  1. #1 - Member (Join Date: Jul 2010, Posts: 8, Points: 0)

    tr dropper problem

    Hi, I found this trojan called tr dropper through my AntiVir antivirus.

    I was wondering what problems it could cause and how to remove it.

    Also, I suspect it came from my thumb drive (which was plugged into my computer when I did the scan).

    Here are the logs:

    HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:20:19 PM, on 7/18/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16945)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\SingTelWCM\McciTrayApp.exe
    C:\Program Files\Razer\razerhid.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\VentSrv\ventrilo_svc.exe
    C:\Program Files\VentSrv\ventrilo_srv.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Documents and Settings\jie heng.COMPUTER\My Documents\RMP2\RMP2.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\Program Files\Razer\razerofa.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\System32\svchost.exe
    c:\program files\logitech\quickcam\lu\lulnchr.exe
    c:\program files\logitech\quickcam\lu\LogitechUpdate.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
    O2 - BHO: Little Fighter 2 Toolbar Helper - {AE90C38C-97CF-4696-B290-C7973DC9675E} - C:\Program Files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: Little Fighter 2 Toolbar - {C3CD744D-2FAE-4640-8297-16B5DA423104} - C:\Program Files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll
    O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [SingTelWCM_McciTrayApp] C:\Program Files\SingTelWCM\McciTrayApp.exe
    O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [Dimondback] C:\Program Files\Razer\Diamondback\razerhid.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-KLKD7.exe" /REG
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [RGSC] E:\jie heng's things\JIE HENG GAMES\gta4\Rockstar Games Social Club\RGSCLauncher.exe /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [svchost.exe] C:\Documents and Settings\jie heng.COMPUTER\Application Data\Microsoft\svchost.exe
    O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: RMP2.lnk = C:\Documents and Settings\jie heng.COMPUTER\My Documents\RMP2\RMP2.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/.../GAME_UNO1.cab
    O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - ijji - Where Gamers Unite!
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - ijji - Where Gamers Unite!
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Futuremark Measurement Services Client) - http://service.futuremark.com/virtualmark/tc/MSC3.cab
    O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} - ijji - Where Gamers Unite!
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://by129fd.bay129.hotmail.msn.co...x/HMAtchmt.ocx
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BZQXJDKO - Unknown owner - C:\DOCUME~1\JIEHEN~1.COM\LOCALS~1\Temp\BZQXJDKO.exe (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: SOLXII - Unknown owner - C:\DOCUME~1\JIEHEN~1.COM\LOCALS~1\Temp\SOLXII.exe (file missing)
    O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

    --
    End of file - 16058 bytes



    Malwarebytes log:

    Malwarebytes' Anti-Malware 1.46
    Malwarebytes

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    7/18/2010 2:19:31 PM
    mbam-log-2010-07-18 (14-19-31).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|H:\|)
    Objects scanned: 386721
    Time elapsed: 2 hour(s), 3 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\memman.vxd (Rogue.sysCleaner) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Downloader) -> No action taken.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (regedit.exe"%1" %*) Good: (regedit.exe "%1") -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\memman.vxd (Rogue.sysCleaner) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\71747601\2302A1E7\memman.vxd (Rogue.sysCleaner) -> No action taken.
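    Added example, not part of the original thread and not code from HijackThis, Malwarebytes or any other tool named here: a small Python triage script that scans HijackThis-style lines for the two patterns that stand out in the log above. The first is an O4 Run-key entry that launches a file named like a Windows system binary (svchost.exe) from a user profile directory instead of %SystemRoot%\system32, which is the item Malwarebytes labelled Trojan.Downloader. The second is an O23 service whose image sits in a Temp directory. The sample lines are abbreviated copies of lines posted above; the list of impersonated binaries and the rules themselves are my own assumptions.

```python
import re

# Constructed sample: abbreviated copies of HijackThis lines from the log
# posted above, enough to exercise both rules. Not the full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svchost.exe] C:\Documents and Settings\jie heng.COMPUTER\Application Data\Microsoft\svchost.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: BZQXJDKO - Unknown owner - C:\DOCUME~1\JIEHEN~1.COM\LOCALS~1\Temp\BZQXJDKO.exe (file missing)
O23 - Service: SOLXII - Unknown owner - C:\DOCUME~1\JIEHEN~1.COM\LOCALS~1\Temp\SOLXII.exe (file missing)
""".strip().splitlines()

# Windows binaries that malware commonly impersonates by name. Genuine copies
# live in %SystemRoot%\system32 (explorer.exe in %SystemRoot%). Assumed list.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe", "ctfmon.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# O4 - HKCU\..\Run: [name] command          (Startup/Global Startup lines are skipped)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: display name (svc) - owner - image path [ (file missing) ]
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def command_image(cmd):
    """Return the executable path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the image is everything up to the first ".exe" token.
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def split_path(image):
    """Split a Windows path into (lowercase directory, lowercase file name)."""
    image = image.replace("/", "\\")
    if "\\" not in image:
        return "", image.lower()
    folder, base = image.rsplit("\\", 1)
    return folder.lower(), base.lower()


def triage(lines):
    """Flag suspicious O4 (Run key) and O23 (service) entries; returns a list of dicts."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            image = command_image(m.group("cmd"))
            folder, base = split_path(image)
            # A system-binary name outside the Windows directory is the classic
            # masquerade seen in the HKCU Run entry above.
            if base in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
                findings.append({"kind": "O4", "name": m.group("name"), "image": image,
                                 "reason": base + " launched from outside the Windows directory"})
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            # "Unknown owner" plus "(file missing)" alone is noisy: uninstalled
            # software leaves such entries (the Symantec line). A service image
            # under a Temp directory is the stronger signal.
            if "\\temp\\" in path.lower():
                findings.append({"kind": "O23", "name": m.group("svc"), "image": path,
                                 "reason": "service image located in a Temp directory"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}: {f['reason']}\n    {f['image']}")
```

    Run against the sample it reports three entries: the svchost.exe Run key under Application Data and the two randomly named services in Temp. The Avira and ctfmon.exe lines pass because their images live where they should, and the Symantec leftover passes because the rule keys on location rather than on "(file missing)". To use it on a full HijackThis log, read the file and pass its lines to triage().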

  2. #2 - NeonFx, Spyware Fighter, Member (Join Date: Jan 2010, Location: California, Posts: 1,100, Points: 85)

    Hello there, welcome to the Help2Go Forums.
    My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.


    Please note the following:
    • The fixes are specific to your problem and should only be used on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
    • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.



    Step 1

    Download OTS to your Desktop
    • Close ALL OTHER PROGRAMS.
    • Double-click on OTS.exe to start the program.
    • Check the box that says Scan All Users
    • Under Basic Scans please change the radio button under Registry from Safe List to All.
    • Under Additional Scans check the following:
      • Reg - Desktop Components
      • Reg - Disabled MS Config Items
      • Reg - NetSvcs
      • Reg - Shell Spawning
      • Reg - Uninstall List
      • File - Lop Check
      • File - Purity Scan
      • Evnt - EvtViewer (last 10)
    • Please paste the contents of the following codebox into the Custom Scans box at the bottom
    Code:
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

    To ensure that I get all the information this log will need to be attached. Please attach the log in your next post. To do so click on the gray "Reply to Thread" button or "Go Advanced" and click on the "Manage Attachments" button. You will get a dialog where you can "Browse..." for the file.

    Step 2

    GMER Rootkit Scanner
    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs. Make sure you disable your security programs as well, as they may interfere with the program.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable your security programs when done.


    If you have trouble running GMER, please try running it in Safe Mode. To get to Safe Mode you'll need to repeatedly tap the F8 key on your keyboard as you turn your computer on until a black and white menu appears with the option.

    If you continue to have trouble with it, try running it without the "Files" scan checked.


    Again, if the results are really long, please attach them using the instructions I gave you at the end of step 1. This is to avoid having to scroll down the page too much and make the space cleaner.


  3. #3 - Member (Join Date: Jul 2010, Posts: 8, Points: 0)

    GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
    Rootkit quick scan 2010-07-20 21:49:10
    Windows 5.1.2600 Service Pack 3
    Running: hmkdvgxi.exe; Driver: C:\DOCUME~1\JIEHEN~1.COM\LOCALS~1\Temp\pgldqpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT sptd.sys ZwEnumerateKey [0xBA6DBD48]
    SSDT sptd.sys ZwEnumerateValueKey [0xBA6DC0C0]

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8AD0DA40
    Device \FileSystem\Fastfat \Fat 8A8F66F0

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
    Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
    Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
    Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

    ---- EOF - GMER 1.0.15 ----

  4. #4 - NeonFx, Spyware Fighter, Member (Join Date: Jan 2010, Location: California, Posts: 1,100, Points: 85)

    The following program will scan for and remove infections but it will do other things such as preventing USB drives from infecting your computer by preventing them from running anything automatically:


    NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
    • Double click on ComboFix.exe & follow the prompts.

      Note: Combofix will run without the Recovery Console installed.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


  5. #5 - Member (Join Date: Jul 2010, Posts: 8, Points: 0)

    Hey, if I plug my USB drive into my computer while running this program, will it remove the virus from my computer as well as my thumb drive?

  6. #6 - NeonFx, Spyware Fighter, Member (Join Date: Jan 2010, Location: California, Posts: 1,100, Points: 85)

    It can't hurt, but you will probably have to erase everything on the USB drive by formatting it after we're done to be absolutely sure it's clean.


  7. #7 - Member (Join Date: Jul 2010, Posts: 8, Points: 0)

    I copied and pasted the files from my thumb drive into a folder on my desktop called "thumdrive".

    "??"=hex:71,b3,06,08,d2,cb,03,1c,d4,12,b5,46,8d,8f,db,2f,54,79,49,bd,b8,ea,b3,
    52,5a,9b,41,77,76,7d,98,18,6e,e4,b1,5c,2c,84,8a,e5,92,72,ae,6f,40,0f,2f,1d,\
    "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

    [HKEY_USERS\S-1-5-21-1060284298-1547161642-725345543-1007\Software\SecuROM\License information*]
    "datasecu"=hex:7e,98,7f,44,7c,6f,5a,c9,75,5e,3b,a6,36,af,d8,ee,12,d5,1b,ed,61,
    35,ec,45,e6,0e,89,af,cc,1c,7b,45,f4,e8,ba,52,47,4c,fb,60,d6,24,58,be,53,68,\
    "rkeysecu"=hex:e9,8d,ff,fe,b1,74,c6,6f,48,31,49,f7,be,e2,3e,41

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    "OODEFRAG10.00.00.01WORKSTATION"="7F13F4A5D3FD3A87D01773B38115B704548384BF6117FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933FEBC9E127BECC74CA9C6AECB7A5D1407A6A0AC4980AC793387EE99D49CA7306A1346C10224E097682866B461A508726ADBB159329FF3C4BFC56018EEEA38F64C4B865CE47DE67F26C9A55AD870F04C4889CEA23E630C85C9815591802232A0346B130453A5293C5C2B36E0216119D4D2FEA971F95A42C2620904091F192B0CA01F88FE9664F28207F1BFF655CAA738A80113F6EF85353C68DF8355E61F5A2E50C569E87AF1379C687DCB1C117567B52B8ABC3A2E59A8477E3BCF2077F49C1348749AB250FD8C69055C49A5F79A459F8148BF13C73D064B0C86CAE9754D74564F71669F6B28AB5C27538B3B2EE9D6DE941B96B0538D57C43CDFB80487D385A8F1B8F7462688737959DBC65C5E07D1EE931AA094EB984E447E9AC096D9A497CF82786215DBA8E55B6F2216D6B60811DC718CA194AFA43D6E063C709B1B519AA591169BC8ED07A8327D067951E67812CC62F240DAC1E81DF94900B76200DD9D977AA87B77C194843E5C1D5144A6D6FA77E0FB096348910A3503546A8CC0435525D77A40083EB7E8D72A2FE5FBAD1710A6AC0F6A02EDBE437E345B429117EE1B65898C0B35514B6767C7B86098BB9FBE3BC6C4385B6183AB4B9E6B5A3C43C2EB01B492E1916A9CB56AD8EACE9110CB1326F4EAA9E9D5694DA2C910B3AB0A1369B541F1ADFD006DAD76C8A9A42CF26A41704283D97B026AD223010733D1B229D654DA48BBB388734DAF438D3808ABBE20B3FB434AB09F798C7AD2C321F608409D42F1E3BDBE825A36CF3A634314097E2A22B4155B01ED77EDEE93EAA8B35A0C4BF73AC9C8FD6DBE2E26E1AA6496DD5700FBC314D6B4AFBE90D7D958DB78FC3111042D305625CEB39F94B49A1EA67DE5E11A4114E56A2B1AAD22009BAD08484742070603C3BDAFBE98926E98563243BD39678C191A92AAC9264DA574F77818DB59B6C461D2A11B594BA7914358798B670FE3475EE475FD037FED2FDB7634CAEFF25CAC9FA80123710C74E1E9521239DB932158CF20AAF6EB5FACC1FA48FAC4F74E54C744CE5FDA6AD62C6A915764B00B19C8680F85216CA112454A3273606DDED211E18C3216DC994792F573DBACDCD8969367F2341AB9348908F69160C7AF0108178AE5A54F44482102177A3BFC2B1A26520704B0AB3CA7D7583AE05BEF7D2E1B0016F45C0BB2B5C86AA34835388C9C0868BC7F6140D7F2B431CC1B14E5C82CDCF71D12721E4D924A4D33326998779C9ECB43D69293F104FC1C296D1F8B88344242FA4662AFBA07D1C1
A3BE612AE44FF00A1831F23976B930BA8E3BF4193A73E3B24FD38F3BA82A327016AB05CDD2DAA9407E6616"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(7836)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\windows\system32\nview.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\program files\PC Connectivity Solution\ConnAPI.DLL
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\program files\WinSCP\DragExt.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\VentSrv\ventrilo_svc.exe
    c:\program files\VentSrv\ventrilo_srv.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\system32\Rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Razer\razerofa.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\3M\PSNLite\PSNGive.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\program files\logitech\quickcam\lu\lulnchr.exe
    c:\program files\logitech\quickcam\lu\LogitechUpdate.exe
    c:\program files\Java\jre6\bin\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-22 18:55:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-22 10:55

    Pre-Run: 12,121,518,080 bytes free
    Post-Run: 12,658,991,104 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

    - - End Of File - - C517A2986FCC8F5B7923272A34951B95

  8. #8
    Member
    Join Date
    Jul 2010
    Posts
    8
    Points
    0

    Default

    Sorry, this is the full ComboFix scan.

    ComboFix 10-07-21.02 - jie heng 07/22/2010 18:39:11.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1586 [GMT 8:00]
    Running from: c:\documents and settings\jie heng.COMPUTER\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\jie heng.COMPUTER\Application Data\.#
    c:\windows\settings.reg
    c:\windows\system32\Data
    c:\windows\system32\skinboxer43.dll
    c:\windows\system32\Temp
    c:\windows\TEMP\logishrd\LVPrcInj01.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
    .

    2010-07-18 15:55 . 2010-07-18 15:55 -------- d-----w- c:\documents and settings\jie heng.COMPUTER\Local Settings\Application Data\iRinger
    2010-07-18 13:19 . 2010-07-18 13:19 -------- d-----w- c:\program files\iPod
    2010-07-18 13:19 . 2010-07-18 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-07-18 13:16 . 2010-07-18 13:17 -------- d-----w- c:\program files\QuickTime
    2010-07-18 13:15 . 2010-07-18 13:15 -------- d-----w- c:\program files\Apple Software Update
    2010-07-18 13:12 . 2010-07-18 13:12 -------- d-----w- c:\program files\Bonjour
    2010-07-18 04:13 . 2010-07-18 04:13 -------- d-----w- c:\program files\Trend Micro
    2010-07-18 04:13 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-18 04:13 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-18 13:24 . 2008-03-30 14:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-18 13:20 . 2010-02-26 14:03 -------- d-----w- c:\program files\iTunes
    2010-07-18 13:19 . 2007-10-09 11:51 -------- d-----w- c:\program files\Common Files\Apple
    2010-07-06 15:47 . 2009-09-06 11:08 -------- d-----w- c:\documents and settings\jie heng.COMPUTER\Application Data\Any Video Converter
    2010-06-19 17:20 . 2008-12-25 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
    2010-06-19 06:46 . 2008-12-25 16:23 -------- d-----w- c:\program files\Messenger Plus! Live
    2010-06-19 00:06 . 2010-06-19 00:06 503808 ----a-w- c:\documents and settings\jie heng.COMPUTER\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3b566d37-n\msvcp71.dll
    2010-06-19 00:06 . 2010-06-19 00:06 499712 ----a-w- c:\documents and settings\jie heng.COMPUTER\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3b566d37-n\jmc.dll
    2010-06-19 00:06 . 2010-06-19 00:06 348160 ----a-w- c:\documents and settings\jie heng.COMPUTER\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3b566d37-n\msvcr71.dll
    2010-06-15 12:01 . 2010-06-15 12:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-15 04:30 . 2010-06-15 04:26 25214 ----a-r- c:\documents and settings\jie heng.COMPUTER\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_29D232B856F0A1CBA486B8.exe
    2010-06-15 04:30 . 2010-06-15 04:26 10398 ----a-r- c:\documents and settings\jie heng.COMPUTER\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_3324690356DD71877A1B6A.exe
    2010-06-15 04:30 . 2010-06-15 04:26 -------- d-----w- c:\program files\iPhoneBrowser
    2010-06-15 03:25 . 2010-06-15 03:25 -------- d-----w- c:\program files\WinSCP
    2010-05-18 08:35 . 2010-05-18 08:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 08:35 . 2010-05-18 08:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-03 07:05 . 2010-02-26 14:13 76800 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-04-29 15:26 . 2010-04-29 15:45 360448 ----a-w- c:\windows\ltsModule.exe
    2008-07-10 12:39 . 2008-02-09 14:37 553 ----a-w- c:\program files\FRAPSLOG.TXT
    2008-02-09 14:36 . 2008-02-09 14:36 34552 ----a-w- c:\program files\uninstall.exe
    2008-01-14 12:53 . 2008-01-14 12:53 913064 ----a-w- c:\program files\fraps.exe
    2008-01-14 12:51 . 2008-01-14 12:51 172032 ----a-w- c:\program files\fraps.dll
    2008-01-14 12:51 . 2008-01-14 12:51 111616 ----a-w- c:\program files\fraps64.dll
    2008-01-14 12:51 . 2008-01-14 12:51 1683968 ----a-w- c:\program files\fraps64.dat
    2008-01-14 12:51 . 2008-01-14 12:51 135168 ----a-w- c:\program files\frapslcd.dll
    2008-01-14 12:12 . 2008-01-14 12:12 12988 ----a-w- c:\program files\changes.txt
    2008-01-14 12:07 . 2008-01-14 12:07 1841 ----a-w- c:\program files\README.HTM
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE90C38C-97CF-4696-B290-C7973DC9675E}]
    2009-03-11 14:11 806912 ----a-w- c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{C3CD744D-2FAE-4640-8297-16B5DA423104}"= "c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll" [2009-03-11 806912]

    [HKEY_CLASSES_ROOT\clsid\{c3cd744d-2fae-4640-8297-16b5da423104}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{C3CD744D-2FAE-4640-8297-16B5DA423104}"= "c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll" [2009-03-11 806912]

    [HKEY_CLASSES_ROOT\clsid\{c3cd744d-2fae-4640-8297-16b5da423104}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2005-10-24 90112]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-07 149280]
    "SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
    "SingTelWCM_McciTrayApp"="c:\program files\SingTelWCM\McciTrayApp.exe" [2007-01-28 935936]
    "razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-01-23 223232]
    "P17Helper"="P17.dll" [2005-05-03 64512]
    "nwiz"="nwiz.exe" [2007-12-04 1626112]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "Dimondback"="c:\program files\Razer\Diamondback\razerhid.exe" [2007-02-14 147456]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2006-10-04 53760]

    c:\documents and settings\jie heng.COMPUTER\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
    RMP2.lnk - c:\documents and settings\jie heng.COMPUTER\My Documents\RMP2\RMP2.exe [2010-5-12 1486848]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
    Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
    "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "f:\\jie heng's things\\JIE HENG GAMES\\bf2\\BF2.exe"=
    "f:\\jie heng's things\\JIE HENG GAMES\\COD4\\iw3mp.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_07\\bin\\java.exe"=
    "f:\\jie heng's things\\JIE HENG GAMES\\AOE 3\\age3.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "48950:TCP"= 48950:TCP:SolidNetworkManager
    "48950:UDP"= 48950:UDP:SolidNetworkManager
    "47666:TCP"= 47666:TCP:*isabled:SolidNetworkManager
    "47666:UDP"= 47666:UDP:*isabled:SolidNetworkManager

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/16/2010 1:55 PM 108289]
    R2 sensorsview;sensorsview;c:\windows\system32\drivers\sensorsview.sys [2/9/2006 7:54 PM 3136]
    S1 amdtools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\amdtools.sys --> c:\windows\system32\DRIVERS\amdtools.sys [?]
    S3 adxapie;adxapie;\??\c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\adxapie.sys --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\adxapie.sys [?]
    S3 BZQXJDKO;BZQXJDKO;c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\BZQXJDKO.exe --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\BZQXJDKO.exe [?]
    S3 cpuz;cpuz;\??\c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\cpuz.sys [?]
    S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\CZQ21.tmp --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\CZQ21.tmp [?]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [5/27/2009 9:15 PM 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [5/27/2009 9:15 PM 79360]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2/26/2010 10:00 PM 17408]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [6/3/2007 6:47 PM 13225]
    S3 RTCore32;RTCore32;\??\c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\Rar$EX00.844\RTCore32.sys --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\Rar$EX00.844\RTCore32.sys [?]
    S3 SOLXII;SOLXII;c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\SOLXII.exe --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\SOLXII.exe [?]
    S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys --> c:\windows\system32\XDva011.sys [?]
    S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
    S3 XDva052;XDva052;\??\c:\windows\system32\XDva052.sys --> c:\windows\system32\XDva052.sys [?]
    S3 XDva098;XDva098;\??\c:\windows\system32\XDva098.sys --> c:\windows\system32\XDva098.sys [?]
    S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
    S3 XDva220;XDva220;\??\c:\windows\system32\XDva220.sys --> c:\windows\system32\XDva220.sys [?]
    S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]
    S3 XDva231;XDva231;\??\c:\windows\system32\XDva231.sys --> c:\windows\system32\XDva231.sys [?]
    S3 XDva234;XDva234;\??\c:\windows\system32\XDva234.sys --> c:\windows\system32\XDva234.sys [?]
    S3 XDva260;XDva260;\??\c:\windows\system32\XDva260.sys --> c:\windows\system32\XDva260.sys [?]
    S3 XDva269;XDva269;\??\c:\windows\system32\XDva269.sys --> c:\windows\system32\XDva269.sys [?]
    S3 XDva279;XDva279;\??\c:\windows\system32\XDva279.sys --> c:\windows\system32\XDva279.sys [?]
    S3 XDva295;XDva295;\??\c:\windows\system32\XDva295.sys --> c:\windows\system32\XDva295.sys [?]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/4/2006 10:34 PM 643072]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    mStart Page = hxxp://www.yahoo.com
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\jie heng.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ogo7ag1a.default\
    FF - prefs.js: browser.search.selectedEngine - ICQ Search
    FF - prefs.js: browser.startup.homepage - Google
    FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
    FF - prefs.js: network.proxy.http - proxy.singnet.com.sg
    FF - prefs.js: network.proxy.http_port - 8080
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\program files\AhnLab\ASP\Components\aosmgr\conflict_221\npaosmgr.dll
    FF - plugin: c:\program files\AhnLab\ASP\MyKeyDefense 2.5\npmkd25aos.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
    FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-RGSC - e:\jie heng's things\JIE HENG GAMES\gta4\Rockstar Games Social Club\RGSCLauncher.exe
    AddRemove-Battlefield Pirates 2 - f:\jie heng's things\JIE HENG GAMES\bf2\mods\BFP2\Battlefield 2\BFP2uninstaller.exe
    AddRemove-Bet on Soldier_is1 - e:\jie heng's things\JIE HENG GAMES\bos\Bet on Soldier\unins000.exe
    AddRemove-CCleaner - e:\jie heng's things\jie heng programs\ccleaner\uninst.exe
    AddRemove-Combat Mission Shock Force_is1 - e:\jie heng's things\JIE HENG GAMES\combat mission\Combat Mission Shock Force\unins000.exe
    AddRemove-Earth 2160 - e:\jiehen~1\JIAA3F~1\EARTH2~1\EARTH2~1\Uninstall_Earth2160.exe
    AddRemove-Electronic Arts Game Updater - c:\program files\EACom\Update\Uninst.isu
    AddRemove-Frets on Fire - e:\jie heng's things\JIE HENG GAMES\fretsonfire\Frets on Fire\Uninstall.exe
    AddRemove-Game Cam - e:\jie heng's things\jie heng programs\gamecam\Game Cam V2\uninst.exe
    AddRemove-Grand Theft Auto IV_is1 - e:\jie heng's things\JIE HENG GAMES\gta4\Grand Theft Auto IV\unins000.exe
    AddRemove-Gunz - e:\jie heng's things\JIE HENG GAMES\gunz\Uninstall.exe
    AddRemove-Half-Life 2 Portal_is1 - e:\jie heng's things\JIE HENG GAMES\halflife 2\Half-Life 2 Portal\unins000.exe
    AddRemove-Little Fighter 2.5 - v2.0 - e:\jie heng's things\JIE HENG GAMES\rlf2\LF2_v1.9c\Uninstal.exe
    AddRemove-Nations at War5.0 - e:\jie heng's things\JIE HENG GAMES\bf2\mods\naw\Uninstall\MOD\N.A.W
    AddRemove-PoE:2 - e:\jie heng's things\JIE HENG GAMES\bf2\mods\poe2\uninstall.exe
    AddRemove-Rome - Total War & Barbarian Invasion_is1 - e:\rome - total war\unins000.exe
    AddRemove-Soldat_is1 - e:\jie heng's things\JIE HENG GAMES\soldat\Soldat\unins000.exe
    AddRemove-SopCast - e:\jie heng's things\JIE HENG GAMES\sopcast\uninst.exe
    AddRemove-Sword of the Stars - e:\jie heng's things\JIE HENG GAMES\sword of the stars\Uninstall.exe
    AddRemove-TmSunrise_is1 - e:\jie heng's things\JIE HENG GAMES\TM SUNRISE\TrackMania Sunrise\unins000.exe
    AddRemove-World Series of Poker TOC - e:\jie heng's things\JIE HENG GAMES\world series poker tournament\World Series of Poker TOC\Uninstall.exe
    AddRemove-{45DB5C4F-5C49-42EA-A4F9-8B26F449B2AC}_is1 - e:\gtr2\Support\unins000.exe
    AddRemove-京龙-侠盗猎车III - e:\jiehen~1\JIAA3F~1\GTA3~1\Gta3\UNWISE.EXE
    AddRemove-ijji.com - c:\ijji\ENGLISH\ijjiUninstall.exe
    AddRemove-Warcraft III - c:\windows\War3Unin.exe

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-07-22 18:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\EFValdation.INI 219 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet011\Services\GarenaPEngine]
    "ImagePath"="\??\c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\CZQ21.tmp"

    [HKEY_LOCAL_MACHINE\System\ControlSet011\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"

    [HKEY_LOCAL_MACHINE\System\ControlSet011\Services\vsdatant]
    "ImagePath"=""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1060284298-1547161642-725345543-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:71,b3,06,08,d2,cb,03,1c,d4,12,b5,46,8d,8f,db,2f,54,79,49,bd,b8,ea,b3,
    52,5a,9b,41,77,76,7d,98,18,6e,e4,b1,5c,2c,84,8a,e5,92,72,ae,6f,40,0f,2f,1d,\
    "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

    [HKEY_USERS\S-1-5-21-1060284298-1547161642-725345543-1007\Software\SecuROM\License information*]
    "datasecu"=hex:7e,98,7f,44,7c,6f,5a,c9,75,5e,3b,a6,36,af,d8,ee,12,d5,1b,ed,61,
    35,ec,45,e6,0e,89,af,cc,1c,7b,45,f4,e8,ba,52,47,4c,fb,60,d6,24,58,be,53,68,\
    "rkeysecu"=hex:e9,8d,ff,fe,b1,74,c6,6f,48,31,49,f7,be,e2,3e,41

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(7836)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\windows\system32\nview.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\program files\PC Connectivity Solution\ConnAPI.DLL
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\program files\WinSCP\DragExt.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\VentSrv\ventrilo_svc.exe
    c:\program files\VentSrv\ventrilo_srv.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\system32\Rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Razer\razerofa.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\3M\PSNLite\PSNGive.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\program files\logitech\quickcam\lu\lulnchr.exe
    c:\program files\logitech\quickcam\lu\LogitechUpdate.exe
    c:\program files\Java\jre6\bin\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-22 18:55:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-22 10:55

    Pre-Run: 12,121,518,080 bytes free
    Post-Run: 12,658,991,104 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

    - - End Of File - - C517A2986FCC8F5B7923272A34951B95
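A note for anyone working through the service table in the ComboFix output above, followed by an added Python example that is not part of this thread and is not ComboFix's own tooling. The lines a responder reads first are the S3 entries whose image path sits in the user's Temp directory and that ComboFix marks [?] (binary no longer on disk): adxapie, BZQXJDKO, cpuz, GarenaPEngine, RTCore32 and SOLXII. On their own they are not a verdict. CPU-Z (cpuz.sys), RivaTuner and the tools built on it (RTCore32.sys) and the Garena client commonly unpack a driver into Temp at run time and leave the service key behind, and the XDva*.sys series is typically left by the XTrap anti-cheat that several online games ship. But an executable with a meaningless name registered as a service from Temp is exactly the footprint a dropper leaves, so any name you cannot tie to a product installed on the box deserves attention, and a dangling key is cheap to remove since it can never start without its file. The three DisableMonitoring=1 values under the Security Center key are set by third-party security suites to stop duplicate alerts, but malware sets them for the opposite reason, so each one needs a known owner. The script parses the lines in the form ComboFix prints them; the sample input is a handful of lines copied from the log above and embedded so it runs offline, and the function names, the regular expressions and the "[?] means missing" reading of the format are my own assumptions rather than a documented ComboFix grammar.

```python
"""Triage of ComboFix loading-point lines.

Added example for this thread; it is not part of the original post and not
ComboFix's own tooling. It parses the "S3 name;description;path [...]"
service/driver lines and the Security Center "DisableMonitoring" values
shown in the log and flags the entries a responder checks first.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied verbatim from the ComboFix log in this
# thread, plus one registry block from the same log.
SAMPLE_LOG = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/16/2010 1:55 PM 108289]
S1 amdtools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\amdtools.sys --> c:\windows\system32\DRIVERS\amdtools.sys [?]
S3 cpuz;cpuz;\??\c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\cpuz.sys [?]
S3 BZQXJDKO;BZQXJDKO;c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\BZQXJDKO.exe --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\BZQXJDKO.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [6/3/2007 6:47 PM 13225]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

# "R2"/"S3": ComboFix's state letter (R = running, S = stopped) and start value.
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
# A service or driver binary that lives in a user or system Temp directory.
TEMP_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\|\\windows\\temp\\", re.I)


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: tuple


def parse_service_line(line):
    """Return (start, name, image_path, file_missing) or None for non-service lines."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    # ComboFix appends "[?]" when the binary could not be found on disk;
    # otherwise the bracket holds the file's timestamp and size.
    file_missing = rest.endswith("[?]")
    # When the registry ImagePath needed resolving, ComboFix prints
    # "<ImagePath> --> <resolved path> [..]"; keep the resolved side.
    path = rest.rsplit("-->", 1)[-1]
    path = re.sub(r"\s*\[[^\]]*\]$", "", path).strip()
    if path.startswith("\\??\\"):          # NT object-manager prefix
        path = path[4:]
    return m.group("start"), m.group("name"), path, file_missing


def triage_services(log_text):
    """Flag services whose binary sits in Temp or is missing ([?])."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_service_line(line)
        if parsed is None:
            continue
        _start, name, path, missing = parsed
        reasons = []
        if TEMP_RE.search(path):
            reasons.append("image path under a Temp directory")
        if missing:
            reasons.append("binary not found on disk ([?]); dangling loading point")
        if reasons:
            findings.append(Finding(name, path, tuple(reasons)))
    return findings


def security_center_disabled(log_text):
    """Return registry keys under which DisableMonitoring is set to 1."""
    hits, current_key = [], None
    for line in log_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current_key = s[1:-1]
        elif s.lower() == '"disablemonitoring"=dword:00000001' and current_key:
            hits.append(current_key)
    return hits


if __name__ == "__main__":
    for f in triage_services(SAMPLE_LOG):
        print(f"{f.service:<12} {f.image_path}\n    -> {'; '.join(f.reasons)}")
    for key in security_center_disabled(SAMPLE_LOG):
        print(f"Security Center monitoring disabled under {key}")
```

Run it against the full pasted log instead of SAMPLE_LOG and the Temp-plus-[?] set it prints is the list to reconcile against installed software before any service key is deleted; the entries that match a known product can be left for that product to recreate, the rest are what a reboot-and-rescan should confirm gone.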

  9. #9
    Member
    Join Date
    Jul 2010
    Posts
    8
    Points
    0

    Default

    Sorry, this is the full ComboFix scan.

    ComboFix 10-07-21.02 - jie heng 07/22/2010 18:39:11.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1586 [GMT 8:00]
    Running from: c:\documents and settings\jie heng.COMPUTER\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\jie heng.COMPUTER\Application Data\.#
    c:\windows\settings.reg
    c:\windows\system32\Data
    c:\windows\system32\skinboxer43.dll
    c:\windows\system32\Temp
    c:\windows\TEMP\logishrd\LVPrcInj01.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
    .

    2010-07-18 15:55 . 2010-07-18 15:55 -------- d-----w- c:\documents and settings\jie heng.COMPUTER\Local Settings\Application Data\iRinger
    2010-07-18 13:19 . 2010-07-18 13:19 -------- d-----w- c:\program files\iPod
    2010-07-18 13:19 . 2010-07-18 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-07-18 13:16 . 2010-07-18 13:17 -------- d-----w- c:\program files\QuickTime
    2010-07-18 13:15 . 2010-07-18 13:15 -------- d-----w- c:\program files\Apple Software Update
    2010-07-18 13:12 . 2010-07-18 13:12 -------- d-----w- c:\program files\Bonjour
    2010-07-18 04:13 . 2010-07-18 04:13 -------- d-----w- c:\program files\Trend Micro
    2010-07-18 04:13 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-18 04:13 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-18 13:24 . 2008-03-30 14:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-18 13:20 . 2010-02-26 14:03 -------- d-----w- c:\program files\iTunes
    2010-07-18 13:19 . 2007-10-09 11:51 -------- d-----w- c:\program files\Common Files\Apple
    2010-07-06 15:47 . 2009-09-06 11:08 -------- d-----w- c:\documents and settings\jie heng.COMPUTER\Application Data\Any Video Converter
    2010-06-19 17:20 . 2008-12-25 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
    2010-06-19 06:46 . 2008-12-25 16:23 -------- d-----w- c:\program files\Messenger Plus! Live
    2010-06-19 00:06 . 2010-06-19 00:06 503808 ----a-w- c:\documents and settings\jie heng.COMPUTER\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3b566d37-n\msvcp71.dll
    2010-06-19 00:06 . 2010-06-19 00:06 499712 ----a-w- c:\documents and settings\jie heng.COMPUTER\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3b566d37-n\jmc.dll
    2010-06-19 00:06 . 2010-06-19 00:06 348160 ----a-w- c:\documents and settings\jie heng.COMPUTER\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3b566d37-n\msvcr71.dll
    2010-06-15 12:01 . 2010-06-15 12:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-15 04:30 . 2010-06-15 04:26 25214 ----a-r- c:\documents and settings\jie heng.COMPUTER\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_29D232B856F0A1CBA486B8.exe
    2010-06-15 04:30 . 2010-06-15 04:26 10398 ----a-r- c:\documents and settings\jie heng.COMPUTER\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_3324690356DD71877A1B6A.exe
    2010-06-15 04:30 . 2010-06-15 04:26 -------- d-----w- c:\program files\iPhoneBrowser
    2010-06-15 03:25 . 2010-06-15 03:25 -------- d-----w- c:\program files\WinSCP
    2010-05-18 08:35 . 2010-05-18 08:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 08:35 . 2010-05-18 08:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-03 07:05 . 2010-02-26 14:13 76800 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-04-29 15:26 . 2010-04-29 15:45 360448 ----a-w- c:\windows\ltsModule.exe
    2008-07-10 12:39 . 2008-02-09 14:37 553 ----a-w- c:\program files\FRAPSLOG.TXT
    2008-02-09 14:36 . 2008-02-09 14:36 34552 ----a-w- c:\program files\uninstall.exe
    2008-01-14 12:53 . 2008-01-14 12:53 913064 ----a-w- c:\program files\fraps.exe
    2008-01-14 12:51 . 2008-01-14 12:51 172032 ----a-w- c:\program files\fraps.dll
    2008-01-14 12:51 . 2008-01-14 12:51 111616 ----a-w- c:\program files\fraps64.dll
    2008-01-14 12:51 . 2008-01-14 12:51 1683968 ----a-w- c:\program files\fraps64.dat
    2008-01-14 12:51 . 2008-01-14 12:51 135168 ----a-w- c:\program files\frapslcd.dll
    2008-01-14 12:12 . 2008-01-14 12:12 12988 ----a-w- c:\program files\changes.txt
    2008-01-14 12:07 . 2008-01-14 12:07 1841 ----a-w- c:\program files\README.HTM
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE90C38C-97CF-4696-B290-C7973DC9675E}]
    2009-03-11 14:11 806912 ----a-w- c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{C3CD744D-2FAE-4640-8297-16B5DA423104}"= "c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll" [2009-03-11 806912]

    [HKEY_CLASSES_ROOT\clsid\{c3cd744d-2fae-4640-8297-16b5da423104}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{C3CD744D-2FAE-4640-8297-16B5DA423104}"= "c:\program files\Little Fighter 2 Toolbar\v3.3.0.1\Little_Fighter_2_Toolbar.dll" [2009-03-11 806912]

    [HKEY_CLASSES_ROOT\clsid\{c3cd744d-2fae-4640-8297-16b5da423104}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2005-10-24 90112]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-07 149280]
    "SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
    "SingTelWCM_McciTrayApp"="c:\program files\SingTelWCM\McciTrayApp.exe" [2007-01-28 935936]
    "razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-01-23 223232]
    "P17Helper"="P17.dll" [2005-05-03 64512]
    "nwiz"="nwiz.exe" [2007-12-04 1626112]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "Dimondback"="c:\program files\Razer\Diamondback\razerhid.exe" [2007-02-14 147456]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2006-10-04 53760]

    c:\documents and settings\jie heng.COMPUTER\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
    RMP2.lnk - c:\documents and settings\jie heng.COMPUTER\My Documents\RMP2\RMP2.exe [2010-5-12 1486848]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
    Post-it® Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck 
OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck 
OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0autocheck OODBS\0OODBS

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
    "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "f:\\jie heng's things\\JIE HENG GAMES\\bf2\\BF2.exe"=
    "f:\\jie heng's things\\JIE HENG GAMES\\COD4\\iw3mp.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_07\\bin\\java.exe"=
    "f:\\jie heng's things\\JIE HENG GAMES\\AOE 3\\age3.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "48950:TCP"= 48950:TCP:SolidNetworkManager
    "48950:UDP"= 48950:UDP:SolidNetworkManager
    "47666:TCP"= 47666:TCP:*isabled:SolidNetworkManager
    "47666:UDP"= 47666:UDP:*isabled:SolidNetworkManager

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/16/2010 1:55 PM 108289]
    R2 sensorsview;sensorsview;c:\windows\system32\drivers\sensorsview.sys [2/9/2006 7:54 PM 3136]
    S1 amdtools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\amdtools.sys --> c:\windows\system32\DRIVERS\amdtools.sys [?]
    S3 adxapie;adxapie;\??\c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\adxapie.sys --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\adxapie.sys [?]
    S3 BZQXJDKO;BZQXJDKO;c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\BZQXJDKO.exe --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\BZQXJDKO.exe [?]
    S3 cpuz;cpuz;\??\c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\cpuz.sys [?]
    S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\CZQ21.tmp --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\CZQ21.tmp [?]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [5/27/2009 9:15 PM 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [5/27/2009 9:15 PM 79360]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2/26/2010 10:00 PM 17408]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [6/3/2007 6:47 PM 13225]
    S3 RTCore32;RTCore32;\??\c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\Rar$EX00.844\RTCore32.sys --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\Rar$EX00.844\RTCore32.sys [?]
    S3 SOLXII;SOLXII;c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\SOLXII.exe --> c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\SOLXII.exe [?]
    S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys --> c:\windows\system32\XDva011.sys [?]
    S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
    S3 XDva052;XDva052;\??\c:\windows\system32\XDva052.sys --> c:\windows\system32\XDva052.sys [?]
    S3 XDva098;XDva098;\??\c:\windows\system32\XDva098.sys --> c:\windows\system32\XDva098.sys [?]
    S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
    S3 XDva220;XDva220;\??\c:\windows\system32\XDva220.sys --> c:\windows\system32\XDva220.sys [?]
    S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]
    S3 XDva231;XDva231;\??\c:\windows\system32\XDva231.sys --> c:\windows\system32\XDva231.sys [?]
    S3 XDva234;XDva234;\??\c:\windows\system32\XDva234.sys --> c:\windows\system32\XDva234.sys [?]
    S3 XDva260;XDva260;\??\c:\windows\system32\XDva260.sys --> c:\windows\system32\XDva260.sys [?]
    S3 XDva269;XDva269;\??\c:\windows\system32\XDva269.sys --> c:\windows\system32\XDva269.sys [?]
    S3 XDva279;XDva279;\??\c:\windows\system32\XDva279.sys --> c:\windows\system32\XDva279.sys [?]
    S3 XDva295;XDva295;\??\c:\windows\system32\XDva295.sys --> c:\windows\system32\XDva295.sys [?]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/4/2006 10:34 PM 643072]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    mStart Page = hxxp://www.yahoo.com
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\jie heng.COMPUTER\Application Data\Mozilla\Firefox\Profiles\ogo7ag1a.default\
    FF - prefs.js: browser.search.selectedEngine - ICQ Search
    FF - prefs.js: browser.startup.homepage - Google
    FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
    FF - prefs.js: network.proxy.http - proxy.singnet.com.sg
    FF - prefs.js: network.proxy.http_port - 8080
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\program files\AhnLab\ASP\Components\aosmgr\conflict_221\npaosmgr.dll
    FF - plugin: c:\program files\AhnLab\ASP\MyKeyDefense 2.5\npmkd25aos.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
    FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-RGSC - e:\jie heng's things\JIE HENG GAMES\gta4\Rockstar Games Social Club\RGSCLauncher.exe
    AddRemove-Battlefield Pirates 2 - f:\jie heng's things\JIE HENG GAMES\bf2\mods\BFP2\Battlefield 2\BFP2uninstaller.exe
    AddRemove-Bet on Soldier_is1 - e:\jie heng's things\JIE HENG GAMES\bos\Bet on Soldier\unins000.exe
    AddRemove-CCleaner - e:\jie heng's things\jie heng programs\ccleaner\uninst.exe
    AddRemove-Combat Mission Shock Force_is1 - e:\jie heng's things\JIE HENG GAMES\combat mission\Combat Mission Shock Force\unins000.exe
    AddRemove-Earth 2160 - e:\jiehen~1\JIAA3F~1\EARTH2~1\EARTH2~1\Uninstall_Earth2160.exe
    AddRemove-Electronic Arts Game Updater - c:\program files\EACom\Update\Uninst.isu
    AddRemove-Frets on Fire - e:\jie heng's things\JIE HENG GAMES\fretsonfire\Frets on Fire\Uninstall.exe
    AddRemove-Game Cam - e:\jie heng's things\jie heng programs\gamecam\Game Cam V2\uninst.exe
    AddRemove-Grand Theft Auto IV_is1 - e:\jie heng's things\JIE HENG GAMES\gta4\Grand Theft Auto IV\unins000.exe
    AddRemove-Gunz - e:\jie heng's things\JIE HENG GAMES\gunz\Uninstall.exe
    AddRemove-Half-Life 2 Portal_is1 - e:\jie heng's things\JIE HENG GAMES\halflife 2\Half-Life 2 Portal\unins000.exe
    AddRemove-Little Fighter 2.5 - v2.0 - e:\jie heng's things\JIE HENG GAMES\rlf2\LF2_v1.9c\Uninstal.exe
    AddRemove-Nations at War5.0 - e:\jie heng's things\JIE HENG GAMES\bf2\mods\naw\Uninstall\MOD\N.A.W
    AddRemove-PoE:2 - e:\jie heng's things\JIE HENG GAMES\bf2\mods\poe2\uninstall.exe
    AddRemove-Rome - Total War & Barbarian Invasion_is1 - e:\rome - total war\unins000.exe
    AddRemove-Soldat_is1 - e:\jie heng's things\JIE HENG GAMES\soldat\Soldat\unins000.exe
    AddRemove-SopCast - e:\jie heng's things\JIE HENG GAMES\sopcast\uninst.exe
    AddRemove-Sword of the Stars - e:\jie heng's things\JIE HENG GAMES\sword of the stars\Uninstall.exe
    AddRemove-TmSunrise_is1 - e:\jie heng's things\JIE HENG GAMES\TM SUNRISE\TrackMania Sunrise\unins000.exe
    AddRemove-World Series of Poker TOC - e:\jie heng's things\JIE HENG GAMES\world series poker tournament\World Series of Poker TOC\Uninstall.exe
    AddRemove-{45DB5C4F-5C49-42EA-A4F9-8B26F449B2AC}_is1 - e:\gtr2\Support\unins000.exe
    AddRemove-京龙-侠盗猎车III - e:\jiehen~1\JIAA3F~1\GTA3~1\Gta3\UNWISE.EXE
    AddRemove-ijji.com - c:\ijji\ENGLISH\ijjiUninstall.exe
    AddRemove-Warcraft III - c:\windows\War3Unin.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-22 18:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\EFValdation.INI 219 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet011\Services\GarenaPEngine]
    "ImagePath"="\??\c:\docume~1\JIEHEN~1.COM\LOCALS~1\Temp\CZQ21.tmp"

    [HKEY_LOCAL_MACHINE\System\ControlSet011\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"

    [HKEY_LOCAL_MACHINE\System\ControlSet011\Services\vsdatant]
    "ImagePath"=""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1060284298-1547161642-725345543-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:71,b3,06,08,d2,cb,03,1c,d4,12,b5,46,8d,8f,db,2f,54,79,49,bd,b8,ea,b3,
    52,5a,9b,41,77,76,7d,98,18,6e,e4,b1,5c,2c,84,8a,e5,92,72,ae,6f,40,0f,2f,1d,\
    "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

    [HKEY_USERS\S-1-5-21-1060284298-1547161642-725345543-1007\Software\SecuROM\License information*]
    "datasecu"=hex:7e,98,7f,44,7c,6f,5a,c9,75,5e,3b,a6,36,af,d8,ee,12,d5,1b,ed,61,
    35,ec,45,e6,0e,89,af,cc,1c,7b,45,f4,e8,ba,52,47,4c,fb,60,d6,24,58,be,53,68,\
    "rkeysecu"=hex:e9,8d,ff,fe,b1,74,c6,6f,48,31,49,f7,be,e2,3e,41

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    "OODEFRAG10.00.00.01WORKSTATION"="7F13F4A5D3FD3A87D01773B38115B704548384BF6117FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933FEBC9E127BECC74CA9C6AECB7A5D1407A6A0AC4980AC793387EE99D49CA7306A1346C10224E097682866B461A508726ADBB159329FF3C4BFC56018EEEA38F64C4B865CE47DE67F26C9A55AD870F04C4889CEA23E630C85C9815591802232A0346B130453A5293C5C2B36E0216119D4D2FEA971F95A42C2620904091F192B0CA01F88FE9664F28207F1BFF655CAA738A80113F6EF85353C68DF8355E61F5A2E50C569E87AF1379C687DCB1C117567B52B8ABC3A2E59A8477E3BCF2077F49C1348749AB250FD8C69055C49A5F79A459F8148BF13C73D064B0C86CAE9754D74564F71669F6B28AB5C27538B3B2EE9D6DE941B96B0538D57C43CDFB80487D385A8F1B8F7462688737959DBC65C5E07D1EE931AA094EB984E447E9AC096D9A497CF82786215DBA8E55B6F2216D6B60811DC718CA194AFA43D6E063C709B1B519AA591169BC8ED07A8327D067951E67812CC62F240DAC1E81DF94900B76200DD9D977AA87B77C194843E5C1D5144A6D6FA77E0FB096348910A3503546A8CC0435525D77A40083EB7E8D72A2FE5FBAD1710A6AC0F6A02EDBE437E345B429117EE1B65898C0B35514B6767C7B86098BB9FBE3BC6C4385B6183AB4B9E6B5A3C43C2EB01B492E1916A9CB56AD8EACE9110CB1326F4EAA9E9D5694DA2C910B3AB0A1369B541F1ADFD006DAD76C8A9A42CF26A41704283D97B026AD223010733D1B229D654DA48BBB388734DAF438D3808ABBE20B3FB434AB09F798C7AD2C321F608409D42F1E3BDBE825A36CF3A634314097E2A22B4155B01ED77EDEE93EAA8B35A0C4BF73AC9C8FD6DBE2E26E1AA6496DD5700FBC314D6B4AFBE90D7D958DB78FC3111042D305625CEB39F94B49A1EA67DE5E11A4114E56A2B1AAD22009BAD08484742070603C3BDAFBE98926E98563243BD39678C191A92AAC9264DA574F77818DB59B6C461D2A11B594BA7914358798B670FE3475EE475FD037FED2FDB7634CAEFF25CAC9FA80123710C74E1E9521239DB932158CF20AAF6EB5FACC1FA48FAC4F74E54C744CE5FDA6AD62C6A915764B00B19C8680F85216CA112454A3273606DDED211E18C3216DC994792F573DBACDCD8969367F2341AB9348908F69160C7AF0108178AE5A54F44482102177A3BFC2B1A26520704B0AB3CA7D7583AE05BEF7D2E1B0016F45C0BB2B5C86AA34835388C9C0868BC7F6140D7F2B431CC1B14E5C82CDCF71D12721E4D924A4D33326998779C9ECB43D69293F104FC1C296D1F8B88344242FA4662AFBA07D1C1A3BE612AE44FF00A1831F23976B930BA8E3BF4193A73E3B24FD38F3BA82A327016AB05CDD2DAA9407E6616"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(7836)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\windows\system32\nview.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\program files\PC Connectivity Solution\ConnAPI.DLL
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\program files\WinSCP\DragExt.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\VentSrv\ventrilo_svc.exe
    c:\program files\VentSrv\ventrilo_srv.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\system32\Rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Razer\razerofa.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\3M\PSNLite\PSNGive.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\program files\logitech\quickcam\lu\lulnchr.exe
    c:\program files\logitech\quickcam\lu\LogitechUpdate.exe
    c:\program files\Java\jre6\bin\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-22 18:55:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-22 10:55

    Pre-Run: 12,121,518,080 bytes free
    Post-Run: 12,658,991,104 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

    - - End Of File - - C517A2986FCC8F5B7923272A34951B95

  10. #10
    Member Spyware Fighter NeonFx
    Join Date
    Jan 2010
    Location
    California
    Posts
    1,100
    Points
    85

    I'm sorry for the delay. I have family visiting and we went to Disneyland yesterday. I will be there most of the day today as well.



    If you backed up all the files on your thumbdrive, you should now be able to right-click on the drive in "My Computer" and select "Format..." from the menu. You can leave all the dropdown menus at their defaults, and you want to have "Quick Format" unchecked. "Volume Label" is the name you want to give the drive and is the name that will appear in My Computer. You can call it anything you want.


    Let me know how that goes. Please also do this:


    Please run Malwarebytes' Anti-Malware
    • Update it by clicking on the Update tab and then on the button.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your hard drives.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
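The full (non-quick) format of the thumbdrive described in the post above, done from the command line instead of the "My Computer" dialog, as an added example that is not part of NeonFx's reply or of any tool named in the thread. It adds the check a practitioner wants before formatting anything: confirm via WMI that the drive letter really belongs to a removable disk and is not the system drive, so a typo cannot wipe the wrong volume. The drive letter `E` and the label `USBDRIVE` are hypothetical values chosen for the example; it assumes a Windows machine with PowerShell, WMI and `format.com` available.

```powershell
# Added example, not from the original post.
# Safely run a full (non-quick) format of a removable drive:
#   1. list removable disks (Win32_LogicalDisk DriveType 2),
#   2. refuse unless the requested letter is one of them and is not the system drive,
#   3. call format.com WITHOUT /Q so the whole volume is verified instead of only
#      rebuilding the file system structures (the "Quick Format unchecked" setting).
# $DriveLetter and $Label are hypothetical defaults for this example.
param(
    [string]$DriveLetter = 'E',
    [string]$Label       = 'USBDRIVE'
)

$target = "${DriveLetter}:"

# DriveType 2 = removable disk (USB sticks, card readers). Show them so the user
# can cross-check the size and current label against the stick they mean to wipe.
$removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2'
$removable | Select-Object DeviceID, VolumeName, FileSystem, Size | Format-Table -AutoSize

if ($target -eq $env:SystemDrive) {
    throw "Refusing to format the system drive $target."
}
if (-not ($removable | Where-Object { $_.DeviceID -eq $target })) {
    throw "$target is not a removable disk on this machine; refusing to format it."
}

# No /Q switch: full format. /X dismounts the volume first so open handles
# (Explorer windows, an antivirus scan) do not make the format fail.
# format.com still asks "Proceed with Format (Y/N)?", which is a useful last
# confirmation; answer Y only after checking the listing above.
& format.com $target /FS:FAT32 /V:$Label /X
```

FAT32 keeps the stick usable on any host and matches what the Format dialog picks for a thumbdrive; `format.com` will refuse FAT32 on volumes larger than 32 GB, in which case drop `/FS:FAT32` or use `/FS:NTFS`. Because the script throws before calling `format.com` when the letter is not a removable disk, the destructive step never runs on a fixed drive.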