Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horse Psw.onlinegames.2.u Infection?


  • This topic is locked This topic is locked
13 replies to this topic

#1 NBP11

NBP11

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 01 October 2008 - 02:01 AM

Hello all,

Thanks in advance for helping me out.

3 weeks or so ago I plugged in my microSD card into my computer and AVG 8.0 resident shield popped up telling me it had detected 2 infected files: "j3ewro.exe" and "jwedsfdo0.dll", both located in my Windows/system32 folder. Here is a screen capture of the message: http://i36.tinypic.com/nygsaf.jpg

I had followed the "Preparation Guide before posting a HijackThis log section": ran updated Adaware/Spybot Searcjh & Destroy/Windows Defender, and additionally, Spyware Terminator/AVG 8.0/Malwarebytes' Anti-Malware (all up-to-date) but nothing was found , safe for some tracking cookies. As for online scanners, I used 1)Bitdefender (found nothing) 2)Panda Active Scan (found a "Generic Trojan in file "C:\Windows\FixCamera.exe" as shown here: http://i34.tinypic.com/dvj2nb.jpg ) 3) Trend Micro Housecall (found adware_memwatcher but I think it's the altered host file written by Spybot: http://i34.tinypic.com/14421cz.jpg )

Upon searching for the file "j3ewro.exe" on Google, I only found limited info. on a site called Prevx (apparently a anti-malware manufacturer) that said it's a malware/trojan/worm. I also found this link from Trendmicro
http://www.trendmicro.com/vinfo/virusencyc...BPS&VSect=T
and upon checking my own registry and confirmed the same changes reportedly made by those 2 files as described from the link. I am worried my computer's security had been compensated but nothing was found with any of the above scanners. Looks like "j3ewro.exe" and "jwedsfdo0.dll" had deleted themselves after altering my registry and possibly created some other files in my system....

Please have a look at my hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:37 PM, on 10/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Vimicro\Vimicro USB PC Camera (VC0332)\x86\VMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\ArcSoft\TOTALM~1.5\LME_IR\LME_IR4TM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VMonitorVMUVC] "C:\Program Files\Vimicro\Vimicro USB PC Camera (VC0332)\x86\VMonitor.exe" VMUVC
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [LME_IR4TM.exe] C:\PROGRA~1\ArcSoft\TOTALM~1.5\LME_IR\LME_IR4TM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn01.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205658240390
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...381/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAF0F9AB-08AA-4398-BEFD-E1C371D9C79E}: NameServer = 203.198.23.208,205.252.144.126
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11125 bytes

BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:31 AM

Posted 10 October 2008 - 11:01 AM

Hi ,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

I see some minor things on the log but no serious threat. We are going to dig a little deeper to make sure.
  • To get an idea about the current condition of you computer download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

      Note 1:The logs will be created in this folder: C:\rsit

      Note 2:The tool takes not more than one minute to scan the system.
  • Could you provide me the first AVG log, I need to see the date an possibly the time those trojan files are detected. It should be found under the log section. If the files are in Quarantine there could be some more specification 9date and time).

  • Tell me about the current condition of your computer and if you have noticed anything unusual.

  • Tell me if you have restored the registry values to its default value.


#3 NBP11

NBP11
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 13 October 2008 - 02:19 AM

Hello farbar,

Thanks for replying and offering your help! I greatly appreciate it.

I followed your instructions and ran rsit; here's the log.txt file:

Logfile of random's system information tool 1.04 (written by random/random)
Run by user at 2008-10-13 14:49:45
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 10 GB (8%) free of 120 GB
Total RAM: 1023 MB (29% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:02 PM, on 10/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Vimicro\Vimicro USB PC Camera (VC0332)\x86\VMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ArcSoft\TOTALM~1.5\LME_IR\LME_IR4TM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\user\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\user.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VMonitorVMUVC] "C:\Program Files\Vimicro\Vimicro USB PC Camera (VC0332)\x86\VMonitor.exe" VMUVC
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [LME_IR4TM.exe] C:\PROGRA~1\ArcSoft\TOTALM~1.5\LME_IR\LME_IR4TM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn01.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205658240390
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...381/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAF0F9AB-08AA-4398-BEFD-E1C371D9C79E}: NameServer = 203.198.23.208,205.252.144.126
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11377 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
C:\PROGRA~1\Crawler\ctbr.dll [2008-06-19 1190912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-02-01 1377576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-29 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{4B3803EA-5230-4DC3-A7FC-33638F3D3542} - &Crawler Toolbar - C:\PROGRA~1\Crawler\ctbr.dll [2008-06-19 1190912]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-01-09 8523776]
"nwiz"=nwiz.exe /install []
"SpywareTerminator"=C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe [2008-08-26 1783808]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-11-30 16858624]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-01-09 81920]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"SecurDisc"=C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe [2007-05-15 1628208]
"InCD"=C:\Program Files\Nero\Nero 7\InCD\InCD.exe [2007-05-15 1057328]
"Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304]
"VMonitorVMUVC"=C:\Program Files\Vimicro\Vimicro USB PC Camera (VC0332)\x86\VMonitor.exe [2007-04-13 114688]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"ProfilerU"=C:\Program Files\Saitek\SD6\Software\ProfilerU.exe [2007-10-02 233472]
"SaiMfd"=C:\Program Files\Saitek\SD6\Software\SaiMfd.exe [2007-10-02 131072]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-09-29 1234712]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]
"Kernel and Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304]
"ArcSoft Connection Service"=C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2008-09-27 162304]
"LME_IR4TM.exe"=C:\PROGRA~1\ArcSoft\TOTALM~1.5\LME_IR\LME_IR4TM.exe [2008-05-17 212992]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WebCamRT.exe"= []
"Aim6"= []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"SsAAD.exe"=C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe [2006-05-08 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
TMMonitor.lnk - C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll [2008-05-02 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:Torrent"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\PPStream\PPStream.exe"="C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPS"
"C:\Program Files\PPStream\PPSAP.exe"="C:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS "
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\ArcSoft\TotalMedia 3.5\TotalMedia.exe"="C:\Program Files\ArcSoft\TotalMedia 3.5\TotalMedia.exe:LocalSubNet:Enabled:ArcSoft TotalMedia 3.5"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04c56463-0f5a-11dd-a5e0-001e9077e09d}]
shell\AutoRun\command - F:\cjrp8.com
shell\explore\command - F:\cjrp8.com
shell\open\command - F:\cjrp8.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23d23723-3f9e-11dd-b932-001e9077e09d}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23d23724-3f9e-11dd-b932-001e9077e09d}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe


======File associations======

.js - open - %SystemRoot%\System32\CScript.exe "%1" %*
.vbs - open - %SystemRoot%\System32\CScript.exe "%1" %*

======List of files/folders created in the last 3 months======

2008-10-13 14:49:45 ----D---- C:\rsit
2008-09-22 13:27:06 ----D---- C:\Program Files\Trend Micro
2008-09-15 17:00:10 ----D---- C:\Program Files\Lavasoft
2008-09-15 17:00:09 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-15 16:59:20 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-14 13:34:02 ----D---- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-09-14 13:33:59 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-14 13:33:59 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-11 23:11:32 ----D---- C:\WINDOWS\McAfee.com
2008-09-11 00:20:57 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-11 00:20:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-08-24 14:37:43 ----A---- C:\WINDOWS\system32\wnaspi32.dll
2008-08-24 13:01:23 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2008-08-24 13:01:23 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2008-08-24 13:01:22 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2008-08-24 13:01:22 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2008-08-24 13:01:22 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2008-08-24 13:01:22 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2008-08-24 13:01:21 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2008-08-24 13:01:21 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2008-08-24 13:01:20 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2008-08-24 13:01:20 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2008-08-24 13:01:19 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2008-08-24 13:01:19 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2008-08-24 13:01:11 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2008-08-24 13:01:11 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2008-08-24 13:01:10 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2008-08-24 13:01:09 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2008-08-24 13:01:09 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2008-08-24 13:01:08 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2008-08-24 13:01:08 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2008-08-24 13:01:07 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2008-08-13 18:40:48 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-08-13 18:40:42 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-08-13 18:40:36 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
2008-08-13 18:40:29 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-08-13 18:38:30 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-08-13 18:38:20 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-08-13 18:37:18 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-08-11 22:43:30 ----D---- C:\Documents and Settings\All Users\Application Data\BlazeVideo
2008-08-11 22:43:28 ----A---- C:\WINDOWS\system32\systeminfo.dll
2008-08-07 22:26:25 ----D---- C:\Documents and Settings\All Users\Application Data\ArcSoft
2008-08-07 22:26:19 ----D---- C:\Documents and Settings\user\Application Data\ArcSoft
2008-08-07 22:25:03 ----D---- C:\Program Files\ArcSoft
2008-08-07 22:25:02 ----D---- C:\Program Files\Common Files\ArcSoft
2008-08-07 22:04:17 ----A---- C:\WINDOWS\system32\PsisDecd.dll
2008-08-06 16:16:16 ----A---- C:\WINDOWS\system32\javaws.exe
2008-08-06 16:16:16 ----A---- C:\WINDOWS\system32\javaw.exe
2008-08-06 16:16:16 ----A---- C:\WINDOWS\system32\java.exe
2008-07-26 16:33:30 ----HDC---- C:\WINDOWS\$NtUninstallWdf01005$

