Registry virus (probably)

nemiux

New Member
I've put up a post about the registry being denied; Malwarebytes cleaned it, and there wasn't anything on the next scan, but it still didn't help, even after a restart. So here are the logs.
1. Malwarebytes Anti-Malware
Malwarebytes' Anti-Malware 1.38
Database version: 2358
Windows 5.1.2600 Service Pack 3

2009.07.01 19:59:23
mbam-log-2009-07-01 (19-59-23).txt

Scan type: Quick Scan
Objects scanned: 100714
Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\onestepsearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ONESTEP_SEARCH_SERVICE (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\program files\shoppingreport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\program files\shoppingreport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\premieropinion (Spyware.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\shoppingreport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Uninstall Instructions.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\program files\onestepsearch\home.js (Adware.OneStepSearch) -> Quarantined and deleted successfully.
c:\program files\onestepsearch\onestep.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
c:\program files\onestepsearch\readme.html (Adware.OneStepSearch) -> Quarantined and deleted successfully.
c:\program files\onestepsearch\uninstall.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
c:\program files\premieropinion\pmservice.exe (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
2. HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:07:56, on 2009.07.01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Software602\Print2PDF\PrnPack.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ABBYY Lingvo 12\Lvagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\WebMoney Agent\wmagent.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ABBYY FineReader 9.0\NetworkLicenseServer.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
H:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
h:\ElsaWin\bin\LcSvrAdm.exe
h:\ElsaWin\bin\LcSvrDba.exe
h:\ElsaWin\bin\LcSvrHis.exe
h:\ElsaWin\bin\LcSvrPas.exe
h:\ElsaWin\bin\LcSvrSaz.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
h:\ElsaWin\bin\VSgate.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
h:\ElsaWin\bin\LcSvrAuf.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\System32\svchost.exe
G:\avg_free_stf_en_85_386a1586.exe
C:\DOCUME~1\Tadas\LOCALS~1\Temp\7zS5.tmp\avgsetup.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.lt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {2BC712F4-B482-4FD6-B56F-065E19A7B1D5} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Iejimo i Windows Live pagalbos priemone - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrintPack dispatcher] "C:\Program Files\Software602\Print2PDF\PrnPack.exe" /server
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 12\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [UpdatePDRShortCut] "G:\PowerDirector\PowerDirector\MUITransfer\MUIStartMenu.exe" "G:\PowerDirector\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [wmagent.exe] "C:\Program Files\WebMoney Agent\wmagent.exe"
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSI ToolBar.lnk = H:\EPC\Toolbar\EPSIBar.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Translate with ABBYY &Lingvo... - res://C:\Program Files\ABBYY Lingvo 12\Lingvo.exe/3000
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\Program Files\Software602\Print2PDF\Print602.dll
O9 - Extra 'Tools' menuitem: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\Program Files\Software602\Print2PDF\Print602.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - h:\ElsaWin\bin\wiProt.dll
O23 - Service: ABBYY FineReader 9.0 Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\ABBYY FineReader 9.0\NetworkLicenseServer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - H:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - g:\xampp\FileZillaFTP\FileZillaServer.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: „Google“ atnaujinimo paslauga (gupdate1c9975a28bd7308) (gupdate1c9975a28bd7308) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ELSA Administration Service (LcSvrAdm) - Volkswagen AG - h:\ElsaWin\bin\LcSvrAdm.exe
O23 - Service: ELSA Auftragsverwaltungs Service (LcSvrAuf) - Volkswagen AG - h:\ElsaWin\bin\LcSvrAuf.exe
O23 - Service: ELSA DBA Server (LcSvrDba) - Volkswagen AG - h:\ElsaWin\bin\LcSvrDba.exe
O23 - Service: ELSA Historie Server (LcSvrHis) - Volkswagen AG - h:\ElsaWin\bin\LcSvrHis.exe
O23 - Service: ELSA PASS Server (LcSvrPAS) - Volkswagen AG - h:\ElsaWin\bin\LcSvrPas.exe
O23 - Service: ELSA APOSpro Server (LcSvrSaz) - Volkswagen AG - h:\ElsaWin\bin\LcSvrSaz.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Rainbow Technologies - C:\WINDOWS\system32\spnsrvnt.exe
O23 - Service: ELSA Vaudis Service (VSGate) - Volkswagen AG - h:\ElsaWin\bin\VSgate.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - g:\xampp\service.exe (file missing)

--
End of file - 14718 bytes
 
The H drive is a hard drive partition, 199 GB, NTFS. Here's the ComboFix log:
ComboFix 09-07-01.04 - Tadas 2009.07.02 14:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.2029.1414 [GMT 3:00]
Running from: G:\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\PurpleBean.exe
c:\windows\Installer\16560c8.msi
c:\windows\system32\mlfcache.dat
H:\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-01 17:26 . 2009-03-30 07:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-01 17:26 . 2009-03-24 13:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-01 17:26 . 2009-02-13 09:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-01 17:26 . 2009-02-13 09:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-01 17:26 . 2009-07-01 17:26 -------- d-----w- c:\program files\Avira
2009-07-01 17:26 . 2009-07-01 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-01 17:07 . 2009-07-01 17:07 -------- d-----w- c:\program files\Trend Micro
2009-07-01 11:20 . 2009-07-01 11:20 -------- d-----w- c:\documents and settings\Tadas\Application Data\AVG8
2009-06-29 18:36 . 2009-06-29 18:36 -------- d-----w- c:\program files\VSTplugins
2009-06-29 18:31 . 2009-06-29 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-06-29 18:31 . 2009-06-29 18:31 -------- d-----w- c:\program files\Sony Setup
2009-06-28 20:17 . 2009-06-28 20:17 -------- d-----w- c:\program files\DB Software
2009-06-23 17:35 . 2009-06-23 17:35 -------- d-----w- C:\Bosch
2009-06-21 20:42 . 2009-06-21 20:43 -------- d-----w- c:\documents and settings\Tadas\Application Data\Restorer
2009-06-19 18:35 . 2007-06-04 15:57 62480 ----a-w- c:\windows\system\rbserial.dll
2009-06-19 18:25 . 2004-04-23 09:37 127488 ----a-w- c:\windows\system32\awn32b.dll
2009-06-19 18:25 . 2003-03-19 01:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2009-06-19 18:25 . 2001-12-19 20:03 36864 ---ha-w- c:\windows\system32\psvince.dll
2009-06-18 14:06 . 2008-05-01 02:28 1654869 ----a-w- c:\documents and settings\All Users\Application Data\DynuEncrypt.dll
2009-06-17 22:45 . 2009-06-17 22:45 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys
2009-06-17 21:59 . 2003-02-14 13:31 655360 ----a-w- c:\windows\system32\dslang32.dll
2009-06-17 21:59 . 2000-02-01 12:45 327680 ----a-w- c:\windows\system32\ldf251.dll
2009-06-17 21:58 . 2009-06-17 21:58 -------- d-----w- C:\ESI
2009-06-17 15:32 . 2009-03-12 09:53 483422 ----a-w- c:\windows\sttray.exe
2009-06-17 15:32 . 2009-03-12 09:53 171520 ----a-w- c:\windows\system32\st322000.dll
2009-06-17 14:50 . 2009-06-17 14:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\CyberLink
2009-06-16 23:12 . 2009-06-26 22:52 397312 ----a-w- c:\windows\esi_kl01.dat
2009-06-16 23:12 . 2009-06-26 23:08 -------- d-----w- c:\program files\Common Files\Spielberg DMS
2009-06-16 23:11 . 2005-01-19 12:42 557056 ----a-w- c:\windows\system32\snbd10dm.dll
2009-06-16 23:11 . 2005-01-19 12:42 526336 ----a-w- c:\windows\system32\snbd8w98.dll
2009-06-16 23:11 . 2005-01-19 12:42 86528 ----a-w- c:\windows\system32\Igsncx22.dll
2009-06-13 17:29 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-13 17:29 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 22:29 . 2009-06-11 22:29 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-06-11 17:24 . 2009-06-11 17:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-06-11 16:23 . 2009-06-17 09:54 -------- d-----w- c:\documents and settings\Tadas\Application Data\Xfire
2009-06-11 16:20 . 2008-07-08 07:16 807936 ----a-w- c:\documents and settings\Tadas\Application Data\Mozilla\Firefox\Profiles\8m1ngrzz.default\extensions\[email protected]\plugins\solidnm.exe
2009-06-11 16:20 . 2008-07-08 07:16 122880 ----a-w- c:\documents and settings\Tadas\Application Data\Mozilla\Firefox\Profiles\8m1ngrzz.default\extensions\[email protected]\plugins\npssn.dll
2009-06-10 08:59 . 2009-06-10 08:59 -------- d-----w- c:\program files\PonyProg2000
2009-06-10 08:59 . 2000-06-29 14:24 3584 ----a-w- c:\windows\system32\drivers\DLPORTIO.SYS
2009-06-10 08:59 . 2000-06-29 14:24 34816 ----a-w- c:\windows\system32\DLPORTIO.DLL
2009-06-03 17:53 . 2009-06-03 14:48 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-06-03 17:49 . 2009-06-03 17:52 -------- d-----w- c:\windows\vf_hip
2009-06-03 17:49 . 2009-06-03 17:52 -------- d-----w- c:\program files\Hide IP Platinum
2009-06-03 17:44 . 2009-06-03 17:44 -------- d-----w- c:\program files\Hide IP NG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 11:15 . 2008-06-13 14:09 -------- d-----w- c:\documents and settings\Tadas\Application Data\Skype
2009-07-02 11:13 . 2008-07-23 16:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-02 11:11 . 2009-04-27 15:33 -------- d-----w- c:\documents and settings\Tadas\Application Data\Free Download Manager
2009-07-02 11:04 . 2008-06-13 14:10 -------- d-----w- c:\documents and settings\Tadas\Application Data\skypePM
2009-07-01 17:23 . 2008-10-26 19:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 15:05 . 2009-02-25 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-29 21:39 . 2008-08-04 20:24 2432 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-29 18:31 . 2008-08-05 10:27 -------- d-----w- c:\program files\Sony
2009-06-28 18:16 . 2009-01-19 23:18 -------- d-----w- c:\program files\Sprint-Layout50 (Demo)
2009-06-27 21:20 . 2008-06-13 14:54 -------- d-----w- c:\documents and settings\Tadas\Application Data\uTorrent
2009-06-27 18:38 . 2008-06-29 23:40 -------- d-----w- c:\program files\Opera
2009-06-26 17:16 . 2008-07-10 10:45 34 ----a-w- c:\documents and settings\Tadas\jagex_runescape_preferences.dat
2009-06-23 18:24 . 2009-02-28 17:55 26 ----a-w- c:\windows\popcinfo.dat
2009-06-18 19:32 . 2009-01-30 12:44 3532 ----a-w- C:\drmHeader.bin
2009-06-17 15:32 . 2009-02-03 15:12 -------- d-----w- c:\program files\IDT
2009-06-17 15:22 . 2008-06-05 11:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-17 09:02 . 2008-06-09 23:49 93920 ----a-w- c:\documents and settings\Tadas\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 13:40 . 2009-04-29 17:00 -------- d-----w- c:\program files\Gunz
2009-06-14 14:58 . 2008-09-17 18:49 -------- d-----w- c:\program files\ABBYY FineReader 9.0
2009-06-11 17:33 . 2009-04-29 17:07 -------- d--h--w- c:\documents and settings\Tadas\Application Data\ijjigame
2009-06-11 17:33 . 2008-09-05 01:32 558552 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PLauncher.exe
2009-06-10 13:39 . 2009-04-30 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-06-03 17:44 . 2008-06-21 19:32 -------- d-----w- c:\documents and settings\Tadas\Application Data\Hide IP NG
2009-05-31 19:39 . 2009-05-31 19:39 -------- d-----w- c:\program files\Youtube Downloader HD
2009-05-31 19:20 . 2009-05-31 19:20 -------- d-----w- c:\program files\CodeGazer
2009-05-29 12:32 . 2009-05-29 12:32 -------- d-----w- c:\program files\AnalogX
2009-05-29 12:32 . 2009-05-29 12:28 -------- d-----w- c:\program files\ProxyWay
2009-05-29 11:50 . 2009-05-29 11:50 -------- d-----w- c:\documents and settings\Tadas\Application Data\tor
2009-05-25 19:20 . 2008-06-27 10:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-05-20 13:45 . 2009-04-27 17:56 -------- d-----w- c:\documents and settings\Tadas\Application Data\GetRightToGo
2009-05-20 12:39 . 2008-06-13 15:39 -------- d-----w- c:\program files\mIRC
2009-05-19 16:41 . 2009-05-19 16:41 -------- d-----w- c:\program files\ProtectDisc Driver Installer
2009-05-19 16:39 . 2009-05-19 16:39 -------- d-----w- c:\program files\ECA
2009-05-19 12:19 . 2008-07-23 17:45 -------- d-----w- c:\program files\Google
2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w- c:\program files\MProg 3.0a
2009-05-19 10:24 . 2009-05-19 10:22 -------- d-----w- c:\program files\Hpmbcalc
2009-05-19 06:58 . 2009-04-06 17:42 -------- d-----w- c:\program files\Windows Desktop Search
2009-05-15 15:28 . 2009-05-15 14:47 -------- d-----w- c:\program files\RealArcade
2009-05-15 14:51 . 2009-05-15 14:51 -------- d-----w- c:\documents and settings\Tadas\Application Data\iWin
2009-05-13 05:15 . 2008-05-11 08:59 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 17:48 . 2009-04-29 17:03 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-11 20:35 . 2008-09-02 21:59 68 --sh--r- C:\modiog.sys
2009-05-10 11:05 . 2009-05-10 11:04 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-05-10 10:58 . 2009-01-28 21:34 -------- d-----w- c:\documents and settings\Tadas\Application Data\DivX
2009-05-09 18:44 . 2009-05-09 18:44 782795312 ----a-w- c:\documents and settings\Tadas\Application Data\ijjigame\DriftCity_Setup.exe
2009-05-09 18:31 . 2009-05-09 18:31 -------- d-----w- c:\documents and settings\Tadas\Application Data\NPLUTO Corporation
2009-05-07 15:32 . 2008-04-14 04:41 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:05 . 2009-03-18 19:46 1 ----a-w- c:\documents and settings\Tadas\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-04 22:02 . 2009-03-24 17:33 -------- d-----w- c:\program files\Silca Software
2009-05-04 19:47 . 2008-11-19 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-30 15:28 . 2009-04-30 15:47 480688 ----a-w- c:\documents and settings\Tadas\Application Data\ijjigame\ijjistarter2FxB.exe
2009-04-30 15:26 . 2009-04-30 15:26 52105 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\uninst.exe
2009-04-29 21:18 . 2009-04-29 21:18 2368 ----a-w- c:\windows\system32\SVKP.sys
2009-04-29 17:07 . 2009-04-30 11:13 480688 ----a-w- c:\documents and settings\Tadas\Application Data\ijjigame\ijjistarter2.exe
2009-04-17 12:26 . 2008-04-14 00:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-14 04:42 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-09 19:28 . 2008-11-22 21:07 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-17 490952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-01-07 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"PrintPack dispatcher"="c:\program files\Software602\Print2PDF\PrnPack.exe" [2007-11-23 73728]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-03-30 503808]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"Lingvo Launcher"="c:\program files\ABBYY Lingvo 12\Lvagent.exe" [2006-12-13 258048]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-11-27 2169368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"UpdatePDRShortCut"="g:\powerdirector\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"wmagent.exe"="c:\program files\WebMoney Agent\wmagent.exe" [2008-10-01 209376]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-02 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\Tadas\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= avnotify.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"g:\\Zaidimai\\Need For Speed Underground 2 [RIP]\\Underground 2 [Caged]\\Underground 2\\speed2.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\mIRC\\uninstall.exe _=C\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"g:\\Zaidimai\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enGB-downloader.exe"=
"g:\\Zaidimai\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enGB-downloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\zMule\\zmule.exe"=
"g:\\Zaidimai\\World of Warcraft\\Launcher.exe"=
"g:\\Zaidimai\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enGB-downloader.exe"=
"g:\\Visokie softai\\NRPG RatioMaster.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\Gunz\\Gunz.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"g:\\Zaidimai\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6112:TCP"= 6112:TCP:Diablo II
"443:TCP"= 443:TCP:SSL
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"20978:TCP"= 20978:TCP:Torrent
"15082:TCP"= 15082:TCP:*:Disabled:SolidNetworkManager
"15082:UDP"= 15082:UDP:*:Disabled:SolidNetworkManager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008.06.18 02:28 39472]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008.05.11 12:02 143360]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 Licensing Service;c:\program files\ABBYY FineReader 9.0\NetworkLicenseServer.exe [2007.09.25 00:11 566560]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [2008.01.23 11:19 501560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009.07.01 20:26 108289]
R2 COSIDS_TB;COSIDS_TB;h:\progra~1\COSIDS\BIN\TbMux32.exe [2008.09.05 19:21 165376]
R2 LcSvrAdm;ELSA Administration Service;h:\elsawin\bin\LcSvrAdm.exe [2008.10.30 00:28 147456]
R2 LcSvrDba;ELSA DBA Server;h:\elsawin\bin\LcSvrDba.exe [2008.10.30 00:28 241664]
R2 LcSvrHis;ELSA Historie Server;h:\elsawin\bin\LcSvrHis.exe [2008.10.30 00:28 217088]
R2 LcSvrPAS;ELSA PASS Server;h:\elsawin\bin\LcSvrPas.exe [2008.10.30 00:28 368640]
R2 LcSvrSaz;ELSA APOSpro Server;h:\elsawin\bin\LcSvrSaz.exe [2009.06.15 11:51 249856]
R2 NSHE;Guardant Emulator Driver;c:\windows\system32\drivers\NSHE.SYS [2009.02.11 02:56 97792]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2009.04.30 00:18 2368]
R2 VSGate;ELSA Vaudis Service;h:\elsawin\bin\VSGate.exe [2008.10.30 00:28 81920]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;h:\elsawin\bin\LcSvrAuf.exe [2008.10.30 00:28 1306624]
S0 pxark;pxark; [x]
S2 gupdate1c9975a28bd7308;Google Update Service (gupdate1c9975a28bd7308);c:\program files\Google\Update\GoogleUpdate.exe [2009.02.25 18:03 133104]
S2 XAMPP;XAMPP Service;g:\xampp\service.exe --> g:\xampp\service.exe [?]
S3 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.SYS [2009.06.10 11:59 3584]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006.08.28 23:54 10664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009.01.14 23:00 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009.01.14 23:00 8320]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 TpUsb;TpUsb Driver (TpUsb.sys);c:\windows\system32\Drivers\TpUsb.sys --> c:\windows\system32\Drivers\TpUsb.sys [?]
S3 XDva120;XDva120;\??\c:\windows\system32\XDva120.sys --> c:\windows\system32\XDva120.sys [?]
S3 XDva234;XDva234;\??\c:\windows\system32\XDva234.sys --> c:\windows\system32\XDva234.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-25 14:08]

2009-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-25 15:03]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-25 15:03]

2009-07-02 c:\windows\Tasks\User_Feed_Synchronization-{B4194F27-6ED5-427D-90A3-6E765ADA04B3}.job
- c:\windows\system32\msfeedssync.exe [2008-05-11 01:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2BC712F4-B482-4FD6-B56F-065E19A7B1D5} - (no file)
HKCU-Run-ProxyWay - c:\program files\ProxyWay\proxyway.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.lt/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Translate with ABBYY &Lingvo... - c:\program files\ABBYY Lingvo 12\Lingvo.exe/3000
IE: {{5B7027AD-AA6D-40df-8F56-9560F277D2A5} - {E4ABF418-CB30-470C-BFF7-674AC0FC564F} - c:\program files\Software602\Print2PDF\Print602.dll
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
FF - ProfilePath - c:\documents and settings\Tadas\Application Data\Mozilla\Firefox\Profiles\8m1ngrzz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.lt/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\documents and settings\Tadas\Application Data\Mozilla\Firefox\Profiles\8m1ngrzz.default\extensions\[email protected]\components\BkMrkExt.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\Tadas\Application Data\Mozilla\Firefox\Profiles\8m1ngrzz.default\extensions\[email protected]\plugins\npssn.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\NPDocBox.dll
FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 14:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-2000478354-1177238915-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0C0DB6AA-1A4B-39C4-882B-CAD9576C5D32}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abjnaonphncjalmkockjjpccnhglhglfid"=hex:61,61,00,00
"maknlndcanndkealpbminkjnog"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-1957994488-2000478354-1177238915-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:55,af,eb,fb,90,ff,b4,79,03,d4,9d,b9,96,ec,5c,e7,ad,bf,0a,8e,16,7d,96,
9c,bb,56,30,8b,d6,82,92,3d,45,0b,fe,de,78,5b,f0,15,39,5c,c1,64,cf,ab,6f,b1,\
"??"=hex:03,19,76,33,70,8c,2e,19,d1,71,a8,71,bc,15,cf,05

[HKEY_LOCAL_MACHINE\software\Classes\.asc\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3404)
c:\windows\system32\WININET.dll
c:\program files\ABBYY Lingvo 12\LvHook.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\IntelXPV_v103\WDM\stacsv.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2009-07-02 14:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-02 11:17

Pre-Run: 6.451.372.032 bytes free
Post-Run: 6.721.200.128 bytes free

362 --- E O F --- 2009-06-13 21:32
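The listing above is raw ComboFix output, and the entries a responder checks first are the ones the tool could not tie to a file on disk: a Run/RunOnce value tagged [X], a service or driver whose image is followed by [x] or [?], and a DisallowRun policy that stops Explorer from launching a named executable (here avnotify.exe, the notifier that ships with the Avira product installed on this machine). The Python script below is an added example, not part of the original post and not ComboFix's own code; it parses those three line shapes from a handful of lines copied from the log and lists them for review. The reading of the [x]/[?] markers as "file missing / not verified" is the usual one and is an assumption of the script. A flagged line is a prompt to check that entry, not a verdict on it.

```python
r"""Triage helper for ComboFix-style autostart and service listings.

Added example; not part of the original post and not ComboFix's own code.
It understands three line shapes that appear in the log:

  [HKEY_...\...\Run]                         a registry section header
  "Name"="c:\path\file.exe" [date size]      an autostart value; [X] = file missing
  R0 name;display;c:\path\file [date size]   a service/driver; [x] or [?] after the
                                             image = the tool could not verify the file
                                             (assumed reading of the markers)
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<body>.*?)\s*$')
META_RE = re.compile(r'\[(?P<meta>[^\[\]]*)\]\s*$')  # trailing [date size] or [X]
SERVICE_RE = re.compile(r'^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')

AUTOSTART_KEYS = ('\\currentversion\\run', '\\currentversion\\runonce')
DISALLOW_KEY = '\\policies\\explorer\\disallowrun'


@dataclass(frozen=True)
class Finding:
    kind: str     # 'autostart-missing' | 'disallowrun' | 'service-unverified'
    name: str     # registry value name or service name
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries a responder should look at first, in log order."""
    findings: list[Finding] = []
    section = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SECTION_RE.match(line)
        if m:                                   # remember which key we are in
            section = m.group('key').lower()
            continue

        m = SERVICE_RE.match(line)
        if m:                                   # R0/S3-style service or driver line
            rest = m.group('rest').strip()
            if rest.endswith('[x]') or rest.endswith('[?]'):
                image = rest[:-3].strip() or '(no image path)'
                findings.append(Finding('service-unverified', m.group('name'),
                                        f"{m.group('start')} service image not verified: {image}"))
            continue

        m = VALUE_RE.match(line)
        if not m:
            continue
        name, body = m.group('name'), m.group('body')
        if section.endswith(DISALLOW_KEY):
            # Explorer refuses to launch any executable named under DisallowRun.
            findings.append(Finding('disallowrun', name, f'Explorer is configured to block {body}'))
        elif section.endswith(AUTOSTART_KEYS):
            meta = META_RE.search(body)
            if meta and meta.group('meta').strip().upper() == 'X':
                image = body[:meta.start()].strip().strip('"')
                findings.append(Finding('autostart-missing', name,
                                        f'autostart value points to a missing file: {image}'))
    return findings


# Constructed sample: a few lines copied from the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-02 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= avnotify.exe

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009.07.01 20:26 108289]
S0 pxark;pxark; [x]
S2 XAMPP;XAMPP Service;g:\xampp\service.exe --> g:\xampp\service.exe [?]
S3 XDva120;XDva120;\??\c:\windows\system32\XDva120.sys --> c:\windows\system32\XDva120.sys [?]
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind:<20} {f.name:<24} {f.detail}')
```

Run it on a whole saved log and the boot-start driver with no file at all (S0 pxark) comes out next to the two XDva*.sys drivers with unverified images, which is the short list to cross-check against a file listing before deciding what to remove.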
WOW
It's fixed. I posted this problem in General Software before, and I did two screens; I won't try with AVG, because I have Avira now, but WinXP Manager works, I think it helped me. Thank you.