Help Me To Remove Malware/virus In My Pc


  • This topic is locked
119 replies to this topic

#1 dinesh4260

    Forum Regular

  • Members
  • 184 posts
  • Gender: Male
  • Location: Chennai

Posted 07 August 2008 - 07:39 PM

Hi, I am Dinesh :thumbsup:. I am using a Compaq Presario PC with a P4 (3.06 GHz), 1 GB RAM and a 160 GB hard disk.
Whenever I open a new window (like My Computer etc.) I get a message from my AVG 8.0 Free Edition Resident Shield like
" Threat detected
file name c:\WINDOWS\system 32...."
and many more messages from my Resident Shield. I don't know how to remove these things,
and I have AVG and Malwarebytes and I tried to remove it, but nothing seems to work for me.
And my computer has dramatically slowed down, even at start-up.

And I have posted the scan results of Deckard's System Scanner and the HijackThis log file along with it at the bottom.


Deckard's System Scanner v20071014.68
Run by mars on 2008-08-07 06:41:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
8: 2008-08-07 01:11:30 UTC - RP8 - Deckard's System Scanner Restore Point
7: 2008-08-07 00:07:43 UTC - RP7 - System Checkpoint
6: 2008-08-05 23:37:44 UTC - RP6 - System Checkpoint
5: 2008-08-04 23:28:32 UTC - RP5 - Removed USBCV13
4: 2008-08-04 23:24:52 UTC - RP4 - Installed USBCV13


-- First Restore Point --
1: 2008-08-03 02:07:20 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as mars.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:32 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\utorrent-1.8-rc6.upx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\setup files\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mars.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 202.165.102.205 w3og.cn
O1 - Hosts: 203.208.35.100 qazc.fourtw.cn
O1 - Hosts: 203.208.35.100 www.aujoy.cn
O1 - Hosts: 203.208.35.101 www.hao601.cn
O1 - Hosts: 203.208.35.101 www.psp476.cn
O1 - Hosts: 72.14.235.99 222.1212l112.net
O1 - Hosts: 72.14.235.99 444.1212l112.netn
O1 - Hosts: 72.14.235.99 555.1212l112.net
O1 - Hosts: 72.14.235.99 111.1212l112.net
O1 - Hosts: 65.55.21.250 111.3243l24.com
O1 - Hosts: 65.55.21.250 222.3243l24.com
O1 - Hosts: 65.55.21.250 333.3243l24.com
O1 - Hosts: 125.64.8.112 kao2.gmwo03.com
O1 - Hosts: 125.64.8.112 kao.gmwo06.com
O1 - Hosts: 125.64.8.112 444.gmwo07.com
O1 - Hosts: 116.252.185.15 ru.update365.us
O1 - Hosts: 116.252.185.15 ad.update365.us
O1 - Hosts: 207.46.232.182 popmails.net
O1 - Hosts: 203.208.37.99 3.goodhh.com
O1 - Hosts: 220.181.37.55 down.rwixr.com
O1 - Hosts: 160.79.42.52 www.xdj2008.com
O1 - Hosts: 63.175.76.152 www.revtr.cn
O1 - Hosts: 219.133.40.91 qq.ljsll.com
O1 - Hosts: 203.208.35.102 www.aassccwe.cn
O1 - Hosts: 209.132.177.50 973.aksjd11.com
O1 - Hosts: 209.132.177.50 974.aksjd11.com
O1 - Hosts: 209.132.177.50 971.aksjd11.com
O1 - Hosts: 209.132.177.50 975.aksjd11.com
O1 - Hosts: 72.14.235.104 user1.12-39.net
O1 - Hosts: 72.14.235.147 www.infomt.net
O1 - Hosts: 192.150.18.101 ata1.sysions.net
O1 - Hosts: 192.150.18.101 ata2.sysions.net
O1 - Hosts: 192.150.18.101 ata3.sysions.net
O1 - Hosts: 192.150.18.101 ata4.sysions.net
O1 - Hosts: 193.120.42.226 8nnnnn99.cn
O1 - Hosts: 24.39.54.34 www.haoaoao.cn
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: detxbiua.dll - {20618412-C528-C784-C056-C164D1F7C502} - C:\WINDOWS\system32\detxbiua.dll (file missing)
O2 - BHO: ijdybpaw.dll - {2A698452-C5D8-C584-C256-C264C987C5A2} - C:\WINDOWS\system32\ijdybpaw.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: pqzfajke.dll - {60A345CD-ABCD-EFAB-CDEF-ABCD01020306} - C:\WINDOWS\system32\pqzfajke.dll (file missing)
O2 - BHO: zywmgime.dll - {7319A1F1-9410-9654-3201-345FFA349137} - C:\WINDOWS\system32\zywmgime.dll (file missing)
O2 - BHO: (no name) - {813DD04F-261A-428A-8309-3F541B2D2564} - c:\windows\system32\ziaashl.dll
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216438706155
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37B9D-5325-4248-9133-6C46B1F469C4}: NameServer = 218.248.255.146,218.248.240.46
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: tisqdtyu.dll,NTNJXSJTVC.dll,comremo.dll,myasemt.dll,googleons.dll,welycz.dll,jsnoer.dll,ezcron.dll,joliom.dll,fackwir.dll,caotxb.dll,ceshleo.dll,nhmxejkl.dll,woswelc.dll,avgrsstx.dll, mssetd.dll tiplict.dll businesn.dll esceps.dll keyiftp.dll baccops.dll aliens.dll offscrl.dll cmonos.dll wdhotem.dll xpsbos.dll manleu.dll squalle.dll therbrek.dll jolin0.dll
O20 - Winlogon Notify: obklooga - C:\WINDOWS\SYSTEM32\ziaashl.dll
O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATI WebPAM (ATIWebPAM) - Unknown owner - C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 10291 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1002&DEV_4374&SUBSYS_2A31103C&REV_80\3&267A616A&0&98
Manufacturer: (Standard USB Host Controller)
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1002&DEV_4374&SUBSYS_2A31103C&REV_80\3&267A616A&0&98
Service:

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1002&DEV_4375&SUBSYS_2A31103C&REV_80\3&267A616A&0&99
Manufacturer: (Standard USB Host Controller)
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1002&DEV_4375&SUBSYS_2A31103C&REV_80\3&267A616A&0&99
Service:

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1002&DEV_4373&SUBSYS_2A31103C&REV_80\3&267A616A&0&9A
Manufacturer: (Standard USB Host Controller)
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1002&DEV_4373&SUBSYS_2A31103C&REV_80\3&267A616A&0&9A
Service:

Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\4&B4B0D3&0&18A4
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\4&B4B0D3&0&18A4
Service:

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Audio Codecs
Device ID: ROOT\MEDIA\MS_MMACM
Manufacturer: (Standard system devices)
Name: Audio Codecs
PNP Device ID: ROOT\MEDIA\MS_MMACM
Service:

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6233
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6233
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-08-07 06:43:11 0 d-------- C:\Program Files\Trend Micro
2008-08-07 02:48:28 0 d-------- C:\WINDOWS\LastGood
2008-08-06 18:40:27 0 d-------- C:\WINDOWS\pss
2008-08-05 04:13:10 0 d-------- C:\Documents and Settings\mars\Application Data\zweitgeist
2008-08-04 18:51:22 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-08-04 18:49:47 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-08-04 18:33:02 0 d-------- C:\Program Files\ATI
2008-08-04 18:28:52 0 d-------- C:\Program Files\Realtek
2008-08-04 18:28:36 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-08-04 18:26:17 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-08-04 18:25:29 0 d-------- C:\ATI
2008-08-03 14:04:07 0 d--h----- C:\$AVG8.VAULT$
2008-08-03 07:34:07 18048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
2008-08-03 07:33:49 15872 --a------ C:\WINDOWS\system32\drivers\cdralw.sys
2008-08-03 07:33:48 53248 --a------ C:\WINDOWS\linkinfo.dll
2008-08-03 07:33:40 266240 --a------ C:\WINDOWS\Update.dll
2008-08-03 07:33:07 24576 --a------ C:\WINDOWS\system32\squalle.dll
2008-08-03 07:33:00 24576 --a------ C:\WINDOWS\system32\xpsbos.dll
2008-08-03 07:32:17 28672 --a------ C:\WINDOWS\system32\aliens.dll
2008-08-03 07:32:13 24576 --a------ C:\WINDOWS\system32\baccops.dll
2008-08-03 07:31:56 28672 --a------ C:\WINDOWS\system32\keyiftp.dll
2008-08-03 07:31:35 272384 --ah----- C:\WINDOWS\system32\ddserh.dll
2008-08-03 07:31:19 265216 --ah----- C:\WINDOWS\system32\wzcfsw.dll
2008-08-03 07:31:05 14336 --a------ C:\WINDOWS\system32\mssetdk.exe
2008-08-02 07:39:13 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-08-02 07:36:17 717296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-08-02 07:36:13 0 d-------- C:\Documents and Settings\mars\Application Data\DAEMON Tools
2008-08-02 06:40:06 0 d-------- C:\Documents and Settings\mars\Application Data\vlc
2008-08-02 06:38:26 0 d-------- C:\Program Files\VideoLAN
2008-07-29 02:25:13 0 d-------- C:\Program Files\uTorrent
2008-07-29 02:25:03 0 d-------- C:\Documents and Settings\mars\Application Data\uTorrent
2008-07-27 06:51:28 0 d-------- C:\Program Files\Microsoft Games
2008-07-26 07:53:19 0 dr-h----- C:\Documents and Settings\mars\Application Data\yahoo!
2008-07-26 06:44:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-26 06:39:39 0 dr------- C:\Program Files\Yahoo!
2008-07-25 05:06:31 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-23 04:46:13 20 --a------ C:\WINDOWS\system32\mhsha1.dat
2008-07-23 03:44:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-07-22 07:36:23 0 d-------- C:\Program Files\directx
2008-07-22 06:49:56 50688 --a------ C:\Program Files\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2008-07-22 04:11:48 0 dr------- C:\Program Files\SpeedBit Video Accelerator
2008-07-22 04:07:12 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-22 04:06:58 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2008-07-22 04:06:57 0 dr------- C:\Program Files\DAP
2008-07-21 06:45:37 0 d-------- C:\Documents and Settings\mars\Application Data\Malwarebytes
2008-07-21 06:45:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 06:45:33 0 dr------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 06:44:02 0 d-------- C:\Program Files\setup files
2008-07-20 08:59:39 0 d-------- C:\Program Files\avg and norton extracts
2008-07-20 08:47:43 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-20 08:47:43 0 d-------- C:\Documents and Settings\mars\Application Data\AVGTOOLBAR
2008-07-20 08:47:39 0 dr------- C:\Program Files\AVG
2008-07-20 08:47:39 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-19 17:15:01 0 d-------- C:\Documents and Settings\mars\My Document
2008-07-19 17:04:07 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-07-19 16:37:02 0 d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-07-19 09:09:04 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-19 08:54:51 24 --a------ C:\WINDOWS\system32\wymxajkl.sys
2008-07-13 18:55:26 0 d-------- C:\Documents and Settings\mars\Application Data\Symantec
2008-07-13 18:55:25 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-13 14:49:26 38048 --a------ C:\WINDOWS\system32\drivers\HBKernel.sys
2008-07-13 10:35:14 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-07-13 10:35:14 0 d-------- C:\Documents and Settings\NetworkService\Application Data\aomyqlxs
2008-07-12 15:27:26 0 d-------- C:\Documents and Settings\mars\Application Data\Mozilla
2008-07-12 15:27:26 0 d-------- C:\Documents and Settings\mars\Application Data\aomyqlxs
2008-07-12 09:27:45 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-12 09:27:45 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-12 09:27:45 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-12 09:27:45 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-12 09:27:45 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-12 09:27:45 499712 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-12 09:27:45 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-12 09:27:45 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-12 09:27:45 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-12 09:27:45 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-12 09:27:45 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-12 09:27:45 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-12 09:27:45 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-12 09:27:45 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-12 09:27:38 0 d--hs---- C:\WINDOWS\CSC
2008-07-11 21:52:42 8 --a------ C:\WINDOWS\system32\Update.dat
2008-07-11 07:04:51 24 --a------ C:\WINDOWS\system32\pzwlaime.sys
2008-07-11 07:03:31 36 --a------ C:\WINDOWS\system32\ijsgajba.sys
2008-07-10 09:43:48 17144 --a------ C:\Documents and Settings\mars\Application Data\GDIPFONTCACHEV1.DAT
2008-07-09 13:58:46 36 --a------ C:\WINDOWS\system32\qbhxaklo.sys


-- Find3M Report ---------------------------------------------------------------

2008-08-05 16:45:01 5545 --a------ C:\Documents and Settings\mars\Application Data\studio.xnf
2008-08-04 18:33:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-20 16:56:15 0 dr------- C:\Program Files\Common Files\Nokia
2008-07-20 16:55:35 0 dr------- C:\Program Files\Common Files\Real
2008-07-20 16:53:45 0 dr------- C:\Program Files\MSN Gaming Zone
2008-07-20 16:52:59 0 dr------- C:\Program Files\AvRack
2008-07-20 10:33:03 0 dr------- C:\Program Files\GRETECH
2008-07-20 10:31:18 0 dr------- C:\Program Files\Movie Maker
2008-07-20 10:27:09 0 dr------- C:\Program Files\Realtek Sound Manager
2008-07-20 10:26:12 0 dr------- C:\Program Files\Nero
2008-07-20 10:24:34 0 dr------- C:\Program Files\Winamp
2008-07-20 10:23:55 0 dr------- C:\Program Files\Real
2008-07-20 10:22:53 0 dr------- C:\Program Files\Nokia
2008-07-13 18:55:25 0 d-------- C:\Program Files\Common Files
2008-07-13 06:44:13 0 --a------ C:\WINDOWS\Sysvxd.exe
2008-07-12 06:54:55 24 --a------ C:\WINDOWS\system32\pzwmaime.sys
2008-07-12 06:54:54 36 --a------ C:\WINDOWS\system32\ijzhatde.sys
2008-07-05 12:39:01 24 --a------ C:\WINDOWS\system32\sqjsakaq.sys
2008-06-30 10:08:13 186 --a------ C:\MicroSoft.vbs
2008-06-30 10:08:11 30 --a------ C:\MicroSoft.bat
2008-06-27 08:59:59 0 d-------- C:\Documents and Settings\mars\Application Data\WinRAR
2008-06-25 11:43:01 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-06-21 15:26:20 287 --a------ C:\WINDOWS\EReg072.dat
2008-06-21 01:11:36 0 d-------- C:\Documents and Settings\mars\Application Data\Adobe
2008-06-20 08:04:33 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-17 16:45:43 38384 --a------ C:\Documents and Settings\mars\Application Data\NMM-MetaData.db
2008-06-17 14:10:10 0 d-------- C:\Documents and Settings\mars\Application Data\PC Suite
2008-06-17 11:49:00 0 d-------- C:\Program Files\Common Files\PCSuite
2008-06-17 11:48:50 0 d-------- C:\Program Files\DIFX
2008-06-17 11:48:33 0 d-------- C:\Program Files\PC Connectivity Solution
2008-06-15 23:04:48 0 d-------- C:\Documents and Settings\mars\Application Data\Google
2008-06-15 10:32:57 0 d-------- C:\Program Files\jvm
2008-06-15 10:32:40 5107041 --a------ C:\Program Files\jvm.zip
2008-06-14 07:33:47 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-12 15:59:18 0 d-------- C:\Documents and Settings\mars\Application Data\Macromedia
2008-06-07 09:22:01 0 d-------- C:\Documents and Settings\mars\Application Data\Ahead
2008-06-07 08:41:34 0 d-------- C:\Documents and Settings\mars\Application Data\CyberLink
2008-06-06 19:58:28 62 --ahs---- C:\Documents and Settings\mars\Application Data\desktop.ini
2008-06-06 14:40:00 0 -rahs---- C:\MSDOS.SYS
2008-06-06 14:40:00 0 -rahs---- C:\IO.SYS
2008-06-06 14:40:00 0 --a------ C:\CONFIG.SYS
2008-06-06 14:40:00 0 --a------ C:\AUTOEXEC.BAT
2008-06-06 14:36:50 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20618412-C528-C784-C056-C164D1F7C502}]
C:\WINDOWS\system32\detxbiua.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A698452-C5D8-C584-C256-C264C987C5A2}]
C:\WINDOWS\system32\ijdybpaw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}]
C:\WINDOWS\system32\pqzfajke.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7319A1F1-9410-9654-3201-345FFA349137}]
C:\WINDOWS\system32\zywmgime.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{813DD04F-261A-428A-8309-3F541B2D2564}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/20/2008 08:47 AM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/20/2008 08:47 AM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [12/07/2005 10:57 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [05/18/2006 11:29 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/06/2008 03:52 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [11/08/2006 01:27 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"WindowsHive"="C:\WINDOWS\system32\rpcc.exe" []
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/20/2008 08:47 AM]
"3PMmUpdate"="C:\WINDOWS\Update.dll" [08/03/2008 07:33 AM]
"RTHDCPL"="RTHDCPL.EXE" [07/03/2008 04:51 PM C:\WINDOWS\RTHDCPL.exe]
"SoundMan"="SOUNDMAN.EXE" [06/18/2008 06:01 PM C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [06/19/2008 04:42 PM C:\WINDOWS\alcwzrd.exe]
"Alcmtr"="ALCMTR.EXE" [06/19/2008 04:20 PM C:\WINDOWS\Alcmtr.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/01/2007 10:21 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:26 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [07/24/2008 08:32 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2A698452-C5D8-C584-C256-C264C987C5A2}"= C:\WINDOWS\system32\ijdybpaw.dll [ ]
"{20618412-C528-C784-C056-C164D1F7C502}"= C:\WINDOWS\system32\detxbiua.dll [ ]
"{7319A1F1-9410-9654-3201-345FFA349137}"= C:\WINDOWS\system32\zywmgime.dll [ ]
"{8A041F13-A111-12A3-B0CF-F99818AA68A8}"= C:\WINDOWS\system32\zxmsewin.dll [ ]
"{87FD640A-158F-48AC-FD14-1597F14A9778}"= C:\WINDOWS\system32\mndshsrv.dll [ ]
"{6A908760-8000-4000-A000-9000322145A6}"= C:\WINDOWS\system32\akjsfkaq.dll [ ]
"{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}"= C:\WINDOWS\system32\pqzfajke.dll [ ]
"{5A069845-2036-6084-9054-6087502480A5}"= C:\WINDOWS\system32\ozfyebyt.dll [ ]
"{3D698451-2015-6358-9871-2015987452D3}"= C:\WINDOWS\system32\apzhctde.dll [ ]
"{8C8D1401-A58D-A81C-CD24-A5915C4517C8}"= C:\WINDOWS\system32\mnmhhsrv.dll [ ]
"{45671234-7890-ABCD-CDEF-567801237654}"= C:\WINDOWS\system32\yxcsdhlp.dll [ ]
"{60940F85-F015-14F1-A05F-F69858AC6D06}"= C:\WINDOWS\system32\zptldsys.dll [ ]
"{37A924AF-1A5F-CF21-AB1D-1D5CF82A8A73}"= C:\WINDOWS\system32\zywlcime.dll [ ]
"{4D698451-2015-6358-9871-2015987452D4}"= C:\WINDOWS\system32\apzhdtde.dll [ ]
"{A1954FAC-1023-154F-895A-1458258AD81A}"= C:\WINDOWS\system32\ypdjhbmp.dll [ ]
"{40618412-C528-C784-C056-C164D1F7C504}"= C:\WINDOWS\system32\detxdiua.dll [ ]
"{97FD640A-158F-48AC-FD14-1597F14A9779}"= C:\WINDOWS\system32\mndsisrv.dll [ ]
"{49109876-7619-9101-7012-901938475194}"= C:\WINDOWS\system32\ietzdpaq.dll [ ]
"{6A069845-2036-6084-9054-6087502480A6}"= C:\WINDOWS\system32\ozfyfbyt.dll [ ]
"{8C954872-1230-6541-9548-6541025884C8}"= C:\WINDOWS\system32\fd233ds4f4.dll [ ]
"{9319A1F1-9410-9654-3201-345FFA349139}"= C:\WINDOWS\system32\zywmiime.dll [ ]
"{8FD45A54-9875-698F-E56E-65102358FDF8}"= C:\WINDOWS\system32\apsghjba.dll [ ]
"{50618412-C528-C784-C056-C164D1F7C505}"= C:\WINDOWS\system32\detxeiua.dll [ ]
"{47A924AF-1A5F-CF21-AB1D-1D5CF82A8A74}"= C:\WINDOWS\system32\zywldime.dll [ ]
"{C629FF4F-ACDB-5C90-A098-FACB3456A26C}"= C:\WINDOWS\system32\hdf453d1.dll [ ]
"{48093456-9012-4568-9076-908765467184}"= C:\WINDOWS\system32\tisqdtyu.dll [ ]
"{28766E1C-74B0-4417-8C75-F12AE309EF35}"= C:\WINDOWS\system32\wzcfsw.dll [08/03/2008 07:31 AM 265216]
"{A9895933-6636-4281-BC58-EE6DE2AF96E3}"= C:\WINDOWS\system32\ddserh.dll [08/03/2008 07:31 AM 272384]
"{0B846B26-BFE6-4E8E-A948-1DB17B77B483}"= C:\WINDOWS\system32\tdfhex.dll [ ]
"{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7}"= C:\WINDOWS\system32\fmcvxy.dll [ ]
"{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}"= C:\WINDOWS\system32\zsdgff.dll [ ]
"{6E6CA8A1-81BC-4707-A54C-F4903DD70BAD}"= C:\WINDOWS\system32\zgxfdx.dll [ ]
"{259BF3CF-194D-4FE6-9ADB-DE6544B098B6}"= C:\WINDOWS\system32\dndsaf.dll [ ]
"{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}"= C:\WINDOWS\system32\fsrgeb.dll [ ]
"{57AC9076-C898-B098-D098-A18319080975}"= C:\WINDOWS\system32\nhmxejkl.dll [ ]
"{7914E0AA-ECCB-4311-B584-C49538227824}"= C:\WINDOWS\system32\jhfrxz.dll [ ]
"{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}"= C:\WINDOWS\system32\hhrdxd.dll [ ]
"{8C41B7F7-3168-400D-A702-0E7EFE0BA304}"= C:\WINDOWS\system32\sgdewg.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DesktopWin"= {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll [08/03/2008 07:28 AM 14336]
"ThunderAdvise"= {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\obklooga]
ziaashl.dll 08/23/2001 01:00 PM 104448 C:\WINDOWS\system32\ziaashl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=tisqdtyu.dll,NTNJXSJTVC.dll,comremo.dll,myasemt.dll,googleons.dll,welycz.dll,jsnoer.dll,ezcron.dll,joliom.dll,fackwir.dll,caotxb.dll,ceshleo.dll,nhmxejkl.dll,woswelc.dll,avgrsstx.dll, mssetd.dll tiplict.dll businesn.dll esceps.dll keyiftp.dll baccops.dll aliens.dll offscrl.dll cmonos.dll wdhotem.dll xpsbos.dll manleu.dll squalle.dll therbrek.dll jolin0.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhd88.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhx22.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winky58.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlg64.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqv60.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winss42.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxt25.sys]
@="Driver"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ywdmwmbh


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe




-- Hosts -----------------------------------------------------------------------

202.165.102.205 972.aksjd11.com
202.165.102.205 w3og.cn
203.208.35.100 qazc.fourtw.cn
203.208.35.100 www.aujoy.cn
203.208.35.101 www.hao601.cn
203.208.35.101 www.psp476.cn
72.14.235.99 222.1212l112.net
72.14.235.99 444.1212l112.netn
72.14.235.99 555.1212l112.net
72.14.235.99 111.1212l112.net

9279 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-07 06:45:44 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.06GHz
CPU 1: Intel® Pentium® 4 CPU 3.06GHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 959.36 MiB / 466.26 MiB
Pagefile Memory (total/avail): 2313.93 MiB / 1885.5 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.32 MiB

C: is Fixed (NTFS) - 37.25 GiB total, 31.37 GiB free.
D: is Fixed (NTFS) - 37.25 GiB total, 31.36 GiB free.
E: is Fixed (NTFS) - 37.25 GiB total, 31.25 GiB free.
F: is Fixed (NTFS) - 37.28 GiB total, 33.93 GiB free.
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600JS-60NCB1 - 149.05 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 111.79 GiB - D: - E: - F:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Disabled:Download Accelerator Plus (DAP)"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"E:\\age of mythology\\EMPIRES2.EXE"="E:\\age of mythology\\EMPIRES2.EXE:*:Disabled:Age of Empires II"
"C:\\Program Files\\utorrent-1.8-rc6.upx.exe"="C:\\Program Files\\utorrent-1.8-rc6.upx.exe:*:Enabled:µTorrent"
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"="C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe:*:Enabled:VideoAccelerator"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mars\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MARS-C47DFC032A
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mars
LOGONSERVER=\\MARS-C47DFC032A
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\mars\LOCALS~1\Temp
TMP=C:\DOCUME~1\mars\LOCALS~1\Temp
USERDOMAIN=MARS-C47DFC032A
USERNAME=mars
USERPROFILE=C:\Documents and Settings\mars
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

mars (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Download Accelerator Plus (DAP) --> C:\PROGRA~1\DAP\DAPREMOVE.EXE
GOM Player --> "C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Grand Theft Auto Vice City --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B35F00C-E63D-40DC-9839-DF15A33EAC46}\setup.exe" -l0x9
GTA2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2987EE84-C4EE-4FF5-8160-32DE00D6ABC6}\Setup.exe" -l0x9
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Web Components --> MsiExec.exe /I{90260409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Nero 7 Essentials --> MsiExec.exe /X{66EBD70F-A42C-475F-AEDF-277378151033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0FF1922C-B6C4-40BB-AF30-BEF75A482444}
Nokia PC Suite --> MsiExec.exe /I{7B9031F8-6464-4687-893C-472D8D87527B}
PC Connectivity Solution --> MsiExec.exe /I{D8E4A66D-DB68-481F-ABA8-AC622566D4CB}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RoadRash --> C:\WINDOWS\uninst.exe -fe:\roadrash\DeIsL1.isu
SpeedBit Video Accelerator --> C:\PROGRA~1\SPEEDB~1\UNWISE.EXE C:\PROGRA~1\SPEEDB~1\INSTALL.LOG
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WebPAM --> C:\Program Files\InstallShield Installation Information\{EDC5E937-F707-4241-BB2F-111C4B83FF2C}\setup.exe -runfromtemp -l0x0409
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_6B630EE2E66584353C6CD8683D447072872F34D8\pccswpddriver.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.2 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}
XMLinst --> MsiExec.exe /I{EA23971F-2CEE-48FC-B64D-7F74A6EF90F0}
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type3544 / Error
Event Submitted/Written: 08/06/2008 06:40:48 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type3543 / Error
Event Submitted/Written: 08/06/2008 06:40:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application msconfig.exe, version 5.1.2600.2180, faulting module advapi32.dll, version 5.1.2600.2180, fault address 0x00067b91.
Processing media-specific event for [msconfig.exe!ws!]

Event Record #/Type3388 / Error
Event Submitted/Written: 08/04/2008 05:43:29 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rundll32.exe, version 5.1.2600.2180, faulting module advapi32.dll, version 5.1.2600.2180, fault address 0x00067eff.
Processing media-specific event for [rundll32.exe!ws!]

Event Record #/Type3369 / Error
Event Submitted/Written: 08/03/2008 02:53:22 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application gta2.exe, version 9.6.0.0, faulting module unknown, version 0.0.0.0, fault address 0x737816d4.
Processing media-specific event for [gta2.exe!ws!]

Event Record #/Type3366 / Error
Event Submitted/Written: 08/03/2008 11:21:40 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application gta2.exe, version 9.6.0.0, faulting module unknown, version 0.0.0.0, fault address 0x737816d4.
Processing media-specific event for [gta2.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4773 / Warning
Event Submitted/Written: 08/07/2008 06:00:52 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type4772 / Warning
Event Submitted/Written: 08/07/2008 04:11:37 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type4771 / Warning
Event Submitted/Written: 08/07/2008 03:17:00 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type4770 / Warning
Event Submitted/Written: 08/07/2008 02:49:40 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type4764 / Warning
Event Submitted/Written: 08/07/2008 02:35:57 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-08-07 06:45:44 ------------

Directories/Files moved to C:\Deckard\System Scanner\backup

2008-08-04 18:43:25 114688 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\6614.rra
2008-08-04 18:26:53 114688 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\958.rra
2008-08-04 18:39:06 20991 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Arabic.bin
2008-08-05 17:21:14 21176 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\atisketch.bmp
2006-09-19 01:01:40 57656 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Catalyst.bmp
2008-08-04 18:39:06 24321 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Czech.bin
2008-08-04 18:39:06 22794 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Danish.bin
2008-08-04 18:39:06 25758 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Dutch.bin
2008-08-05 17:21:15 21176 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\easpore.bmp
2008-08-04 18:39:06 21944 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\English.bin
2008-08-04 18:31:17 114688 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\ff23.rra
2008-08-04 18:39:06 22868 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Finnish.bin
2008-08-04 18:39:06 27246 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\French.bin
2008-08-05 17:21:17 21176 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\gardasil2.bmp
2008-08-04 18:39:06 25764 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\German.bin
2008-08-05 17:21:17 21176 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\gorving.bmp
2008-08-04 18:39:06 25093 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Greek.bin
2008-08-04 18:39:07 19564 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Hebrew.bin
2008-08-04 18:39:07 26094 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Hungarian.bin
2008-08-06 18:28:01 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT12.xml
2008-08-06 18:28:02 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT13.xml
2008-08-06 18:28:02 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT14.xml
2008-08-06 18:28:07 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT15.xml
2008-08-06 18:28:07 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT16.xml
2008-08-06 18:28:07 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT17.xml
2008-08-06 18:28:22 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT18.xml
2008-08-06 18:28:22 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT19.xml
2008-08-06 18:28:22 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT1A.xml
2008-08-04 17:42:24 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT1D.xml
2008-08-05 17:22:04 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT1E.xml
2008-08-05 17:22:04 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT1F.xml
2008-08-05 17:22:04 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT20.xml
2008-08-04 17:42:55 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT21.xml
2008-08-04 17:42:55 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT22.xml
2008-08-04 18:18:21 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT23.xml
2008-08-04 18:18:21 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT24.xml
2008-08-04 17:42:58 1022 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT25.dtd
2008-08-04 18:18:21 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT25.xml
2008-08-04 18:18:32 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT26.xml
2008-08-04 18:18:32 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT27.xml
2008-08-04 18:18:33 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT28.xml
2008-08-05 03:51:49 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT29.xml
2008-08-05 03:51:49 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT2A.xml
2008-08-05 03:51:49 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT2B.xml
2008-08-04 18:18:39 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT2C.xml
2008-08-05 20:59:48 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT2D.xml
2008-08-05 20:59:48 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT2E.xml
2008-08-06 07:02:07 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT2F.xml
2008-08-06 07:02:07 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT30.xml
2008-08-06 07:02:07 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT31.xml
2008-08-05 03:57:32 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT32.xml
2008-08-05 17:28:43 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT33.xml
2008-08-05 17:28:43 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT34.xml
2008-08-05 17:28:43 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT35.xml
2008-08-05 03:57:36 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT36.xml
2008-08-05 03:57:36 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT37.xml
2008-08-05 21:00:06 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT3B.xml
2008-08-05 21:00:07 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT3C.xml
2008-08-05 21:00:07 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT3D.xml
2008-08-04 17:43:59 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT40.xml
2008-08-04 17:43:59 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT41.xml
2008-08-04 17:44:00 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT42.xml
2008-08-06 18:42:32 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT46.xml
2008-08-06 18:42:32 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT47.xml
2008-08-06 18:42:32 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT48.xml
2008-08-06 18:42:37 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT49.xml
2008-08-06 18:42:37 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT4A.xml
2008-08-06 18:42:37 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT4B.xml
2008-08-06 18:42:40 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT4C.xml
2008-08-06 18:42:40 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT4D.xml
2008-08-06 18:42:40 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT4E.xml
2008-08-06 18:42:43 2232826 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT4F.xml
2008-08-06 18:42:44 1022 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT50.dtd
2008-08-04 18:20:48 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT52.xml
2008-08-05 21:00:22 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT53.xml
2008-08-05 21:00:22 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT54.xml
2008-08-05 21:00:22 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT55.xml
2008-08-04 18:21:15 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT5A.xml
2008-08-04 18:21:15 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT5B.xml
2008-08-04 18:21:15 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT5C.xml
2008-08-04 18:21:32 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT66.xml
2008-08-04 18:21:32 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT67.xml
2008-08-04 18:21:33 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT68.xml
2008-08-04 18:21:38 2232826 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT69.xml
2008-08-04 18:21:38 1022 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT6A.dtd
2008-08-04 18:21:40 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT6B.xml
2008-08-04 18:21:40 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT6C.xml
2008-08-04 18:21:40 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT6D.xml
2008-08-04 18:21:52 2232826 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT6E.xml
2008-08-04 18:21:52 1022 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT6F.dtd
2008-08-04 18:22:05 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT70.xml
2008-08-04 18:22:05 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT71.xml
2008-08-04 18:22:05 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT72.xml
2008-08-04 18:22:10 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT73.xml
2008-08-04 18:22:10 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT74.xml
2008-08-04 18:22:10 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT75.xml
2008-08-06 18:49:54 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT78.xml
2008-08-06 18:49:55 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT79.xml
2008-08-06 18:49:55 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT7A.xml
2008-08-06 18:50:18 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT7C.xml
2008-08-06 18:50:18 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT7D.xml
2008-08-06 18:50:18 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT7E.xml
2008-08-06 18:50:21 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT7F.xml
2008-08-06 18:50:21 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT80.xml
2008-08-06 18:50:21 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT81.xml
2008-08-06 18:50:47 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT8D.xml
2008-08-06 18:50:47 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT8E.xml
2008-08-06 18:50:47 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT8F.xml
2008-08-06 18:51:09 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT91.xml
2008-08-06 18:51:09 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT92.xml
2008-08-06 18:51:09 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT93.xml
2008-08-05 06:09:41 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT94.xml
2008-08-05 06:09:41 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT95.xml
2008-08-05 06:09:41 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMT96.xml
2008-08-06 18:51:49 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTA1.xml
2008-08-06 18:51:49 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTA2.xml
2008-08-06 18:51:49 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTA3.xml
2008-08-06 18:51:51 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTA4.xml
2008-08-06 18:51:51 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTA5.xml
2008-08-06 18:51:51 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTA6.xml
2008-08-06 18:52:07 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTA8.xml
2008-08-06 18:52:07 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTA9.xml
2008-08-06 18:52:07 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTAA.xml
2008-08-06 18:52:10 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTAB.xml
2008-08-06 18:52:10 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTAC.xml
2008-08-06 18:52:10 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTAD.xml
2008-08-06 18:52:14 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTAE.xml
2008-08-06 18:52:14 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTAF.xml
2008-08-06 18:52:14 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTB0.xml
2008-08-06 18:52:17 1994 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTB1.xml
2008-08-06 18:52:17 426 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTB2.xml
2008-08-06 18:52:17 707348 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\IMTB3.xml
2008-08-04 18:39:06 27421 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Italian.bin
2008-08-04 18:39:06 24340 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Japanese.bin
2008-08-05 17:21:15 21176 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\jcpenneybts.bmp
2008-08-04 18:39:06 20145 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Korean.bin
2008-08-04 18:39:07 21975 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Norwegian.bin
2008-08-06 06:53:14 0 d-------- C:\DOCUME~1\mars\LOCALS~1\Temp\pft26.tmp
2008-08-06 06:52:27 5310 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\plf24.tmp
2008-08-04 18:39:06 24232 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Polish.bin
2008-08-04 18:39:06 25082 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Portuguese(Brazil).bin
2008-08-04 18:39:06 26271 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Portuguese.bin
2008-08-04 18:39:06 26136 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Russian.bin
2008-08-04 18:39:06 16420 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\SimChin.bin
2008-08-04 18:39:06 27764 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Spanish.bin
2008-08-04 18:39:06 24093 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\SWEDISH.bin
2008-08-04 18:39:06 21987 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Thai.bin
2008-08-05 17:21:15 21176 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\thethread.bmp
2008-08-04 18:39:06 16962 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\TradChin.bin
2008-08-04 18:39:07 22263 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\Turkish.bin
2008-08-05 04:16:00 729651 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\U93ce34489786137829.zip
2008-08-07 06:28:52 5632 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\wmsetup.dll
2008-08-07 02:34:23 0 d-------- C:\DOCUME~1\mars\LOCALS~1\Temp\WPDNSE
2008-08-04 18:50:27 0 d-------- C:\DOCUME~1\mars\LOCALS~1\Temp\{9b94be6f-7ca3-4c40-a266-62667ff746cc}
2008-08-04 17:50:15 16384 --a------ C:\DOCUME~1\mars\LOCALS~1\Temp\~DF2B2B.tmp
2008-08-04 17:50:15 512 --a-----t C:\DOCUME~1\mars\LOCALS~1\Temp\~DF2B36.tmp
2008-08-05 17:23:23 0 --a------ C:\WINDOWS\temp\IMT25.tmp
2008-08-05 17:23:23 0 --a------ C:\WINDOWS\temp\IMT26.tmp
2008-07-20 08:47:14 616448 --ahs---- C:\WINDOWS\temp\jnfg9ysu.TMP
2008-08-03 07:34:01 45056 --a------ C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

-*- End of Logfile -*-


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:49 AM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\utorrent-1.8-rc6.upx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 202.165.102.205 w3og.cn
O1 - Hosts: 203.208.35.100 qazc.fourtw.cn
O1 - Hosts: 203.208.35.100 www.aujoy.cn
O1 - Hosts: 203.208.35.101 www.hao601.cn
O1 - Hosts: 203.208.35.101 www.psp476.cn
O1 - Hosts: 72.14.235.99 222.1212l112.net
O1 - Hosts: 72.14.235.99 444.1212l112.netn
O1 - Hosts: 72.14.235.99 555.1212l112.net
O1 - Hosts: 72.14.235.99 111.1212l112.net
O1 - Hosts: 65.55.21.250 111.3243l24.com
O1 - Hosts: 65.55.21.250 222.3243l24.com
O1 - Hosts: 65.55.21.250 333.3243l24.com
O1 - Hosts: 125.64.8.112 kao2.gmwo03.com
O1 - Hosts: 125.64.8.112 kao.gmwo06.com
O1 - Hosts: 125.64.8.112 444.gmwo07.com
O1 - Hosts: 116.252.185.15 ru.update365.us
O1 - Hosts: 116.252.185.15 ad.update365.us
O1 - Hosts: 207.46.232.182 popmails.net
O1 - Hosts: 203.208.37.99 3.goodhh.com
O1 - Hosts: 220.181.37.55 down.rwixr.com
O1 - Hosts: 160.79.42.52 www.xdj2008.com
O1 - Hosts: 63.175.76.152 www.revtr.cn
O1 - Hosts: 219.133.40.91 qq.ljsll.com
O1 - Hosts: 203.208.35.102 www.aassccwe.cn
O1 - Hosts: 209.132.177.50 973.aksjd11.com
O1 - Hosts: 209.132.177.50 974.aksjd11.com
O1 - Hosts: 209.132.177.50 971.aksjd11.com
O1 - Hosts: 209.132.177.50 975.aksjd11.com
O1 - Hosts: 72.14.235.104 user1.12-39.net
O1 - Hosts: 72.14.235.147 www.infomt.net
O1 - Hosts: 192.150.18.101 ata1.sysions.net
O1 - Hosts: 192.150.18.101 ata2.sysions.net
O1 - Hosts: 192.150.18.101 ata3.sysions.net
O1 - Hosts: 192.150.18.101 ata4.sysions.net
O1 - Hosts: 193.120.42.226 8nnnnn99.cn
O1 - Hosts: 24.39.54.34 www.haoaoao.cn
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: detxbiua.dll - {20618412-C528-C784-C056-C164D1F7C502} - C:\WINDOWS\system32\detxbiua.dll (file missing)
O2 - BHO: ijdybpaw.dll - {2A698452-C5D8-C584-C256-C264C987C5A2} - C:\WINDOWS\system32\ijdybpaw.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: pqzfajke.dll - {60A345CD-ABCD-EFAB-CDEF-ABCD01020306} - C:\WINDOWS\system32\pqzfajke.dll (file missing)
O2 - BHO: zywmgime.dll - {7319A1F1-9410-9654-3201-345FFA349137} - C:\WINDOWS\system32\zywmgime.dll (file missing)
O2 - BHO: (no name) - {813DD04F-261A-428A-8309-3F541B2D2564} - c:\windows\system32\ziaashl.dll
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216438706155
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37B9D-5325-4248-9133-6C46B1F469C4}: NameServer = 218.248.255.146,218.248.240.46
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: tisqdtyu.dll,NTNJXSJTVC.dll,comremo.dll,myasemt.dll,googleons.dll,welycz.dll,jsnoer.dll,ezcron.dll,joliom.dll,fackwir.dll,caotxb.dll,ceshleo.dll,nhmxejkl.dll,woswelc.dll,avgrsstx.dll, mssetd.dll tiplict.dll businesn.dll esceps.dll keyiftp.dll baccops.dll aliens.dll offscrl.dll cmonos.dll wdhotem.dll xpsbos.dll manleu.dll squalle.dll therbrek.dll jolin0.dll,
O20 - Winlogon Notify: obklooga - C:\WINDOWS\SYSTEM32\ziaashl.dll
O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll (file missing)
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATI WebPAM (ATIWebPAM) - Unknown owner - C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 10334 bytes



Please help me to fix this problem. If you need any more information, tell me in your reply.
HELPING OTHERS IS A GREAT JOB

 


#2 PropagandaPanda

PropagandaPanda

  • Malware Response Instructor
  • 9,879 posts
  • Gender:Male

Posted 08 August 2008 - 01:58 PM

Hello. I am PropagandaPanda (Panda or PP for short) and I will be helping you with your log.

I will need some time to look over your computer's log(s). I am still in training, so my responses to you must be checked by a coach.

You may want to keep the link to this topic in your favorites. Alternatively, you can use the button at the top bar of this topic to Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it may not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 dinesh4260

dinesh4260

    Forum Regular

  • Members
  • 184 posts
  • Gender:Male
  • Location:chennai

Posted 08 August 2008 - 06:27 PM

Hi, thanks for replying to me.
My PC has turned vulnerable; please help me to recover.
HELPING OTHERS IS A GREAT JOB

#4 PropagandaPanda

PropagandaPanda

  • Malware Response Instructor
  • 9,879 posts
  • Gender:Male

Posted 09 August 2008 - 09:10 AM

Hello dinesh4260. You've got a lot of baddies in there :thumbsup: .

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise changing the passwords for any accounts that you have accessed with the infected computer, using a clean computer, ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Peer-to-Peer Programs Warning
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow users to share files, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should therefore be used with great care. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes copyright law in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.

Disable Realtime Protection
Realtime security programs are important for keeping out malware. However, they can interfere with the tools we need to run. Please disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Backup Registry with ERUNT
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow Erunt to be installed with the settings at default. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
Fix HijackThis Entries
  • Double click the HijackThis icon on your desktop.
  • Close all other open windows.
  • Select Do a System Scan Only.
  • Wait a few moments for the list to be compiled.
  • To the left of each entry you will see a check box. Check the box next to the following entries:

    O2 - BHO: detxbiua.dll - {20618412-C528-C784-C056-C164D1F7C502} - C:\WINDOWS\system32\detxbiua.dll (file missing)
    O2 - BHO: ijdybpaw.dll - {2A698452-C5D8-C584-C256-C264C987C5A2} - C:\WINDOWS\system32\ijdybpaw.dll (file missing)
    O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (file missing)
    O2 - BHO: (no name) - {813DD04F-261A-428A-8309-3F541B2D2564} - c:\windows\system32\ziaashl.dll
    O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
    O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main
    O20 - AppInit_DLLs: tisqdtyu.dll,NTNJXSJTVC.dll,comremo.dll,myasemt.dll............
    O20 - Winlogon Notify: obklooga - C:\WINDOWS\SYSTEM32\ziaashl.dll
    O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (file missing)
    O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll


    If you no longer see some of the entries, don't worry. It is possible that the uninstaller or removal tool already took care of it. If it is marked " (file missing) ", put a check mark next to its box anyway.
  • Close all open windows except HijackThis.
  • Click Fix checked and OK at the prompt.
  • The screen will clear itself.
  • Close out of HijackThis.

Apply Registry Fix
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"="avgrsstx.dll"

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg.
  • Hit OK.
When done properly, the file should show the registry-file icon of a .reg.

Double click fix.reg and answer Yes to the prompts. You should receive a message that the entries have been successfully merged. Delete the file after.

Download and Run OTMoveIT
  • Please download OTMoveIt2 by OldTimer to your desktop.
  • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quotebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    Winhd88
    Winhx22
    Winky58
    Winlg64
    Winqv60
    Winss42
    Winxt25
    ywdmwmbh
    eth8023
    cdralw
    wymxajkl
    pzwlaime
    ijsgajba
    qbhxaklo
    pzwmaime
    ijzhatde
    sqjsakaq
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhd88.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhx22.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winky58.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlg64.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqv60.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winss42.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxt25.sys
    C:\WINDOWS\system32\drivers\eth8023.sys
    C:\WINDOWS\system32\drivers\cdralw.sys
    C:\WINDOWS\Update.dll
    C:\WINDOWS\system32\squalle.dll
    C:\WINDOWS\system32\xpsbos.dll
    C:\WINDOWS\system32\aliens.dll
    C:\WINDOWS\system32\baccops.dll
    C:\WINDOWS\system32\keyiftp.dll
    C:\WINDOWS\system32\ddserh.dll
    C:\WINDOWS\system32\wzcfsw.dll
    C:\WINDOWS\system32\mssetdk.exe
    C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
    C:\WINDOWS\system32\wymxajkl.sys
    C:\Documents and Settings\NetworkService\Application Data\aomyqlxs
    C:\Documents and Settings\mars\Application Data\aomyqlxs
    C:\WINDOWS\system32\pzwlaime.sys
    C:\WINDOWS\system32\ijsgajba.sys
    C:\WINDOWS\system32\qbhxaklo.sys
    C:\WINDOWS\system32\pzwmaime.sys
    C:\WINDOWS\system32\ijzhatde.sys
    C:\WINDOWS\system32\sqjsakaq.sys
    C:\MicroSoft.vbs
    C:\MicroSoft.bat
    C:\WINDOWS\Sysvxd.exe

  • Return to OTMoveIt2, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

-----------------
Please post back with:
-the OtMoveIt log
-the Kaspersky log
-a new DSS log (only the main.txt will appear this time)

Also comment on if your computer is running any better.

With Regards,
The Panda
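
The fix above works entry by entry through the HijackThis log. As an added example, not part of this thread and not a BleepingComputer or HijackThis tool, here is a small Python triage script that applies the same reasoning mechanically to log lines of that shape: O1 hosts entries that point somewhere other than loopback, O2/O21 entries whose module is missing, O4 autoruns launched via rundll32 or from the Windows directory, the O17 DNS servers to verify, the O20 Winlogon Notify hook, and the O20 AppInit_DLLs list, from which it also generates the .reg text that keeps only the expected module, the way the registry fix above keeps avgrsstx.dll. The sample lines are constructed here in the shape of the posted log, and the "expected" sets are assumptions for illustration; a real triage would verify digital signatures and hashes rather than trust file names.

```python
import re

# Constructed sample: lines in the shape of the HijackThis log posted in this
# thread, plus two benign lines (a 127.0.0.1 hosts entry and ctfmon.exe) for
# contrast.  Raw string, because the paths contain "\U" and "\..\".
SAMPLE_LOG = r"""
O1 - Hosts: 209.132.177.50 973.aksjd11.com
O1 - Hosts: 127.0.0.1 ads.example.test
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: detxbiua.dll - {20618412-C528-C784-C056-C164D1F7C502} - C:\WINDOWS\system32\detxbiua.dll (file missing)
O2 - BHO: (no name) - {813DD04F-261A-428A-8309-3F541B2D2564} - c:\windows\system32\ziaashl.dll
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37B9D-5325-4248-9133-6C46B1F469C4}: NameServer = 218.248.255.146,218.248.240.46
O20 - AppInit_DLLs: tisqdtyu.dll,comremo.dll,avgrsstx.dll, mssetd.dll tiplict.dll
O20 - Winlogon Notify: obklooga - C:\WINDOWS\SYSTEM32\ziaashl.dll
O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll (file missing)
"""

# Assumptions for this example: what is *expected* on this particular machine.
# AVG 8 registers avgrsstx.dll in AppInit_DLLs (the thread's .reg fix keeps it)
# and ctfmon.exe is the Windows text-services loader.  A real triage verifies
# signatures and hashes instead of trusting names.
EXPECTED_APPINIT = {"avgrsstx.dll"}
EXPECTED_WINDIR_AUTORUNS = {"ctfmon.exe"}
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"(HK.*?)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def parse(log_text):
    """Yield (section code, body) for every 'Onn - ...' line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def first_token(cmd):
    """First token of a Run command, honouring a quoted path."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd

def in_windows_dir(path):
    return path.lower().replace("/", "\\").startswith("c:\\windows\\")

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def split_appinit(value):
    # The posted log mixes comma and space separators, so split on both.
    return [p.lower() for p in re.split(r"[,\s]+", value) if p]

def extract_appinit(log_text):
    for code, body in parse(log_text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            return split_appinit(body[len("AppInit_DLLs:"):])
    return []

def triage(log_text):
    """Return a list of (code, category, detail) findings."""
    findings = []
    for code, body in parse(log_text):
        if code == "O1":                      # "Hosts: <ip> <name>"
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOCAL_IPS:
                # Blocklists map names to loopback; mapping them to remote IPs is a hijack.
                findings.append(("O1", "hosts-redirect", f"{parts[2]} -> {parts[1]}"))
        elif code in ("O2", "O21"):           # BHOs and ShellServiceObjectDelayLoad
            module = body.rsplit(" - ", 1)[-1]
            if "(file missing)" in body or "(no file)" in body:
                findings.append((code, "dangling-clsid", body))
            elif in_windows_dir(module):      # unknown module dropped into %WINDIR%
                findings.append((code, "review-windows-dir", module))
        elif code == "O4":                    # Run keys
            m = RUN_RE.match(body)
            if not m:
                continue
            _hive, name, cmd = m.groups()
            exe = first_token(cmd)
            if basename(exe) in ("rundll32", "rundll32.exe"):
                findings.append(("O4", "rundll32-autorun", f"[{name}] {cmd}"))
            elif in_windows_dir(exe) and basename(exe) not in EXPECTED_WINDIR_AUTORUNS:
                findings.append(("O4", "unknown-windir-autorun", f"[{name}] {cmd}"))
        elif code == "O17":                   # per-interface DNS servers: check against the ISP's
            findings.append(("O17", "verify-dns", body.split("NameServer =")[-1].strip()))
        elif code == "O20":
            if body.startswith("AppInit_DLLs:"):
                unexpected = [d for d in split_appinit(body[len("AppInit_DLLs:"):])
                              if d not in EXPECTED_APPINIT]
                if unexpected:
                    findings.append(("O20", "appinit-injection", ",".join(unexpected)))
            elif body.startswith("Winlogon Notify:"):
                findings.append(("O20", "winlogon-notify", body.split(":", 1)[1].strip()))
    return findings

def appinit_fix_reg(log_text, keep=EXPECTED_APPINIT):
    """Build the .reg text that rewrites AppInit_DLLs with only the expected
    modules, which is what the manual registry fix in this thread does by hand."""
    kept = ",".join(d for d in extract_appinit(log_text) if d in keep)
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\r\n"
            f'"AppInit_DLLs"="{kept}"\r\n')

if __name__ == "__main__":
    for code, category, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {category:24} {detail}")
    print(appinit_fix_reg(SAMPLE_LOG))
```

Running it on the sample prints nine findings and the .reg text with AppInit_DLLs reduced to avgrsstx.dll. The AppInit_DLLs handling is the part worth studying: every DLL named there is loaded into every process that links user32.dll, which is why a single malicious name in that value survives cleaning of the individual BHO and Run entries.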

#5 Shaba

Shaba

    Koutsi

  • Malware Response Team
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 14 August 2008 - 12:26 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security

#6 PropagandaPanda

PropagandaPanda

  • Malware Response Instructor
  • 9,879 posts
  • Gender:Male

Posted 04 September 2008 - 10:56 AM

Hello.

Topic is reopened. Please ignore the instructions given in my previous post.

Delete your copy of DSS.exe on your desktop.

Download and Run RSIT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (which will be maximized) and info.txt (which will be minimized).
With Regards,
The Panda

Edited by PropagandaPanda, 04 September 2008 - 02:52 PM.


#7 dinesh4260

dinesh4260

    Forum Regular

  • Members
  • 184 posts
  • Gender:Male
  • Location:chennai

Posted 05 September 2008 - 06:16 AM

Hi, thanks for replying to me. :thumbsup:
info.txt logfile of random's system information tool 2008-09-05 16:40:25

Uninstall list

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9B94BE6F-7CA3-4C40-A266-62667FF746CC}\setup.exe"
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Download Accelerator Plus (DAP)-->C:\PROGRA~1\DAP\DAPREMOVE.EXE
GOM Player-->"C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
IGI 2-->C:\WINDOWS\unvise32.exe e:\project igi 2\uninstal.log
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Web Components-->MsiExec.exe /I{90260409-6000-11D3-8CFE-0050048383C9}
Microsoft Rise Of Nations-->"E:\Rise Of Nations\UNINSTAL.EXE" /runtemp /addremove
Microsoft User-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nero 7 Essentials-->MsiExec.exe /X{66EBD70F-A42C-475F-AEDF-277378151033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Nokia Connectivity Cable Driver-->MsiExec.exe /X{0FF1922C-B6C4-40BB-AF30-BEF75A482444}
Nokia PC Suite-->MsiExec.exe /I{7B9031F8-6464-4687-893C-472D8D87527B}
PC Connectivity Solution-->MsiExec.exe /I{D8E4A66D-DB68-481F-ABA8-AC622566D4CB}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Rise of Nations Thrones and Patriots-->"C:\Program Files\Microsoft Games\Rise of Nations\UNINSTLX.EXE" /runtemp /uninstall
Update for Windows Internet Explorer 7 (KB928089)-->"C:\WINDOWS\ie7updates\KB928089\spuninst\spuninst.exe"
VideoLAN VLC media player 0.8.6d-->C:\Program Files\VideoLAN\VLC\uninstall.exe
WebPAM-->C:\Program Files\InstallShield Installation Information\{EDC5E937-F707-4241-BB2F-111C4B83FF2C}\setup.exe -runfromtemp -l0x0409
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_6B630EE2E66584353C6CD8683D447072872F34D8\pccswpddriver.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip 11.2-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}
XMLinst-->MsiExec.exe /I{EA23971F-2CEE-48FC-B64D-7F74A6EF90F0}
Yahoo! Browser Services-->C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail-->C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

Hosts File

127.0.0.1 localhost
202.165.102.205 972.aksjd11.com
202.165.102.205 w3og.cn
203.208.35.100 qazc.fourtw.cn
203.208.35.100 www.aujoy.cn
203.208.35.101 www.hao601.cn
203.208.35.101 www.psp476.cn
72.14.235.99 222.1212l112.net
72.14.235.99 444.1212l112.netn
72.14.235.99 555.1212l112.net

Security center information

AV: AVG Anti-Virus Free

Environment variables

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\PC Connectivity Solution\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0409
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------



Logfile of random's system information tool (written by random/random)
Run by mars at 2008-09-05 16:40:08
Microsoft Windows XP Professional Service Pack 2
System drive C: has 31 GB (82%) free of 38 GB
Total RAM: 959 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:18 PM, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\mars\Favorites\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\mars.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 202.165.102.205 w3og.cn
O1 - Hosts: 203.208.35.100 qazc.fourtw.cn
O1 - Hosts: 203.208.35.100 www.aujoy.cn
O1 - Hosts: 203.208.35.101 www.hao601.cn
O1 - Hosts: 203.208.35.101 www.psp476.cn
O1 - Hosts: 72.14.235.99 222.1212l112.net
O1 - Hosts: 72.14.235.99 444.1212l112.netn
O1 - Hosts: 72.14.235.99 555.1212l112.net
O1 - Hosts: 72.14.235.99 111.1212l112.net
O1 - Hosts: 65.55.21.250 111.3243l24.com
O1 - Hosts: 65.55.21.250 222.3243l24.com
O1 - Hosts: 65.55.21.250 333.3243l24.com
O1 - Hosts: 125.64.8.112 kao2.gmwo03.com
O1 - Hosts: 125.64.8.112 kao.gmwo06.com
O1 - Hosts: 125.64.8.112 444.gmwo07.com
O1 - Hosts: 116.252.185.15 ru.update365.us
O1 - Hosts: 116.252.185.15 ad.update365.us
O1 - Hosts: 207.46.232.182 popmails.net
O1 - Hosts: 203.208.37.99 3.goodhh.com
O1 - Hosts: 220.181.37.55 down.rwixr.com
O1 - Hosts: 160.79.42.52 www.xdj2008.com
O1 - Hosts: 63.175.76.152 www.revtr.cn
O1 - Hosts: 219.133.40.91 qq.ljsll.com
O1 - Hosts: 203.208.35.102 www.aassccwe.cn
O1 - Hosts: 209.132.177.50 973.aksjd11.com
O1 - Hosts: 209.132.177.50 974.aksjd11.com
O1 - Hosts: 209.132.177.50 971.aksjd11.com
O1 - Hosts: 209.132.177.50 975.aksjd11.com
O1 - Hosts: 72.14.235.104 user1.12-39.net
O1 - Hosts: 72.14.235.147 www.infomt.net
O1 - Hosts: 192.150.18.101 ata1.sysions.net
O1 - Hosts: 192.150.18.101 ata2.sysions.net
O1 - Hosts: 192.150.18.101 ata3.sysions.net
O1 - Hosts: 192.150.18.101 ata4.sysions.net
O1 - Hosts: 193.120.42.226 8nnnnn99.cn
O1 - Hosts: 24.39.54.34 www.haoaoao.cn
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {813DD04F-261A-428A-8309-3F541B2D2564} - c:\windows\system32\ziaashl.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216438706155
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37B9D-5325-4248-9133-6C46B1F469C4}: NameServer = 218.248.255.146,218.248.240.46
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: obklooga - C:\WINDOWS\SYSTEM32\ziaashl.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATI WebPAM (ATIWebPAM) - Unknown owner - C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8540 bytes

Scheduled tasks folder

C:\WINDOWS\tasks\ErrorSmart Scheduled Scan.job

Registry dump

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-07-20 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2007-12-13 222448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{813DD04F-261A-428A-8309-3F541B2D2564}]
c:\windows\system32\ziaashl.dll [2001-08-23 104448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-20 2055960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-06-06 1123840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-06-06 1123840]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-20 2055960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-12-07 30208]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-05-18 49152]
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [2006-11-08 222208]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"WindowsHive"=C:\WINDOWS\system32\rpcc.exe []
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-07-20 1232152]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-07-03 16876032]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2008-06-18 77824]
"AlcWzrd"=C:\WINDOWS\ALCWZRD.EXE [2008-06-19 2808832]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-06-19 57344]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-01 153136]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-06-03 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\obklooga]
C:\WINDOWS\system32\ziaashl.dll [2001-08-23 104448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2A698452-C5D8-C584-C256-C264C987C5A2}"= []
"{20618412-C528-C784-C056-C164D1F7C502}"= []
"{7319A1F1-9410-9654-3201-345FFA349137}"= []
"{8A041F13-A111-12A3-B0CF-F99818AA68A8}"=C:\WINDOWS\system32\zxmsewin.dll []
"{87FD640A-158F-48AC-FD14-1597F14A9778}"= []
"{6A908760-8000-4000-A000-9000322145A6}"=C:\WINDOWS\system32\akjsfkaq.dll []
"{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}"= []
"{5A069845-2036-6084-9054-6087502480A5}"=C:\WINDOWS\system32\ozfyebyt.dll []
"{3D698451-2015-6358-9871-2015987452D3}"=C:\WINDOWS\system32\apzhctde.dll []
"{8C8D1401-A58D-A81C-CD24-A5915C4517C8}"=C:\WINDOWS\system32\mnmhhsrv.dll []
"{45671234-7890-ABCD-CDEF-567801237654}"=C:\WINDOWS\system32\yxcsdhlp.dll []
"{60940F85-F015-14F1-A05F-F69858AC6D06}"=C:\WINDOWS\system32\zptldsys.dll []
"{37A924AF-1A5F-CF21-AB1D-1D5CF82A8A73}"=C:\WINDOWS\system32\zywlcime.dll []
"{4D698451-2015-6358-9871-2015987452D4}"=C:\WINDOWS\system32\apzhdtde.dll []
"{A1954FAC-1023-154F-895A-1458258AD81A}"=C:\WINDOWS\system32\ypdjhbmp.dll []
"{40618412-C528-C784-C056-C164D1F7C504}"=C:\WINDOWS\system32\detxdiua.dll []
"{97FD640A-158F-48AC-FD14-1597F14A9779}"=C:\WINDOWS\system32\mndsisrv.dll []
"{49109876-7619-9101-7012-901938475194}"=C:\WINDOWS\system32\ietzdpaq.dll []
"{6A069845-2036-6084-9054-6087502480A6}"=C:\WINDOWS\system32\ozfyfbyt.dll []
"{8C954872-1230-6541-9548-6541025884C8}"=C:\WINDOWS\system32\fd233ds4f4.dll []
"{9319A1F1-9410-9654-3201-345FFA349139}"=C:\WINDOWS\system32\zywmiime.dll []
"{8FD45A54-9875-698F-E56E-65102358FDF8}"=C:\WINDOWS\system32\apsghjba.dll []
"{50618412-C528-C784-C056-C164D1F7C505}"=C:\WINDOWS\system32\detxeiua.dll []
"{47A924AF-1A5F-CF21-AB1D-1D5CF82A8A74}"=C:\WINDOWS\system32\zywldime.dll []
"{C629FF4F-ACDB-5C90-A098-FACB3456A26C}"=C:\WINDOWS\system32\hdf453d1.dll []
"{48093456-9012-4568-9076-908765467184}"=C:\WINDOWS\system32\tisqdtyu.dll []
"{28766E1C-74B0-4417-8C75-F12AE309EF35}"=C:\WINDOWS\system32\wzcfsw.dll []
"{A9895933-6636-4281-BC58-EE6DE2AF96E3}"= []
"{0B846B26-BFE6-4E8E-A948-1DB17B77B483}"= []
"{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7}"= []
"{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}"=C:\WINDOWS\system32\zsdgff.dll []
"{6E6CA8A1-81BC-4707-A54C-F4903DD70BAD}"=C:\WINDOWS\system32\zgxfdx.dll []
"{259BF3CF-194D-4FE6-9ADB-DE6544B098B6}"=C:\WINDOWS\system32\dndsaf.dll []
"{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}"=C:\WINDOWS\system32\fsrgeb.dll []
"{57AC9076-C898-B098-D098-A18319080975}"=C:\WINDOWS\system32\nhmxejkl.dll []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winhd88.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winhx22.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winky58.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winlg64.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winqv60.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winss42.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winxt25.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\drivers\svchost.exe"="C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\DAP\DAP.exe"="C:\Program Files\DAP\DAP.exe:*:Disabled:Download Accelerator Plus (DAP)"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"E:\age of mythology\EMPIRES2.EXE"="E:\age of mythology\EMPIRES2.EXE:*:Disabled:Age of Empires II"
"C:\Program Files\utorrent-1.8-rc6.upx.exe"="C:\Program Files\utorrent-1.8-rc6.upx.exe:*:Enabled:µTorrent"
"C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe:*:Enabled:VideoAccelerator"
"E:\Rise Of Nations\game\rise.exe"="E:\Rise Of Nations\game\rise.exe:*:Disabled:Rise of Nations"
"E:\Rise Of Nations\game\thrones.exe"="E:\Rise Of Nations\game\thrones.exe:*:Enabled:Rise of Nations"
"C:\Program Files\Microsoft Games\Rise of Nations\rise.exe"="C:\Program Files\Microsoft Games\Rise of Nations\rise.exe:*:Enabled:Rise of Nations"
"C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe"="C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe:*:Enabled:Rise of Nations"
"E:\Rise Of Nations\rise.exe"="E:\Rise Of Nations\rise.exe:*:Disabled:Rise of Nations"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\Auto\command - sxs.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\Auto\command - sxs.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\Auto\command - sxs.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
shell\AutoRun\command - H:\RoNsetup.exe /autorun


File associations

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

List of files/folders created in the last three months

2008-06-06 15:24:44 ----D---- C:\Documents and Settings\All Users\Application Data\Ahead
2008-06-06 15:18:26 ----RD---- C:\Program Files\Nero
2008-06-06 15:18:26 ----D---- C:\Program Files\Common Files\Ahead
2008-06-06 15:18:26 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
2008-06-06 15:17:30 ----D---- C:\WINDOWS\RegisteredPackages
2008-06-06 15:15:45 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2008-06-06 15:15:43 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2008-06-06 15:13:26 ----D---- C:\Program Files\Google
2008-06-06 15:12:10 ----A---- C:\WINDOWS\ODBC.INI
2008-06-06 15:11:32 ----D---- C:\Program Files\Microsoft ActiveSync
2008-06-06 15:11:01 ----D---- C:\Program Files\Common Files\Designer
2008-06-06 15:09:31 ----D---- C:\WINDOWS\ShellNew
2008-06-06 15:09:27 ----D---- C:\Program Files\Microsoft Office
2008-06-06 14:47:21 ----D---- C:\TempEI4
2008-06-06 14:44:44 ----D---- C:\Documents and Settings\mars\Application Data\Identities
2008-06-06 14:44:42 ----HD---- C:\Program Files\Uninstall Information
2008-06-06 14:44:37 ----SD---- C:\Documents and Settings\mars\Application Data\Microsoft
2008-06-06 14:44:37 ----ASH---- C:\Documents and Settings\mars\Application Data\desktop.ini
2008-06-06 14:43:45 ----D---- C:\WINDOWS\SoftwareDistribution
2008-06-06 14:43:43 ----SD---- C:\WINDOWS\system32\Microsoft
2008-06-06 14:43:43 ----D---- C:\WINDOWS\Prefetch
2008-06-06 14:43:42 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-06-06 14:40:17 ----D---- C:\WINDOWS\system32\xircom
2008-06-06 14:40:17 ----D---- C:\Program Files\xerox
2008-06-06 14:40:17 ----D---- C:\Program Files\microsoft frontpage
2008-06-06 14:40:00 ----A---- C:\WINDOWS\control.ini
2008-06-06 14:40:00 ----A---- C:\AUTOEXEC.BAT
2008-06-06 14:39:50 ----A---- C:\WINDOWS\OEWABLog.txt
2008-06-06 14:39:47 ----A---- C:\WINDOWS\system32\mapi32.dll
2008-06-06 14:39:00 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-06-06 14:39:00 ----RD---- C:\WINDOWS\Offline Web Pages
2008-06-06 14:39:00 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2008-06-06 14:38:54 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2008-06-06 14:38:50 ----HD---- C:\Program Files\WindowsUpdate
2008-06-06 14:38:30 ----D---- C:\WINDOWS\system32\DirectX
2008-06-06 14:38:08 ----A---- C:\WINDOWS\system32\atrace.dll
2008-06-06 14:38:05 ----A---- C:\WINDOWS\system32\desktop.ini
2008-06-06 14:38:05 ----A---- C:\WINDOWS\desktop.ini
2008-06-06 14:37:59 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
2008-06-06 14:37:58 ----A---- C:\WINDOWS\system32\acctres.dll
2008-06-06 14:37:57 ----D---- C:\Program Files\Common Files\Services
2008-06-06 14:37:55 ----SD---- C:\WINDOWS\Tasks
2008-06-06 14:37:55 ----A---- C:\WINDOWS\system32\icfgnt5.dll
2008-06-06 14:37:54 ----D---- C:\Program Files\Common Files\MSSoap
2008-06-06 14:37:49 ----D---- C:\WINDOWS\srchasst
2008-06-06 14:37:48 ----D---- C:\WINDOWS\system32\Macromed
2008-06-06 14:37:45 ----A---- C:\WINDOWS\system32\wuweb.dll
2008-06-06 14:37:45 ----A---- C:\WINDOWS\system32\wucltui.dll
2008-06-06 14:37:45 ----A---- C:\WINDOWS\system32\wuauserv.dll
2008-06-06 14:37:45 ----A---- C:\WINDOWS\system32\wuaueng1.dll
2008-06-06 14:37:44 ----A---- C:\WINDOWS\system32\wups.dll
2008-06-06 14:37:44 ----A---- C:\WINDOWS\system32\wuaueng.dll
2008-06-06 14:37:44 ----A---- C:\WINDOWS\system32\wuauclt1.exe
2008-06-06 14:37:44 ----A---- C:\WINDOWS\system32\wuauclt.exe
2008-06-06 14:37:44 ----A---- C:\WINDOWS\system32\wuapi.dll
2008-06-06 14:37:43 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
2008-06-06 14:37:43 ----A---- C:\WINDOWS\system32\qmgr.dll
2008-06-06 14:37:43 ----A---- C:\WINDOWS\system32\bitsprx3.dll
2008-06-06 14:37:43 ----A---- C:\WINDOWS\system32\bitsprx2.dll
2008-06-06 14:37:38 ----RD---- C:\Program Files\Movie Maker
2008-06-06 14:37:34 ----A---- C:\WINDOWS\system32\safrslv.dll
2008-06-06 14:37:34 ----A---- C:\WINDOWS\system32\safrdm.dll
2008-06-06 14:37:34 ----A---- C:\WINDOWS\system32\safrcdlg.dll
2008-06-06 14:37:34 ----A---- C:\WINDOWS\system32\racpldlg.dll
2008-06-06 14:37:29 ----A---- C:\WINDOWS\system32\fltMc.exe
2008-06-06 14:37:29 ----A---- C:\WINDOWS\system32\fltlib.dll
2008-06-06 14:37:28 ----D---- C:\WINDOWS\system32\Restore
2008-06-06 14:37:28 ----A---- C:\WINDOWS\system32\srsvc.dll
2008-06-06 14:37:28 ----A---- C:\WINDOWS\system32\srrstr.dll
2008-06-06 14:37:28 ----A---- C:\WINDOWS\system32\srclient.dll
2008-06-06 14:37:28 ----A---- C:\WINDOWS\system32\ils.dll
2008-06-06 14:37:27 ----A---- C:\WINDOWS\system32\nmmkcert.dll
2008-06-06 14:37:27 ----A---- C:\WINDOWS\system32\msconf.dll
2008-06-06 14:37:27 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
2008-06-06 14:37:27 ----A---- C:\WINDOWS\system32\mnmdd.dll
2008-06-06 14:37:27 ----A---- C:\WINDOWS\system32\isrdbg32.dll
2008-06-06 14:37:24 ----D---- C:\Program Files\NetMeeting
2008-06-06 14:37:24 ----A---- C:\WINDOWS\system32\msoert2.dll
2008-06-06 14:37:24 ----A---- C:\WINDOWS\system32\msoeacct.dll
2008-06-06 14:37:23 ----A---- C:\WINDOWS\system32\inetres.dll
2008-06-06 14:37:23 ----A---- C:\WINDOWS\system32\inetcomm.dll
2008-06-06 14:37:20 ----D---- C:\Program Files\Outlook Express
2008-06-06 14:37:20 ----A---- C:\WINDOWS\system32\schedsvc.dll
2008-06-06 14:37:20 ----A---- C:\WINDOWS\system32\mstinit.exe
2008-06-06 14:37:20 ----A---- C:\WINDOWS\system32\mstask.dll
2008-06-06 14:37:20 ----A---- C:\WINDOWS\system32\icwphbk.dll
2008-06-06 14:37:19 ----A---- C:\WINDOWS\system32\isign32.dll
2008-06-06 14:37:19 ----A---- C:\WINDOWS\system32\inetcfg.dll
2008-06-06 14:37:19 ----A---- C:\WINDOWS\system32\icwdial.dll
2008-06-06 14:37:13 ----D---- C:\Program Files\Common Files\System
2008-06-06 14:37:12 ----RD---- C:\Program Files\Internet Explorer
2008-06-06 14:36:41 ----D---- C:\Program Files\ComPlus Applications
2008-06-06 14:36:39 ----A---- C:\WINDOWS\vbaddin.ini
2008-06-06 14:36:39 ----A---- C:\WINDOWS\vb.ini
2008-06-06 14:36:35 ----D---- C:\WINDOWS\Registration
2008-06-06 14:36:29 ----RD---- C:\Program Files\Windows Media Player
2008-06-06 14:36:29 ----D---- C:\Program Files\Online Services
2008-06-06 14:36:19 ----RD---- C:\Program Files\MSN Gaming Zone
2008-06-06 14:36:19 ----A---- C:\WINDOWS\system32\write.exe
2008-06-06 14:36:11 ----A---- C:\WINDOWS\system32\sndvol32.exe
2008-06-06 14:36:10 ----A---- C:\WINDOWS\system32\winchat.exe
2008-06-06 14:36:10 ----A---- C:\WINDOWS\system32\hticons.dll
2008-06-06 14:36:10 ----A---- C:\WINDOWS\system32\avwav.dll
2008-06-06 14:36:10 ----A---- C:\WINDOWS\system32\avtapi.dll
2008-06-06 14:36:10 ----A---- C:\WINDOWS\system32\avmeter.dll
2008-06-06 14:36:04 ----A---- C:\WINDOWS\system32\getuname.dll
2008-06-06 14:36:03 ----A---- C:\WINDOWS\system32\winmine.exe
2008-06-06 14:36:03 ----A---- C:\WINDOWS\system32\sol.exe
2008-06-06 14:36:03 ----A---- C:\WINDOWS\system32\charmap.exe
2008-06-06 14:36:03 ----A---- C:\WINDOWS\system32\calc.exe
2008-06-06 14:36:02 ----A---- C:\WINDOWS\system32\usrlogon.cmd
2008-06-06 14:36:02 ----A---- C:\WINDOWS\system32\tsshutdn.exe
2008-06-06 14:36:02 ----A---- C:\WINDOWS\system32\tslabels.ini
2008-06-06 14:36:02 ----A---- C:\WINDOWS\system32\tskill.exe
2008-06-06 14:36:02 ----A---- C:\WINDOWS\system32\tsdiscon.exe
2008-06-06 14:36:02 ----A---- C:\WINDOWS\system32\tscon.exe
2008-06-06 14:36:02 ----A---- C:\WINDOWS\system32\reset.exe
2008-06-06 14:36:02 ----A---- C:\WINDOWS\system32\mshearts.exe
2008-06-06 14:36:02 ----A---- C:\WINDOWS\system32\freecell.exe
2008-06-06 14:36:01 ----A---- C:\WINDOWS\system32\shadow.exe
2008-06-06 14:36:01 ----A---- C:\WINDOWS\system32\rwinsta.exe
2008-06-06 14:36:01 ----A---- C:\WINDOWS\system32\regini.exe
2008-06-06 14:36:01 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
2008-06-06 14:36:01 ----A---- C:\WINDOWS\system32\qwinsta.exe
2008-06-06 14:36:01 ----A---- C:\WINDOWS\system32\qappsrv.exe
2008-06-06 14:36:01 ----A---- C:\WINDOWS\system32\msg.exe
2008-06-06 14:36:01 ----A---- C:\WINDOWS\system32\msdtcprf.ini
2008-06-06 14:36:01 ----A---- C:\WINDOWS\system32\logoff.exe
2008-06-06 14:36:01 ----A---- C:\WINDOWS\system32\cdmodem.dll
2008-06-06 14:36:00 ----A---- C:\WINDOWS\system32\mtxlegih.dll
2008-06-06 14:36:00 ----A---- C:\WINDOWS\system32\mtxex.dll
2008-06-06 14:36:00 ----A---- C:\WINDOWS\system32\mtxdm.dll
2008-06-06 14:36:00 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
2008-06-06 14:36:00 ----A---- C:\WINDOWS\system32\comrepl.dll
2008-06-06 14:36:00 ----A---- C:\WINDOWS\system32\comaddin.dll
2008-06-06 14:35:59 ----A---- C:\WINDOWS\system32\stclient.dll
2008-06-06 14:35:59 ----A---- C:\WINDOWS\system32\comsnap.dll
2008-06-06 14:35:54 ----A---- C:\WINDOWS\system32\wmimgmt.msc
2008-06-06 14:35:34 ----A---- C:\WINDOWS\system32\accwiz.exe
2008-06-06 14:35:33 ----A---- C:\WINDOWS\system32\sndrec32.exe
2008-06-06 14:35:33 ----A---- C:\WINDOWS\system32\mplay32.exe
2008-06-06 14:35:33 ----A---- C:\WINDOWS\system32\hypertrm.dll
2008-06-06 14:35:32 ----D---- C:\Program Files\Windows NT
2008-06-06 14:35:32 ----A---- C:\WINDOWS\system32\spider.exe
2008-06-06 14:35:32 ----A---- C:\WINDOWS\system32\mspaint.exe
2008-06-06 14:35:32 ----A---- C:\WINDOWS\system32\clipbrd.exe
2008-06-06 14:35:31 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
2008-06-06 14:35:31 ----A---- C:\WINDOWS\system32\mstscax.dll
2008-06-06 14:35:31 ----A---- C:\WINDOWS\system32\mstsc.exe
2008-06-06 14:35:30 ----A---- C:\WINDOWS\system32\tscupgrd.exe
2008-06-06 14:35:30 ----A---- C:\WINDOWS\system32\termsrv.dll
2008-06-06 14:35:30 ----A---- C:\WINDOWS\system32\sessmgr.exe
2008-06-06 14:35:30 ----A---- C:\WINDOWS\system32\remotepg.dll
2008-06-06 14:35:30 ----A---- C:\WINDOWS\system32\rdshost.exe
2008-06-06 14:35:30 ----A---- C:\WINDOWS\system32\rdsaddin.exe
2008-06-06 14:35:30 ----A---- C:\WINDOWS\system32\rdpwsx.dll
2008-06-06 14:35:30 ----A---- C:\WINDOWS\system32\rdpsnd.dll
2008-06-06 14:35:30 ----A---- C:\WINDOWS\system32\rdchost.dll
2008-06-06 14:35:29 ----D---- C:\WINDOWS\system32\MsDtc
2008-06-06 14:35:29 ----A---- C:\WINDOWS\system32\rdpclip.exe
2008-06-06 14:35:29 ----A---- C:\WINDOWS\system32\qprocess.exe
2008-06-06 14:35:29 ----A---- C:\WINDOWS\system32\mtxoci.dll
2008-06-06 14:35:29 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
2008-06-06 14:35:29 ----A---- C:\WINDOWS\system32\msdtcprx.dll
2008-06-06 14:35:29 ----A---- C:\WINDOWS\system32\icaapi.dll
2008-06-06 14:35:29 ----A---- C:\WINDOWS\system32\cfgbkend.dll
2008-06-06 14:35:28 ----A---- C:\WINDOWS\system32\xolehlp.dll
2008-06-06 14:35:28 ----A---- C:\WINDOWS\system32\msdtctm.dll
2008-06-06 14:35:28 ----A---- C:\WINDOWS\system32\msdtclog.dll
2008-06-06 14:35:28 ----A---- C:\WINDOWS\system32\msdtc.exe
2008-06-06 14:35:27 ----D---- C:\WINDOWS\system32\Com
2008-06-06 14:35:27 ----A---- C:\WINDOWS\system32\colbact.dll
2008-06-06 14:35:27 ----A---- C:\WINDOWS\system32\clbcatex.dll
2008-06-06 14:35:27 ----A---- C:\WINDOWS\system32\catsrvut.dll
2008-06-06 14:35:27 ----A---- C:\WINDOWS\system32\catsrvps.dll
2008-06-06 14:35:26 ----A---- C:\WINDOWS\system32\comuid.dll
2008-06-06 14:35:26 ----A---- C:\WINDOWS\system32\comsvcs.dll
2008-06-06 14:35:26 ----A---- C:\WINDOWS\system32\catsrv.dll
2008-06-06 14:35:25 ----A---- C:\WINDOWS\system32\clbcatq.dll
2008-06-06 14:35:18 ----A---- C:\WINDOWS\system32\servdeps.dll
2008-06-06 14:35:18 ----A---- C:\WINDOWS\system32\mmfutil.dll
2008-06-06 14:35:18 ----A---- C:\WINDOWS\system32\licwmi.dll
2008-06-06 14:35:18 ----A---- C:\WINDOWS\system32\cmprops.dll

List of drivers

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-03 36096]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-06-03 3100160]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-07-03 4745216]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
R3 SMBios;Intel ® System Management BIOS Service; C:\WINDOWS\system32\DRIVERS\SMBios.sys [2004-06-07 36484]
S3 aev2dito;aev2dito; C:\WINDOWS\system32\drivers\aev2dito.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2006-10-10 9216]
S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2006-10-10 12800]
S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2006-10-10 138240]
S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2006-10-10 12800]
S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
S3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

List of services

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-06-03 552960]
R2 ATIWebPAM;ATI WebPAM; C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe [2003-09-29 110592]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-20 231192]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2005-08-08 167936]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-01 271920]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-06-02 593920]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2006-11-06 210432]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
HELPING OTHERS IS A GREAT JOB
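
The DSS "List of drivers" and "List of services" sections above are easy to skim past, but two details in them are exactly what a responder looks for: an empty `[]` where DSS could not read a file at the recorded image path, and image paths that are not the usual `%SystemRoot%\system32\drivers`. The following Python script is an added example written for this thread, not part of DSS or of any post here; it parses those sections and reports why each entry deserves a second look. The sample input is copied from the log above. The interpretation of the doubled `system32\System32` path (the registry ImagePath is relative to `%SystemRoot%` and DSS prepended `system32`) is an assumption about DSS, so the script reports it as something to check rather than as a verdict.

```python
"""Triage the "List of drivers" and "List of services" sections of a
Deckard's System Scanner (DSS) log.

Added example for this thread; it is not part of DSS or of any post here.
DSS prints one entry per line as
    <R|S><start type> <name>;<display name>; <image path> [<file date> <size>]
with R for running, S for stopped, and an empty "[]" when DSS could not
read a file at that image path.  Sample lines are copied from the log above.
"""
import re

ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# Constructed sample: lines copied from the DSS log posted above.
SAMPLE_DSS = r"""
List of drivers

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-03 36096]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 aev2dito;aev2dito; C:\WINDOWS\system32\drivers\aev2dito.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

List of services

R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-20 231192]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-06-02 593920]
"""


def parse_entry(line):
    """Return a dict for one DSS driver/service line, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["running"] = e["state"] == "R"
    e["start"] = int(e["start"])       # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    e["meta"] = e["meta"].strip()      # "" when DSS found no file at the path
    return e


def triage_entry(e, kind):
    """Return the reasons this entry deserves a second look (empty list if none)."""
    reasons = []
    low = e["path"].lower()
    if not e["meta"]:
        reasons.append("no file date/size: nothing readable at the recorded image path")
    if "\\system32\\system32\\" in low:
        # Assumption: the ImagePath is relative to %SystemRoot% and DSS prepended
        # system32, so the file probably exists under the single System32 path.
        reasons.append("doubled system32 in path: check under the single System32 path "
                       "before assuming the file is gone")
    if low.startswith("\\??\\"):
        reasons.append("absolute NT path (\\??\\): registered with a full path by whatever installed it")
    if kind == "driver" and "\\system32\\drivers\\" not in low:
        reasons.append("driver image outside %SystemRoot%\\system32\\drivers")
    return reasons


def triage_log(text):
    """Map entry name -> reasons, for every driver/service with at least one reason."""
    kind, findings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "List of drivers":
            kind = "driver"
            continue
        if line == "List of services":
            kind = "service"
            continue
        e = parse_entry(line) if kind else None
        if e:
            reasons = triage_entry(e, kind)
            if reasons:
                findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_DSS).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the two AVG minifilter/loader drivers are flagged only for the doubled path plus the empty `[]` that follows from it, `aev2dito` and `IntelIde` only for the missing file, and `gdrv` for all three: no file metadata, an absolute `\??\` path, and an image in `C:\WINDOWS` rather than the drivers directory. None of that is a verdict; it is the list of entries to hash and look up before the helper decides what to remove.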

#8 dinesh4260 (Forum Regular, Members, 184 posts, Gender: Male, Location: chennai)

Posted 05 September 2008 - 07:26 AM

hi, i want to ask you something:
my usb port is not working, my cd drive is not working properly and my ups is also not working. and some of the files in control panel are also not opening; it shows some error message. are these all due to the trojan on my pc? help me to fix all these :thumbsup:

#9 PropagandaPanda (Malware Response Instructor, 9,879 posts, Gender: Male)

Posted 06 September 2008 - 07:56 AM

Hello Dinesh4260.

We will attend to the damage caused by the malware afterwards.

Reset Hosts File
Some infections will put malicious lines into your hosts files. We will reset your hosts file with HostsXpert.
  • Please download HostsXpert.zip to your desktop and unzip the contents.
  • A folder named HostsXpert will be created. Open it and run HostsXpert.exe by double clicking it.
  • Click on the button Make Writeable?.
  • Click Restore Microsoft's Hosts File.
  • Close out of the window.
If you have added modifications to your hosts file, they will need to be re-added.

Download and Run FlashDisinfector
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


Download and Run OTMoveIT
  • Please download OTMoveIt2 by OldTimer to your desktop.
  • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quotebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{813DD04F-261A-428A-8309-3F541B2D2564}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\WindowsHive
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\obklooga
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winhd88.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winhx22.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winky58.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winlg64.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winqv60.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winss42.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winxt25.sys
    C:\WINDOWS\SYSTEM32\ziaashl.dll

  • Return to OTMoveIt2, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure; Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important! Please do not select the Show all checkbox during the scan.

-------------------------
Please post back with:
-the OTMoveIt log
-the GMER logs
-a new RSIT log

With Regards,
The Panda
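
The OTMoveIt2 list in the post above was not typed from memory: every registry key in it can be read off the HijackThis log that follows later in the thread. An unnamed BHO (`O2 - BHO: (no name) - {CLSID} - dll`) maps to a key under `Browser Helper Objects`, and a `Winlogon Notify` entry (`O20`) maps to a key under `Winlogon\Notify`; when both point at the same DLL, one file has two load points and is the priority. The Python below is an added example written for this thread, not HijackThis, OTMoveIt2 or code from any post here; it parses O2/O20 lines, cross-references the DLLs, and prints the keys and files a move list would contain. The allowlist of stock Winlogon Notify package names and the severity rules are assumptions, not tool behaviour. The sample lines are copied from the HijackThis log posted later in this thread.

```python
"""Turn the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log
into the registry keys and files an OTMoveIt2 move list would contain.

Added example for this thread; not HijackThis, OTMoveIt2 or code from any
post here.  Assumptions, not tool behaviour: an unnamed BHO rates "medium",
an unknown Winlogon Notify package rates "medium", and either rates "high"
when the same DLL sits behind both hooks.  KNOWN_NOTIFY is the stock XP SP2
Notify set plus two graphics-driver helpers; extend it for your baseline.
"""
import re
from collections import defaultdict

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: stock XP SP2 Winlogon Notify packages plus Intel/ATI helpers.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "atiextevent"}
RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample: O2/O20 lines copied from the HijackThis log in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {813DD04F-261A-428A-8309-3F541B2D2564} - c:\windows\system32\ziaashl.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: obklooga - C:\WINDOWS\SYSTEM32\ziaashl.dll
"""


def parse(text):
    """Return (bhos, notifies); each item is the regex group dict for one line."""
    bhos, notifies = [], []
    for line in text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line.strip())
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def triage(text):
    """Return findings: {"id", "severity", "reason", "items"}; items are the
    registry keys and files a move list would need."""
    bhos, notifies = parse(text)
    roles = defaultdict(list)            # lower-cased DLL path -> load points using it
    for b in bhos:
        if b["path"] != "(no file)":
            roles[b["path"].lower()].append("BHO " + b["clsid"])
    for n in notifies:
        roles[n["path"].lower()].append("Winlogon Notify " + n["name"])

    findings = []
    for b in bhos:
        key = BHO_KEY + "\\" + b["clsid"]
        if b["path"] == "(no file)":
            findings.append({"id": b["clsid"], "severity": "low",
                             "reason": "orphaned BHO, DLL no longer on disk", "items": [key]})
        elif b["name"] == "(no name)":
            others = [r for r in roles[b["path"].lower()] if not r.startswith("BHO ")]
            findings.append({"id": b["clsid"], "severity": "high" if others else "medium",
                             "reason": "unnamed BHO in " + b["path"]
                             + ("; same DLL also loaded as " + ", ".join(others) if others else ""),
                             "items": [key, b["path"]]})
    for n in notifies:
        if n["name"].lower() in KNOWN_NOTIFY:
            continue
        others = [r for r in roles[n["path"].lower()] if not r.startswith("Winlogon ")]
        findings.append({"id": n["name"], "severity": "high" if others else "medium",
                         "reason": "unknown Winlogon Notify package in " + n["path"]
                         + ("; same DLL also loaded as " + ", ".join(others) if others else ""),
                         "items": [NOTIFY_KEY + "\\" + n["name"], n["path"]]})
    return findings


def move_list(findings):
    """Registry keys and files, de-duplicated case-insensitively, in the order found."""
    seen, out = set(), []
    for f in findings:
        for item in f["items"]:
            if item.lower() not in seen:
                seen.add(item.lower())
                out.append(item)
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in sorted(found, key=lambda f: RANK[f["severity"]]):
        print(f"[{f['severity']}] {f['id']}: {f['reason']}")
    print("\n".join(move_list(found)))
```

On the sample this yields the BHO key for `{813DD04F-...}` and the `Notify\obklooga` key, both rated high because they share `ziaashl.dll`, the orphaned `{02478D38-...}` key rated low, and the DLL path once. The caveat that matters for the cleanup step: a Winlogon Notify DLL is loaded into winlogon.exe at every logon, so it is in use for as long as the desktop is up, which is why a file under that hook usually cannot be moved until a reboot. The severities are a triage aid; hash the DLL and have it identified before treating the rating as a verdict.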

#10 dinesh4260 (Forum Regular, Members, 184 posts, Gender: Male, Location: chennai)

Posted 06 September 2008 - 05:12 PM

hi, thanks for replying again.
i am still having utorrent and i opened all ports, but i didn't download anything after that. what do you want me to do with that?

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{813DD04F-261A-428A-8309-3F541B2D2564} >
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{813DD04F-261A-428A-8309-3F541B2D2564}\\ .
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F\\ deleted successfully.
< HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\WindowsHive >
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\WindowsHive deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\obklooga >
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\obklooga\\ .
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winhd88.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winhd88.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winhx22.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winhx22.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winky58.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winky58.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winlg64.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winlg64.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winqv60.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winqv60.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winss42.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winss42.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winxt25.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winxt25.sys\\ deleted successfully.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\ziaashl.dll
C:\WINDOWS\SYSTEM32\ziaashl.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\ziaashl.dll scheduled to be moved on reboot.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09072008_031209

Files moved on Reboot...
LoadLibrary failed for C:\WINDOWS\SYSTEM32\ziaashl.dll
C:\WINDOWS\SYSTEM32\ziaashl.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\ziaashl.dll scheduled to be moved on reboot.


Logfile of random's system information tool (written by random/random)
Run by mars at 2008-09-07 03:36:40
Microsoft Windows XP Professional Service Pack 2
System drive C: has 31 GB (81%) free of 38 GB
Total RAM: 959 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:51 AM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\mars\Favorites\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\mars.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {813DD04F-261A-428A-8309-3F541B2D2564} - c:\windows\system32\ziaashl.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216438706155
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37B9D-5325-4248-9133-6C46B1F469C4}: NameServer = 218.248.255.146,218.248.240.46
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: obklooga - C:\WINDOWS\SYSTEM32\ziaashl.dll
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-07 03:32:08
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT spuz.sys ZwCreateKey [0xF733C0E0]
SSDT HBKernel.sys ZwCreateThread [0xF757307F]
SSDT spuz.sys ZwEnumerateKey [0xF735ACA2]
SSDT spuz.sys ZwEnumerateValueKey [0xF735B030]
SSDT spuz.sys ZwOpenKey [0xF733C0C0]
SSDT spuz.sys ZwQueryKey [0xF735B108]
SSDT spuz.sys ZwQueryValueKey [0xF735AF88]
SSDT spuz.sys ZwSetValueKey [0xF735B19A]

INT 0x62 ? 85967BF8
INT 0x73 ? 85967BF8
INT 0x82 ? 85967BF8
INT 0x83 ? 85967BF8
INT 0x83 ? 85967BF8

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 44F 805BA2A9 7 Bytes JMP 859A9138
? spuz.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\HBKernel.sys Access is denied.
.text a2u3rayz.SYS F6486386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text a2u3rayz.SYS F64863AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text a2u3rayz.SYS F64863C4 3 Bytes [ 00, 70, 02 ]
.text a2u3rayz.SYS F64863C9 1 Byte [ 2E ]
.text a2u3rayz.SYS F64863CB 9 Bytes [ 00, 00, 5A, 02, 00, 00, 00, ... ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\svchost.exe[192] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 00084EA7
.text C:\Documents and Settings\mars\Local Settings\Temp\wzdb57\gmer.exe[204] Advapi32.dll!CreateServiceA 77E37071 5 Bytes JMP 00144EA7
.text C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe[508] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 00094EA7
.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 00084EA7
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 00084EA7
.text ...
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3452] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 7E38C4D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3452] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 7E38C510 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3452] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 7E38C491 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3452] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3452] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 7E38C413 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3452] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 7E38C54B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3452] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 7E38C44D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[3500] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 00084EA7
.text C:\PROGRA~1\WINZIP\winzip32.exe[4044] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 00144EA7

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F733D040] spuz.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F733D13C] spuz.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F733D0BE] spuz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F733D7FC] spuz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F733D6D2] spuz.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F734D048] spuz.sys
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\a2u3rayz.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 859661F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 859D81F8
Device \Driver\dmio \Device\DmControl\DmConfig 859D81F8
Device \Driver\dmio \Device\DmControl\DmPnP 859D81F8
Device \Driver\dmio \Device\DmControl\DmInfo 859D81F8
Device \Driver\PCI_PNP8870 \Device\00000045 spuz.sys
Device \Driver\sptd \Device\337716370 spuz.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 859681F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 859681F8
Device \Driver\Cdrom \Device\CdRom0 857451F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 859681F8
Device \Driver\atapi \Device\Ide\IdePort0 859671F8
Device \Driver\atapi \Device\Ide\IdePort1 859671F8
Device \Driver\atapi \Device\Ide\IdePort2 859671F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-7 859671F8
Device \Driver\atapi \Device\Ide\IdePort3 859671F8
Device \Driver\atapi \Device\Ide\IdePort4 859671F8
Device \Driver\atapi \Device\Ide\IdePort5 859671F8
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-16 859671F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 859681F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 856E6500
Device \Driver\NetBT \Device\NetbiosSmb 856E6500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 856C11F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 856C11F8
Device \Driver\Ftdisk \Device\FtControl 859681F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F2C37B9D-5325-4248-9133-6C46B1F469C4} 856E6500
Device \Driver\a2u3rayz \Device\Scsi\a2u3rayz1 857161F8
Device \FileSystem\Cdfs \Cdfs 85778500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1F 0x2C 0x33 0x46 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x05 0xE4 0xAB 0x72 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3E 0xE7 0x92 0xEF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x94 0xAB 0xA1 0x16 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x82 0xC6 0xBC 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x2F 0x37 0xFD 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1F 0x2C 0x33 0x46 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x05 0xE4 0xAB 0x72 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3E 0xE7 0x92 0xEF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x94 0xAB 0xA1 0x16 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x82 0xC6 0xBC 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x2F 0x37 0xFD 0x8A ...

---- EOF - GMER 1.0.14 ----
HELPING OTHERS IS A GREAT JOB

#11 PropagandaPanda

PropagandaPanda

  • Malware Response Instructor
  • 9,879 posts
  • Gender:Male

Posted 06 September 2008 - 06:35 PM

Hello Dinesh.

Are you sure that is the whole RSIT log? Part of it seems to be missing. Please post the contents of C:\RSIT\log.txt.

The Panda

#12 dinesh4260

dinesh4260

    Forum Regular

  • Members
  • 184 posts
  • Gender:Male
  • Location:chennai

Posted 06 September 2008 - 07:32 PM

Sorry if I posted wrongly. Here is the complete RSIT log,


Logfile of random's system information tool (written by random/random)
Run by mars at 2008-09-07 05:59:23
Microsoft Windows XP Professional Service Pack 2
System drive C: has 31 GB (81%) free of 38 GB
Total RAM: 959 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:34 AM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mars\Favorites\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\mars.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {813DD04F-261A-428A-8309-3F541B2D2564} - c:\windows\system32\ziaashl.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216438706155
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C37B9D-5325-4248-9133-6C46B1F469C4}: NameServer = 218.248.255.146,218.248.240.46
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: obklooga - C:\WINDOWS\SYSTEM32\ziaashl.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATI WebPAM (ATIWebPAM) - Unknown owner - C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6433 bytes

Scheduled tasks folder

C:\WINDOWS\tasks\ErrorSmart Scheduled Scan.job

Registry dump

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-07-20 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{813DD04F-261A-428A-8309-3F541B2D2564}]
c:\windows\system32\ziaashl.dll [2001-08-23 104448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-20 2055960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-06-06 1123840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-06-06 1123840]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-20 2055960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-12-07 30208]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-05-18 49152]
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [2006-11-08 222208]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-07-20 1232152]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-07-03 16876032]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2008-06-18 77824]
"AlcWzrd"=C:\WINDOWS\ALCWZRD.EXE [2008-06-19 2808832]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-06-19 57344]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-01 153136]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-06-03 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\obklooga]
C:\WINDOWS\system32\ziaashl.dll [2001-08-23 104448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2A698452-C5D8-C584-C256-C264C987C5A2}"= []
"{20618412-C528-C784-C056-C164D1F7C502}"= []
"{7319A1F1-9410-9654-3201-345FFA349137}"= []
"{8A041F13-A111-12A3-B0CF-F99818AA68A8}"=C:\WINDOWS\system32\zxmsewin.dll []
"{87FD640A-158F-48AC-FD14-1597F14A9778}"= []
"{6A908760-8000-4000-A000-9000322145A6}"=C:\WINDOWS\system32\akjsfkaq.dll []
"{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}"= []
"{5A069845-2036-6084-9054-6087502480A5}"=C:\WINDOWS\system32\ozfyebyt.dll []
"{3D698451-2015-6358-9871-2015987452D3}"=C:\WINDOWS\system32\apzhctde.dll []
"{8C8D1401-A58D-A81C-CD24-A5915C4517C8}"=C:\WINDOWS\system32\mnmhhsrv.dll []
"{45671234-7890-ABCD-CDEF-567801237654}"=C:\WINDOWS\system32\yxcsdhlp.dll []
"{60940F85-F015-14F1-A05F-F69858AC6D06}"=C:\WINDOWS\system32\zptldsys.dll []
"{37A924AF-1A5F-CF21-AB1D-1D5CF82A8A73}"=C:\WINDOWS\system32\zywlcime.dll []
"{4D698451-2015-6358-9871-2015987452D4}"=C:\WINDOWS\system32\apzhdtde.dll []
"{A1954FAC-1023-154F-895A-1458258AD81A}"=C:\WINDOWS\system32\ypdjhbmp.dll []
"{40618412-C528-C784-C056-C164D1F7C504}"=C:\WINDOWS\system32\detxdiua.dll []
"{97FD640A-158F-48AC-FD14-1597F14A9779}"=C:\WINDOWS\system32\mndsisrv.dll []
"{49109876-7619-9101-7012-901938475194}"=C:\WINDOWS\system32\ietzdpaq.dll []
"{6A069845-2036-6084-9054-6087502480A6}"=C:\WINDOWS\system32\ozfyfbyt.dll []
"{8C954872-1230-6541-9548-6541025884C8}"=C:\WINDOWS\system32\fd233ds4f4.dll []
"{9319A1F1-9410-9654-3201-345FFA349139}"=C:\WINDOWS\system32\zywmiime.dll []
"{8FD45A54-9875-698F-E56E-65102358FDF8}"=C:\WINDOWS\system32\apsghjba.dll []
"{50618412-C528-C784-C056-C164D1F7C505}"=C:\WINDOWS\system32\detxeiua.dll []
"{47A924AF-1A5F-CF21-AB1D-1D5CF82A8A74}"=C:\WINDOWS\system32\zywldime.dll []
"{C629FF4F-ACDB-5C90-A098-FACB3456A26C}"=C:\WINDOWS\system32\hdf453d1.dll []
"{48093456-9012-4568-9076-908765467184}"=C:\WINDOWS\system32\tisqdtyu.dll []
"{28766E1C-74B0-4417-8C75-F12AE309EF35}"=C:\WINDOWS\system32\wzcfsw.dll []
"{A9895933-6636-4281-BC58-EE6DE2AF96E3}"= []
"{0B846B26-BFE6-4E8E-A948-1DB17B77B483}"= []
"{73AE86E6-7F03-4C3B-8980-FB1DA157D3C7}"= []
"{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}"=C:\WINDOWS\system32\zsdgff.dll []
"{6E6CA8A1-81BC-4707-A54C-F4903DD70BAD}"=C:\WINDOWS\system32\zgxfdx.dll []
"{259BF3CF-194D-4FE6-9ADB-DE6544B098B6}"=C:\WINDOWS\system32\dndsaf.dll []
"{EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6}"=C:\WINDOWS\system32\fsrgeb.dll []
"{57AC9076-C898-B098-D098-A18319080975}"=C:\WINDOWS\system32\nhmxejkl.dll []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\drivers\svchost.exe"="C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\DAP\DAP.exe"="C:\Program Files\DAP\DAP.exe:*:Disabled:Download Accelerator Plus (DAP)"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"E:\age of mythology\EMPIRES2.EXE"="E:\age of mythology\EMPIRES2.EXE:*:Disabled:Age of Empires II"
"C:\Program Files\utorrent-1.8-rc6.upx.exe"="C:\Program Files\utorrent-1.8-rc6.upx.exe:*:Enabled:µTorrent"
"C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe:*:Enabled:VideoAccelerator"
"E:\Rise Of Nations\game\rise.exe"="E:\Rise Of Nations\game\rise.exe:*:Disabled:Rise of Nations"
"E:\Rise Of Nations\game\thrones.exe"="E:\Rise Of Nations\game\thrones.exe:*:Enabled:Rise of Nations"
"C:\Program Files\Microsoft Games\Rise of Nations\rise.exe"="C:\Program Files\Microsoft Games\Rise of Nations\rise.exe:*:Enabled:Rise of Nations"
"C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe"="C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe:*:Enabled:Rise of Nations"
"E:\Rise Of Nations\rise.exe"="E:\Rise Of Nations\rise.exe:*:Disabled:Rise of Nations"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
shell\AutoRun\command - H:\RoNsetup.exe /autorun


File associations

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

List of files/folders created in the last three months

2008-09-07 03:17:28 ----A---- C:\WINDOWS\gmer.ini
2008-09-07 03:17:27 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-09-07 03:17:27 ----A---- C:\WINDOWS\gmer.exe
2008-09-07 03:17:27 ----A---- C:\WINDOWS\gmer.dll
2008-09-07 03:07:13 ----RASHD---- C:\autorun.inf
2008-09-07 03:06:28 ----A---- C:\Program Files\Flash_Disinfector.exe
2008-09-07 03:01:51 ----D---- C:\Program Files\WinZip
2008-09-05 04:55:13 ----D---- C:\rsit
2008-08-24 18:47:46 ----D---- C:\Scenario
2008-08-23 19:04:20 ----A---- C:\Interop.Shell32.dll
2008-08-23 19:04:10 ----A---- C:\dotnetfx.exe
2008-08-23 15:07:06 ----D---- C:\WINDOWS\system32\appmgmt
2008-08-23 15:01:10 ----D---- C:\Documents and Settings\mars\Application Data\ErrorSmart
2008-08-23 14:56:36 ----D---- C:\Program Files\MSXML 4.0
2008-08-23 08:21:22 ----D---- C:\Documents and Settings\mars\Application Data\Microsoft Games
2008-08-22 23:31:27 ----A---- C:\WINDOWS\unvise32.exe
2008-08-19 06:55:45 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2008-08-19 06:55:44 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2008-08-19 06:54:12 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803$
2008-08-19 05:59:26 ----HD---- C:\WINDOWS\PIF
2008-08-17 07:42:11 ----D---- C:\Documents and Settings\mars\Application Data\Astro Gemini Software
2008-08-13 06:11:03 ----A---- C:\WINDOWS\system32\xmltok.dll
2008-08-13 06:11:03 ----A---- C:\WINDOWS\system32\xmlparse.dll
2008-08-13 06:11:03 ----A---- C:\WINDOWS\system32\xmlinst.exe
2008-08-13 06:11:02 ----D---- C:\Program Files\Ubisoft
2008-08-13 06:11:02 ----A---- C:\WINDOWS\system32\VB5DB.DLL
2008-08-11 07:49:59 ----D---- C:\_OTMoveIt
2008-08-09 06:31:48 ----D---- C:\Program Files\ATI Technologies
2008-08-07 06:43:11 ----D---- C:\Program Files\Trend Micro
2008-08-07 06:41:30 ----D---- C:\WINDOWS\ERDNT
2008-08-07 06:39:41 ----D---- C:\Program Files\Deckard
2008-08-06 18:40:27 ----D---- C:\WINDOWS\pss
2008-08-05 04:13:10 ----D---- C:\Documents and Settings\mars\Application Data\zweitgeist
2008-08-04 18:49:47 ----N---- C:\WINDOWS\system32\ati2sgag.exe
2008-08-04 18:33:02 ----D---- C:\Program Files\ATI
2008-08-04 18:31:42 ----A---- C:\WINDOWS\SkyTel.exe
2008-08-04 18:28:52 ----D---- C:\Program Files\Realtek
2008-08-04 18:28:36 ----A---- C:\WINDOWS\HideWin.exe
2008-08-04 18:26:17 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-08-04 18:25:29 ----D---- C:\ATI
2008-08-03 14:04:07 ----HD---- C:\$AVG8.VAULT$
2008-08-02 07:39:13 ----D---- C:\Program Files\DAEMON Tools Lite
2008-08-02 07:36:13 ----D---- C:\Documents and Settings\mars\Application Data\DAEMON Tools
2008-08-02 06:40:06 ----D---- C:\Documents and Settings\mars\Application Data\vlc
2008-08-02 06:38:26 ----D---- C:\Program Files\VideoLAN
2008-07-29 02:25:13 ----D---- C:\Program Files\uTorrent
2008-07-29 02:25:03 ----D---- C:\Documents and Settings\mars\Application Data\uTorrent
2008-07-29 02:24:45 ----A---- C:\Program Files\utorrent-1.8-rc6.upx.exe
2008-07-27 06:51:28 ----D---- C:\Program Files\Microsoft Games
2008-07-26 07:53:19 ----RHD---- C:\Documents and Settings\mars\Application Data\yahoo!
2008-07-26 06:44:37 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-26 06:40:12 ----A---- C:\YServer.txt
2008-07-26 06:39:39 ----D---- C:\Program Files\Yahoo!
2008-07-26 04:46:40 ----D---- C:\WINDOWS\ie7updates
2008-07-25 05:10:02 ----D---- C:\WINDOWS\WBEM
2008-07-25 05:10:00 ----D---- C:\WINDOWS\system32\en-US
2008-07-25 05:08:29 ----HDC---- C:\WINDOWS\ie7
2008-07-25 05:07:50 ----HDC---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
2008-07-25 05:07:19 ----HDC---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
2008-07-25 05:06:32 ----HDC---- C:\WINDOWS\$NtUninstallKB915865$
2008-07-25 05:06:31 ----HD---- C:\WINDOWS\$hf_mig$
2008-07-25 05:06:22 ----N---- C:\WINDOWS\system32\xmllite.dll
2008-07-24 04:27:03 ----A---- C:\WINDOWS\IE4 Error Log.txt
2008-07-23 03:44:29 ----D---- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-07-22 07:36:23 ----D---- C:\Program Files\directx
2008-07-22 06:49:56 ----A---- C:\Program Files\ATF-Cleaner.exe
2008-07-22 04:07:12 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-22 04:06:58 ----A---- C:\WINDOWS\system32\wbhelp2.dll
2008-07-22 04:06:57 ----RD---- C:\Program Files\DAP
2008-07-21 06:49:28 ----A---- C:\WINDOWS\SIERRA.INI
2008-07-21 06:45:37 ----D---- C:\Documents and Settings\mars\Application Data\Malwarebytes
2008-07-21 06:45:34 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 06:45:33 ----RD---- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 06:44:02 ----D---- C:\Program Files\setup files
2008-07-20 08:59:39 ----D---- C:\Program Files\avg and norton extracts
2008-07-20 08:47:48 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-07-20 08:47:43 ----D---- C:\Documents and Settings\mars\Application Data\AVGTOOLBAR
2008-07-20 08:47:39 ----RD---- C:\Program Files\AVG
2008-07-20 08:47:39 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-19 17:04:07 ----D---- C:\Documents and Settings\All Users\Application Data\WinZip
2008-07-19 09:09:04 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2008-07-13 18:55:26 ----D---- C:\Documents and Settings\mars\Application Data\Symantec
2008-07-13 18:55:25 ----D---- C:\Program Files\Common Files\Symantec Shared
2008-07-13 16:34:32 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
2008-07-12 15:27:26 ----D---- C:\Documents and Settings\mars\Application Data\Mozilla
2008-07-12 09:27:38 ----SHD---- C:\WINDOWS\CSC
2008-07-12 09:27:33 ----A---- C:\WINDOWS\ntbtlog.txt
2008-06-27 08:59:59 ----D---- C:\Documents and Settings\mars\Application Data\WinRAR
2008-06-26 15:35:49 ----RD---- C:\Program Files\WinRAR
2008-06-25 11:43:01 ----D---- C:\Program Files\Common Files\SWF Studio
2008-06-21 01:47:08 ----HD---- C:\WINDOWS\system32\GroupPolicy
2008-06-21 01:46:06 ----D---- C:\WINDOWS\system32\NtmsData
2008-06-21 01:22:56 ----D---- C:\1b80debab6108af0eaeb25ea
2008-06-20 12:33:51 ----D---- C:\Documents and Settings\mars\Application Data\Adobe
2008-06-20 08:04:30 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-20 08:04:26 ----RD---- C:\Program Files\Adobe
2008-06-20 08:04:26 ----D---- C:\Program Files\Common Files\Adobe
2008-06-17 23:15:31 ----A---- C:\WINDOWS\uninst.exe
2008-06-17 14:10:10 ----D---- C:\Documents and Settings\mars\Application Data\PC Suite
2008-06-17 12:13:47 ----A---- C:\WINDOWS\ModemLog_Nokia 6233 USB Modem.txt
2008-06-17 11:55:18 ----HDC---- C:\WINDOWS\$NtUninstallWudf01005$
2008-06-17 11:49:10 ----D---- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-06-17 11:48:58 ----RD---- C:\Program Files\Common Files\Nokia
2008-06-17 11:48:58 ----D---- C:\Program Files\Common Files\PCSuite
2008-06-17 11:48:50 ----D---- C:\Program Files\DIFX
2008-06-17 11:48:32 ----D---- C:\Program Files\PC Connectivity Solution
2008-06-17 11:48:24 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-06-17 11:48:24 ----A---- C:\WINDOWS\system32\nmwcdlog.dll
2008-06-17 11:48:24 ----A---- C:\WINDOWS\system32\nmwcdcocls.dll
2008-06-17 11:48:08 ----A---- C:\WINDOWS\system32\nmwcdcls.dll
2008-06-17 11:48:07 ----RD---- C:\Program Files\Nokia
2008-06-16 09:30:15 ----A---- C:\WINDOWS\system32\javaee.dll
2008-06-15 23:04:48 ----D---- C:\Documents and Settings\mars\Application Data\Google
2008-06-15 10:33:14 ----A---- C:\WINDOWS\system32\jit.dll
2008-06-15 10:33:14 ----A---- C:\WINDOWS\setdebug.exe
2008-06-15 10:33:13 ----A---- C:\WINDOWS\system32\dx3j.dll
2008-06-15 10:33:10 ----A---- C:\WINDOWS\system32\wjview.exe
2008-06-15 10:33:09 ----A---- C:\WINDOWS\system32\vmhelper.dll
2008-06-15 10:33:09 ----A---- C:\WINDOWS\system32\msjdbc10.dll
2008-06-15 10:33:09 ----A---- C:\WINDOWS\system32\msjava.dll
2008-06-15 10:33:09 ----A---- C:\WINDOWS\system32\msawt.dll
2008-06-15 10:33:09 ----A---- C:\WINDOWS\system32\jview.exe
2008-06-15 10:33:09 ----A---- C:\WINDOWS\system32\jdbgmgr.exe
2008-06-15 10:33:08 ----A---- C:\WINDOWS\system32\javart.dll
2008-06-15 10:33:08 ----A---- C:\WINDOWS\system32\javaprxy.dll
2008-06-15 10:33:08 ----A---- C:\WINDOWS\system32\javacypt.dll
2008-06-15 10:33:07 ----A---- C:\WINDOWS\system32\clspack.exe
2008-06-15 10:32:57 ----D---- C:\Program Files\jvm
2008-06-14 07:34:11 ----HDC---- C:\WINDOWS\$NtUninstallKB926239$
2008-06-14 07:34:05 ----N---- C:\WINDOWS\system32\spmsg.dll
2008-06-14 07:34:01 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2008-06-14 07:33:46 ----D---- C:\Program Files\Windows Media Connect 2
2008-06-14 07:33:37 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2008-06-14 07:33:06 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2008-06-14 07:32:46 ----D---- C:\WINDOWS\system32\LogFiles
2008-06-14 07:32:38 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2008-06-14 07:32:11 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-06-12 15:59:18 ----D---- C:\Documents and Settings\mars\Application Data\Macromedia
2008-06-08 23:42:45 ----A---- C:\WINDOWS\RtlRack.ini

List of drivers

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\system32\System32\Drivers\avgldx86.sys []
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\system32\System32\Drivers\avgmfx86.sys []
R1 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-07 85969]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-03 36096]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-06-03 3100160]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-07-03 4745216]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
R3 SMBios;Intel ® System Management BIOS Service; C:\WINDOWS\system32\DRIVERS\SMBios.sys [2004-06-07 36484]
S3 a2u3rayz;a2u3rayz; C:\WINDOWS\system32\drivers\a2u3rayz.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2006-10-10 9216]
S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2006-10-10 12800]
S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2006-10-10 138240]
S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2006-10-10 12800]
S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
S3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

List of services

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-06-03 552960]
R2 ATIWebPAM;ATI WebPAM; C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe [2003-09-29 110592]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-20 231192]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2005-08-08 167936]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-01 271920]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-06-02 593920]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2006-11-06 210432]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
HELPING OTHERS IS A GREAT JOB

#13 dinesh4260

dinesh4260

    Forum Regular

  • Members
  • 184 posts
  • Gender:Male
  • Location:chennai

Posted 07 September 2008 - 04:22 AM

hi,
I am still using uTorrent. Do you want me to stop all downloading, close all the ports that I had opened and then uninstall uTorrent?


Please tell me, because I don't know what to do with that. :thumbsup:
HELPING OTHERS IS A GREAT JOB

#14 PropagandaPanda

PropagandaPanda

  • Malware Response Instructor
  • 9,879 posts
  • Gender:Male

Posted 07 September 2008 - 08:30 AM

Hello Dinesh4260.

Disable Realtime Protection
To disable AVG:
  • Please navigate to the system tray in the bottom right hand corner and look for the AVG icon.
  • Right click it -> select Quit Control Center.
  • A warning will pop up; click Yes.
Install Recovery Console and Run ComboFix
Download Combofix from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Download the file and save it, as it is originally named, onto your desktop.
  • Close any open windows, including this one.
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click Yes to run the full ComboFix scan.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Post back with the ComboFix log.

Also run GMER again after ComboFix with the same instructions and post back with the logs.

With Regards,
The Panda

#15 dinesh4260

dinesh4260

    Forum Regular

  • Members
  • 184 posts
  • Gender:Male
  • Location:chennai

Posted 07 September 2008 - 10:43 AM

Here are the two logs (but when I first scanned using ComboFix I had some problem, so I scanned again, and this is my second log file).

ComboFix 08-09-05.03 - mars 2008-09-07 20:49:13.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.525 [GMT 5.5:30]
Running from: C:\Documents and Settings\mars\Favorites\Desktop\repair\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-07 03:17 . 2008-09-07 03:26 345 --a------ C:\WINDOWS\gmer.ini
2008-09-07 03:09 . 2008-09-07 03:09 <DIR> d--hs---- C:\Documents and Settings\mars\UserData
2008-09-07 03:06 . 2008-09-07 03:06 132,597 --a------ C:\Program Files\Flash_Disinfector.exe
2008-09-07 02:55 . 2008-09-07 02:59 13,732,834 --a------ C:\Program Files\Winzip PRO 11.2 build 8094 Full with Key.zip
2008-09-05 04:55 . 2008-09-05 16:40 <DIR> d-------- C:\rsit
2008-08-24 18:47 . 2008-08-24 18:47 <DIR> d-------- C:\Scenario
2008-08-23 19:04 . 2008-08-26 20:51 23,510,720 --a------ C:\dotnetfx.exe
2008-08-23 19:04 . 2008-08-26 20:51 53,248 --a------ C:\Interop.Shell32.dll
2008-08-23 15:01 . 2008-08-23 15:01 <DIR> d-------- C:\Documents and Settings\mars\Application Data\ErrorSmart
2008-08-23 14:56 . 2008-08-23 14:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-23 08:21 . 2008-08-23 08:21 <DIR> d-------- C:\Documents and Settings\mars\Application Data\Microsoft Games
2008-08-22 23:31 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-08-19 06:55 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-08-19 05:59 . 2008-08-19 05:59 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-17 08:00 . 2007-12-12 16:23 10,477,568 --a------ C:\WINDOWS\system32\3D Titanic Screensaver.scr
2008-08-17 07:42 . 2008-08-17 07:42 <DIR> d-------- C:\Documents and Settings\mars\Application Data\Astro Gemini Software
2008-08-13 16:40 . 2008-08-13 16:40 1,409 --a------ C:\WINDOWS\system32\tmp79DC2.FOT
2008-08-13 16:40 . 2008-08-13 16:40 1,409 --a------ C:\WINDOWS\system32\tmp6ADC2.FOT
2008-08-13 16:40 . 2008-08-13 16:40 1,409 --a------ C:\WINDOWS\system32\tmp5DDC2.FOT
2008-08-13 16:40 . 2008-08-13 16:40 1,409 --a------ C:\WINDOWS\system32\tmp4FDC2.FOT
2008-08-13 16:40 . 2008-08-13 16:40 1,409 --a------ C:\WINDOWS\system32\tmp40EC2.FOT
2008-08-13 06:11 . 2008-08-13 06:11 <DIR> d-------- C:\Program Files\Ubisoft
2008-08-13 06:11 . 2004-03-09 17:36 140,488 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-08-13 06:11 . 2004-03-09 17:36 115,016 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-08-13 06:11 . 2004-03-09 17:36 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-08-13 06:11 . 2004-03-09 17:36 69,632 --a------ C:\WINDOWS\system32\xmltok.dll
2008-08-13 06:11 . 2004-03-09 17:36 36,864 --a------ C:\WINDOWS\system32\xmlparse.dll
2008-08-13 06:11 . 2004-03-09 17:36 35,840 --a------ C:\WINDOWS\system32\comdlg32.oca
2008-08-13 06:11 . 2004-03-09 17:36 26,096 --a------ C:\WINDOWS\system32\xmlinst.exe
2008-08-11 07:49 . 2008-08-11 07:49 <DIR> d-------- C:\_OTMoveIt
2008-08-09 06:31 . 2008-08-09 06:31 <DIR> d-------- C:\Program Files\ATI Technologies
2008-08-07 06:43 . 2008-08-07 06:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-07 06:39 . 2008-08-07 06:39 <DIR> d-------- C:\Program Files\Deckard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 14:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-07 14:33 104,448 ----a-w C:\WINDOWS\system32\wdkntpr.dll
2008-09-07 02:13 --------- d-----w C:\Documents and Settings\mars\Application Data\uTorrent
2008-09-06 21:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-09-06 20:55 --------- d--h--r C:\Documents and Settings\mars\Application Data\yahoo!
2008-09-06 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-02 14:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-02 14:45 --------- d-----w C:\Program Files\Microsoft Games
2008-09-02 14:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-23 21:40 --------- d-----w C:\Program Files\setup files
2008-08-22 22:11 268,592 ----a-w C:\Program Files\utorrent-1.8-rc6.upx.exe
2008-08-22 01:46 --------- d-----r C:\Program Files\Malwarebytes' Anti-Malware
2008-08-19 00:06 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-08-17 09:31 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 09:31 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-04 22:43 --------- d-----w C:\Documents and Settings\mars\Application Data\zweitgeist
2008-08-04 13:12 --------- d-----w C:\Program Files\ATI
2008-08-04 12:58 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-08-04 12:58 --------- d-----w C:\Program Files\Realtek
2008-08-03 09:51 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-02 02:06 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-02 02:06 --------- d-----w C:\Documents and Settings\mars\Application Data\DAEMON Tools
2008-08-02 01:10 --------- d-----w C:\Documents and Settings\mars\Application Data\vlc
2008-08-02 01:08 --------- d-----w C:\Program Files\VideoLAN
2008-07-28 23:35 --------- d-----w C:\Program Files\uTorrent
2008-07-27 10:46 --------- d-----w C:\Program Files\Yahoo!
2008-07-27 10:45 --------- d-----r C:\Program Files\DAP
2008-07-24 23:28 --------- d-----w C:\Documents and Settings\mars\Application Data\AVGTOOLBAR
2008-07-22 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-07-22 02:06 --------- d-----w C:\Program Files\directx
2008-07-22 01:19 50,688 ----a-w C:\Program Files\ATF-Cleaner.exe
2008-07-21 22:36 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2008-07-21 01:15 --------- d-----w C:\Documents and Settings\mars\Application Data\Malwarebytes
2008-07-21 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-20 11:26 --------- d-----r C:\Program Files\Common Files\Nokia
2008-07-20 11:25 --------- d-----r C:\Program Files\Common Files\Real
2008-07-20 11:22 --------- d-----r C:\Program Files\AvRack
2008-07-20 05:03 --------- d-----r C:\Program Files\GRETECH
2008-07-20 04:57 --------- d-----r C:\Program Files\Realtek Sound Manager
2008-07-20 04:56 --------- d-----r C:\Program Files\Nero
2008-07-20 04:54 --------- d-----r C:\Program Files\Winamp
2008-07-20 04:53 --------- d-----r C:\Program Files\Real
2008-07-20 04:52 --------- d-----r C:\Program Files\Nokia
2008-07-20 03:34 --------- d-----r C:\Program Files\AVG
2008-07-20 03:30 --------- d-----w C:\Program Files\avg and norton extracts
2008-07-20 03:17 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-20 03:17 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-20 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-19 11:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-19 07:34 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-19 07:34 10,652 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-13 13:25 --------- d-----w C:\Documents and Settings\mars\Application Data\Symantec
2008-07-10 04:13 17,144 ----a-w C:\Documents and Settings\mars\Application Data\GDIPFONTCACHEV1.DAT
2008-07-03 11:21 16,876,032 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-06-25 06:13 1,386,496 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2008-06-19 11:12 2,808,832 ----a-w C:\WINDOWS\alcwzrd.exe
2008-06-19 10:57 9,715,200 ----a-w C:\WINDOWS\RTLCPL.exe
2008-06-19 10:50 57,344 ----a-w C:\WINDOWS\Alcmtr.exe
2008-06-18 12:31 77,824 ----a-w C:\WINDOWS\SoundMan.exe
2008-06-15 05:03 155,995 ----a-w C:\WINDOWS\java\Packages\GAVNPJZX.ZIP
2008-06-15 05:02 5,107,041 ----a-w C:\Program Files\jvm.zip
2004-08-08 01:34 3,640 --sh--w C:\WINDOWS\system32\ictxaiua.sys
2004-08-08 01:35 520 --sh--w C:\WINDOWS\system32\nttzapaq.sys
2004-08-08 01:34 1,040 --sh--w C:\WINDOWS\system32\smdsbsrv.sys
2004-08-08 23:21 3,640 --sh--w C:\WINDOWS\system32\vlhxaklo.sys
2004-08-08 12:12 2,080 --sh--w C:\WINDOWS\system32\xscqbhlp.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{813DD04F-261A-428A-8309-3F541B2D2564}]
2008-09-07 20:03 104448 --a------ c:\windows\system32\ziaashl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 222208]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-20 1232152]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-03 C:\WINDOWS\RTHDCPL.exe]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 C:\WINDOWS\alcwzrd.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\utorrent-1.8-rc6.upx.exe"=
"E:\\Rise Of Nations\\game\\rise.exe"=
"E:\\Rise Of Nations\\rise.exe"=

R0 wezkcnbu;wezkcnbu;C:\WINDOWS\system32\drivers\wezkcnbu.sys [2001-08-23 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-20 96520]
R2 ATIWebPAM;ATI WebPAM;C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe [2003-09-29 110592]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-20 231192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\RoNsetup.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\setup.exe /autorun
\Shell\setup\command - I:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.co.in/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 -: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 -: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 -: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 -: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 -: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 -: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 -: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O17 -: HKLM\CCS\Interface\{F2C37B9D-5325-4248-9133-6C46B1F469C4}: NameServer = 218.248.255.146,218.248.240.46
O18 -: Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~1\DAP\dapie.dll
O18 -: Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~1\DAP\dapie.dll

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 20:50:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-07 20:51:25
ComboFix-quarantined-files.txt 2008-09-07 15:21:19
ComboFix2.txt 2008-09-07 15:04:49
ComboFix3.txt 2008-09-07 14:36:04

Pre-Run: 33,558,802,432 bytes free
Post-Run: 33,548,746,752 bytes free

198

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-07 21:06:25
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT spwt.sys ZwCreateKey [0xF733C0E0]
SSDT spwt.sys ZwEnumerateKey [0xF735ACA2]
SSDT spwt.sys ZwEnumerateValueKey [0xF735B030]
SSDT spwt.sys ZwOpenKey [0xF733C0C0]
SSDT spwt.sys ZwQueryKey [0xF735B108]
SSDT spwt.sys ZwQueryValueKey [0xF735AF88]
SSDT spwt.sys ZwSetValueKey [0xF735B19A]

INT 0x62 ? 85967BF8
INT 0x73 ? 85967BF8
INT 0x82 ? 85967BF8
INT 0x83 ? 85967BF8
INT 0x83 ? 85967BF8

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 44F 805BA2A9 7 Bytes JMP 859AA150
? spwt.sys The system cannot find the file specified. !
.text ammqmy6x.SYS F6B38386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text ammqmy6x.SYS F6B383AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ammqmy6x.SYS F6B383C4 3 Bytes [ 00, 70, 02 ]
.text ammqmy6x.SYS F6B383C9 1 Byte [ 2E ]
.text ammqmy6x.SYS F6B383CB 9 Bytes [ 00, 00, 5A, 02, 00, 00, 00, ... ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3296] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 7E38C4D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3296] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 7E38C510 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3296] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 7E38C491 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3296] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3296] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 7E38C413 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3296] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 7E38C54B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3296] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 7E38C44D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F733D040] spwt.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F733D13C] spwt.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F733D0BE] spwt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F733D7FC] spwt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F733D6D2] spwt.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F734D048] spwt.sys
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\ammqmy6x.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 859661F8
Device \Driver\sptd \Device\3542491154 spwt.sys
Device \Driver\PCI_PNP3654 \Device\00000045 spwt.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 859D81F8
Device \Driver\dmio \Device\DmControl\DmConfig 859D81F8
Device \Driver\dmio \Device\DmControl\DmPnP 859D81F8
Device \Driver\dmio \Device\DmControl\DmInfo 859D81F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 859681F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 859681F8
Device \Driver\Cdrom \Device\CdRom0 857F11F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 859681F8
Device \Driver\atapi \Device\Ide\IdePort0 859671F8
Device \Driver\atapi \Device\Ide\IdePort1 859671F8
Device \Driver\atapi \Device\Ide\IdePort2 859671F8
Device \Driver\atapi \Device\Ide\IdePort3 859671F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-7 859671F8
Device \Driver\atapi \Device\Ide\IdePort4 859671F8
Device \Driver\atapi \Device\Ide\IdePort5 859671F8
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-16 859671F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 859681F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 856D7318
Device \Driver\NetBT \Device\NetbiosSmb 856D7318
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 857391F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 857391F8
Device \Driver\Ftdisk \Device\FtControl 859681F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F2C37B9D-5325-4248-9133-6C46B1F469C4} 856D7318
Device \Driver\ammqmy6x \Device\Scsi\ammqmy6x1 857051F8
Device \FileSystem\Cdfs \Cdfs 85615500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1F 0x2C 0x33 0x46 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x05 0xE4 0xAB 0x72 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3E 0xE7 0x92 0xEF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x94 0xAB 0xA1 0x16 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x82 0xC6 0xBC 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x2F 0x37 0xFD 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1F 0x2C 0x33 0x46 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x05 0xE4 0xAB 0x72 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3E 0xE7 0x92 0xEF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x94 0xAB 0xA1 0x16 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x82 0xC6 0xBC 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x2F 0x37 0xFD 0x8A ...

---- EOF - GMER 1.0.14 ----
HELPING OTHERS IS A GREAT JOB