======List of files/folders modified in the last 3 months======

2008-10-13 14:50:02 ----D---- C:\WINDOWS\Temp
2008-10-13 14:50:00 ----D---- C:\WINDOWS\Prefetch
2008-10-13 14:47:34 ----D---- C:\WINDOWS\Internet Logs
2008-10-13 14:41:06 ----D---- C:\Program Files\Crawler
2008-10-13 14:39:52 ----D---- C:\Program Files\Spyware Terminator
2008-10-13 14:39:52 ----D---- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-10-13 11:00:23 ----D---- C:\Documents and Settings\user\Application Data\Spyware Terminator
2008-10-13 04:23:41 ----A---- C:\WINDOWS\NeroDigital.ini
2008-10-13 01:42:56 ----D---- C:\Documents and Settings\user\Application Data\Skype
2008-10-13 00:09:11 ----D---- C:\Documents and Settings\user\Application Data\skypePM
2008-10-11 19:31:05 ----D---- C:\Documents and Settings\user\Application Data\uTorrent
2008-10-10 22:18:27 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-10 22:18:25 ----SD---- C:\WINDOWS\Tasks
2008-10-10 22:16:57 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-04 18:10:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-03 21:26:20 ----D---- C:\Program Files\eMule
2008-10-03 12:12:20 ----SHD---- C:\WINDOWS\Installer
2008-10-03 01:35:43 ----D---- C:\Program Files\ALZip
2008-10-03 00:50:55 ----A---- C:\WINDOWS\avisplitter.INI
2008-10-01 22:10:11 ----D---- C:\WINDOWS
2008-10-01 01:11:41 ----D---- C:\Program Files\Internet Explorer
2008-10-01 01:02:16 ----D---- C:\WINDOWS\system32\drivers
2008-10-01 00:11:30 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-09-30 12:12:12 ----HD---- C:\WINDOWS\inf
2008-09-30 12:12:11 ----D---- C:\Program Files\Panda Security
2008-09-30 02:37:57 ----D---- C:\WINDOWS\BDOSCAN8
2008-09-22 13:27:06 ----RD---- C:\Program Files
2008-09-21 17:40:42 ----D---- C:\WINDOWS\Minidump
2008-09-15 18:56:07 ----D---- C:\WINDOWS\system32
2008-09-15 18:51:48 ----D---- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-15 18:48:31 ----SHD---- C:\System Volume Information
2008-09-15 16:59:20 ----D---- C:\Program Files\Common Files
2008-09-14 16:46:26 ----D---- C:\WINDOWS\Debug
2008-09-14 14:11:31 ----HD---- C:\$AVG8.VAULT$
2008-09-13 17:16:14 ----D---- C:\Documents and Settings
2008-09-11 00:20:58 ----D---- C:\WINDOWS\WinSxS
2008-08-28 22:19:52 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-08-27 04:28:12 ----A---- C:\WINDOWS\system32\MRT.exe
2008-08-26 18:18:07 ----D---- C:\WINDOWS\Help
2008-08-24 13:01:19 ----RSD---- C:\WINDOWS\assembly
2008-08-24 13:01:13 ----D---- C:\WINDOWS\Microsoft.NET
2008-08-24 13:01:05 ----D---- C:\WINDOWS\system32\DirectX
2008-08-22 12:17:06 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-08-13 18:40:44 ----D---- C:\Program Files\Messenger
2008-08-13 18:40:41 ----HD---- C:\WINDOWS\$hf_mig$
2008-08-13 18:37:47 ----D---- C:\WINDOWS\ie7updates
2008-08-11 22:13:18 ----D---- C:\Program Files\Microsoft Silverlight
2008-08-11 01:33:45 ----A---- C:\WINDOWS\win.ini
2008-08-06 23:57:06 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-06 16:16:15 ----D---- C:\Program Files\Java
2008-07-27 19:34:49 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-07-27 19:33:45 ----SD---- C:\Documents and Settings\user\Application Data\Microsoft
2008-07-26 16:46:43 ----A---- C:\WINDOWS\ModemLog_Motorola USB Modem.txt
2008-07-22 01:25:17 ----D---- C:\Program Files\Motorola Phone Tools
2008-07-20 11:07:33 ----D---- C:\WINDOWS\system32\Restore
2008-07-18 22:10:48 ----A---- C:\WINDOWS\system32\cdm.dll
2008-07-18 22:10:42 ----A---- C:\WINDOWS\system32\wuauclt.exe
2008-07-18 22:10:40 ----A---- C:\WINDOWS\system32\wups2.dll
2008-07-18 22:10:24 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-07-18 22:10:20 ----A---- C:\WINDOWS\system32\wups.dll
2008-07-18 22:09:46 ----A---- C:\WINDOWS\system32\wucltui.dll
2008-07-18 22:09:44 ----A---- C:\WINDOWS\system32\wuweb.dll
2008-07-18 22:09:44 ----A---- C:\WINDOWS\system32\wuapi.dll
2008-07-18 22:09:42 ----A---- C:\WINDOWS\system32\wuaueng.dll
2008-07-18 22:09:42 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2008-07-18 22:08:34 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-07-18 22:07:34 ----A---- C:\WINDOWS\system32\mucltui.dll
2008-07-18 22:07:32 ----A---- C:\WINDOWS\system32\muweb.dll
2008-07-18 22:07:32 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2008-07-18 02:48:19 ----D---- C:\WINDOWS\system32\ZoneLabs
2008-07-18 01:34:43 ----D---- C:\WINDOWS\system32\CatRoot
2008-07-17 01:11:29 ----D---- C:\Program Files\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-08-29 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-07-04 26824]
R1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys [2007-05-15 37040]
R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys [2007-05-15 38576]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2007-07-19 127768]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-07-09 394952]
R2 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-07-04 76040]
R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2004-01-28 9728]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2006-11-10 18688]
R3 ElbyDelay;ElbyDelay; C:\WINDOWS\System32\Drivers\ElbyDelay.sys [2004-01-28 3840]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-12-05 4632576]
R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2008-02-29 20240]
R3 L8042mou;SetPoint PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042mou.Sys [2008-02-29 63120]
R3 LMEBDATuner;LMEBDA DTMB53L5C; C:\WINDOWS\System32\Drivers\LMEBDA_DTMB53L5C.sys [2008-03-27 52224]
R3 LMouKE;SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2008-02-29 79120]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-18 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-01-09 7434336]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-03-07 106624]
R3 SaiMini;SaiMini; C:\WINDOWS\system32\DRIVERS\SaiMini.sys [2007-10-05 14080]
R3 SaiNtBus;SaiNtBus; C:\WINDOWS\system32\drivers\SaiBus.sys [2007-10-05 35200]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 VMUVC;Vimicro Camera Service VMUVC; C:\WINDOWS\System32\Drivers\VMUVC.sys [2007-08-08 241152]
R3 vvftUVC;Vimicro Camera Filter Service VMUVC; C:\WINDOWS\system32\drivers\vvftUVC.sys [2007-06-13 476032]
R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys [2007-05-15 118576]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2006-12-13 20992]
S3 MPE;BDA MPE Filter; C:\WINDOWS\system32\DRIVERS\MPE.sys [2008-04-14 15232]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 QCMerced;Logitech QuickCam Express; C:\WINDOWS\system32\DRIVERS\LVCM.sys [2002-09-20 472396]
S3 SaiH0109;SaiH0109; C:\WINDOWS\system32\DRIVERS\SaiH0109.sys [2007-05-01 132232]
S3 SaiU0109;SaiU0109; C:\WINDOWS\system32\DRIVERS\SaiU0109.sys [2007-05-01 28416]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SNP325;USB PC Camera (SNPSTD325); C:\WINDOWS\system32\DRIVERS\snp325.sys []
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 usbsermpt;Motorola USB Modem Driver for MPT; C:\WINDOWS\system32\DRIVERS\usbsermpt.sys [2008-03-31 22768]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-15 611664]
R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-09-23 109056]
R2 avg8emc;AVG8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 InCDsrv;InCD Helper; C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe [2007-05-15 1550896]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-01-09 155716]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\PROGRA~1\SPYWAR~1\sp_rsser.exe [2008-08-26 570880]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-05 24652]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-07-09 75304]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360]
S3 MSCSPTISRV;MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [2006-04-27 53337]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-08 271920]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-04-16 91184]
S3 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [2006-04-27 49241]
S3 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [2006-04-27 69718]
S3 SSScsiSV;SonicStage SCSI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [2006-05-08 69632]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------



**********************************************************************************************************************************

And here's the info.txt file:

info.txt logfile of random's system information tool 1.04 2008-10-13 14:50:05

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\NuNInst.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->Dummy
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
11view 3.0a-->"C:\Program Files\11view\Uninstall.exe" "C:\Program Files\11view\install.log"
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM 6-->C:\Program Files\AIM6\uninst.exe
AKKORD WebCamera (VC0332)-->C:\Program Files\InstallShield Installation Information\{71A51A91-E7D3-11DB-A386-005056C00008}\setup.exe -runfromtemp -l0x0009 -removeonly
ALZip-->"C:\Program Files\ALZip\unins000.exe"
ArcSoft TotalMedia 3.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3781D2B3-C38C-4713-99B9-74C69C5FE67C}\Setup.exe" -l0x9
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Canon iP1600-->C:\WINDOWS\system32\CNMCP75.exe "-PRINTERNAMECanon iP1600" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CDDRV_Installer-->MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Chinese Traditional Fonts Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-2448-0000-800000000003}
CloneDVD2-->"C:\Program Files\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\CloneDVD2"
Crawler Toolbar with Web Security Guard-->C:\PROGRA~1\Crawler\CToolbar.exe uninst
Digital Photo Recovery 2.0.3-->C:\Program Files\Digital Photo Recovery\uninst.exe
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
getPlus_ocx-->rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
GTA San Andreas-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E0303B6A-C675-4102-95DA-C013625BFA99}\setup.exe" -l0x9 -removeonly
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
KhalInstallWrapper-->MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
K-Lite Mega Codec Pack 3.6.5-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Logitech Desktop Messenger-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\Setup.exe" -l0x9 UNINSTALL
Logitech SetPoint-->C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{20110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Motorola Driver Installation-->MsiExec.exe /I{8F4507EF-C5F3-46CE-9718-9D3698821333}
Motorola Phone Tools-->C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe -runfromtemp -l0x0009 -removeonly
MSTPCRT-->MsiExec.exe /I{10106AA7-38E7-4348-8396-9F535DF763EF}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Nero 7 Essentials-->MsiExec.exe /X{9B4E6CB9-E54D-47F7-A414-E2D5740E1033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OLYMPUS Master 2-->MsiExec.exe /X{F0FC1E09-AF67-47BC-9E61-90ECFEB4CE82}
OpenMG AAC Add-on Module 1.0.00-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3} UNINSTALL
OpenMG Limited Patch 4.5-06-05-12-01-->C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.5-06-05-12-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.5.01-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{3633BA28-67CE-4AC8-A677-3406CA84C3D8} UNINSTALL
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PDF Manual NW-S200 Series-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B694704-8D6C-4833-99E1-311A9788F61F}\setup.exe" -l0x9 UNINSTALL -removeonly
PenPowerJR-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7D53B02-2C51-4CF5-9A51-F7A6D658EA5A}\Setup.exe" -l0x9 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Saitek SD6 Programming Software 6.0.10.7-->MsiExec.exe /X{DC6CD4F8-6AF8-4B47-A25A-9D9560D3845E}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Skype 3.6-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SonicStage 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
SopCast 3.0.3-->C:\Program Files\SopCast\uninst.exe
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Terminator-->"C:\Program Files\Spyware Terminator\unins000.exe"
TagScanner 5.0 build 518-->"C:\Program Files\TagScanner\unins000.exe"
TVAnts 1.0-->C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Visual C++ 8.0 ATL (x86) WinSXS MSM-->MsiExec.exe /I{97F81AF1-0E47-DC99-FF1F-C8B3B9A1E18F}
Visual C++ 8.0 CRT (x86) WinSXS MSM-->MsiExec.exe /I{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AVG Anti-Virus Free
FW: ZoneAlarm Firewall

