\x3530\x3532\20\0\x8000\xc562\x1c0\x1c1\0\0\xffe8\xffffEnable\0\0\0\0\xffd8\xffff\x6b76\t8\0\x1c18e\2\0\1\0\x6d49\x6761\x5065\x7461h\0\0\0\xffd8\xffffRPCSS\0Eventlog\0\0\0\0\xffe0\xffff\x6b76\4\n\0\x4c30$\1\0\1\0\x7974\x6570\0\0\b\0\xaf18\35\xffd8\xffffRpcSs\0Ndisuio\0\0\1\0\17\xffd8\xffff\x6b76\t0\0\x2738e\1\0\1\0\x6150\x6172\x446d\x7365c\0\0\0\b\00016\xffd8\xffff\x6b76\v^\0\xf2d8d\1\0\1\0\x6944\x7073\x616c\x4e79\x6d61e\0\0\xffd8\xffff\x6b76\vl\0\x0970e\1\0\1\0\x6544\x6373\x6972\x7470\x6f69nys\b\0ys\xffe0\xffffLocalSystem\0\0\0\xffe8\xffffNVENETFD\0\0\xffd0\xffff\x44d0\35\x46b0\35\x43f0\35\x45c0\35\x4610\35\x4c50\35\x7558\37\xae98\37\x5880\e\x1b38!\x2320d\xffe0\xffff\x6b76\a\4\x80001\0\1\0\1\0\x6564\x6166\x6c75t\xffe0\xffff\x6b76\4\n\0\x9e20$\1\0\1\0\x7974\x6570\0\0\xffa8\xffff\x6b6e \xf358\x1a64\x1de3\x1c9\0\0\x26d0e\0\0\0\0\xffff\xffff\xffff\xffff\2\0\xa4a0$\xe588E\xffff\xffff\0\0\0\0\2\0\20\0\0\0\4\0\x6e65\x6d75\0\0\xfff0\xffff0011\0\0\20\0\xa0e0i\xa258i\xa108i\xffa8\xffff\x6b6e \x3144\xf343\x2ff4\x1c9\0\0\xe7d0^\1\0\1\0\x16c0B\xa190\x8000\a\0\x1518e\x1e8\0\xffff\xffff\22\0\0\0\30\0<\0\x131\0\b\0\x6457\x3066\x3031\x3030\xffe0\xffffWdfLoadGroup\0o\xffc8\xffffNT AUTHORITY\LocalService\0\xff98\xffff\x6b6e \x3a4e\x1b0e\x1de3\x1c9\0\0\x2320e\1\0\0\0\x19308\xffff\xffff\0\0\xffff\xffff\xe588E\xffff\xffff\n\0\0\0\0\0\0\0\1\0\21\0\x6c47\x626f\x6c61\x796c\x704f\x6e65\x6f50\x7472stsv\xffa8\xffff\x6b6e 

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
ohnoes! i think i've been hacked.
« Reply #3 on: October 16, 2008, 10:13:57 PM »
Well, that showed nothing that I thought it should.
Can you do the following please?

Download Malwarebytes' Anti-Malware from Here or Here.
Save the installer to your desktop.

Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In addition, post a fresh Hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline ep0xy

  • Newbie
  • *
  • Posts: 34
  • Karma: +0/-0
ohnoes! i think i've been hacked.
« Reply #4 on: October 16, 2008, 11:25:55 PM »
Malwarebytes' Anti-Malware 1.29
Database version: 1276
Windows 5.1.2600 Service Pack 3

10/17/2008 12:58:32 AM
mbam-log-2008-10-17 (00-58-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 129720
Time elapsed: 56 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\gzipmod.dll (Rootkit.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gzipmod.dll (Trojan.Agent) -> Delete on reboot.
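
The MBAM log above shows how the infection survived reboots: gzipmod.dll was registered as a Winlogon notification package, which winlogon.exe loads at startup as SYSTEM, before any user logs on. That is also why MBAM could only schedule the file for deletion on reboot: it was mapped into a running process. As an added example (not code from the thread, from Malwarebytes or from HijackThis), here is a Python script that parses a `reg export` of the Winlogon\Notify key and flags packages that do not belong. The .reg text is constructed to mirror the finding above, and the known-good list is an assumption taken from a stock Windows XP install, so a package missing from it is a lead to verify, not a verdict.

```python
"""Flag unexpected Winlogon notification packages in a .reg export.

Added example for this thread, not code from Malwarebytes or HijackThis.
Assumes the key was dumped with:
  reg export "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" notify.reg
"""

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Assumption: the Notify packages present on a stock Windows XP install.
KNOWN_GOOD = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}

# Constructed .reg text mirroring the thread's finding: one legitimate
# package (WgaLogon) next to the gzipmod entry that MBAM removed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"DLLName"="WgaLogon.dll"
"Logon"="WgaLogonLogonEvent"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]
"DLLName"="C:\\WINDOWS\\system32\\gzipmod.dll"
"Startup"="winlogon_start"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"""


def parse_reg_export(text):
    """Return {package_name: {value_name: value}} for each Notify\\<name> key."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NOTIFY_PREFIX.lower()):
                current = key[len(NOTIFY_PREFIX):]
                entries[current] = {}
            else:
                current = None  # the parent key or an unrelated key
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = name.strip('"')
        if raw.startswith('"') and raw.endswith('"'):
            # REG_SZ: regedit escapes backslashes and quotes with a backslash
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        else:
            value = raw
        entries[current][name] = value
    return entries


def triage_notify(entries, known_good=KNOWN_GOOD):
    """Return (package, dll, reasons) for every package worth a closer look."""
    findings = []
    for name, values in entries.items():
        dll = str(values.get("DLLName", ""))
        reasons = []
        if name not in known_good:
            reasons.append("package name not present on a stock XP install")
        if "\\" in dll:
            # Built-in packages name a bare DLL that lives in system32;
            # an explicit path is how a dropped DLL is usually wired in.
            reasons.append("DLLName carries an explicit path")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


if __name__ == "__main__":
    for package, dll, reasons in triage_notify(parse_reg_export(SAMPLE_REG)):
        print(f"{package}: {dll}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed dump, WgaLogon passes and gzipmod is reported twice over: an unknown name and a full path. On a live machine, run the export from an account with rights to read HKLM and compare the file named in DLLName against what is actually on disk, since a rootkit-class sample can hide the file from Explorer while the registry still points at it.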

Offline ep0xy

  • Newbie
  • *
  • Posts: 34
  • Karma: +0/-0
ohnoes! i think i've been hacked.
« Reply #5 on: October 16, 2008, 11:31:35 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:06 AM, on 10/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Excursion9.5\mIRC.ExCurSioN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\mIRC-TPG\mirc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4187 bytes
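
HijackThis lists items without judging them, so a reviewer reads a log like the one above for a few patterns by hand: processes running from directories outside Windows and Program Files, Run entries that give only a bare file name (Windows then resolves it through the search path at logon rather than from a fixed location), and O23 services with no publisher recorded. The script below automates that first pass over the log format shown above. It is an added example, not code from the thread, the poster or Trend Micro; the sample log is a constructed excerpt of the post above, and the trusted-directory list and the rules are assumptions for a person to confirm. Expect legitimate hits too: PnkBstrA is PunkBuster's anti-cheat service and RUNDLL32.EXE is a system binary, so both come up and are then cleared.

```python
"""First-pass triage of a HijackThis log.

Added example for this thread, not code from Trend Micro or from the
poster. The sample log is a constructed excerpt of the log posted above;
the trusted-directory list and the rules are assumptions for a reviewer
to confirm by hand.
"""
import re

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:06 AM, on 10/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Winamp\winampa.exe
C:\Excursion9.5\mIRC.ExCurSioN.exe
C:\mIRC-TPG\mirc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Assumption: anything launched from outside these trees deserves a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")            # R0, R1, O4, O23, ...
O4_RE = re.compile(r"^O4 - (?P<where>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')      # optional quote, then C:\


def parse_hjt(text):
    """Split a log into (running_processes, o_entries)."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False
        elif in_processes:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def triage_hjt(text):
    """Return (rule, line) pairs for items a reviewer should look at."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        if not proc.lower().startswith(TRUSTED_DIRS):
            findings.append(("process outside Windows/Program Files", proc))
    for entry in entries:
        m = O4_RE.match(entry)
        if m:
            if not ABS_PATH_RE.match(m.group("cmd")):
                # A bare file name is resolved through the search path at
                # logon, so the entry does not pin down which file runs.
                findings.append(("Run entry without an absolute path", entry))
            continue
        m = O23_RE.match(entry)
        if m and m.group("owner") == "Unknown owner":
            findings.append(("service with no publisher recorded", entry))
    return findings


if __name__ == "__main__":
    for rule, line in triage_hjt(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

On the constructed excerpt this yields six leads: the two mIRC builds running from the root of C:, three Run entries given as bare names, and the PnkBstrA service. The RSIT output later in the thread resolves the bare names (Logi_MwX.Exe and KHALMNPR.EXE live under C:\WINDOWS), which is exactly the follow-up each of those leads needs.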

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
ohnoes! i think i've been hacked.
« Reply #6 on: October 17, 2008, 07:27:22 AM »
How is everything running now?
Log looks good



Offline ep0xy

  • Newbie
  • *
  • Posts: 34
  • Karma: +0/-0
ohnoes! i think i've been hacked.
« Reply #7 on: October 17, 2008, 07:37:42 AM »
Everything seems to be running great! Was the malware that program found a key logger? Or just an ad spammer? What did it do?

Again, thanks so much guestolo!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
ohnoes! i think i've been hacked.
« Reply #8 on: October 17, 2008, 08:01:16 AM »
The file and registry entries are related to Haxdoor.
Here's a brief description from F-Secure:
Quote: "...spying capabilities and according to reports, it has been used to steal bank-related information, logins and passwords for online bank accounts, and other information."

Just to be on the safe side, you should change all online passwords

Can I see one more log please
I just want to double check there are no left over files
Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to launch program.
  • Click Continue at the disclaimer screen.
  • Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
  • Once it has finished, two logs will open: log.txt (this will be maximized) and info.txt (this will be minimized).
Can you post Both those logs please



Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
ohnoes! i think i've been hacked.
« Reply #9 on: October 17, 2008, 08:12:39 AM »
I'm just on my way out to work, go ahead and post those logs
I'll take a look at them in about 10 hours



Offline ep0xy

  • Newbie
  • *
  • Posts: 34
  • Karma: +0/-0
ohnoes! i think i've been hacked.
« Reply #10 on: October 17, 2008, 08:15:36 AM »
Logfile of random's system information tool 1.04 (written by random/random)
Run by ep0xy at 2008-10-17 09:50:59
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 15 GB (20%) free of 76 GB
Total RAM: 3071 MB (76% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:03 AM, on 10/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Excursion9.5\mIRC.ExCurSioN.exe
C:\mIRC-TPG\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Documents and Settings\ep0xy\Local Settings\Temporary Internet Files\Content.IE5\2UWXLGLN\RSIT[1].exe
C:\Program Files\Trend Micro\HijackThis\ep0xy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 4456 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware SE Personal.job
C:\WINDOWS\tasks\Spybot - Search & Destroy.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"Logitech Utility"=C:\WINDOWS\Logi_MwX.Exe [2003-11-07 19968]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2008-08-03 36352]
"Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2007-04-11 56080]
"Kernel and Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2007-04-11 56080]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-08-04 582992]
"googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-02 13529088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Steam"=c:\program files\steam\steam.exe [2008-10-09 1410296]
"NVIDIA nTune"=C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe clear []
"AIM"=C:\Program Files\AIM\aim.exe [2006-08-01 67112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe [2006-08-01 67112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe [2004-12-06 532480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
C:\WINDOWS\SOUNDMAN.EXE [2004-11-15 77824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
MultiMon Taskbar.lnk - C:\Program Files\MMTaskbar\MultiMon.exe

C:\Documents and Settings\ep0xy\Start Menu\Programs\Startup
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\ExcursionXBeta\mIRC.exe"="C:\ExcursionXBeta\mIRC.exe:*:Enabled:mIRC"
"C:\Documents and Settings\ep0xy\Local Settings\Temp\nskE9.tmp\utorrent.exe"="C:\Documents and Settings\ep0xy\Local Settings\Temp\nskE9.tmp\utorrent.exe:*:Enabled:µTorrent"
"C:\mIRC-TPG\mirc.exe"="C:\mIRC-TPG\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\Steam\steamapps\nihilistpropaganda\source sdk base\hl2.exe"="C:\Program Files\Steam\steamapps\nihilistpropaganda\source sdk base\hl2.exe:*:Enabled:hl2"
"C:\Program Files\HLSW\hlsw.exe"="C:\Program Files\HLSW\hlsw.exe:*:Enabled:hlsw"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Steam\steamapps\nihilistpropaganda\day of defeat\hl.exe"="C:\Program Files\Steam\steamapps\nihilistpropaganda\day of defeat\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Steam\steamapps\dirtstarEmail Removed\day of defeat\hl.exe"="C:\Program Files\Steam\steamapps\dirtstarEmail Removed\day of defeat\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Steam\steamapps\[email protected]\day of defeat\hl.exe"="C:\Program Files\Steam\steamapps\[email protected]\day of defeat\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\Program Files\Steam\steamapps\nihilistpropaganda\day of defeat source\hl2.exe"="C:\Program Files\Steam\steamapps\nihilistpropaganda\day of defeat source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\nihilistpropaganda\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\nihilistpropaganda\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\roundnycEmail Removed\day of defeat\hl.exe"="C:\Program Files\Steam\steamapps\roundnycEmail Removed\day of defeat\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Steam\steamapps\nihilistpropaganda\counter-strike\hl.exe"="C:\Program Files\Steam\steamapps\nihilistpropaganda\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Steam\steamapps\nihilistpropaganda\opposing force\hl.exe"="C:\Program Files\Steam\steamapps\nihilistpropaganda\opposing force\hl.exe:*:Enabled:Half-Life Launcher"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\Steam\steam.exe"="C:\Program Files\Steam\steam.exe:*:Enabled:Steam"
"C:\Program Files\Steam\steamapps\nihilistpropaganda\half-life 2 deathmatch\hl2.exe"="C:\Program Files\Steam\steamapps\nihilistpropaganda\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\redrockEmail Removed\day of defeat\hl.exe"="C:\Program Files\Steam\steamapps\redrockEmail Removed\day of defeat\hl.exe:*:Enabled:Half-Life Launcher"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Steam\steamapps\nihilistpropaganda\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\nihilistpropaganda\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\Excursion9.5\mIRC.ExCurSioN.exe"="C:\Excursion9.5\mIRC.ExCurSioN.exe:*:Enabled:mIRC"
"C:\Program Files\Steam\steamapps\common\call of duty 4\iw3mp.exe"="C:\Program Files\Steam\steamapps\common\call of duty 4\iw3mp.exe:*:Enabled:iw3mp"
"C:\World of Warcraft\Repair.exe"="C:\World of Warcraft\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\Steam\steamapps\nihilistpropaganda\age of chivalry\hl2.exe"="C:\Program Files\Steam\steamapps\nihilistpropaganda\age of chivalry\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\nihilistpropaganda\diprip warm up\hl2.exe"="C:\Program Files\Steam\steamapps\nihilistpropaganda\diprip warm up\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\nihilistpropaganda\insurgency\hl2.exe"="C:\Program Files\Steam\steamapps\nihilistpropaganda\insurgency\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\common\call of duty 2\CoD2MP_s.exe"="C:\Program Files\Steam\steamapps\common\call of duty 2\CoD2MP_s.exe:*:Enabled:CoD2MP_s"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-10-17 09:50:59 ----D---- C:\rsit
2008-10-17 00:32:12 ----A---- C:\HaxFix.txt
2008-10-16 23:58:35 ----D---- C:\Documents and Settings\ep0xy\Application Data\Malwarebytes
2008-10-16 23:58:30 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-16 23:58:30 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-16 23:13:46 ----A---- C:\HaxFix.exe
2008-10-16 23:13:45 ----D---- C:\HaxFix
2008-10-16 20:10:39 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-16 20:10:39 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-16 19:57:13 ----D---- C:\Program Files\Trend Micro
2008-10-15 09:23:24 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard
2008-10-14 15:34:56 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-14 15:34:50 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-14 15:34:45 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-14 15:34:12 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-14 15:34:03 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-09-24 17:50:59 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-09-23 21:38:01 ----D---- C:\WINDOWS\Prefetch
2008-09-23 21:35:43 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-09-23 21:35:37 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-09-23 21:35:29 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-09-23 21:35:22 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-09-23 21:35:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-09-23 21:35:10 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-09-23 21:35:02 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-09-23 21:34:56 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-09-23 21:34:50 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-09-23 21:34:43 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-09-23 21:34:38 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-23 21:30:50 ----D---- C:\WINDOWS\system32\scripting
2008-09-23 21:30:49 ----D---- C:\WINDOWS\l2schemas
2008-09-23 21:30:48 ----D---- C:\WINDOWS\system32\en
2008-09-22 19:56:57 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-09-22 19:56:56 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-09-22 19:56:55 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-09-22 19:56:55 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-09-22 19:56:49 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-09-22 19:56:49 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-09-22 19:56:42 ----N---- C:\WINDOWS\system32\setupn.exe
2008-09-22 19:56:39 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-09-22 19:56:38 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-09-22 19:56:37 ----N---- C:\WINDOWS\system32\qutil.dll
2008-09-22 19:56:36 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-09-22 19:56:36 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-09-22 19:56:36 ----N---- C:\WINDOWS\system32\qagent.dll
2008-09-22 19:56:35 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-09-22 19:56:33 ----N---- C:\WINDOWS\system32\onex.dll
2008-09-22 19:56:28 ----N---- C:\WINDOWS\system32\napstat.exe
2008-09-22 19:56:28 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-09-22 19:56:28 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-09-22 19:56:27 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-09-22 19:56:27 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-09-22 19:56:26 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-09-22 19:56:26 ----N---- C:\WINDOWS\system32\mssha.dll
2008-09-22 19:56:19 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-09-22 19:56:19 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-09-22 19:56:19 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-09-22 19:56:19 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-09-22 19:56:12 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-09-22 19:56:12 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-09-22 19:56:11 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-09-22 19:56:11 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-09-22 19:56:11 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-09-22 19:56:11 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-09-22 19:56:02 ----A---- C:\WINDOWS\005417_.tmp
2008-09-22 19:56:01 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-09-22 19:56:01 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-09-22 19:56:01 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-09-22 19:56:01 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-09-22 19:56:01 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-09-22 19:56:01 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-09-22 19:56:01 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-09-22 19:56:01 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-09-22 19:55:59 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-09-22 19:55:59 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-09-22 19:55:59 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-09-22 19:55:59 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-09-22 19:55:59 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-09-22 19:55:59 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-09-22 19:55:59 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-09-22 19:55:58 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-09-22 19:55:58 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-09-22 19:55:58 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-09-22 19:55:56 ----N---- C:\WINDOWS\system32\credssp.dll
2008-09-22 19:55:53 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-09-22 19:55:52 ----N---- C:\WINDOWS\system32\azroles.dll
2008-09-22 19:55:46 ----N---- C:\WINDOWS\system32\aaclient.dll

======List of files/folders modified in the last 1 months======

2008-10-17 09:26:29 ----D---- C:\Program Files\Steam
2008-10-17 09:26:22 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2008-10-17 09:25:15 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-17 09:02:08 ----D---- C:\WINDOWS\Temp
2008-10-17 01:06:52 ----D---- C:\mIRC-TPG
2008-10-17 01:05:22 ----D---- C:\WINDOWS\system32
2008-10-17 01:05:04 ----D---- C:\WINDOWS\system32\drivers
2008-10-17 01:04:04 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-17 00:32:22 ----D---- C:\WINDOWS
2008-10-16 23:58:30 ----RD---- C:\Program Files
2008-10-16 21:41:18 ----D---- C:\Program Files\HLSW
2008-10-16 21:09:25 ----SHD---- C:\Config.Msi
2008-10-16 21:02:24 ----D---- C:\Program Files\Mozilla Firefox
2008-10-16 20:49:28 ----D---- C:\Excursion9.5
2008-10-16 20:16:58 ----SHD---- C:\WINDOWS\Installer
2008-10-16 20:16:18 ----D---- C:\Program Files\Lavasoft
2008-10-16 20:15:36 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-16 20:14:57 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-16 19:28:08 ----D---- C:\Documents and Settings\ep0xy\Application Data\Adobe
2008-10-15 12:44:46 ----D---- C:\World of Warcraft
2008-10-14 15:36:52 ----D---- C:\Program Files\Internet Explorer
2008-10-14 15:34:58 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-14 15:34:58 ----HD---- C:\WINDOWS\inf
2008-10-14 15:34:55 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-14 15:34:53 ----A---- C:\WINDOWS\imsins.BAK
2008-10-07 15:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-03 13:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-09-25 13:48:22 ----D---- C:\Program Files\Winamp
2008-09-23 21:41:51 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-09-23 21:38:57 ----A---- C:\WINDOWS\OEWABLog.txt
2008-09-23 21:38:04 ----A---- C:\WINDOWS\setuplog.txt
2008-09-23 21:37:32 ----D---- C:\WINDOWS\system32\Setup
2008-09-23 21:37:32 ----D---- C:\WINDOWS\AppPatch
2008-09-23 21:37:31 ----D---- C:\WINDOWS\system32\wbem
2008-09-23 21:37:30 ----RSD---- C:\WINDOWS\Fonts
2008-09-23 21:36:29 ----D---- C:\WINDOWS\security
2008-09-23 21:35:45 ----D---- C:\WINDOWS\system32\CatRoot
2008-09-23 21:34:45 ----D---- C:\Program Files\Messenger
2008-09-23 21:31:11 ----D---- C:\WINDOWS\WinSxS
2008-09-23 21:31:04 ----D---- C:\WINDOWS\network diagnostic
2008-09-23 21:31:04 ----D---- C:\WINDOWS\ime
2008-09-23 21:31:04 ----D---- C:\WINDOWS\Help
2008-09-23 21:30:51 ----D---- C:\WINDOWS\system32\usmt
2008-09-23 21:30:51 ----D---- C:\WINDOWS\system32\en-US
2008-09-23 21:30:48 ----D---- C:\WINDOWS\system32\bits
2008-09-23 21:30:48 ----D---- C:\WINDOWS\peernet
2008-09-23 21:30:48 ----D---- C:\Program Files\Movie Maker
2008-09-23 21:28:09 ----D---- C:\WINDOWS\system32\Restore
2008-09-23 21:28:09 ----D---- C:\WINDOWS\system32\npp
2008-09-23 21:28:07 ----D---- C:\WINDOWS\msagent
2008-09-23 21:28:05 ----D---- C:\WINDOWS\srchasst
2008-09-23 21:28:03 ----D---- C:\Program Files\NetMeeting
2008-09-23 21:28:02 ----D---- C:\WINDOWS\system32\Com
2008-09-23 21:27:59 ----D---- C:\Program Files\Windows NT
2008-09-23 21:27:59 ----D---- C:\Program Files\Windows Media Player
2008-09-23 21:27:59 ----D---- C:\Program Files\Outlook Express
2008-09-23 21:27:55 ----D---- C:\Program Files\Common Files\System
2008-09-23 21:27:35 ----D---- C:\WINDOWS\system32\oobe
2008-09-23 21:27:33 ----D---- C:\WINDOWS\system
2008-09-23 21:22:13 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-09-23 21:15:59 ----D---- C:\WINDOWS\EHome
2008-09-22 19:39:13 ----D---- C:\WINDOWS\Debug

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aslm75;aslm75; \??\C:\WINDOWS\system32\drivers\aslm75.sys []
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-11-17 2297664]
R3 bcgame;Nostromo HID Device Minidriver; C:\WINDOWS\system32\drivers\bcgame.sys [2003-07-23 22821]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2007-04-11 20496]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2007-04-11 34832]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2007-04-11 36112]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-02 6554496]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-04-05 33536]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-04-05 12928]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S1 bainigne;bainigne; \??\C:\Documents and Settings\ep0xy\Desktop\wowglider\bainigne.sys []
S1 flt;flt; \??\C:\Documents and Settings\ep0xy\Desktop\wowglider\flt.sys []
S1 gkhapfhdp;gkhapfhdp; \??\C:\Documents and Settings\ep0xy\Desktop\wowglider\gkhapfhdp.sys []
S1 glgwukb;glgwukb; \??\C:\Documents and Settings\ep0xy\Desktop\wowglider\glgwukb.sys []
S1 jrf;jrf; \??\C:\Documents and Settings\ep0xy\Desktop\wowglider\jrf.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 catchme;catchme; \??\C:\DOCUME~1\ep0xy\LOCALS~1\Temp\catchme.sys []
S3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\System32\DRIVERS\LHidFlt2.Sys [2003-11-07 25502]
S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2005-07-22 26112]
S3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\System32\DRIVERS\LMouFlt2.Sys [2003-11-07 70798]
S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2005-07-22 68864]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 uuhu;uuhu; \??\C:\Documents and Settings\ep0xy\Desktop\wowglider\uuhu.sys []
S3 vhndlqwivh;vhndlqwivh; \??\C:\Documents and Settings\ep0xy\Desktop\wowglider\vhndlqwivh.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 ydzodmzw;ydzodmzw; \??\C:\Documents and Settings\ep0xy\Desktop\wowglider\ydzodmzw.sys []
S3 ztb;ztb; \??\C:\Documents and Settings\ep0xy\Desktop\wowglider\ztb.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-02 159812]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2007-11-13 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2008-10-17 182928]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-07-25 378184]
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR; C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe [2002-12-17 7520337]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR; C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.04 2008-10-17 09:51:05

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Absolute Sound Recorder version 3.3.9-->"C:\Program Files\Absolute Sound Recorder\unins000.exe"
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
AOL Instant Messenger-->C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
ASUS Probe V2.24.10-->C:\WINDOWS\uninst.exe -f"C:\Program Files\ASUS\Asus Probe\DeIsL1.isu" -c"C:\Program Files\ASUS\Asus Probe\probunis.dll"
AsusUpdate-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ASUS\AsusUpdate\Uninst.isu"
BitTornado 0.3.17-->C:\Program Files\BitTornado\uninst.exe
Call of Duty 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/2630
Call of Duty 4: Modern Warfare-->"C:\Program Files\Steam\steam.exe" steam://uninstall/7940
CDDRV_Installer-->MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Counter-Strike-->"C:\Program Files\Steam\steam.exe" steam://uninstall/10
Day of Defeat: Source-->"C:\Program Files\Steam\steam.exe" steam://uninstall/300
DH Driver Cleaner Professional Edition-->C:\Program Files\Driver Cleaner Pro\Uninstall.exe
Excursion 9.5-->C:\WINDOWS\unvise32.exe C:\Excursion9.5\uninstal.log
Fraps (remove only)-->"C:\Fraps\uninstall.exe"
Google Talk (remove only)-->"C:\Program Files\Google\Google Talk\uninstall.exe"
Half-Life 2: Deathmatch-->"C:\program files\steam\steam.exe" steam://uninstall/320
HijackThis 2.0.2-->"C:\Documents and Settings\ep0xy\Desktop\HijackThis.exe" /uninstall
HLSW v1.1.5-->"C:\Program Files\HLSW\unins000.exe"
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Indeo® software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\Indeo\Uninst.isu" -c"C:\Program Files\Intel\Indeo\SavedSystemFiles\indounin.dll"
KhalInstallWrapper-->MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
K-Lite Codec Pack 3.01 Basic-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Logitech MouseWare 9.79 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Logitech SetPoint-->C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0009 -removeonly
Macromedia Dreamweaver 8-->MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
mIRC-->"C:\mIRC-TPG\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.16)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MultiMon TaskBar 2.1-->"C:\Program Files\MMTaskbar\unins000.exe"
Nostromo Array Programming Software-->MsiExec.exe /X{0F3A1C5A-DA6A-4536-A058-CBB857CAC20C}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA WDM Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B023185F-F1EF-4F97-B0BD-AE6D802226D1}\setup.exe"
NVTweak-->MsiExec.exe /I{39D385DF-53BA-4792-BED3-68132EEB488F}
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 8 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP8$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Sony Media Manager 2.0-->MsiExec.exe /X{C589B6DE-F7BF-4E22-8524-53E115EF6AB4}
Sony Vegas 6.0-->MsiExec.exe /X{5FCE0BF9-A1AA-4FA3-A28C-F62431CD52C4}
Spybot - Search & Destroy 1.4-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam-->C:\PROGRA~1\Steam\UNWISE.EXE C:\PROGRA~1\Steam\INSTALL.LOG
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoMach 4.0.4-->C:\Program Files\VideoMach-4.0.4\uninstall.exe
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe"

=====HijackThis Backups=====

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Player] C:\Documents and Settings\ep0xy\Application Data\Adobe\Player.exe

======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 35 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2302
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

Any way of telling how long I've had this on my PC?
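As an added example (not code from RSIT, from this thread, or from its helpers): a small Python triage script that parses driver and service lines in the format of the RSIT log above and flags the entries a responder would look at first: images outside the Windows and Program Files roots, images under a user profile or temp folder, and entries where RSIT printed `[]` instead of a date and size. The path roots, the profile/temp markers and the reading of an empty `[]` as "no file info recorded" are assumptions; the sample lines are copied from the log above. A flag is a review queue, not a verdict: a legitimate scanner that loads its driver from Temp is flagged exactly like anything else, and boot/system-start drivers are promoted because they load before user-mode security tools run.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical triage helper (not part of RSIT): parses the "List of drivers" /
# "List of services" lines of an RSIT log.txt and attaches review flags.
# A flag means "look at this entry first", not "this entry is malicious".

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"    # R=Running/S=Stopped + start type 0-4
    r"(?P<name>[^;]+);(?P<desc>[^;]*);\s*"    # service name; display name;
    r"(?P<path>.*?)\s*"                       # image path (may contain spaces)
    r"\[(?P<info>[^\]]*)\]\s*$"               # [date size], or [] when RSIT had no file info
)

# Assumption: on this XP box everything trustworthy lives under these roots.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Path fragments that point into a user profile or a temp directory (assumed markers).
USER_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\desktop\\")


@dataclass
class Entry:
    state: str
    start: int
    name: str
    desc: str
    path: str
    info: str
    flags: List[str] = field(default_factory=list)


def normalize(path: str) -> str:
    """Strip the NT object-manager prefix RSIT prints for some drivers, then lowercase."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse_line(line: str) -> Optional[Entry]:
    """Parse one RSIT driver/service line; returns None for headers, blanks and EOF markers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["state"], int(m["start"]), m["name"], m["desc"],
                 normalize(m["path"]), m["info"].strip())


def triage(entry: Entry) -> Entry:
    """Attach review flags to an entry in place and return it."""
    p = entry.path
    if not p.startswith(SYSTEM_PREFIXES):
        entry.flags.append("image outside Windows/Program Files")
    if any(marker in p for marker in USER_MARKERS):
        entry.flags.append("image under a user profile or temp dir")
    if not entry.info:
        entry.flags.append("no date/size recorded for the file")
    # A boot- or system-start driver (0/1) that already has a flag gets priority:
    # it is loaded before user-mode security tools get a chance to run.
    if entry.start <= 1 and entry.flags:
        entry.flags.append("boot/system-start driver")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Return only the entries that picked up at least one flag, in log order."""
    flagged = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None and triage(e).flags:
            flagged.append(e)
    return flagged


# Constructed sample: a handful of lines copied from the RSIT log in this thread.
SAMPLE_LOG = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aslm75;aslm75; \??\C:\WINDOWS\system32\drivers\aslm75.sys []
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
S1 bainigne;bainigne; \??\C:\Documents and Settings\ep0xy\Desktop\wowglider\bainigne.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ep0xy\LOCALS~1\Temp\catchme.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.state}{e.start} {e.name:<10} {e.path}")
        for f in e.flags:
            print(f"    - {f}")
```

Run against a full log.txt the script leaves the McAfee, Logitech and Microsoft entries alone and lists the `\??\...\Desktop\wowglider\*.sys` drivers and the Temp-loaded driver first; what each flagged file actually is still has to be checked by hand (vendor, signature, known tool) before anything is removed.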

Offline ep0xy
« Reply #11 on: October 17, 2008, 08:19:25 AM »
Thx again, hope you have a good day


EDIT: afterthought

Any way of telling how long I've had this on my PC?

I decided to change all my pw's.

When I went to the bank site, the bank site said it did not recognize my computer. Is that because that program had it set so I would re-enter my info?

Anyways, we removed the hack so we should be good to re-type pw's, or at least I hope, cause I went ahead and did all that already.
« Last Edit: October 17, 2008, 09:04:21 AM by ep0xy »

Offline ep0xy
« Reply #12 on: October 17, 2008, 11:12:55 AM »
Another side note: strangely my PC wouldn't get me online... after unplugging the router like 3 times I got back on...

I tried to open Ventrilo; when I double-clicked it I got some strange msg saying can't open on server 1, something like that. I clicked OK cause there was nothing left to do...

When I double-clicked it again... it opened, BUT.... ALL my Ventrilo IPs, user names etc... were all deleted, as if it was a fresh install of Vent. I lost everything... what would have caused that... it's just like email pw's, logons etc.. every one got removed..

At this time, is it safe to use System Restore? I'll wait till I hear word from you. I'll be able to read your response later but I'm away from this PC till Sunday night. Thx again
« Last Edit: October 17, 2008, 11:17:52 AM by ep0xy »

Offline guestolo
« Reply #13 on: October 17, 2008, 09:13:18 PM »
It's your option to use System Restore; that's why I hate to hear people disable it before running fixes, but if you do, don't restore to a date where you KNOW you were infected.
If you do use SR, post fresh logs from RSIT.exe.

Don't forget, your Restore points could all be infected.
« Last Edit: October 17, 2008, 09:14:45 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline ep0xy
« Reply #14 on: October 18, 2008, 10:58:29 AM »
So the latest logs I posted looked OK, guestolo?

Yea.. I'm not going to do System Restore, not worth going down that road.

What do you think caused Ventrilo to delete all my IPs and user names?

Offline guestolo
« Reply #15 on: October 18, 2008, 06:26:14 PM »
The latest logs look ok.

Quote
What do you think caused Ventrilo to delete all my IPs and user names?
I don't use Ventrilo, and I can't predict how long you had this rootkit on your computer.
You always take a chance when downloading crack files.

Offline ep0xy
« Reply #16 on: October 19, 2008, 07:50:10 PM »
Yeah for sure, but the log files look clean, right? Thanks again

Offline guestolo
« Reply #17 on: October 21, 2008, 05:47:16 PM »
Sorry for the delay, the last logs looked fine

Offline ep0xy
« Reply #18 on: October 22, 2008, 09:11:03 AM »
np, thanks again guestolo