Hidden folder virus

Post by luckyguy457321 » October 9th, 2009, 11:05 pm

I think this virus spreads via hard drives and USB.
On my admin account, showing system folders and hidden files is enabled.
I was in My Documents and there were some hidden files in it.
After plugging in my flash drive, the hidden folders disappeared.
And I went to Control Panel to check whether hidden files were enabled in the folder options.
I tried to enable it and it looked like it did, but when I check to see if the hidden folders are there, they aren't.
I went back to check the Control Panel and they were once again disabled.
Don't know if it is a virus, but I'd like to be able to re-enable the hidden files and folders.
The same happened with my friend's computer.
He has submitted a sample to McAfee.

Some files I know are viruses:
C:\autorun.inf
C:\w9uxx92.exe
K:\autorun.inf
K:\w9uxx92.exe
D:\autorun.inf
D:\w9uxx92.exe
E:\autorun.inf
E:\w9uxx92.exe
I have tried to delete these files using a simple batch file that I made:
@echo off
rem strip the read-only, system and hidden attributes so del can see the files
attrib -r -s -h autorun.inf
attrib -r -s -h w9uxx92.exe
rem delete both files from the current directory (run it from the drive root)
del autorun.inf
del w9uxx92.exe
pause

Even after deleting the files, they reappear.
How do I know this?
I know this because the batch file doesn't have any errors while it is running.
Also, I opened the autorun.inf in Notepad and this is what was in it:

[AutoRun]
open=vlvtdflx.exe
shell\open\Command=vlvtdflx.exe

Reading this, I think that there may be a lot of viruses with random names and that they execute when I double-click on the hard disk or device,
so now what I do is right-click and then click Explore to prevent this.
Despite my efforts they still seem to be there...
I need help.
Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:20 AM, on 10/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
E:\Documents and Settings\Ben Ben\temp\TeamViewer\Version4\TeamViewer_Service.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Free Download Manager\fdm.exe
E:\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TBPanel] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\BenBen\LOCALS~1\Temp\herss.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: README.lnk = E:\README.txt
O4 - User Startup: README.lnk = E:\README.txt
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - E:\Documents and Settings\Ben Ben\temp\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6679 bytes
luckyguy457321
Regular Member
 
Posts: 56
Joined: September 2nd, 2009, 10:16 am
Location: Perth, Western Australia
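The autorun.inf quoted above and the "hidden files keep switching off" symptom, as an added Python triage example (not code from this thread or from the forum's helpers). The inputs are constructed: the autorun.inf text copies what the post quotes, the drive_type label is a hypothetical parameter, and a plain dict stands in for the registry so the example runs offline.

```python
"""Triage helpers for the autorun.inf worm described in this thread.

Added example, not code from the thread.  Inputs are constructed: the
autorun.inf text copies what the first post quotes; the registry is a
plain dict standing in for HKLM so this runs offline.
"""
import configparser
from dataclasses import dataclass, field
from typing import Dict, List

# [AutoRun] keys that make Explorer start a program when the drive is
# opened or double-clicked.  The worm uses the first and the third.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command")

# Constructed copy of the autorun.inf quoted in the first post.
INFECTED_AUTORUN = """[AutoRun]
open=vlvtdflx.exe
shell\\open\\Command=vlvtdflx.exe
"""

# Constructed benign vendor autorun.inf (icon and label only).
BENIGN_AUTORUN = """[AutoRun]
icon=setup.exe,0
label=Printer Driver CD
"""

# Explorer's "Show hidden files and folders" option.  The MBAM log later
# in this thread reports CheckedValue here as Bad: (0) Good: (1).
SHOWALL_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
               r"\Advanced\Folder\Hidden\SHOWALL")


@dataclass
class AutorunReport:
    launches: Dict[str, str] = field(default_factory=dict)  # key -> target
    reasons: List[str] = field(default_factory=list)
    suspicious: bool = False


def parse_autorun(text: str, drive_type: str = "fixed") -> AutorunReport:
    """Report which [AutoRun] keys would launch a program.

    drive_type is "cdrom", "removable" or "fixed" (a hypothetical label
    for this example, not a Windows API value).  Heuristic: a launch key
    on a hard disk or flash drive is treated as suspicious; on a CD it
    is the normal installer pattern.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)   # option names are lower-cased by default
    report = AutorunReport()
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return report
    for key in LAUNCH_KEYS:
        if cp.has_option(section, key):
            target = cp.get(section, key).strip()
            report.launches[key] = target
            report.reasons.append(f"{key}= launches {target}")
    for target in set(report.launches.values()):
        # A bare exe name resolves relative to the drive root, i.e. it
        # sits beside autorun.inf like w9uxx92.exe in the first post.
        if "\\" not in target and target.lower().endswith(".exe"):
            report.reasons.append(f"{target} lives in the drive root")
    report.suspicious = bool(report.launches) and drive_type != "cdrom"
    return report


def showall_tampered(registry: Dict[str, Dict[str, int]]) -> bool:
    """True when 'Show hidden files' can no longer be switched on.

    Explorer copies CheckedValue into the user's setting when the radio
    button is ticked; with it forced to 0 the option reverts on every
    visit to Folder Options, which is the symptom in the first post.
    """
    return registry.get(SHOWALL_KEY, {}).get("CheckedValue") != 1


if __name__ == "__main__":
    for name, text, kind in (("flash drive", INFECTED_AUTORUN, "removable"),
                             ("driver CD", BENIGN_AUTORUN, "cdrom")):
        rep = parse_autorun(text, kind)
        print(f"{name}: suspicious={rep.suspicious}", *rep.reasons, sep="\n  ")
    # Constructed registry snapshot matching the infected PC in this thread.
    snapshot = {SHOWALL_KEY: {"CheckedValue": 0}}
    print("hidden-files option tampered:", showall_tampered(snapshot))
```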

Re: Hidden folder virus

Post by peku006 » October 14th, 2009, 3:33 am

Hello and welcome to Malware Removal.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

  • If you don't know or understand something, please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - Download and run RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)

3 - Status Check
Please reply with

1. the logs from RSIT (log.txt, info.txt)
2. the Malwarebytes' Anti-Malware Log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Hidden folder virus

Post by luckyguy457321 » October 15th, 2009, 6:17 am

Thank you for your help.
I will attempt to follow your instructions ASAP.
I am sorry, but I can only do this on the weekends because I am really busy at work during the weekdays.
Hope to get it done before Sunday.
Regards
luckyguy457321

Re: Hidden folder virus

Post by luckyguy457321 » October 15th, 2009, 6:24 am

I am currently doing a full scan using Malwarebytes' Anti-Malware.
I can't seem to download RSIT.exe from the link that you gave me.
Could you please give me another download link?
luckyguy457321

Re: Hidden folder virus

Post by luckyguy457321 » October 15th, 2009, 6:27 am

McAfee picked up some viruses while Malwarebytes' Anti-Malware was scanning. Is that OK?
luckyguy457321

Re: Hidden folder virus

Post by luckyguy457321 » October 15th, 2009, 6:50 am

WHOOPS

I'm doing the scan on the wrong computer...
Sorry, I can't do your tasks until the weekend.
Could you please wait till then?

Regards
luckyguy457321

Re: Hidden folder virus

Post by luckyguy457321 » October 17th, 2009, 12:20 am

It's the weekend now.
I am now running Malwarebytes' Anti-Malware and managed to get RSIT.exe from your link.
Thank you.
I will reply with the information as soon as possible.

Re: Hidden folder virus

Post by luckyguy457321 » October 17th, 2009, 12:23 am

Yes, I know I have uTorrent, but I will uninstall it now.

Re: Hidden folder virus

Post by luckyguy457321 » October 17th, 2009, 2:03 am

Malwarebytes' Anti-Malware log:
Malwarebytes' Anti-Malware 1.41
Database version: 2973
Windows 5.1.2600 Service Pack 2

17/10/2009 1:31:42 PM
mbam-log-2009-10-17 (13-31-42).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 386438
Time elapsed: 1 hour(s), 13 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 82

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\2o1ajagt.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\3yalgc.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\cqb6wo.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\t2hjo0.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\vlvtdflx.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\wrsf.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\BenBen\Local Settings\Temp\cvasds2.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mum&Grandma\Local Settings\Temp\cvasds0.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mum&Grandma\Local Settings\Temp\cvasds1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mum&Grandma\Local Settings\Temp\herss.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018585.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018598.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018613.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018626.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018669.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018820.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP45\A0024417.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024437.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024438.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024453.exe (Worm.Taterf) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024552.exe (Worm.Taterf) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024566.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP48\A0024870.exe (Worm.Taterf) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP48\A0025006.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP49\A0025714.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP51\A0026925.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP51\A0027085.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\2o1ajagt.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\3yalgc.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\cqb6wo.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\t2hjo0.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\vlvtdflx.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\wrsf.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018587.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018601.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018615.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018628.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018671.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018822.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP45\A0024419.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024439.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024455.exe (Worm.Taterf) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024554.exe (Worm.Taterf) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024568.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP48\A0024872.exe (Worm.Taterf) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP48\A0025008.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP49\A0025716.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP51\A0026927.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP51\A0027087.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP51\A0027263.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\2o1ajagt.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\3yalgc.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\cqb6wo.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\t2hjo0.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\vlvtdflx.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\wrsf.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ben Ben\Application Data\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018589.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018603.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018617.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018630.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018673.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP44\A0018824.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP45\A0024421.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024441.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024457.exe (Worm.Taterf) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024556.exe (Worm.Taterf) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP46\A0024570.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP48\A0024874.exe (Worm.Taterf) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP48\A0025011.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP48\A0025168.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP49\A0025718.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP51\A0026929.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{365BBDC4-8272-4274-B1F9-EFBB1747BF42}\RP51\A0027089.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\s3ek.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\sp1jensi.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\mje12tni.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\w9uxx92.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\cvasds0.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\cvasds1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\BenBen\Local Settings\Temp\cvasds1.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\Documents and Settings\Admin\Local Settings\Temp\herss.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

RSIT log.txt:
Logfile of random's system information tool 1.06 (written by random/random)
Run by BenBen at 2009-10-17 13:59:14
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 38 GB (76%) free of 50 GB
Total RAM: 3326 MB (84% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:25 PM, on 17/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
E:\Documents and Settings\Ben Ben\temp\TeamViewer\Version4\TeamViewer_Service.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Documents and Settings\Ben Ben\Desktop\RSIT.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
E:\Downloads\BenBen.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer - Trinh Family Trust
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TBPanel] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: README.lnk = E:\README.txt
O4 - User Startup: README.lnk = E:\README.txt
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - E:\Documents and Settings\Ben Ben\temp\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6930 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{CC5B68AB-112A-46A0-92A3-2E4D362CA911}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll [2009-01-14 92504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}]
FDMIECookiesBHO Class - C:\Program Files\Free Download Manager\iefdm2.dll [2008-12-30 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2004-07-14 705808]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-08-20 16384512]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"TBPanel"=C:\Program Files\XpertVision\TBPanel.exe [2008-01-29 2157064]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-01-09 8523776]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-01-09 81920]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]
"CAP3ON"=C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE [2002-07-19 22528]
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2006-02-28 15360]
"Steam"=d:\games\steam\steam.exe -silent []
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]
"NVIDIA nTune"=C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdoosoft]
C:\DOCUME~1\BenBen\LOCALS~1\Temp\herss.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2006-02-28 208952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2006-02-28 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2006-02-28 455168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Canon LASER SHOT LBP-1120 Status Window.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

E:\Documents and Settings\Ben Ben\Start Menu\Programs\Startup
README.lnk - E:\README.txt

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"D:\Games\Steam\steamapps\benben321\garrysmod\hl2.exe"="D:\Games\Steam\steamapps\benben321\garrysmod\hl2.exe:*:Enabled:hl2"
"D:\Games\Steam\steamapps\common\crayon physics deluxe demo\launcher.exe"="D:\Games\Steam\steamapps\common\crayon physics deluxe demo\launcher.exe:*:Enabled:Crayon Physics Deluxe Demo"
"C:\Program Files\Free Download Manager\fdmwi.exe"="C:\Program Files\Free Download Manager\fdmwi.exe:*:Disabled:fdmwi"
"K:\Games\Steam\steamapps\benben321\garrysmod\hl2.exe"="K:\Games\Steam\steamapps\benben321\garrysmod\hl2.exe:*:Enabled:hl2"
"K:\Games\Steam\Steam.exe"="K:\Games\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\TeamViewer\Version4\TeamViewer.exe"="C:\Program Files\TeamViewer\Version4\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application"
"K:\Games\Steam\steamapps\common\peggle extreme\PeggleExtreme.exe"="K:\Games\Steam\steamapps\common\peggle extreme\PeggleExtreme.exe:*:Enabled:Peggle Extreme"
"K:\Games\Steam\steamapps\common\cities xl\runme.exe"="K:\Games\Steam\steamapps\common\cities xl\runme.exe:*:Enabled:Cities XL - Limited Edition"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cdef897-4dcf-11de-a018-806d6172696f}]
shell\AutoRun\command - K:\mje12tni.exe
shell\open\command - K:\mje12tni.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df32cb20-79d0-11de-8730-002018a21f20}]
shell\AutoRun\command - K:\ZensUsb.exe
shell\Lock or Unlock USB\command - K:\LOCK.bat
shell\Run Startup Program\command - K:\ZensUsb.exe
shell\This Usb Belongs to Zen Ly\command - K:\README.txt


======List of files/folders created in the last 1 months======

2009-10-17 13:42:32 ----D---- C:\Program Files\Tweak Manager
2009-10-17 12:18:08 ----D---- C:\rsit
2009-10-17 12:16:24 ----D---- E:\Documents and Settings\Ben Ben\Application Data\Malwarebytes
2009-10-17 12:16:19 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-10-17 12:16:18 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-12 19:48:54 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2009-10-12 19:48:54 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2009-10-12 19:48:54 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2009-10-12 19:48:53 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2009-10-12 19:48:53 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2009-10-12 19:48:53 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2009-10-12 19:48:52 ----A---- C:\WINDOWS\system32\XAudio2_0.dll
2009-10-12 19:48:52 ----A---- C:\WINDOWS\system32\X3DAudio1_3.dll
2009-10-12 19:48:51 ----A---- C:\WINDOWS\system32\D3DX9_37.dll
2009-10-12 19:48:51 ----A---- C:\WINDOWS\system32\d3dx10_37.dll
2009-10-12 19:48:51 ----A---- C:\WINDOWS\system32\D3DCompiler_37.dll
2009-10-12 19:48:34 ----D---- C:\WINDOWS\Logs
2009-10-06 16:56:52 ----D---- C:\Program Files\TeamViewer
2009-10-05 12:37:26 ----D---- C:\Program Files\SEGA
2009-10-03 17:34:11 ----D---- E:\Documents and Settings\Ben Ben\Application Data\TeamViewer
2009-10-03 12:48:34 ----D---- C:\Program Files\TC Digital
2009-10-03 12:14:58 ----D---- C:\Program Files\Unity
2009-09-28 13:18:08 ----D---- E:\Documents and Settings\Ben Ben\Application Data\Desktopicon
2009-09-26 18:32:29 ----D---- C:\WINDOWS\pss

======List of files/folders modified in the last 1 months======

2009-10-17 13:59:08 ----D---- C:\WINDOWS\Temp
2009-10-17 13:59:08 ----A---- C:\WINDOWS\DFC.INI
2009-10-17 13:57:06 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-10-17 13:57:00 ----D---- E:\Documents and Settings\Ben Ben\Application Data\Free Download Manager
2009-10-17 13:42:44 ----D---- C:\WINDOWS\Prefetch
2009-10-17 13:42:33 ----D---- C:\WINDOWS\system32
2009-10-17 13:42:32 ----RD---- C:\Program Files
2009-10-17 13:30:11 ----D---- C:\WINDOWS\CAVTemp
2009-10-17 12:23:50 ----D---- E:\Documents and Settings\Ben Ben\Application Data\uTorrent
2009-10-17 12:16:20 ----D---- C:\WINDOWS\system32\drivers
2009-10-17 11:36:16 ----D---- C:\WINDOWS\Internet Logs
2009-10-15 18:14:48 ----HD---- C:\WINDOWS
2009-10-12 20:25:06 ----SHD---- C:\WINDOWS\Installer
2009-10-12 20:24:55 ----D---- C:\WINDOWS\WinSxS
2009-10-12 19:48:54 ----HD---- C:\WINDOWS\inf
2009-10-12 19:48:37 ----D---- C:\WINDOWS\system32\DirectX
2009-10-12 12:46:13 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-08 20:17:18 ----D---- E:\Documents and Settings\Ben Ben\Application Data\Microsoft
2009-10-07 20:33:26 ----A---- C:\WINDOWS\ODBC.INI
2009-10-03 19:40:46 ----HD---- C:\Downloads
2009-09-28 14:25:47 ----D---- C:\Program Files\Unlocker
2009-09-28 13:12:32 ----D---- E:\Documents and Settings\Ben Ben\Application Data\TortoiseSVN
2009-09-26 18:33:08 ----RSH---- C:\boot.ini
2009-09-26 18:33:08 ----A---- C:\WINDOWS\win.ini
2009-09-26 18:33:08 ----A---- C:\WINDOWS\system.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 VETFDDNT;VET Floppy Boot Sector Monitor; C:\WINDOWS\system32\drivers\VETFDDNT.sys [2009-05-31 114856]
R1 VET-FILT;VET File System Filter; C:\WINDOWS\system32\drivers\VET-FILT.sys [2004-05-28 21605]
R1 VETMONNT;VET File and Macro Monitor; C:\WINDOWS\system32\drivers\VETMONNT.sys [2009-05-31 896472]
R1 VET-REC;VET File System Recognizer; C:\WINDOWS\system32\drivers\VET-REC.sys [2004-05-28 15668]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2004-07-14 270672]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-02-28 12032]
R2 nvcap;nVidia WDM Video Capture (universal); C:\WINDOWS\system32\DRIVERS\nvcap.sys [2005-02-01 141246]
R2 NVXBAR;nVidia WDM A/V Crossbar; C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2005-02-01 16176]
R2 TBPanel;TBPanel; C:\WINDOWS\system32\drivers\TBPanel.sys [2007-03-16 12256]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2006-02-28 60800]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-08-28 4609024]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2006-02-28 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-01-09 7434336]
R3 NVR0Dev;NVR0Dev; \??\C:\WINDOWS\nvoclock.sys []
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-02-28 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2006-02-28 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-02-28 17024]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-02-28 26496]
S3 Cardex;Cardex; \??\C:\WINDOWS\system32\drivers\TBPANEL.SYS []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 RsFx0102;RsFx0102 Driver; C:\WINDOWS\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 CAISafe;CA ISafe; C:\WINDOWS\system32\ZoneLabs\isafe.exe [2004-05-28 184320]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [2008-07-11 40999448]
R2 nTuneService;nTune Service; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [2007-09-04 131072]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-01-09 155716]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-07-10 98840]
R2 TeamViewer4;TeamViewer 4; E:\Documents and Settings\Ben Ben\temp\TeamViewer\Version4\TeamViewer_Service.exe [2009-09-30 185640]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2004-07-14 918792]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service; C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS); C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
S4 SQLBrowser;SQL Server Browser; C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-07-10 258072]

-----------------EOF-----------------

RSIT info.txt:
info.txt logfile of random's system information tool 1.06 2009-10-17 12:18:18

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Age of Chivalry Dedicated Server-->"D:\games\Steam\steam.exe" steam://uninstall/17515
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Canon LASER SHOT LBP-1120-->C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3UNIK.EXE
Chaotic-->MsiExec.exe /I{D1BA4778-61DB-4405-AD57-03C939080E19}
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Cities XL - Limited Edition-->"K:\Games\Steam\steam.exe" steam://uninstall/35500
Crayon Physics Deluxe Demo-->"D:\games\Steam\steam.exe" steam://uninstall/26910
D.I.P.R.I.P. Dedicated Server-->"D:\games\Steam\steam.exe" steam://uninstall/17535
Dark Messiah Might and Magic Dedicated Server-->"D:\games\Steam\steam.exe" steam://uninstall/2145
Dedicated Server-->"D:\games\Steam\steam.exe" steam://uninstall/5
DMIView B7.0108.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EE1008C-11A1-4F4F-8DB7-27573924DE78}\setup.exe" -l0x9 -removeonly
ESForces-->K:\Games\Steam\Steamapps\sourceMods\ESForces\esf_openbeta\uninstall.exe
Face_Wizard B07.0509.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E76FCE6B-9999-4250-8C75-B2DA4AD41268}\setup.exe" -l0x9 -removeonly
Free Download Manager 3.0-->"C:\Program Files\Free Download Manager\unins000.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\DOCUME~1\Admin\LOCALS~1\Temp\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB945282)-->C:\WINDOWS\system32\msiexec.exe /package {DD622B1D-A78E-3FE8-9C8C-246F5764B0D0} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946040)-->C:\WINDOWS\system32\msiexec.exe /package {DD622B1D-A78E-3FE8-9C8C-246F5764B0D0} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946308)-->C:\WINDOWS\system32\msiexec.exe /package {DD622B1D-A78E-3FE8-9C8C-246F5764B0D0} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946344)-->C:\WINDOWS\system32\msiexec.exe /package {DD622B1D-A78E-3FE8-9C8C-246F5764B0D0} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947540)-->C:\WINDOWS\system32\msiexec.exe /package {DD622B1D-A78E-3FE8-9C8C-246F5764B0D0} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947789)-->C:\WINDOWS\system32\msiexec.exe /package {DD622B1D-A78E-3FE8-9C8C-246F5764B0D0} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB948127)-->C:\WINDOWS\system32\msiexec.exe /package {DD622B1D-A78E-3FE8-9C8C-246F5764B0D0} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB951708)-->C:\WINDOWS\system32\msiexec.exe /package {DD622B1D-A78E-3FE8-9C8C-246F5764B0D0} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Office (KB950278)-->msiexec /package {90120000-0021-0000-0000-0000000FF1CE} /uninstall {FED55BA1-5A70-44B4-8EB1-E72274AED780}
Hotfix for Windows XP (KB942288-v3)-->"C:\WINDOWS\$NtUninstallKB942288-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB954708)-->"C:\WINDOWS\$NtUninstallKB954708$\spuninst\spuninst.exe"
i-Cool-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28184E01-D57A-4933-A09B-F65403F16D82}\setup.exe" -l0x9 -uninst -removeonly
Insurgency Dedicated Server-->"D:\games\Steam\steam.exe" steam://uninstall/17705
Iron Man-->MsiExec.exe /X{26D8D185-F70E-4311-A511-22E979A036C5}
Junk Mail filter update-->MsiExec.exe /I{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}
Left 4 Dead Dedicated Server-->"D:\games\Steam\steam.exe" steam://uninstall/510
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visual Web Developer 2007-->MsiExec.exe /X{90120000-0021-0000-0000-0000000FF1CE}
Microsoft Office Visual Web Developer MUI (English) 2007-->MsiExec.exe /X{90120000-0021-0409-0000-0000000FF1CE}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Search Enhancement Pack-->MsiExec.exe /I{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft SQL Server 2008 Browser-->MsiExec.exe /X{C688457E-03FD-4941-923B-A27F4D42A7DD}
Microsoft SQL Server 2008 Common Files-->MsiExec.exe /I{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}
Microsoft SQL Server 2008 Common Files-->MsiExec.exe /I{4A6F34E2-09E5-4616-B227-4A26A488A6F9}
Microsoft SQL Server 2008 Database Engine Services-->MsiExec.exe /I{58721EC3-8D4E-4B79-BC51-1054E2DDCD10}
Microsoft SQL Server 2008 Database Engine Services-->MsiExec.exe /I{B5153233-9AEE-4CD4-9D2C-4FAAC870DBE2}
Microsoft SQL Server 2008 Database Engine Shared-->MsiExec.exe /I{4815BD99-96A4-49FE-A885-DCF06E9E4E78}
Microsoft SQL Server 2008 Database Engine Shared-->MsiExec.exe /I{F3494AB6-6900-41C6-AF57-823626827ED8}
Microsoft SQL Server 2008 Management Objects-->MsiExec.exe /I{F5E87B12-3C27-452F-8E78-21D42164FD83}
Microsoft SQL Server 2008 Native Client-->MsiExec.exe /I{D9D937B0-E842-4130-9588-B948E876904A}
Microsoft SQL Server 2008 RsFx Driver-->MsiExec.exe /I{F1DC7648-8623-442F-92B7-E118DF61872E}
Microsoft SQL Server 2008 Setup Support Files (English)-->MsiExec.exe /X{9D6D76A6-4328-49E8-97A7-531A74841DA5}
Microsoft SQL Server 2008-->"C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Release\x86\SetupARP.exe" /X86
Microsoft SQL Server 2008-->"C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Release\x86\SetupARP.exe" /x86
Microsoft SQL Server Compact 3.5 SP1 Design Tools English-->MsiExec.exe /X{0C19D563-5F25-4621-BF10-01F741BD283F}
Microsoft SQL Server Compact 3.5 SP1 English-->MsiExec.exe /I{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}
Microsoft SQL Server Database Publishing Wizard 1.3-->MsiExec.exe /I{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{B857D868-F8B0-43EE-BC2B-D9E5ED21F237}
Microsoft Sync Framework Runtime Native v1.0 (x86)-->MsiExec.exe /I{8A74E887-8F0F-4017-AF53-CBA42211AAA5}
Microsoft Sync Framework Services Native v1.0 (x86)-->MsiExec.exe /I{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}
Microsoft Text-to-Speech Engine 4.0 (English)-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSs22.inf, Uninstall
Microsoft Visual Basic 2008 Express Edition with SP1 - ENU-->C:\Program Files\Microsoft Visual Studio 9.0\Microsoft Visual Basic 2008 Express Edition with SP1 - ENU\setup.exe
Microsoft Visual Basic 2008 Express Edition with SP1 - ENU-->MsiExec.exe /X{DD622B1D-A78E-3FE8-9C8C-246F5764B0D0}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729-->MsiExec.exe /X{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}
Microsoft Visual Studio Web Authoring Component-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISUALWEBDEVELOPER /dll OSETUP.DLL
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu-->MsiExec.exe /X{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32-->MsiExec.exe /X{044F9133-B8D7-4d11-BF39-803FA20F5C8B}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
muveeNow 2.1-->C:\Program Files\InstallShield Installation Information\{B4A3B14A-1C4B-47B9-A5B5-BF429237D568}\setup.exe -runfromtemp -l0x0009 -removeonly
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA nTune-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033
NVIDIA WDM Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B023185F-F1EF-4F97-B0BD-AE6D802226D1}\setup.exe"
Peggle Extreme-->"K:\Games\Steam\steam.exe" steam://uninstall/3483
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.EXE" -l0x9 -removeonly
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Sql Server Customer Experience Improvement Program-->MsiExec.exe /I{C965F01C-76EA-4BD7-973E-46236AE312D7}
SQL Server System CLR Types-->MsiExec.exe /I{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Synergy Dedicated Server-->"D:\games\Steam\steam.exe" steam://uninstall/17525
Team Fortress 2 Dedicated Server-->"D:\games\Steam\steam.exe" steam://uninstall/310
TeamViewer 4-->C:\Program Files\TeamViewer\Version4\uninstall.exe
The Ship Dedicated Server-->"D:\games\Steam\steam.exe" steam://uninstall/2403
TortoiseSVN 1.5.7.15182 (32 bit)-->MsiExec.exe /X{27968397-2FC3-4D79-BD5D-E6AC44A263FE}
Unity Web Player-->C:\Program Files\Unity\WebPlayer\Uninstall.exe
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
Unreal Tournament 3-->"D:\games\Steam\steam.exe" steam://uninstall/13210
Update for Microsoft Visual Studio Web Authoring Component (KB945140)-->msiexec /package {90120000-0021-0000-0000-0000000FF1CE} /uninstall {F9DE79A2-9049-4589-9787-815147371581}
Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_6FE44FCD212D4A086C7BC0C98B9A619782073FB7\amdk8.inf
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Mail-->MsiExec.exe /I{63C1109E-D977-49ED-BCE3-D00D0BF187D6}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Photo Gallery-->MsiExec.exe /X{3C52E7DA-C431-4239-B66B-1BF703D5B194}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Sync-->MsiExec.exe /X{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}
Windows Live Toolbar-->MsiExec.exe /X{995F1E2E-F542-4310-8E1D-9926F5A279B3}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XpertVision 6.1-->"C:\Program Files\XpertVision\unins000.exe"
Zombie Panic! Source Dedicated Server-->"D:\games\Steam\steam.exe" steam://uninstall/17505
ZoneAlarm Security Suite-->C:\Program Files\Zone Labs\ZoneAlarm\bbuninst.exe

======Security center information======

AV: ZoneAlarm Security Suite Antivirus (outdated)
FW: ZoneAlarm Security Suite Firewall

======System event log======

Computer Name: ZHOMECOM
Event Code: 1002
Message: The IP address lease 192.168.2.2 for the Network Card with network address 002018A21F20 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Record Number: 5679
Source Name: Dhcp
Time Written: 20090925013551.000000+480
Event Type: error
User:

Computer Name: ZHOMECOM
Event Code: 16
Message: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Record Number: 5675
Source Name: Windows Update Agent
Time Written: 20090923184853.000000+480
Event Type: error
User:

Computer Name: ZHOMECOM
Event Code: 7000
Message: The Cardex service failed to start due to the following error:
Cannot create a file when that file already exists.


Record Number: 5642
Source Name: Service Control Manager
Time Written: 20090923134744.000000+480
Event Type: error
User:

Computer Name: ZHOMECOM
Event Code: 7000
Message: The Cardex service failed to start due to the following error:
Cannot create a file when that file already exists.


Record Number: 5597
Source Name: Service Control Manager
Time Written: 20090922071221.000000+480
Event Type: error
User:

Computer Name: ZHOMECOM
Event Code: 16
Message: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Record Number: 5576
Source Name: Windows Update Agent
Time Written: 20090921143416.000000+480
Event Type: error
User:

=====Application event log=====

Computer Name: ZHOMECOM
Event Code: 1517
Message: Windows saved user ZHOMECOM\Mum&Grandma registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 6180
Source Name: Userenv
Time Written: 20090925191318.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ZHOMECOM
Event Code: 1517
Message: Windows saved user ZHOMECOM\Mum&Grandma registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 6110
Source Name: Userenv
Time Written: 20090925022300.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ZHOMECOM
Event Code: 1517
Message: Windows saved user ZHOMECOM\Mum&Grandma registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 5978
Source Name: Userenv
Time Written: 20090922202736.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ZHOMECOM
Event Code: 1517
Message: Windows saved user ZHOMECOM\Mum&Grandma registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 5893
Source Name: Userenv
Time Written: 20090921145210.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ZHOMECOM
Event Code: 1517
Message: Windows saved user ZHOMECOM\Mum&Grandma registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 5852
Source Name: Userenv
Time Written: 20090920202942.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\TortoiseSVN\bin;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=16
"PROCESSOR_IDENTIFIER"=x86 Family 16 Model 2 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=0202
"NUMBER_OF_PROCESSORS"=4
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------
luckyguy457321
Regular Member
Posts: 56
Joined: September 2nd, 2009, 10:16 am
Location: Perth, Western Australia

Re: Hidden folder virus

Post by luckyguy457321 » October 17th, 2009, 2:07 am

The hidden folders can now be enabled again!
I enabled the hidden and system files again, and when I went into the C: drive I clicked on Explore instead of Open.
The viruses were still there, so I selected all of them and deleted them (Shift+Del), and also the autorun.inf.
Repeated for the rest of the drives.
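As an added example (not code from this thread or from any of the tools it mentions), the Python script below does programmatically what the post above describes by hand: it reads the autorun.inf on a drive root, lists the commands the [AutoRun] section would launch when the drive is double-clicked (the open and shellexecute keys, plus any shell\<verb>\command key), checks whether the referenced files are actually present on that drive, and can clear the read-only attribute and delete them. The sample autorun.inf contents and the file name x7k2q.exe are constructed test data, and a temporary directory stands in for the drive root. Deleting the files does not stop a dropper that is still running from writing them back, so the process has to be stopped first.

```python
# Added example (not from the thread): inspect and remove what an autorun.inf
# launches on a drive root. Sample file contents and names are constructed.
import os
import re
import stat
import tempfile
from pathlib import Path

# [AutoRun] keys that run a program when the drive is double-clicked
# (open, shellexecute) or when a context-menu verb fires (shell\<verb>\command).
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample; the file name x7k2q.exe is made up for this demo.
SAMPLE_AUTORUN = (
    "[AutoRun]\n"
    "open=x7k2q.exe\n"
    "shell\\open\\Command=x7k2q.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
)

def parse_autorun(text):
    """Return the command strings an autorun.inf would execute, in file order."""
    commands, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":              # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:  # junk lines are ignored
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() in EXEC_KEYS or SHELL_CMD_RE.match(key):
            commands.append(value)
    return commands

def first_token(cmd):
    """Program name from a command line, honouring a quoted first argument."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def scan_drive_root(root):
    """Describe the autorun.inf on one drive root, or None if there is none."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return None
    commands = parse_autorun(inf.read_text(errors="replace"))
    targets = []
    for cmd in commands:
        prog = Path(first_token(cmd))
        target = prog if prog.is_absolute() else root / prog
        targets.append({"command": cmd, "target": str(target),
                        "exists": target.is_file()})
    return {"inf": str(inf), "commands": commands, "targets": targets}

def remove_autorun_artifacts(root, dry_run=True):
    """Delete autorun.inf and the launched files that live on that root.

    Clears the read-only attribute before unlinking; returns the paths removed
    (or that would be removed when dry_run is True). A dropper that is still
    running can write these files back, so stop that process first.
    """
    report = scan_drive_root(root)
    if report is None:
        return []
    root = Path(root).resolve()
    candidates = [Path(t["target"]) for t in report["targets"] if t["exists"]]
    candidates.append(Path(report["inf"]))
    removed = []
    for path in candidates:
        path = path.resolve()
        if root not in path.parents or not path.is_file() or str(path) in removed:
            continue                                  # stay inside the root
        if not dry_run:
            os.chmod(path, stat.S_IWRITE)             # clear read-only
            path.unlink()
        removed.append(str(path))
    return removed

def build_sample_root():
    """Create a temporary directory standing in for an infected drive root."""
    root = Path(tempfile.mkdtemp(prefix="autorun_demo_"))
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    (root / "x7k2q.exe").write_bytes(b"MZ" + b"\0" * 62)   # fake PE stub
    return root

if __name__ == "__main__":
    demo_root = build_sample_root()
    print(scan_drive_root(demo_root))
    print("would remove:", remove_autorun_artifacts(demo_root))
    print("removed:", remove_autorun_artifacts(demo_root, dry_run=False))
```

Run it directly to see the report on the constructed sample. Against a real drive, call scan_drive_root("E:\\") first, read the list, and only pass dry_run=False once it shows nothing but the dropper and its autorun.inf. Listing the drive this way, or through the right-click Explore entry, is what avoids firing the open= action that a double-click on the drive icon would trigger.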

Re: Hidden folder virus

Post by peku006 » October 17th, 2009, 2:45 am

Hi luckyguy457321

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks peku006
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Hidden folder virus

Post by luckyguy457321 » October 18th, 2009, 4:29 am

Here is that ComboFix log:

ComboFix 09-10-16.09 - BenBen 18/10/2009 15:23.1.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.61.1033.18.3326.2753 [GMT 8:00]
Running from: e:\documents and settings\Ben Ben\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2385910262-2861015473-1258039522-1000
e:\documents and settings\Ben Ben\Application Data\Desktopicon

.
((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-17 06:15 . 2009-10-17 06:15 -------- d-----w- e:\documents and settings\Mum&Grandma\Application Data\Malwarebytes
2009-10-17 05:42 . 2009-10-17 05:42 -------- d-----w- c:\program files\Tweak Manager
2009-10-17 04:18 . 2009-10-17 04:18 -------- d-----w- C:\rsit
2009-10-17 04:16 . 2009-10-17 04:16 -------- d-----w- e:\documents and settings\Ben Ben\Application Data\Malwarebytes
2009-10-17 04:16 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-17 04:16 . 2009-10-17 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-17 04:16 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-17 04:16 . 2009-10-17 04:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 12:03 . 2009-10-12 12:03 -------- d-----w- e:\documents and settings\Ben Ben\Local Settings\Application Data\Monte Cristo
2009-10-12 11:48 . 2008-05-30 06:19 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2009-10-12 11:48 . 2008-05-30 06:17 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2009-10-12 11:48 . 2008-05-30 06:17 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2009-10-12 11:48 . 2008-05-30 06:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2009-10-12 11:48 . 2008-05-30 06:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2009-10-12 11:48 . 2008-05-30 06:11 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2009-10-12 11:48 . 2008-03-05 08:03 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2009-10-12 11:48 . 2008-03-05 08:00 25608 ----a-w- c:\windows\system32\X3DAudio1_3.dll
2009-10-12 11:48 . 2008-03-05 07:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2009-10-12 11:48 . 2008-03-05 07:56 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2009-10-12 11:48 . 2008-02-05 15:07 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2009-10-12 11:48 . 2009-10-12 11:48 -------- d-----w- c:\windows\Logs
2009-10-07 14:04 . 2009-10-07 14:17 23 ----a-w- c:\windows\popcinfot.dat
2009-10-06 08:56 . 2009-10-06 08:56 -------- d-----w- c:\program files\TeamViewer
2009-10-05 07:54 . 2009-10-05 07:54 -------- d-----w- e:\documents and settings\Mum&Grandma\Local Settings\Application Data\Apple
2009-10-05 04:37 . 2009-10-05 04:37 -------- d-----w- c:\program files\SEGA
2009-10-03 10:18 . 2009-10-03 10:18 4096 ----a-w- c:\windows\d3dx.dat
2009-10-03 09:34 . 2009-10-03 09:34 -------- d-----w- e:\documents and settings\Ben Ben\Application Data\TeamViewer
2009-10-03 04:48 . 2009-10-03 04:48 -------- d-----w- c:\program files\TC Digital
2009-10-03 04:47 . 2009-10-03 04:47 -------- d-----w- e:\documents and settings\Ben Ben\Local Settings\Application Data\Downloaded Installations
2009-10-03 04:15 . 2009-10-03 04:15 -------- d-----w- e:\documents and settings\Ben Ben\Local Settings\Application Data\Unity
2009-10-03 04:14 . 2009-10-03 04:14 -------- d-----w- c:\program files\Unity
2009-09-26 08:37 . 2009-09-26 08:53 -------- d-----w- e:\documents and settings\Ben Ben\Local Settings\Application Data\Temporary Projects

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 07:29 . 2009-07-04 11:03 -------- d-----w- e:\documents and settings\Ben Ben\Application Data\Free Download Manager
2009-10-17 04:23 . 2009-06-07 11:38 -------- d-----w- e:\documents and settings\Ben Ben\Application Data\uTorrent
2009-10-03 12:12 . 2009-07-07 11:29 -------- d-----w- e:\documents and settings\Mum&Grandma\Application Data\Free Download Manager
2009-09-28 06:25 . 2009-06-06 11:39 -------- d-----w- c:\program files\Unlocker
2009-09-28 05:12 . 2009-04-16 08:09 -------- d-----w- e:\documents and settings\Ben Ben\Application Data\TortoiseSVN
2009-09-26 10:40 . 2009-07-05 04:56 -------- d-----w- e:\documents and settings\Admin\Application Data\Free Download Manager
2009-09-26 08:37 . 2009-05-31 06:27 45576 ----a-w- e:\documents and settings\Ben Ben\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-20 12:29 . 2009-05-03 11:09 -------- d-----w- e:\documents and settings\Mum&Grandma\Application Data\U3
2009-08-18 11:33 . 2009-05-04 11:22 45576 ----a-w- e:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 00:17 . 2009-05-10 11:55 45576 ----a-w- e:\documents and settings\Mum&Grandma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 09:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 09:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 09:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 09:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 09:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 09:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 09:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 09:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 09:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-07-13 705808]
"TBPanel"="c:\program files\XpertVision\TBPanel.exe" [2008-01-29 2157064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-08 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-08 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"CAP3ON"="c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE" [2002-07-19 22528]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-20 16384512]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-01-08 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

e:\documents and settings\Admin\Start Menu\Programs\Startup\
README.lnk - E:\README.txt [2009-7-5 143]

e:\documents and settings\Mum&Grandma\Start Menu\Programs\Startup\
README.lnk - E:\README.txt [2009-7-5 143]

e:\documents and settings\Ben Ben\Start Menu\Programs\Startup\
README.lnk - E:\README.txt [2009-7-5 143]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Canon LASER SHOT LBP-1120 Status Window.LNK - c:\windows\system32\spool\drivers\w32x86\3\CAP3LAK.EXE [2009-5-31 30720]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Free Download Manager\\fdmwi.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

R2 TeamViewer4;TeamViewer 4;e:\documents and settings\Ben Ben\temp\TeamViewer\Version4\TeamViewer_Service.exe [30/09/2009 3:10 PM 185640]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 8:28 AM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11/07/2008 8:28 AM 369688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cdef890-4dcf-11de-a018-806d6172696f}]
\Shell\AutoRun\command - J:\autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2009-10-18 c:\windows\Tasks\User_Feed_Synchronization-{CC5B68AB-112A-46A0-92A3-2E4D362CA911}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
LSP: imslsp.dll
LSP: c:\windows\system32\ZoneLabs\vetredir.dll
.
.
------- File Associations -------
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Steam - d:\games\steam\steam.exe
AddRemove-ESForces - k:\games\Steam\Steamapps\sourceMods\ESForces\esf_openbeta\uninstall.exe
AddRemove-HijackThis - c:\docume~1\Admin\LOCALS~1\Temp\HijackThis.exe
AddRemove-Steam App 13210 - d:\games\Steam\steam.exe
AddRemove-Steam App 17505 - d:\games\Steam\steam.exe
AddRemove-Steam App 17515 - d:\games\Steam\steam.exe
AddRemove-Steam App 17525 - d:\games\Steam\steam.exe
AddRemove-Steam App 17535 - d:\games\Steam\steam.exe
AddRemove-Steam App 17705 - d:\games\Steam\steam.exe
AddRemove-Steam App 2145 - d:\games\Steam\steam.exe
AddRemove-Steam App 2403 - d:\games\Steam\steam.exe
AddRemove-Steam App 26910 - d:\games\Steam\steam.exe
AddRemove-Steam App 310 - d:\games\Steam\steam.exe
AddRemove-Steam App 3483 - k:\games\Steam\steam.exe
AddRemove-Steam App 35500 - k:\games\Steam\steam.exe
AddRemove-Steam App 5 - d:\games\Steam\steam.exe
AddRemove-Steam App 510 - d:\games\Steam\steam.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 15:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(240)
c:\windows\system32\imslsp.dll
c:\windows\system32\libeay32_0.9.6l.dll
c:\windows\system32\ZoneLabs\vetredir.dll
c:\windows\system32\ZoneLabs\isafeif.dll

- - - - - - - > 'explorer.exe'(3036)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-10-18 15:31
ComboFix-quarantined-files.txt 2009-10-18 07:31

Pre-Run: 39,603,834,880 bytes free
Post-Run: 39,548,559,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /NOEXECUTE=OPTIN /FASTDETECT /USEPMTIMER


Re: Hidden folder virus

Post by peku006 » October 18th, 2009, 4:48 am

Hi luckyguy457321

Looking good :)
Let's make sure we got everything

1 - Clean temp files

    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:
      Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Prefetch
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    if you use Firefox:
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    if you use Opera:
      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program

2 - ESET online scanner

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go here then click on: [button image]
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use, then click on: [button image]
  • When prompted, allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: [button image]
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

4 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006

Re: Hidden folder virus

Post by luckyguy457321 » October 18th, 2009, 5:07 am

I am currently doing the scan.
This reply is done on my tablet PC.
Things seem to be running normally on the desktop computer.
Do you think that my laptop could also be infected with the virus?
I used my HDD to transfer data.

Re: Hidden folder virus

Post by peku006 » October 18th, 2009, 5:41 am

Hi luckyguy457321

Do you think that my laptop could also be infected with the virus?
I used my HDD to transfer data.

I'm not sure... we can take your laptop next... but first we need to clean up this machine ;)