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\Common Files\ArcSoft\Bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ALZip\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"tvdumpflags"=8

-----------------EOF-----------------


**********************************************************************************************************************************

Resident Shield detection
Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Virus found HTML/Framer;"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\TUU30OTJ\mentholatum_com_tw[1].htm";"Moved to Virus Vault";"5/25/2008, 1:28:40 AM";"file";"c:\program files\internet explorer\iexplore.exe"
Trojan horse Patched_c.PO;"C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll";"Infected";"6/4/2008, 11:22:40 AM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Trojan horse Patched_c.PO;"C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll";"Infected";"6/4/2008, 12:17:49 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Trojan horse Patched_c.PO;"C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll";"Infected";"6/4/2008, 9:39:25 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Trojan horse Patched_c.PO;"C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll";"Infected";"6/4/2008, 9:40:10 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Trojan horse Patched_c.PO;"C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll";"Infected";"6/4/2008, 9:40:50 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Trojan horse Dropper.Agent.JOC;"C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\knlwrap.exe";"Infected";"8/24/2008, 2:28:47 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
Trojan horse PSW.OnlineGames.2.U;"C:\WINDOWS\system32\j3ewro.exe";"Moved to Virus Vault";"9/11/2008, 1:03:07 AM";"file";"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Virus identified Win32/NSAnti.J;"C:\WINDOWS\system32\jwedsfdo0.dll";"Moved to Virus Vault";"9/11/2008, 1:03:07 AM";"file";"C:\WINDOWS\Explorer.EXE"
Trojan horse PSW.OnlineGames.2.U;"C:\WINDOWS\system32\j3ewro.exe";"Infected";"9/11/2008, 1:03:09 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
Trojan horse PSW.OnlineGames.2.U;"C:\System Volume Information\_restore{4ECC0492-3C5B-4126-A3D8-B5C851D369C0}\RP255\A0060086.exe";"Moved to Virus Vault";"9/14/2008, 2:10:40 PM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
Virus identified Win32/NSAnti.J;"C:\System Volume Information\_restore{4ECC0492-3C5B-4126-A3D8-B5C851D369C0}\RP255\A0060087.dll";"Moved to Virus Vault";"9/14/2008, 2:10:41 PM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"


**********************************************************************************************************************************
As for my AVG resident shield log, here's a link to a screen capture:

Posted Image

Or if you don't mind looking at a .csv file here it is:

Resident Shield detection
Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Virus found HTML/Framer;"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\TUU30OTJ\mentholatum_com_tw[1].htm";"Moved to Virus Vault";"5/25/2008, 1:28:40 AM";"file";"c:\program files\internet explorer\iexplore.exe"
Trojan horse Patched_c.PO;"C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll";"Infected";"6/4/2008, 11:22:40 AM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Trojan horse Patched_c.PO;"C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll";"Infected";"6/4/2008, 12:17:49 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Trojan horse Patched_c.PO;"C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll";"Infected";"6/4/2008, 9:39:25 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Trojan horse Patched_c.PO;"C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll";"Infected";"6/4/2008, 9:40:10 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Trojan horse Patched_c.PO;"C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll";"Infected";"6/4/2008, 9:40:50 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Trojan horse Dropper.Agent.JOC;"C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\knlwrap.exe";"Infected";"8/24/2008, 2:28:47 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
Trojan horse PSW.OnlineGames.2.U;"C:\WINDOWS\system32\j3ewro.exe";"Moved to Virus Vault";"9/11/2008, 1:03:07 AM";"file";"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Virus identified Win32/NSAnti.J;"C:\WINDOWS\system32\jwedsfdo0.dll";"Moved to Virus Vault";"9/11/2008, 1:03:07 AM";"file";"C:\WINDOWS\Explorer.EXE"
Trojan horse PSW.OnlineGames.2.U;"C:\WINDOWS\system32\j3ewro.exe";"Infected";"9/11/2008, 1:03:09 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
Trojan horse PSW.OnlineGames.2.U;"C:\System Volume Information\_restore{4ECC0492-3C5B-4126-A3D8-B5C851D369C0}\RP255\A0060086.exe";"Moved to Virus Vault";"9/14/2008, 2:10:40 PM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
Virus identified Win32/NSAnti.J;"C:\System Volume Information\_restore{4ECC0492-3C5B-4126-A3D8-B5C851D369C0}\RP255\A0060087.dll";"Moved to Virus Vault";"9/14/2008, 2:10:41 PM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"


**********************************************************************************************************************************
As for the AVG virus vault, here is a screen capture:

Posted Image

Hopefully this is what you are asking for.

**********************************************************************************************************************************
I haven't noticed anything strange about my computer, except that now when I run scans with AVG/Spyware Terminator/Windows Defender/Spybot/Ad-aware nothing siginificant is found.

I even tried plugging in that micro-SD card that triggers (I think) the first trojan detection from AVG and ran the same scans and yet nothing was found.

I am paranoid about privacy compensation (keyloggers) and I haven't logged into any of my accounts online for close to a month now...

**********************************************************************************************************************************
I haven't restored any registry keys as I don't know how I can do that. I did remove all my windows system restore points per directions from spyware-cleaning tips from another website called aumha.org.....



Thank you VERY MUCH for helping me out...

Edited by NBP11, 13 October 2008 - 11:16 AM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:31 AM

Posted 13 October 2008 - 01:13 PM

Hi again,

Well done with detailed feedback. And taking precaution about the passwords.

Your computer is infected with a flash drive infection. This type of infection get usually carried over through removable devices (flash drive/ thump drive/ memory stick/ USB stick/ etc) and networks. Please make sure you have your removable devices ready to disinfect. Don't connect them yet.
  • Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you remove the program if you are not using it.
    If you decided to uninstall it click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist:

    Viewpoint Media Player.

    Also remove the folder in bold: C:\Program Files\Viewpoint

  • You have the latest version of Java and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components:
    Click "start" and then "Control Panel" icon.
    Doubleclick the "Add or Remove Programs" icon
    A list of programs installed will be "populated" this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    Java 6 Update 5

  • I see on the log the Crawler Toolbar is installed on your computer:

    This program is an open to debate toolbar which might be related to adware or is installed without informed consent of the user. You may read more about Crawler Toolbar HERE and HERE

    If you decide to uninstall Ask Toolbars:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Crawler Toolbar with Web Security Guard

    Also remove the folder in bold: C:\Program Files\Crawler

  • Please tell me if you know this is, probably your ISP server address?

    netname: NETVIGATOR
    descr: PCCW Limited
    descr: PO Box 9896 GPO Hong Kong

  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

    Note: The startup entry pointing at ALCMTR.EXE is an "Sypware" entry related to Realtek used silently to monitor one's actions. It is not a sinister one and you can remove the start up entry without affecting the function of Realtek software. We have just removed the start up entry but not the file itself.Notice that you should not remove the file itself because it is needed for the subsequent updating of the software.

  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

  • Please read this carefully: http://www.zyxware.com/articles/2007/08/14...virus-infection

    Note: It is important to have autoplay feature turned off and not to open the thump drives by double clicking. Instead rightclick the drive and select Explore

    How do I turn off Autoplay in Windows XP for my external hard drive?
    • Open My Computer.
    • Right click on the drive letter assigned to your external drive.
    • Choose properties.
    • Click on the Autoplay tab.
    • Click the "Select an action to perform" option.
    • Choose "Take no action."
    • Click OK .
  • Open notepad, make sure the wordwrap under format menu is not selected
    Copy and paste the text in the code box in it:

    if exist Export.txt del /q Export.txt
    regedit /e Check1.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    regedit /e Check2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
    Type Check*.txt > Export.txt
    del /q Check*.txt 
    notepad Export.txt
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select save in: desktop
    • Fill in File name: look.bat
    • Save as type: All files.
    • Click save
    • Close the Notepad.
    • Locate and double-click look.bat on the desktop.
    • Notepad will open with some text in it. Copy and paste the contents (Export.txt) in your next reply.
  • Please run RSIT, set the list of Files/Folders created to 2 Months and copy/paste the content of log.txt to your reply (this time RSIT creates just one log).

Please copy/paste in your next reply:
  • Tell me if you know the address.
  • The content of Export.txt
  • The RSIT log.


#5 NBP11

NBP11
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 15 October 2008 - 11:42 PM

Hello farbar,

1. Yes I recognize the name as my ISP in Hong Kong.

2. Here is the file content of Export.txt:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ServerAdminUI"=dword:00000000
"Hidden"=dword:00000001
"ShowCompColor"=dword:00000001
"HideFileExt"=dword:00000000
"DontPrettyPath"=dword:00000000
"ShowInfoTip"=dword:00000001
"HideIcons"=dword:00000000
"MapNetDrvBtn"=dword:00000000
"WebView"=dword:00000001
"Filter"=dword:00000000
"SuperHidden"=dword:00000001
"SeparateProcess"=dword:00000000
"ListviewAlphaSelect"=dword:00000001
"ListviewShadow"=dword:00000001
"ListviewWatermark"=dword:00000001
"TaskbarAnimations"=dword:00000001
"StartMenuInit"=dword:00000002
"StartButtonBalloonTip"=dword:00000002
"TaskbarSizeMove"=dword:00000001
"TaskbarGlomming"=dword:00000000
"Start_ShowNetConn"=dword:00000001
"Start_LargeMFUIcons"=dword:00000001
"Start_MinMFU"=dword:00000006
"Start_ShowControlPanel"=dword:00000002
"Start_EnableDragDrop"=dword:00000001
"StartMenuFavorites"=dword:00000000
"Start_ShowHelp"=dword:00000001
"Start_ShowMyComputer"=dword:00000002
"Start_ShowMyDocs"=dword:00000001
"Start_ShowMyMusic"=dword:00000000
"Start_ShowMyPics"=dword:00000000
"Start_ShowPrinters"=dword:00000000
"Start_ShowRun"=dword:00000001
"Start_ScrollPrograms"=dword:00000000
"Start_ShowSearch"=dword:00000001
"Start_ShowSetProgramAccessAndDefaults"=dword:00000001
"Start_ShowRecentDocs"=dword:00000000
"Start_AutoCascade"=dword:00000001
"Start_NotifyNewApps"=dword:00000001
"Start_AdminToolsRoot"=dword:00000000
"StartMenuAdminTools"=dword:00000000
"NoNetCrawling"=dword:00000000
"FolderContentsInfoTip"=dword:00000001
"FriendlyTree"=dword:00000001
"WebViewBarricade"=dword:00000000
"DisableThumbnailCache"=dword:00000000
"ShowSuperHidden"=dword:00000001
"ClassicViewState"=dword:00000000
"PersistBrowsers"=dword:00000000
"Start_ShowNetPlaces_ShouldShow"=dword:00000041
"LoosenRudeAppCheck"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

******************************************************************************************************

3. Here is the RSIT log:

Logfile of random's system information tool 1.04 (written by random/random)
Run by user at 2008-10-16 12:39:48
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 10 GB (8%) free of 120 GB
Total RAM: 1023 MB (43% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:32 PM, on 10/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Vimicro\Vimicro USB PC Camera (VC0332)\x86\VMonitor.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\ArcSoft\TOTALM~1.5\LME_IR\LME_IR4TM.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\user.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VMonitorVMUVC] "C:\Program Files\Vimicro\Vimicro USB PC Camera (VC0332)\x86\VMonitor.exe" VMUVC
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [LME_IR4TM.exe] C:\PROGRA~1\ArcSoft\TOTALM~1.5\LME_IR\LME_IR4TM.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn01.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205658240390
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...381/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAF0F9AB-08AA-4398-BEFD-E1C371D9C79E}: NameServer = 203.198.23.208,205.252.144.126
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 10645 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-02-01 1377576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-08-29 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-01-09 8523776]
"nwiz"=nwiz.exe /install []
"SpywareTerminator"=C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe [2008-08-26 1783808]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-11-30 16858624]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-01-09 81920]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"SecurDisc"=C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe [2007-05-15 1628208]
"InCD"=C:\Program Files\Nero\Nero 7\InCD\InCD.exe [2007-05-15 1057328]
"Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304]
"VMonitorVMUVC"=C:\Program Files\Vimicro\Vimicro USB PC Camera (VC0332)\x86\VMonitor.exe [2007-04-13 114688]
"ProfilerU"=C:\Program Files\Saitek\SD6\Software\ProfilerU.exe [2007-10-02 233472]
"SaiMfd"=C:\Program Files\Saitek\SD6\Software\SaiMfd.exe [2007-10-02 131072]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-09-29 1234712]
"Kernel and Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304]
"ArcSoft Connection Service"=C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2008-09-27 162304]
"LME_IR4TM.exe"=C:\PROGRA~1\ArcSoft\TOTALM~1.5\LME_IR\LME_IR4TM.exe [2008-05-17 212992]
"COMODO Firewall Pro"=C:\Program Files\COMODO\Firewall\cfp.exe [2008-10-15 1655552]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WebCamRT.exe"= []
"Aim6"= []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"SsAAD.exe"=C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe [2006-05-08 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
TMMonitor.lnk - C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll C:\WINDOWS\system32\guard32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll [2008-05-02 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:Torrent"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\PPStream\PPStream.exe"="C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPS"
"C:\Program Files\PPStream\PPSAP.exe"="C:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS "
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\ArcSoft\TotalMedia 3.5\TotalMedia.exe"="C:\Program Files\ArcSoft\TotalMedia 3.5\TotalMedia.exe:LocalSubNet:Enabled:ArcSoft TotalMedia 3.5"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23d23723-3f9e-11dd-b932-001e9077e09d}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23d23724-3f9e-11dd-b932-001e9077e09d}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe


======File associations======

.js - open - %SystemRoot%\System32\CScript.exe "%1" %*
.vbs - open - %SystemRoot%\System32\CScript.exe "%1" %*

======List of files/folders created in the last 2 months======

2008-10-16 11:03:15 ----RASHD---- C:\autorun.inf
2008-10-16 00:20:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-16 00:20:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-16 00:20:20 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-16 00:19:55 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-16 00:19:52 ----A---- C:\WINDOWS\imsins.BAK
2008-10-16 00:19:47 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-15 22:51:00 ----D---- C:\Documents and Settings\user\Application Data\Comodo
2008-10-15 22:50:58 ----D---- C:\Program Files\COMODO
2008-10-15 22:50:58 ----D---- C:\Documents and Settings\All Users\Application Data\comodo
2008-10-15 22:50:58 ----A---- C:\WINDOWS\system32\guard32.dll
2008-10-15 02:19:00 ----D---- C:\WINDOWS\pss
2008-10-14 22:50:52 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-13 14:49:45 ----D---- C:\rsit
2008-09-22 13:27:06 ----D---- C:\Program Files\Trend Micro
2008-09-15 17:00:10 ----D---- C:\Program Files\Lavasoft
2008-09-15 17:00:09 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-15 16:59:20 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-14 13:34:02 ----D---- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-09-14 13:33:59 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-14 13:33:59 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-11 23:11:32 ----D---- C:\WINDOWS\McAfee.com
2008-09-11 00:20:57 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-11 00:20:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-08-24 14:37:43 ----A---- C:\WINDOWS\system32\wnaspi32.dll
2008-08-24 13:01:23 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2008-08-24 13:01:23 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2008-08-24 13:01:22 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2008-08-24 13:01:22 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2008-08-24 13:01:22 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2008-08-24 13:01:22 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2008-08-24 13:01:21 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2008-08-24 13:01:21 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2008-08-24 13:01:20 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2008-08-24 13:01:20 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2008-08-24 13:01:19 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2008-08-24 13:01:19 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2008-08-24 13:01:11 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2008-08-24 13:01:11 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2008-08-24 13:01:10 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2008-08-24 13:01:09 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2008-08-24 13:01:09 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2008-08-24 13:01:08 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2008-08-24 13:01:08 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2008-08-24 13:01:07 ----A---- C:\WINDOWS\system32\d3dx9_24.dll

======List of files/folders modified in the last 2 months======

2008-10-16 12:40:32 ----D---- C:\WINDOWS\Temp
2008-10-16 12:30:19 ----D---- C:\WINDOWS\Prefetch
2008-10-16 11:34:52 ----A---- C:\WINDOWS\NeroDigital.ini
2008-10-16 10:58:46 ----D---- C:\Program Files\Spyware Terminator
2008-10-16 10:58:46 ----D---- C:\Documents and Settings\user\Application Data\Spyware Terminator
2008-10-16 10:35:46 ----D---- C:\Program Files\Digital Photo Recovery
2008-10-16 10:35:38 ----D---- C:\WINDOWS\system
2008-10-16 10:30:10 ----RD---- C:\Program Files
2008-10-16 10:26:54 ----SHD---- C:\WINDOWS\Installer
2008-10-16 10:26:52 ----D---- C:\Program Files\Java
2008-10-16 10:26:49 ----D---- C:\WINDOWS\system32
2008-10-16 10:20:36 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-16 09:55:13 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-16 09:55:10 ----SD---- C:\WINDOWS\Tasks
2008-10-16 04:22:39 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-16 03:07:13 ----D---- C:\WINDOWS
2008-10-16 00:20:31 ----HD---- C:\WINDOWS\inf
2008-10-16 00:20:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-16 00:20:30 ----D---- C:\WINDOWS\system32\drivers
2008-10-16 00:20:28 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-16 00:20:09 ----D---- C:\Program Files\Internet Explorer
2008-10-16 00:20:01 ----D---- C:\WINDOWS\ie7updates
2008-10-16 00:15:50 ----D---- C:\WINDOWS\Debug
2008-10-15 04:14:17 ----SH---- C:\boot.ini
2008-10-15 04:14:17 ----A---- C:\WINDOWS\win.ini
2008-10-15 04:14:17 ----A---- C:\WINDOWS\system.ini
2008-10-15 04:12:44 ----D---- C:\WINDOWS\Internet Logs
2008-10-15 03:10:49 ----A---- C:\WINDOWS\avisplitter.INI
2008-10-14 22:45:48 ----HD---- C:\$AVG8.VAULT$
2008-10-14 11:04:40 ----D---- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-10-14 10:49:23 ----D---- C:\Documents and Settings\user\Application Data\uTorrent
2008-10-14 01:09:23 ----D---- C:\Documents and Settings\user\Application Data\Skype
2008-10-14 00:04:45 ----D---- C:\Documents and Settings\user\Application Data\skypePM
2008-10-13 17:50:06 ----D---- C:\Program Files\eMule
2008-10-10 22:16:57 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-08 03:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-04 01:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-10-03 01:35:43 ----D---- C:\Program Files\ALZip
2008-10-01 00:11:30 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-09-30 12:12:11 ----D---- C:\Program Files\Panda Security
2008-09-30 02:37:57 ----D---- C:\WINDOWS\BDOSCAN8
2008-09-21 17:40:42 ----D---- C:\WINDOWS\Minidump
2008-09-15 18:51:48 ----D---- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-15 18:48:31 ----SHD---- C:\System Volume Information
2008-09-15 16:59:20 ----D---- C:\Program Files\Common Files
2008-09-13 17:16:14 ----D---- C:\Documents and Settings
2008-09-11 00:20:58 ----D---- C:\WINDOWS\WinSxS
2008-09-01 11:29:19 ----D---- C:\Documents and Settings\All Users\Application Data\BlazeVideo
2008-08-27 16:24:32 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-08-26 18:18:07 ----D---- C:\WINDOWS\Help
2008-08-26 15:24:31 ----A---- C:\WINDOWS\system32\wininet.dll
2008-08-26 15:24:31 ----A---- C:\WINDOWS\system32\webcheck.dll
2008-08-26 15:24:31 ----A---- C:\WINDOWS\system32\urlmon.dll
2008-08-26 15:24:30 ----N---- C:\WINDOWS\system32\occache.dll
2008-08-26 15:24:30 ----N---- C:\WINDOWS\system32\mstime.dll
2008-08-26 15:24:30 ----N---- C:\WINDOWS\system32\msrating.dll
2008-08-26 15:24:30 ----A---- C:\WINDOWS\system32\url.dll
2008-08-26 15:24:30 ----A---- C:\WINDOWS\system32\pngfilt.dll
2008-08-26 15:24:30 ----A---- C:\WINDOWS\system32\mshtmled.dll
2008-08-26 15:24:30 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2008-08-26 15:24:30 ----A---- C:\WINDOWS\system32\msfeeds.dll
2008-08-26 15:24:30 ----A---- C:\WINDOWS\system32\jsproxy.dll
2008-08-26 15:24:29 ----N---- C:\WINDOWS\system32\iernonce.dll
2008-08-26 15:24:29 ----N---- C:\WINDOWS\system32\iedkcs32.dll
2008-08-26 15:24:29 ----A---- C:\WINDOWS\system32\iertutil.dll
2008-08-26 15:24:28 ----N---- C:\WINDOWS\system32\ieaksie.dll
2008-08-26 15:24:28 ----N---- C:\WINDOWS\system32\ieakeng.dll
2008-08-26 15:24:28 ----N---- C:\WINDOWS\system32\extmgr.dll
2008-08-26 15:24:28 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2008-08-26 15:24:28 ----A---- C:\WINDOWS\system32\icardie.dll
2008-08-26 15:24:28 ----A---- C:\WINDOWS\system32\dxtrans.dll
2008-08-26 15:24:28 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2008-08-26 15:24:28 ----A---- C:\WINDOWS\system32\advpack.dll
2008-08-25 16:38:00 ----A---- C:\WINDOWS\system32\ieudinit.exe
2008-08-25 16:37:59 ----N---- C:\WINDOWS\system32\ie4uinit.exe
2008-08-24 13:01:19 ----RSD---- C:\WINDOWS\assembly
2008-08-24 13:01:13 ----D---- C:\WINDOWS\Microsoft.NET
2008-08-24 13:01:05 ----D---- C:\WINDOWS\system32\DirectX
2008-08-23 13:54:51 ----N---- C:\WINDOWS\system32\ieakui.dll
2008-08-22 12:17:06 ----D---- C:\Program Files\Spybot - Search & Destroy

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-08-29 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-07-04 26824]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2008-10-15 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2008-10-15 24208]
R1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys [2007-05-15 37040]
R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys [2007-05-15 38576]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R2 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-07-04 76040]
R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2004-01-28 9728]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2006-11-10 18688]
R3 ElbyDelay;ElbyDelay; C:\WINDOWS\System32\Drivers\ElbyDelay.sys [2004-01-28 3840]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-12-05 4632576]
R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2008-02-29 20240]
R3 L8042mou;SetPoint PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042mou.Sys [2008-02-29 63120]
R3 LMEBDATuner;LMEBDA DTMB53L5C; C:\WINDOWS\System32\Drivers\LMEBDA_DTMB53L5C.sys [2008-03-27 52224]
R3 LMouKE;SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2008-02-29 79120]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-18 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-01-09 7434336]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-03-07 106624]
R3 SaiMini;SaiMini; C:\WINDOWS\system32\DRIVERS\SaiMini.sys [2007-10-05 14080]
R3 SaiNtBus;SaiNtBus; C:\WINDOWS\system32\drivers\SaiBus.sys [2007-10-05 35200]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 VMUVC;Vimicro Camera Service VMUVC; C:\WINDOWS\System32\Drivers\VMUVC.sys [2007-08-08 241152]
R3 vvftUVC;Vimicro Camera Filter Service VMUVC; C:\WINDOWS\system32\drivers\vvftUVC.sys [2007-06-13 476032]
R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys [2007-05-15 118576]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2006-12-13 20992]
S3 MPE;BDA MPE Filter; C:\WINDOWS\system32\DRIVERS\MPE.sys [2008-04-14 15232]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 QCMerced;Logitech QuickCam Express; C:\WINDOWS\system32\DRIVERS\LVCM.sys [2002-09-20 472396]
S3 SaiH0109;SaiH0109; C:\WINDOWS\system32\DRIVERS\SaiH0109.sys [2007-05-01 132232]
S3 SaiU0109;SaiU0109; C:\WINDOWS\system32\DRIVERS\SaiU0109.sys [2007-05-01 28416]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SNP325;USB PC Camera (SNPSTD325); C:\WINDOWS\system32\DRIVERS\snp325.sys []
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 usbsermpt;Motorola USB Modem Driver for MPT; C:\WINDOWS\system32\DRIVERS\usbsermpt.sys [2008-03-31 22768]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-15 611664]
R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-09-23 109056]
R2 avg8emc;AVG8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 cmdAgent;COMODO Firewall Pro Helper Service; C:\Program Files\COMODO\Firewall\cmdagent.exe [2008-10-15 519936]
R2 InCDsrv;InCD Helper; C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe [2007-05-15 1550896]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-01-09 155716]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\PROGRA~1\SPYWAR~1\sp_rsser.exe [2008-08-26 570880]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360]
S3 MSCSPTISRV;MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [2006-04-27 53337]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-08 271920]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-04-16 91184]
S3 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [2006-04-27 49241]
S3 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [2006-04-27 69718]
S3 SSScsiSV;SonicStage SCSI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [2006-05-08 69632]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

**************************************************************************************************************************

Sorry it took me quite some time--yesterday I had to fix the problem with ZoneAlarm arising from the new AVG update.....

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:31 AM

Posted 16 October 2008 - 05:55 AM

well done. No worry about the delay. Comodo is a good choice.

We are almost there.
  • We are going to restore the broken file associations. Download Deckard's Association File Tool daft.exe and save it to your desktop.
    • Double click on it and click Run.
    • Click on the Scan button.
    • If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a checkmark (tick) in the boxes in question.
    • Click the Fix button.
  • Open a notepad (Start > Run and type in Notepad ) make sure the wordwrap under Format menu is not selected.
    Copy and paste the text in code box into it.

    REGEDIT4 
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23d23724-3f9e-11dd-b932-001e9077e09d}]
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order the changes to be taken place.

  • Set Windows to show file extensions:
    • Click Start, open My Computer, select the Tools menu and
    • click Folder Options.
    • Select the View Tab.
    • Uncheck: Hide file extensions for known file types
    • Click Yes to confirm.
    Note: When you finished the step set the folder view options to its default again.

  • Use the windows search advanced options:
    • Go to start -> Search -> click All files and folders.
    • Click More advanced options.
    • Check search system folders, search hidden files and folders and search sub-folders.
    • Type copy.exe in the upper box and click on search.
    • If it finds any instance of the file please note the path to the file and post it to your reply.
  • We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully.

    You have to install the Recovery Console before running the tool because Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


    Instruction to install Recovery Console :

    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System


    Posted Image


    Download the file & save it as it's originally named, next to ComboFix.exe.


    Posted Image


    Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • At the next prompt, click 'Yes' to run the full ComboFix scan.

      Posted Image
    • When the tool is finished, it will produce a report for you.
    Please copy and paste the content of C:\ComboFix.txt for further review.

  • Please copy and paste a fresh Hijackthis log to your reply.
Please copy/paste in your next reply:
  • The result of Windows search.
  • The Combofix log.
  • A fresh Hijackthis log.


#7 NBP11

NBP11
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 16 October 2008 - 01:49 PM

Thanks for your timely and speedy reply!

I did change from using ZoneAlarm to Comodo--I had enough of conflicts between AVG and ZoneAlarm....

1) The result of Windows Search returned:
Posted ImagePosted Image

File Name Location
CCMCopy.exe C:Program FilesMotorola Phone Tools
xcopy.exe C:WINDOWS$NtServicePackUninstall$
xcopy.exe C:WINDOWSsystem32
xcopy.exe C:WINDOWSServicePackFilesi386

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2) I followed exactly your directions--I read the entire "How to use ComboFix" Guide but my experience with the program was somewhat different from what the instructions described. I dragged the Windows Recovery Console icon onto the Combofix icon, and Combofix began; the message "Recovery Console was successfully installed" appeared, but then as I clicked "yes" to continue scanning Combofix said something like no recovery console was installed in my machine. So I clicked on the option that let Combofix download it online. After several "connection failed" I supposed it downloaded and installed Recovery Console successfully (my computer restarted, and as a result my Comodo firewall was loaded on startup again--I had to allow changes initiated from Combofix and subsequently closed Comodo) and ComboFix did run a scan and showed me a log. I found that the "ComboFix.txt" in my C: and found it to be the same as the "log.txt" file.

So here is a copy of the ComboFix.txt file:


ComboFix 08-10-15.08 - user 2008-10-17 1:15:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.429 [GMT 8:00]
Running from: C:Documents and SettingsuserDesktopComboFix.exe
Command switches used :: C:Documents and SettingsuserDesktopWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:WINDOWSsystem32systeminfo.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))
.

2008-10-16 00:19 . 2008-10-16 00:20 1,393 --a------ C:WINDOWSimsins.BAK
2008-10-15 23:38 . 2008-08-14 18:11 2,189,184 -----c--- C:WINDOWSsystem32dllcachentoskrnl.exe
2008-10-15 23:38 . 2008-08-14 18:09 2,145,280 -----c--- C:WINDOWSsystem32dllcachentkrnlmp.exe
2008-10-15 23:38 . 2008-08-14 17:33 2,066,048 -----c--- C:WINDOWSsystem32dllcachentkrnlpa.exe
2008-10-15 23:38 . 2008-08-14 17:33 2,023,936 -----c--- C:WINDOWSsystem32dllcachentkrpamp.exe
2008-10-15 23:38 . 2008-09-15 20:12 1,846,400 -----c--- C:WINDOWSsystem32dllcachewin32k.sys
2008-10-15 23:38 . 2008-09-08 18:41 333,824 -----c--- C:WINDOWSsystem32dllcachesrv.sys
2008-10-15 22:51 . 2008-10-15 22:51 <DIR> d-------- C:Documents and SettingsuserApplication DataComodo
2008-10-15 22:50 . 2008-10-15 22:50 <DIR> d-------- C:Program FilesCOMODO
2008-10-15 22:50 . 2008-10-15 23:36 <DIR> d-------- C:Documents and SettingsAll UsersApplication Datacomodo
2008-10-15 22:50 . 2008-10-15 22:50 143,104 --a------ C:WINDOWSsystem32guard32.dll
2008-10-15 22:50 . 2008-10-15 22:50 87,056 --a------ C:WINDOWSsystem32driverscmdguard.sys
2008-10-15 22:50 . 2008-10-15 22:50 24,208 --a------ C:WINDOWSsystem32driverscmdhlp.sys
2008-10-13 14:49 . 2008-10-13 14:50 <DIR> d-------- C:rsit
2008-10-01 01:02 . 2007-08-01 22:47 102,664 --a------ C:WINDOWSsystem32driverstmcomm.sys
2008-09-30 12:12 . 2008-06-19 17:24 28,544 --a------ C:WINDOWSsystem32driverspavboot.sys
2008-09-22 13:27 . 2008-09-22 13:27 <DIR> d-------- C:Program FilesTrend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 02:58 --------- d-----w C:Program FilesSpyware Terminator
2008-10-16 02:58 --------- d-----w C:Documents and SettingsuserApplication DataSpyware Terminator
2008-10-16 02:35 --------- d-----w C:Program FilesDigital Photo Recovery
2008-10-16 02:26 --------- d-----w C:Program FilesJava
2008-10-16 02:20 --------- d-----w C:Documents and SettingsAll UsersApplication DataViewpoint
2008-10-14 03:04 --------- d-----w C:Documents and SettingsAll UsersApplication DataSpyware Terminator
2008-10-14 02:49 --------- d-----w C:Documents and SettingsuserApplication DatauTorrent
2008-10-13 17:09 --------- d-----w C:Documents and SettingsuserApplication DataSkype
2008-10-13 16:04 --------- d-----w C:Documents and SettingsuserApplication DataskypePM
2008-10-13 09:50 --------- d-----w C:Program FileseMule
2008-10-10 14:16 --------- d--h--w C:Program FilesInstallShield Installation Information
2008-10-02 17:35 --------- d-----w C:Program FilesALZip
2008-09-30 04:12 --------- d-----w C:Program FilesPanda Security
2008-09-16 02:28 --------- d-----w C:Documents and SettingsAdministratorApplication DataSpyware Terminator
2008-09-15 12:12 1,846,400 ----a-w C:WINDOWSsystem32win32k.sys
2008-09-15 10:51 --------- d-----w C:Documents and SettingsAll UsersApplication DataBVRP Software
2008-09-15 09:17 --------- d-----w C:Documents and SettingsAll UsersApplication DataLavasoft
2008-09-15 09:00 --------- d-----w C:Program FilesLavasoft
2008-09-15 08:59 --------- d-----w C:Program FilesCommon FilesWise Installation Wizard
2008-09-15 06:32 --------- d-----w C:Documents and SettingsAdministratorApplication DataMalwarebytes
2008-09-14 05:34 --------- d-----w C:Program FilesMalwarebytes' Anti-Malware
2008-09-14 05:34 --------- d-----w C:Documents and SettingsuserApplication DataMalwarebytes
2008-09-14 05:33 --------- d-----w C:Documents and SettingsAll UsersApplication DataMalwarebytes
2008-09-09 16:04 38,528 ----a-w C:WINDOWSsystem32driversmbamswissarmy.sys
2008-09-09 16:03 17,200 ----a-w C:WINDOWSsystem32driversmbam.sys
2008-09-08 10:41 333,824 ----a-w C:WINDOWSsystem32driverssrv.sys
2008-09-01 03:29 --------- d-----w C:Documents and SettingsAll UsersApplication DataBlazeVideo
2008-08-29 10:42 97,928 ----a-w C:WINDOWSsystem32driversavgldx86.sys
2008-08-26 07:24 826,368 ----a-w C:WINDOWSsystem32wininet.dll
2008-08-22 04:17 --------- d-----w C:Program FilesSpybot - Search & Destroy
2008-08-14 10:09 2,145,280 ----a-w C:WINDOWSsystem32ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w C:WINDOWSsystem32ntkrnlpa.exe
2008-07-18 14:10 94,920 ----a-w C:WINDOWSsystem32cdm.dll
2008-07-18 14:10 53,448 ----a-w C:WINDOWSsystem32wuauclt.exe
2008-07-18 14:10 45,768 ----a-w C:WINDOWSsystem32wups2.dll
2008-07-18 14:10 36,552 ----a-w C:WINDOWSsystem32wups.dll
2008-07-18 14:09 563,912 ----a-w C:WINDOWSsystem32wuapi.dll
2008-07-18 14:09 325,832 ----a-w C:WINDOWSsystem32wucltui.dll
2008-07-18 14:09 205,000 ----a-w C:WINDOWSsystem32wuweb.dll
2008-07-18 14:09 1,811,656 ----a-w C:WINDOWSsystem32wuaueng.dll
2008-07-18 14:07 270,880 ----a-w C:WINDOWSsystem32mucltui.dll
2008-07-18 14:07 210,976 ----a-w C:WINDOWSsystem32muweb.dll
2008-03-31 07:38 24,192 ----a-w C:Documents and Settingsuserusbsermptxp.sys
2008-03-31 07:38 22,768 ----a-w C:Documents and Settingsuserusbsermpt.sys
2008-03-16 05:53 32 ----a-w C:Documents and SettingsAll UsersApplication Dataezsid.dat
2008-06-24 23:29 32,768 --sha-w C:WINDOWSsystem32configsystemprofileLocal SettingsHistoryHistory.IE5MSHist012008062520080626index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"ctfmon.exe"="C:WINDOWSsystem32ctfmon.exe" [2008-04-14 15360]
"SsAAD.exe"="C:PROGRA~1SonySONICS~1SsAAD.exe" [2006-05-08 81920]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"NvCplDaemon"="C:WINDOWSsystem32NvCpl.dll" [2008-01-09 8523776]
"SpywareTerminator"="C:PROGRA~1SPYWAR~1SpywareTerminatorShield.exe" [2008-08-26 1783808]
"Adobe Reader Speed Launcher"="C:Program FilesAdobeReader 8.0ReaderReader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="C:WINDOWSsystem32NvMcTray.dll" [2008-01-09 81920]
"NeroFilterCheck"="C:Program FilesCommon FilesAheadLibNeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="C:Program FilesNeroNero 7InCDNBHGui.exe" [2007-05-15 1628208]
"InCD"="C:Program FilesNeroNero 7InCDInCD.exe" [2007-05-15 1057328]
"VMonitorVMUVC"="C:Program FilesVimicroVimicro USB PC Camera (VC0332)x86VMonitor.exe" [2007-04-13 114688]
"ProfilerU"="C:Program FilesSaitekSD6SoftwareProfilerU.exe" [2007-10-02 233472]
"SaiMfd"="C:Program FilesSaitekSD6SoftwareSaiMfd.exe" [2007-10-02 131072]
"AVG8_TRAY"="C:PROGRA~1AVGAVG8avgtray.exe" [2008-09-29 1234712]
"ArcSoft Connection Service"="C:Program FilesCommon FilesArcSoftConnection ServiceBinACDaemon.exe" [2008-09-27 162304]
"LME_IR4TM.exe"="C:PROGRA~1ArcSoftTOTALM~1.5LME_IRLME_IR4TM.exe" [2008-05-17 212992]
"COMODO Firewall Pro"="C:Program FilesCOMODOFirewallcfp.exe" [2008-10-15 1655552]
"SunJavaUpdateSched"="C:Program FilesJavajre1.6.0_07binjusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2008-01-09 C:WINDOWSsystem32nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-30 C:WINDOWSRTHDCPL.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:WINDOWSKHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:WINDOWSKHALMNPR.Exe]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"DWQueuedReporting"="C:PROGRA~1COMMON~1MICROS~1DWdwtrig20.exe" [2007-03-13 39264]

C:Documents and SettingsAll UsersStart MenuProgramsStartup
Logitech Desktop Messenger.lnk - C:Program FilesLogitechDesktop Messenger8876480ProgramLogitechDesktopMessenger.exe [2008-03-17 67128]
Logitech SetPoint.lnk - C:Program FilesLogitechSetPointSetPoint.exe [2008-07-27 805392]
TMMonitor.lnk - C:Program FilesArcSoftTotalMedia 3.5TMMonitor.exe [2008-08-07 258048]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogonnotifyLBTWlgn]
2008-05-02 02:42 72208 c:Program FilesCommon FilesLogitechBluetoothLBTWLgn.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
"VIDC.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigservices]
"vsmon"=2 (0x2)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%system32sessmgr.exe"=
"C:WINDOWSsystem32dpvsetup.exe"=
"C:Program FilesMessengermsmsgs.exe"=
"%windir%Network Diagnosticxpnetdiag.exe"=
"C:Program FilesuTorrentuTorrent.exe"=
"C:Program FilesLogitechDesktop Messenger8876480ProgramLogitechDesktopMessenger.exe"=
"C:Program FilesCommon FilesAOLLoaderaolload.exe"=
"C:Program FilesAVGAVG8avgupd.exe"=
"C:Program FilesAVGAVG8avgemc.exe"=
"C:Program FilesWindows LiveMessengermsnmsgr.exe"=
"C:Program FilesWindows LiveMessengerlivecall.exe"=
"C:Program FilesSkypePhoneSkype.exe"=

R0 pavboot;pavboot;C:WINDOWSsystem32driverspavboot.sys [2008-06-19 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:WINDOWSsystem32Driversavgldx86.sys [2008-08-29 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:WINDOWSsystem32DRIVERScmdguard.sys [2008-10-15 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:WINDOWSsystem32DRIVERScmdhlp.sys [2008-10-15 24208]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:WINDOWSsystem32driverssp_rsdrv2.sys [2008-05-13 141312]
R2 ACDaemon;ArcSoft Connect Daemon;C:Program FilesCommon FilesArcSoftConnection ServiceBinACService.exe [2008-09-23 109056]
R2 avg8emc;AVG8 E-mail Scanner;C:PROGRA~1AVGAVG8avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG8 WatchDog;C:PROGRA~1AVGAVG8avgwdsvc.exe [2008-08-29 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:WINDOWSsystem32Driversavgtdix.sys [2008-07-04 76040]
R3 LMEBDATuner;LMEBDA DTMB53L5C;C:WINDOWSsystem32DriversLMEBDA_DTMB53L5C.sys [2008-03-27 52224]
S3 SaiH0109;SaiH0109;C:WINDOWSsystem32DRIVERSSaiH0109.sys [2007-05-01 132232]
S3 SaiU0109;SaiU0109;C:WINDOWSsystem32DRIVERSSaiU0109.sys [2007-05-01 28416]
S3 SNP325;USB PC Camera (SNPSTD325);C:WINDOWSsystem32DRIVERSsnp325.sys [ ]
S3 VMUVC;Vimicro Camera Service VMUVC;C:WINDOWSsystem32DriversVMUVC.sys [2007-08-08 241152]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;C:WINDOWSsystem32driversvvftUVC.sys [2007-06-13 476032]

[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{23d23723-3f9e-11dd-b932-001e9077e09d}]
ShellAutoRuncommand - F:LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WebCamRT.exe - (no file)
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = localhost
O8 -: E&xport to Microsoft Office Excel - C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O17 -: HKLMCCSInterface{CAF0F9AB-08AA-4398-BEFD-E1C371D9C79E}: NameServer = 203.198.23.208,205.252.144.126
O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - %~$path:i

O16 -: {3AC7F64E-6154-47B0-82B5-764ED4077F77} - hxxp://txn01.hkjc.com/BetSlip/object/eWinCtl.cab
C:WINDOWSDownloaded Program FileseWinCtl.inf
C:WINDOWSDownloaded Program FilesEWinECertRegAX.dll
C:WINDOWSDownloaded Program FilesEWinSKey.dll
C:WINDOWSDownloaded Program FilesTNSSPPC.dll
C:WINDOWSDownloaded Program FilesDataStore.dll
C:WINDOWSDownloaded Program FilesIEZoneSet.exe
C:WINDOWSDownloaded Program FilesIEZoneHlp.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-17 01:19:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:Program FilesLavasoftAd-Awareaawservice.exe
C:WINDOWSsystem32rundll32.exe
C:Program FilesCOMODOFirewallcmdagent.exe
C:Program FilesNeroNero 7InCDInCDsrv.exe
C:WINDOWSsystem32nvsvc32.exe
C:PROGRA~1SPYWAR~1sp_rsser.exe
C:Program FilesCommon FilesArcSoftConnection ServiceBinArcCon.ac
C:Program FilesCommon FilesLogishrdKHAL2KHALMNPR.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:WINDOWSsystem32wscntfy.exe
C:WINDOWSsystem32verclsid.exe
.
**************************************************************************
.
Completion time: 2008-10-17 1:22:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-16 17:22:49

Pre-Run: 10,273,083,392 bytes free
Post-Run: 10,954,448,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
C:CMDCONSBOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

209 --- E O F --- 2008-10-15 16:20:31


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3) And here is a fresh Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:22 AM, on 10/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesLavasoftAd-Awareaawservice.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesCommon FilesArcSoftConnection ServiceBinACService.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:WINDOWSRTHDCPL.EXE
C:WINDOWSsystem32RUNDLL32.EXE
C:Program FilesNeroNero 7InCDNBHGui.exe
C:Program FilesNeroNero 7InCDInCD.exe
C:Program FilesVimicroVimicro USB PC Camera (VC0332)x86VMonitor.exe
C:Program FilesCOMODOFirewallcmdagent.exe
C:Program FilesSaitekSD6SoftwareProfilerU.exe
C:Program FilesSaitekSD6SoftwareSaiMfd.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:Program FilesCommon FilesArcSoftConnection ServiceBinACDaemon.exe
C:PROGRA~1ArcSoftTOTALM~1.5LME_IRLME_IR4TM.exe
C:Program FilesJavajre1.6.0_07binjusched.exe
C:Program FilesNeroNero 7InCDInCDsrv.exe
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSsystem32ctfmon.exe
C:PROGRA~1SPYWAR~1sp_rsser.exe
C:PROGRA~1SonySONICS~1SsAAD.exe
C:Program FilesLogitechDesktop Messenger8876480ProgramLogitechDesktopMessenger.exe
C:Program FilesLogitechSetPointSetPoint.exe
C:Program FilesArcSoftTotalMedia 3.5TMMonitor.exe
C:Program FilesCommon FilesArcSoftConnection ServiceBinArcCon.ac
C:WINDOWSsystem32svchost.exe
C:Program FilesCommon FilesLogishrdKHAL2KHALMNPR.EXE
C:PROGRA~1AVGAVG8avgrsx.exe
C:PROGRA~1AVGAVG8avgemc.exe
C:WINDOWSsystem32wscntfy.exe
C:WINDOWSexplorer.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:Program FilesSkypeToolbarsInternet ExplorerSkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_07binssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [SpywareTerminator] "C:PROGRA~1SPYWAR~1SpywareTerminatorShield.exe"
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [NeroFilterCheck] C:Program FilesCommon FilesAheadLibNeroCheck.exe
O4 - HKLM..Run: [SecurDisc] C:Program FilesNeroNero 7InCDNBHGui.exe
O4 - HKLM..Run: [InCD] C:Program FilesNeroNero 7InCDInCD.exe
O4 - HKLM..Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..Run: [VMonitorVMUVC] "C:Program FilesVimicroVimicro USB PC Camera (VC0332)x86VMonitor.exe" VMUVC
O4 - HKLM..Run: [ProfilerU] C:Program FilesSaitekSD6SoftwareProfilerU.exe
O4 - HKLM..Run: [SaiMfd] C:Program FilesSaitekSD6SoftwareSaiMfd.exe
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKLM..Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..Run: [ArcSoft Connection Service] C:Program FilesCommon FilesArcSoftConnection ServiceBinACDaemon.exe
O4 - HKLM..Run: [LME_IR4TM.exe] C:PROGRA~1ArcSoftTOTALM~1.5LME_IRLME_IR4TM.exe
O4 - HKLM..Run: [COMODO Firewall Pro] "C:Program FilesCOMODOFirewallcfp.exe" -h
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_07binjusched.exe"
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [SsAAD.exe] C:PROGRA~1SonySONICS~1SsAAD.exe
O4 - HKUSS-1-5-18..Run: [DWQueuedReporting] "C:PROGRA~1COMMON~1MICROS~1DWdwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [DWQueuedReporting] "C:PROGRA~1COMMON~1MICROS~1DWdwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:Program FilesLogitechDesktop Messenger8876480ProgramLogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:Program FilesLogitechSetPointSetPoint.exe
O4 - Global Startup: TMMonitor.lnk = C:Program FilesArcSoftTotalMedia 3.5TMMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_07binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_07binssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn01.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205658240390
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...381/mcfscan.cab
O17 - HKLMSystemCCSServicesTcpip..{CAF0F9AB-08AA-4398-BEFD-E1C371D9C79E}: NameServer = 203.198.23.208,205.252.144.126
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:Program FilesLogitechDesktop Messenger8876480ProgramGAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:PROGRA~1COMMON~1SkypeSKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:Program FilesLavasoftAd-Awareaawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:Program FilesCommon FilesArcSoftConnection ServiceBinACService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:Program FilesCOMODOFirewallcmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver1150Intel 32IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:Program FilesNeroNero 7InCDInCDsrv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:Program FilesCommon FilesLogitechBluetoothLBTServ.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:Program FilesCommon FilesSony SharedAVLibMSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:Program FilesNeroNero 7Nero BackItUpNBService.exe
O23 - Service: NMIndexingService - Nero AG - C:Program FilesCommon FilesAheadLibNMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSsystem32nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:Program FilesCommon FilesSony SharedAVLibPACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:Program FilesCommon FilesSony SharedAVLibSPTISRV.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:PROGRA~1SPYWAR~1sp_rsser.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:Program FilesCommon FilesSony SharedAVLibSSScsiSV.exe

--
End of file - 9998 bytes


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks for helping me out....

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:31 AM

Posted 16 October 2008 - 04:49 PM

We are almost there. But logs are all missing the \ separator and not readable. Lets try this:
  • Open HJT press "Do a system scan and save a log file", it will open in Notepad.
  • Go to Format menu and make sure Wordwrap is Unchecked.
  • Go to Edit> Select All.....Edit > Copy then log into this thread by using the Add Reply and paste the reply.


#9 NBP11

NBP11
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 16 October 2008 - 09:21 PM

Hm that was weird....sorry about that. I did the same thing every time posting logs so don't really know why all the slashes are missing.

ComboFix log first:

ComboFix 08-10-15.08 - user 2008-10-17 1:15:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.429 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\systeminfo.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))
.

2008-10-16 00:19 . 2008-10-16 00:20 1,393 --a------ C:\WINDOWS\imsins.BAK
2008-10-15 23:38 . 2008-08-14 18:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 23:38 . 2008-08-14 18:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 23:38 . 2008-08-14 17:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 23:38 . 2008-08-14 17:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 23:38 . 2008-09-15 20:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 23:38 . 2008-09-08 18:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 22:51 . 2008-10-15 22:51 <DIR> d-------- C:\Documents and Settings\user\Application Data\Comodo
2008-10-15 22:50 . 2008-10-15 22:50 <DIR> d-------- C:\Program Files\COMODO
2008-10-15 22:50 . 2008-10-15 23:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-10-15 22:50 . 2008-10-15 22:50 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-10-15 22:50 . 2008-10-15 22:50 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-10-15 22:50 . 2008-10-15 22:50 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-10-13 14:49 . 2008-10-13 14:50 <DIR> d-------- C:\rsit
2008-10-01 01:02 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-30 12:12 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-22 13:27 . 2008-09-22 13:27 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 02:58 --------- d-----w C:\Program Files\Spyware Terminator
2008-10-16 02:58 --------- d-----w C:\Documents and Settings\user\Application Data\Spyware Terminator
2008-10-16 02:35 --------- d-----w C:\Program Files\Digital Photo Recovery
2008-10-16 02:26 --------- d-----w C:\Program Files\Java
2008-10-16 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-14 03:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-10-14 02:49 --------- d-----w C:\Documents and Settings\user\Application Data\uTorrent
2008-10-13 17:09 --------- d-----w C:\Documents and Settings\user\Application Data\Skype
2008-10-13 16:04 --------- d-----w C:\Documents and Settings\user\Application Data\skypePM
2008-10-13 09:50 --------- d-----w C:\Program Files\eMule
2008-10-10 14:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-02 17:35 --------- d-----w C:\Program Files\ALZip
2008-09-30 04:12 --------- d-----w C:\Program Files\Panda Security
2008-09-16 02:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-15 10:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-15 09:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-15 09:00 --------- d-----w C:\Program Files\Lavasoft
2008-09-15 08:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-15 06:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-14 05:34 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-14 05:34 --------- d-----w C:\Documents and Settings\user\Application Data\Malwarebytes
2008-09-14 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-09 16:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 16:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-01 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\BlazeVideo
2008-08-29 10:42 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 04:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-18 14:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 14:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 14:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 14:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 14:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 14:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 14:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 14:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 14:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 14:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-03-31 07:38 24,192 ----a-w C:\Documents and Settings\user\usbsermptxp.sys
2008-03-31 07:38 22,768 ----a-w C:\Documents and Settings\user\usbsermpt.sys
2008-03-16 05:53 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-06-24 23:29 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062520080626\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-09 8523776]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-08-26 1783808]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-01-09 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"VMonitorVMUVC"="C:\Program Files\Vimicro\Vimicro USB PC Camera (VC0332)\x86\VMonitor.exe" [2007-04-13 114688]
"ProfilerU"="C:\Program Files\Saitek\SD6\Software\ProfilerU.exe" [2007-10-02 233472]
"SaiMfd"="C:\Program Files\Saitek\SD6\Software\SaiMfd.exe" [2007-10-02 131072]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"ArcSoft Connection Service"="C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-09-27 162304]
"LME_IR4TM.exe"="C:\PROGRA~1\ArcSoft\TOTALM~1.5\LME_IR\LME_IR4TM.exe" [2008-05-17 212992]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-10-15 1655552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2008-01-09 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-30 C:\WINDOWS\RTHDCPL.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-03-17 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-07-27 805392]
TMMonitor.lnk - C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe [2008-08-07 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-10-15 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-10-15 24208]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-05-13 141312]
R2 ACDaemon;ArcSoft Connect Daemon;C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-09-23 109056]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 76040]
R3 LMEBDATuner;LMEBDA DTMB53L5C;C:\WINDOWS\system32\Drivers\LMEBDA_DTMB53L5C.sys [2008-03-27 52224]
S3 SaiH0109;SaiH0109;C:\WINDOWS\system32\DRIVERS\SaiH0109.sys [2007-05-01 132232]
S3 SaiU0109;SaiU0109;C:\WINDOWS\system32\DRIVERS\SaiU0109.sys [2007-05-01 28416]
S3 SNP325;USB PC Camera (SNPSTD325);C:\WINDOWS\system32\DRIVERS\snp325.sys [ ]
S3 VMUVC;Vimicro Camera Service VMUVC;C:\WINDOWS\system32\Drivers\VMUVC.sys [2007-08-08 241152]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;C:\WINDOWS\system32\drivers\vvftUVC.sys [2007-06-13 476032]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23d23723-3f9e-11dd-b932-001e9077e09d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WebCamRT.exe - (no file)
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = localhost
O8 -: E&xport to Microsoft Office Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{CAF0F9AB-08AA-4398-BEFD-E1C371D9C79E}: NameServer = 203.198.23.208,205.252.144.126
O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - %~$path:i

O16 -: {3AC7F64E-6154-47B0-82B5-764ED4077F77} - hxxp://txn01.hkjc.com/BetSlip/object/eWinCtl.cab
C:\WINDOWS\Downloaded Program Files\eWinCtl.inf
C:\WINDOWS\Downloaded Program Files\EWinECertRegAX.dll
C:\WINDOWS\Downloaded Program Files\EWinSKey.dll
C:\WINDOWS\Downloaded Program Files\TNSSPPC.dll
C:\WINDOWS\Downloaded Program Files\DataStore.dll
C:\WINDOWS\Downloaded Program Files\IEZoneSet.exe
C:\WINDOWS\Downloaded Program Files\IEZoneHlp.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-17 01:19:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-10-17 1:22:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-16 17:22:49

Pre-Run: 10,273,083,392 bytes free
Post-Run: 10,954,448,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

209 --- E O F --- 2008-10-15 16:20:31


And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:25 AM, on 10/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Vimicro\Vimicro USB PC Camera (VC0332)\x86\VMonitor.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\ArcSoft\TOTALM~1.5\LME_IR\LME_IR4TM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [VMonitorVMUVC] "C:\Program Files\Vimicro\Vimicro USB PC Camera (VC0332)\x86\VMonitor.exe" VMUVC
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [LME_IR4TM.exe] C:\PROGRA~1\ArcSoft\TOTALM~1.5\LME_IR\LME_IR4TM.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn01.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205658240390
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...381/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAF0F9AB-08AA-4398-BEFD-E1C371D9C79E}: NameServer = 203.198.23.208,205.252.144.126
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 10229 bytes

Edited by NBP11, 16 October 2008 - 09:24 PM.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:31 AM

Posted 17 October 2008 - 02:47 AM

Everything looks good.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Go to start > run and copy and paste or type next command in the field then hit enter:

    ComboFix /u

    Note: There's a space between Combofix and /

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

  • Remove RSIT and its folder (C:\rsit). Delete also any tool or fix we have used from your desktop. You may keep ATF-Cleaner.

  • Install Javacools SpywareBlaster -
    SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. What you need is updating it once in 2-3 weeks and enabling the restriction. You can find more information and a download link here.

Please let me know you have read this, so that I can close the thread.

#11 NBP11

NBP11
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 17 October 2008 - 12:42 PM

Hello farbar,

I followed all your instructions.

I checked my registry and all the changes listed by TrendMicro as effects of the concerned worm were gone! Fantastic!

I do have a couple of questions still:

1) So my system is clean from that worm now? I am very sensitive about keyloggers--is there any way to make sure my machine is clean without any loggers?

2) As for my AVG virus vault, Posted ImagePosted Image

What should I do with the infections? I deleted the first infection entry and all warnings, but should I delete the bottom 4 infections as well?

3) You mentioned that I can keep "ATF-Cleaner"; I actually didn't recall which software that is and when we used it. Is that a short-hand name?

4) The Flash_Disinfector.exe by sUBs seems like a very useful program for ALL my flash drive\memory cards; should I run it on all my portable drives?

5) I read the article recommend by you on flash drive security and decided to turn "autorun" off for ALL drives--would you recommend that?

Once again thank you VERY MUCH for your help and dedication; I greatly appreciate it. I am really grateful I found Bleeping Computer and Samaritans like you online. :thumbsup:

Edited by NBP11, 17 October 2008 - 12:53 PM.


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:31 AM

Posted 17 October 2008 - 02:10 PM

1) So my system is clean from that worm now? I am very sensitive about keyloggers--is there any way to make sure my machine is clean without any loggers?


You had already run many tools, then we researched every suspicious file, identified and removed the password stealer and more. You PC is safe enough now.

What should I do with the infections? I deleted the first infection entry and all warnings, but should I delete the bottom 4 infections as well?


All of them could be removed safely. The last two are were the restore points are saved and would have been removed automatically when we uninstalled Combofix as it removes all the old Restore Point.

3) You mentioned that I can keep "ATF-Cleaner"; I actually didn't recall which software that is and when we used it. Is that a short-hand name?


My bad, I use it almost in every log, but since you had CCleaner you didn't need that. CCleaner does the same and even more.

4) The Flash_Disinfector.exe by sUBs seems like a very useful program for ALL my flash drive\memory cards; should I run it on all my portable drives?


yes, of course.

5) I read the article recommend by you on flash drive security and decided to turn "autorun" off for ALL drives--would you recommend that?


Most certainly, the recommended "right-click the drive and slect Explore" makes sense only when the autorun is disabled.

Once again thank you VERY MUCH for your help and dedication; I greatly appreciate it. I am really grateful I found Bleeping Computer and Samaritans like you online. thumbup.gif


You are most welcome. :thumbsup:

If you don't have any question I'll close the thread. Just let me know.

#13 NBP11

NBP11
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 18 October 2008 - 06:41 AM

Thanks for clearing my concerns--so I DID have some password stealers in my machine? I thought that was just a pretty low-risk worm... Then I should change all my passwords from now on....

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:31 AM

Posted 18 October 2008 - 08:09 AM

Glad I could help.

Your computer was infected both with flash drive worm and on-line game password sealers. As a precaution changing the passwords is a good idea. However if they had sealed your passwords you should not be able to log in to those games.


This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you. Include the address of this thread in your request.

If you should have a new issue, please start a new topic.

This applies only to the original topic starter. Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users