Infected with brastk.exe, GetModule23.exe etc.


This topic is locked
11 replies to this topic

#1 Haf-A-Mil


Posted 27 October 2008 - 05:57 PM

Hello all,

I'm pretty good about keeping my computer free of viruses and spyware/malware with the proper precautions. Well, within the last two weeks my hard drive of 6 years failed (where my OS was installed, as well as a lot of other applications that I'm still trying to recover). After the old HD crashed I bought a new HD; when it arrived I proceeded to install all the basic applications to get up and running again. After installing the OS and an unzipping program, I ran across another site, which is where I was infected with the spyware/malware. At first I had the popups down in the system tray that said my system was infected with spyware, and my desktop background had changed to a similar message. I ran AdAware, SuperAntiSpyware, CCleaner, MalwareBytes Anti-Malware, Spybot S&D, etc. The MalwareBytes program seemed to remove a majority of the issues. I run AVG Anti Virus with the latest updates (I currently have it disabled because the resident shield is hogging a ton of RAM), so I update and scan basically every other day. I have the Windows Firewall right now until I install the ZoneAlarm firewall. My main system directory where the OS is installed is in the F:\ directory. A slave drive is located on the C:\ drive (I know it's backwards, but this happened like this after installing the new HD).

Now after scanning the computer with the above cleaners I no longer had the popups in the system tray and my desktop returned back to the original image I had initially. Now everything seems to be back to normal other than when running msconfig the brastk.exe, getmodule23.exe, nenajizm.exe (which looks suspicious but haven't found any info on it), and ctfmon.exe are still displayed on the start-up tab. I just want to make sure these are totally gone and no keyloggers or anything else is still there even though the popups and random browser pages are gone. Below is my HJT log, thanks guys!!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:53 PM, on 10/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [brastk] F:\WINDOWS\system32\brastk.exe
O4 - HKCU\..\Run: [wincfgmon] F:\WINDOWS\system32\nenazijm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Facegame] "F:\Documents and Settings\HOME\Application Data\Facegame\Facegame.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [GetModule23] "F:\Program Files\GetModule\GetModule23.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

--
End of file - 3167 bytes

Edited by Haf-A-Mil, 27 October 2008 - 06:10 PM.
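As an added example (not part of the original post, and not HijackThis code), a small Python triage script that reads HJT log lines of the kind posted above and flags the entries a helper would ask about first: an extra executable chained onto UserInit (F2), Run-key entries starting an unrecognised file from system32 (O4), and an IE start page pointing at a non-Microsoft host (R0). The sample lines are constructed to mirror the log above; the allowlists of known-good values are assumptions.

```python
"""Triage of HijackThis (HJT) 2.x log lines for persistence entries worth a closer look.

Added example: not part of the original post and not HijackThis code. The
allowlists below are assumptions chosen for a stock Windows XP SP2 / IE7 box.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines, in the shape HJT writes them (paths taken from the log above).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\uesiuqcr.exe,
O4 - HKLM\..\Run: [brastk] F:\WINDOWS\system32\brastk.exe
O4 - HKCU\..\Run: [wincfgmon] F:\WINDOWS\system32\nenazijm.exe
O4 - HKCU\..\Run: [GetModule23] "F:\Program Files\GetModule\GetModule23.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag the rule fired on: "R0", "R1", "F2" or "O4"
    reason: str    # what the rule considers suspicious
    evidence: str  # the path or host that triggered it


# Assumed known-good values (not from the page). ctfmon.exe is the stock XP
# text-services loader that HJT also lists under O4; go.microsoft.com is where
# the default IE7 start/search pages point.
SYSTEM32_RUN_ALLOWLIST = {"ctfmon.exe"}
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com"}
EXPECTED_USERINIT = "userinit.exe"

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$")
R_RE = re.compile(
    r"^(?P<tag>R[01]) - .*Main,(?P<key>Start Page|Search Page|Default_Page_URL|Default_Search_URL) = (?P<val>.*)$"
)


def executable_of(cmd: str) -> str:
    """Return the executable path from a Run-key command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def host_of(url: str) -> str:
    """Host part of a URL or bare hostname, lower-cased."""
    no_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.IGNORECASE)
    return no_scheme.split("/", 1)[0].split(":", 1)[0].lower()


def triage(log_text: str) -> List[Finding]:
    """Walk the HJT lines and return the entries a helper would ask about first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            exe = executable_of(m["cmd"])
            # Run-key entries launching something from system32 that is not on the
            # allowlist (brastk.exe, nenazijm.exe in the sample) get flagged.
            if "\\system32\\" in exe.lower() and basename(exe).lower() not in SYSTEM32_RUN_ALLOWLIST:
                findings.append(Finding("O4", "Run key starts an unrecognised file from system32", exe))
        elif m := F2_RE.match(line):
            # UserInit should name userinit.exe only; anything chained after it
            # runs at every logon (the log above shows a second file chained this way).
            for part in (p.strip() for p in m["val"].split(",")):
                if part and basename(part).lower() != EXPECTED_USERINIT:
                    findings.append(Finding("F2", "extra executable chained onto UserInit", part))
        elif m := R_RE.match(line):
            host = host_of(m["val"])
            if host not in DEFAULT_IE_HOSTS:
                findings.append(Finding(m["tag"], f"{m['key']} points at a non-default host", host))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason} -> {f.evidence}")
```

GetModule23.exe under Program Files passes every rule here, which is deliberate: narrow allowlist rules surface the obvious persistence tricks and leave the rest for a human reading the whole log.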



#2 Ltangelic


Posted 28 October 2008 - 09:31 AM

Hey Haf-A-Mil,

Welcome to BleepingComputer Forums! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, I ask for your patience. Please stick with me until we get your computer cleaned up or it will be a wasted effort on both sides. ;)

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 Ltangelic


Posted 29 October 2008 - 07:56 AM

Hey Haf-A-Mil,

From your log(s), you do not seem to have an active anti-virus resident protection running. This is extremely dangerous, as your computer is vulnerable to all kinds of infections. Before we go on to clean up your computer, please go to the links provided below and download and install ONE of the anti-virus protection programs.

Avira Antivir (recommended)
Avast! Home Edition
AVG 8 Free

Your logs are showing signs of infection; please run the tools below to remove them. Before going on to run the tools, please temporarily disable your Spybot TeaTimer: Instructions here

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

1) Run SDFix

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
2) Run RSIT by random/random
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Next reply (please include):

Note: Please do NOT attach the logs and post ONE log in each post

RSIT logs (log.txt and info.txt)
Report.txt (from SDFix)



#4 Haf-A-Mil


Posted 29 October 2008 - 05:57 PM

I have AVG installed on my machine, but like I said, it's disabled and I update and run it every other day. Unfortunately I'm out of town right now on business; I'll get back to you on this post this Friday or Saturday. Thanks for the tips, I will try them as soon as I get back, and I'll PM you or reply to this post.

#5 Ltangelic


Posted 30 October 2008 - 06:19 AM

Alright, please don't PM me the logs but post them on here instead. Thanks. :thumbsup:



#6 Haf-A-Mil


Posted 31 October 2008 - 07:34 PM

SDFix's Report.txt
===========================



SDFix: Version 1.238
Run by Administrator on Fri 10/31/2008 at 07:56 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: F:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-31 20:05:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\AVG\\AVG8\\avgemc.exe"="F:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"F:\\Program Files\\AVG\\AVG8\\avgupd.exe"="F:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"F:\\Program Files\\uTorrent\\uTorrent.exe"="F:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="F:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"F:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="F:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"F:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="F:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 15 Sep 2008 1,562,960 A.SHR --- "F:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "F:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 17 Oct 2008 0 A.SH. --- "F:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!




RSIT's log.txt
================================


Logfile of random's system information tool 1.04 (written by random/random)
Run by Me at 2008-10-31 20:18:15
Microsoft Windows XP Professional Service Pack 2
System drive F: has 223 GB (94%) free of 238 GB
Total RAM: 512 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:21 PM, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Winamp Remote\bin\OrbTray.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\HOME\Desktop\RSIT.exe
F:\Program Files\Trend Micro\HijackThis\HOME.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [wincfgmon] F:\WINDOWS\system32\nenazijm.exe
O4 - HKCU\..\Run: [GetModule23] "F:\Program Files\GetModule\GetModule23.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "F:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

--
End of file - 3113 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"WinampAgent"=F:\Program Files\Winamp\winampa.exe [2008-08-03 36352]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wincfgmon"=F:\WINDOWS\system32\nenazijm.exe []
"GetModule23"=F:\Program Files\GetModule\GetModule23.exe []
"SUPERAntiSpyware"=F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-08-19 1576176]
"ctfmon.exe"=F:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"Orb"=F:\Program Files\Winamp Remote\bin\OrbTray.exe [2008-03-31 507904]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk]
F:\WINDOWS\system32\brastk.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GetModule23]
F:\Program Files\GetModule\GetModule23.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
F:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=F:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoLogOff"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\Program Files\AVG\AVG8\avgemc.exe"="F:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"F:\Program Files\AVG\AVG8\avgupd.exe"="F:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"F:\Program Files\uTorrent\uTorrent.exe"="F:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\Program Files\Winamp Remote\bin\Orb.exe"="F:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb"
"F:\Program Files\Winamp Remote\bin\OrbTray.exe"="F:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray"
"F:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="F:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-10-31 20:18:15 ----D---- F:\rsit
2008-10-31 19:53:41 ----D---- F:\WINDOWS\ERUNT
2008-10-31 19:48:46 ----D---- F:\SDFix
2008-10-28 01:40:51 ----HDC---- F:\WINDOWS\$NtUninstallKB939683$
2008-10-28 01:40:14 ----HDC---- F:\WINDOWS\$NtUninstallKB932823-v3$
2008-10-28 01:39:55 ----HDC---- F:\WINDOWS\$NtUninstallKB958644$
2008-10-27 21:53:19 ----D---- F:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-10-27 21:53:07 ----D---- F:\Program Files\Winamp Remote
2008-10-27 21:52:10 ----N---- F:\WINDOWS\system32\vxblock.dll
2008-10-27 21:52:10 ----N---- F:\WINDOWS\system32\pxwave.dll
2008-10-27 21:52:10 ----N---- F:\WINDOWS\system32\pxsfs.dll
2008-10-27 21:52:10 ----N---- F:\WINDOWS\system32\pxmas.dll
2008-10-27 21:52:10 ----N---- F:\WINDOWS\system32\pxinsa64.exe
2008-10-27 21:52:10 ----N---- F:\WINDOWS\system32\pxhpinst.exe
2008-10-27 21:52:10 ----N---- F:\WINDOWS\system32\pxdrv.dll
2008-10-27 21:52:10 ----N---- F:\WINDOWS\system32\pxcpya64.exe
2008-10-27 21:52:10 ----N---- F:\WINDOWS\system32\pxafs.dll
2008-10-27 21:52:10 ----N---- F:\WINDOWS\system32\px.dll
2008-10-27 21:52:01 ----D---- F:\Program Files\Winamp
2008-10-27 21:52:01 ----D---- F:\Documents and Settings\HOME\Application Data\Winamp
2008-10-27 17:04:35 ----D---- F:\WINDOWS\CSC
2008-10-27 17:04:23 ----A---- F:\WINDOWS\ntbtlog.txt
2008-10-27 17:00:20 ----D---- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-27 17:00:05 ----D---- F:\Program Files\SUPERAntiSpyware
2008-10-27 17:00:05 ----D---- F:\Documents and Settings\HOME\Application Data\SUPERAntiSpyware.com
2008-10-27 16:59:29 ----D---- F:\Program Files\Common Files\Wise Installation Wizard
2008-10-23 04:41:06 ----D---- F:\Program Files\Common Files\Adobe AIR
2008-10-23 04:38:51 ----D---- F:\Documents and Settings\All Users\Application Data\Adobe
2008-10-23 04:37:56 ----D---- F:\Program Files\Common Files\Adobe
2008-10-23 04:37:56 ----D---- F:\Program Files\Adobe
2008-10-23 04:33:45 ----D---- F:\Documents and Settings\All Users\Application Data\NOS
2008-10-23 04:33:44 ----D---- F:\Program Files\NOS
2008-10-22 22:13:02 ----D---- F:\WINDOWS\ie7updates
2008-10-22 22:11:34 ----D---- F:\WINDOWS\WBEM
2008-10-22 22:11:31 ----D---- F:\WINDOWS\system32\en-US
2008-10-22 22:09:58 ----HDC---- F:\WINDOWS\ie7
2008-10-22 22:09:29 ----HDC---- F:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
2008-10-22 22:09:07 ----HDC---- F:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
2008-10-22 22:08:42 ----HDC---- F:\WINDOWS\$NtUninstallKB915865$
2008-10-22 22:08:34 ----N---- F:\WINDOWS\system32\xmllite.dll
2008-10-22 22:06:13 ----D---- F:\WINDOWS\network diagnostic
2008-10-22 22:06:11 ----HDC---- F:\WINDOWS\$NtUninstallKB914440$
2008-10-22 22:05:51 ----HDC---- F:\WINDOWS\$NtUninstallKB904942$
2008-10-20 10:22:13 ----D---- F:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-10-20 10:03:33 ----HDC---- F:\WINDOWS\$NtUninstallKB941569$
2008-10-20 10:03:13 ----HDC---- F:\WINDOWS\$NtUninstallKB929399$
2008-10-20 10:02:54 ----HDC---- F:\WINDOWS\$NtUninstallKB954154_WM11$
2008-10-20 10:02:28 ----HDC---- F:\WINDOWS\$NtUninstallKB936782_WMP11$
2008-10-20 09:35:28 ----D---- F:\WINDOWS\pss
2008-10-20 08:58:19 ----D---- F:\Documents and Settings\HOME\Application Data\vlc
2008-10-20 08:54:38 ----D---- F:\Program Files\VideoLAN
2008-10-20 08:38:08 ----A---- F:\WINDOWS\system32\MRT.exe
2008-10-20 08:35:01 ----D---- F:\WINDOWS\system32\CatRoot_bak
2008-10-17 04:34:59 ----HDC---- F:\WINDOWS\$NtUninstallKB926239$
2008-10-17 04:34:39 ----N---- F:\WINDOWS\system32\spmsg.dll
2008-10-17 04:34:38 ----HDC---- F:\WINDOWS\$NtUninstallMSCompPackV1$
2008-10-17 04:33:45 ----D---- F:\Program Files\Windows Media Connect 2
2008-10-17 04:32:47 ----HDC---- F:\WINDOWS\$NtUninstallwmp11$
2008-10-17 04:28:23 ----HDC---- F:\WINDOWS\$NtUninstallWMFDist11$
2008-10-17 04:26:10 ----D---- F:\WINDOWS\system32\LogFiles
2008-10-17 04:26:01 ----HDC---- F:\WINDOWS\$NtUninstallWudf01000$
2008-10-17 04:19:58 ----D---- F:\Documents and Settings\HOME\Application Data\Adobe
2008-10-17 04:09:27 ----D---- F:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-10-17 04:09:26 ----D---- F:\Program Files\DVD Shrink
2008-10-17 03:41:33 ----D---- F:\Program Files\WinRAR
2008-10-17 03:36:43 ----D---- F:\Documents and Settings\HOME\Application Data\Mozilla
2008-10-17 03:36:03 ----D---- F:\Program Files\Mozilla Firefox
2008-10-17 03:24:26 ----D---- F:\Program Files\uTorrent
2008-10-17 03:24:23 ----D---- F:\Documents and Settings\HOME\Application Data\uTorrent
2008-10-17 03:07:29 ----HDC---- F:\WINDOWS\$NtUninstallKB951376-v2$
2008-10-17 03:07:19 ----HDC---- F:\WINDOWS\$NtUninstallKB952954$
2008-10-17 03:07:08 ----HDC---- F:\WINDOWS\$NtUninstallKB946648$
2008-10-17 03:06:57 ----HDC---- F:\WINDOWS\$NtUninstallKB956803$
2008-10-17 03:06:45 ----HDC---- F:\WINDOWS\$NtUninstallKB956391$
2008-10-17 03:06:34 ----HDC---- F:\WINDOWS\$NtUninstallKB957095$
2008-10-17 03:06:22 ----HDC---- F:\WINDOWS\$NtUninstallKB950974$
2008-10-17 03:06:07 ----HDC---- F:\WINDOWS\$NtUninstallKB951698$
2008-10-17 03:05:47 ----HDC---- F:\WINDOWS\$NtUninstallKB954211$
2008-10-17 03:05:01 ----HDC---- F:\WINDOWS\$NtUninstallKB956841$
2008-10-17 03:04:40 ----HDC---- F:\WINDOWS\$NtUninstallKB950762$
2008-10-17 03:04:29 ----HDC---- F:\WINDOWS\$NtUninstallKB951072-v2$
2008-10-17 03:04:16 ----HDC---- F:\WINDOWS\$NtUninstallKB952287$
2008-10-17 03:04:03 ----HDC---- F:\WINDOWS\$NtUninstallKB951066$
2008-10-17 03:03:46 ----HDC---- F:\WINDOWS\$NtUninstallKB951748$
2008-10-17 03:03:12 ----HDC---- F:\WINDOWS\$NtUninstallKB950749$
2008-10-17 03:02:41 ----HDC---- F:\WINDOWS\$NtUninstallKB938464$
2008-10-17 03:01:53 ----HDC---- F:\WINDOWS\$NtUninstallKB956390$
2008-10-17 03:01:11 ----A---- F:\WINDOWS\imsins.BAK
2008-10-17 03:00:59 ----HDC---- F:\WINDOWS\$NtUninstallKB944338-v2$
2008-10-17 00:28:53 ----D---- F:\Documents and Settings\HOME\Application Data\Malwarebytes
2008-10-17 00:28:36 ----D---- F:\Program Files\Malwarebytes' Anti-Malware
2008-10-17 00:28:36 ----D---- F:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-17 00:14:52 ----D---- F:\Documents and Settings\HOME\Application Data\Macromedia
2008-10-16 23:49:35 ----D---- F:\Program Files\Trend Micro
2008-10-16 23:37:29 ----D---- F:\Program Files\Yahoo!
2008-10-16 23:37:01 ----D---- F:\Program Files\CCleaner
2008-10-16 22:52:29 ----A---- F:\WINDOWS\wininit.ini
2008-10-16 20:48:11 ----D---- F:\Program Files\Spybot - Search & Destroy
2008-10-16 20:48:11 ----D---- F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 20:42:38 ----HDC---- F:\WINDOWS\$MSI31Uninstall_KB893803v2$
2008-10-16 20:41:55 ----HDC---- F:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-16 20:33:46 ----D---- F:\Documents and Settings\All Users\Application Data\svmpylyj
2008-10-16 20:33:39 ----D---- F:\Documents and Settings\HOME\Application Data\WinRAR
2008-10-16 20:33:37 ----D---- F:\Program Files\ighmcwc
2008-10-16 20:32:18 ----HD---- F:\$AVG8.VAULT$
2008-10-16 20:26:12 ----SHD---- F:\RECYCLER
2008-10-16 20:19:44 ----A---- F:\WINDOWS\system32\avgrsstx.dll
2008-10-16 20:19:05 ----D---- F:\Program Files\AVG
2008-10-16 20:19:05 ----D---- F:\Documents and Settings\All Users\Application Data\avg8
2008-10-16 19:52:39 ----D---- F:\WINDOWS\system32\PreInstall
2008-10-16 19:52:38 ----A---- F:\WINDOWS\system32\spupdsvc.exe
2008-10-16 19:52:37 ----HDC---- F:\WINDOWS\$NtUninstallKB898461$
2008-10-16 19:52:37 ----HD---- F:\WINDOWS\$hf_mig$
2008-10-16 19:42:54 ----D---- F:\WINDOWS\system32\SoftwareDistribution
2008-10-16 19:42:28 ----D---- F:\Program Files\InstallShield Installation Information
2008-10-16 19:42:08 ----D---- F:\Program Files\D-Link
2008-10-16 19:41:51 ----D---- F:\Program Files\Common Files\InstallShield
2008-10-16 19:38:37 ----D---- F:\Documents and Settings\HOME\Application Data\Identities
2008-10-16 19:38:32 ----HD---- F:\Program Files\Uninstall Information
2008-10-16 19:38:20 ----ASH---- F:\Documents and Settings\HOME\Application Data\desktop.ini
2008-10-16 19:38:19 ----SD---- F:\Documents and Settings\HOME\Application Data\Microsoft
2008-10-16 19:22:52 ----D---- F:\WINDOWS\SoftwareDistribution
2008-10-16 19:22:50 ----D---- F:\WINDOWS\Prefetch
2008-10-16 19:22:48 ----SD---- F:\WINDOWS\system32\Microsoft
2008-10-16 19:22:48 ----A---- F:\WINDOWS\SchedLgU.Txt
2008-10-16 19:12:49 ----D---- F:\WINDOWS\system32\xircom
2008-10-16 19:12:49 ----D---- F:\Program Files\xerox
2008-10-16 19:12:49 ----D---- F:\Program Files\microsoft frontpage
2008-10-16 19:11:51 ----A---- F:\WINDOWS\control.ini
2008-10-16 19:11:17 ----A---- F:\WINDOWS\system32\mapi32.dll
2008-10-16 19:08:47 ----RD---- F:\WINDOWS\Offline Web Pages
2008-10-16 19:08:46 ----SD---- F:\WINDOWS\Downloaded Program Files
2008-10-16 19:08:46 ----RAH---- F:\WINDOWS\system32\logonui.exe.manifest
2008-10-16 19:08:27 ----RAH---- F:\WINDOWS\system32\cdplayer.exe.manifest
2008-10-16 19:08:12 ----HD---- F:\Program Files\WindowsUpdate
2008-10-16 19:07:32 ----D---- F:\WINDOWS\system32\DirectX
2008-10-16 19:06:59 ----A---- F:\WINDOWS\system32\atrace.dll
2008-10-16 19:06:56 ----A---- F:\WINDOWS\system32\desktop.ini
2008-10-16 19:06:56 ----A---- F:\WINDOWS\desktop.ini
2008-10-16 19:06:47 ----A---- F:\WINDOWS\system32\nmevtmsg.dll
2008-10-16 19:06:45 ----A---- F:\WINDOWS\system32\acctres.dll
2008-10-16 19:06:44 ----D---- F:\Program Files\Common Files\Services
2008-10-16 19:06:40 ----SD---- F:\WINDOWS\Tasks
2008-10-16 19:06:40 ----A---- F:\WINDOWS\system32\icfgnt5.dll
2008-10-16 19:06:38 ----D---- F:\Program Files\Common Files\MSSoap
2008-10-16 19:06:32 ----D---- F:\WINDOWS\srchasst
2008-10-16 19:06:31 ----D---- F:\WINDOWS\system32\Macromed
2008-10-16 19:06:26 ----A---- F:\WINDOWS\system32\wuweb.dll
2008-10-16 19:06:26 ----A---- F:\WINDOWS\system32\wucltui.dll
2008-10-16 19:06:26 ----A---- F:\WINDOWS\system32\wuauserv.dll
2008-10-16 19:06:26 ----A---- F:\WINDOWS\system32\wuaueng1.dll
2008-10-16 19:06:25 ----A---- F:\WINDOWS\system32\wups.dll
2008-10-16 19:06:25 ----A---- F:\WINDOWS\system32\wuaueng.dll
2008-10-16 19:06:25 ----A---- F:\WINDOWS\system32\wuauclt1.exe
2008-10-16 19:06:24 ----A---- F:\WINDOWS\system32\wuauclt.exe
2008-10-16 19:06:24 ----A---- F:\WINDOWS\system32\wuapi.dll
2008-10-16 19:06:24 ----A---- F:\WINDOWS\system32\bitsprx3.dll
2008-10-16 19:06:24 ----A---- F:\WINDOWS\system32\bitsprx2.dll
2008-10-16 19:06:23 ----A---- F:\WINDOWS\system32\qmgrprxy.dll
2008-10-16 19:06:23 ----A---- F:\WINDOWS\system32\qmgr.dll
2008-10-16 19:06:17 ----D---- F:\Program Files\Movie Maker
2008-10-16 19:06:11 ----A---- F:\WINDOWS\system32\safrslv.dll
2008-10-16 19:06:11 ----A---- F:\WINDOWS\system32\safrdm.dll
2008-10-16 19:06:11 ----A---- F:\WINDOWS\system32\safrcdlg.dll
2008-10-16 19:06:11 ----A---- F:\WINDOWS\system32\racpldlg.dll
2008-10-16 19:06:06 ----A---- F:\WINDOWS\system32\fltMc.exe
2008-10-16 19:06:06 ----A---- F:\WINDOWS\system32\fltlib.dll
2008-10-16 19:06:05 ----D---- F:\WINDOWS\system32\Restore
2008-10-16 19:06:05 ----A---- F:\WINDOWS\system32\srsvc.dll
2008-10-16 19:06:05 ----A---- F:\WINDOWS\system32\srrstr.dll
2008-10-16 19:06:05 ----A---- F:\WINDOWS\system32\srclient.dll
2008-10-16 19:06:03 ----A---- F:\WINDOWS\system32\nmmkcert.dll
2008-10-16 19:06:03 ----A---- F:\WINDOWS\system32\mnmsrvc.exe
2008-10-16 19:06:03 ----A---- F:\WINDOWS\system32\mnmdd.dll
2008-10-16 19:06:03 ----A---- F:\WINDOWS\system32\isrdbg32.dll
2008-10-16 19:06:03 ----A---- F:\WINDOWS\system32\ils.dll
2008-10-16 19:06:02 ----A---- F:\WINDOWS\system32\msconf.dll
2008-10-16 19:05:59 ----D---- F:\Program Files\NetMeeting
2008-10-16 19:05:59 ----A---- F:\WINDOWS\system32\msoert2.dll
2008-10-16 19:05:58 ----A---- F:\WINDOWS\system32\msoeacct.dll
2008-10-16 19:05:57 ----A---- F:\WINDOWS\system32\inetres.dll
2008-10-16 19:05:56 ----A---- F:\WINDOWS\system32\inetcomm.dll
2008-10-16 19:05:54 ----D---- F:\Program Files\Outlook Express
2008-10-16 19:05:54 ----A---- F:\WINDOWS\system32\schedsvc.dll
2008-10-16 19:05:54 ----A---- F:\WINDOWS\system32\mstinit.exe
2008-10-16 19:05:53 ----A---- F:\WINDOWS\system32\mstask.dll
2008-10-16 19:05:53 ----A---- F:\WINDOWS\system32\icwphbk.dll
2008-10-16 19:05:53 ----A---- F:\WINDOWS\system32\icwdial.dll
2008-10-16 19:05:52 ----A---- F:\WINDOWS\system32\isign32.dll
2008-10-16 19:05:52 ----A---- F:\WINDOWS\system32\inetcfg.dll
2008-10-16 19:05:43 ----D---- F:\Program Files\Common Files\System
2008-10-16 19:05:41 ----D---- F:\Program Files\Internet Explorer
2008-10-16 19:04:15 ----D---- F:\Program Files\ComPlus Applications
2008-10-16 19:04:12 ----A---- F:\WINDOWS\vbaddin.ini
2008-10-16 19:04:12 ----A---- F:\WINDOWS\vb.ini
2008-10-16 19:04:05 ----D---- F:\WINDOWS\Registration
2008-10-16 19:03:53 ----D---- F:\Program Files\Online Services
2008-10-16 19:03:52 ----D---- F:\Program Files\Windows Media Player
2008-10-16 19:03:41 ----D---- F:\Program Files\Messenger
2008-10-16 19:03:35 ----D---- F:\Program Files\MSN Gaming Zone
2008-10-16 19:03:35 ----A---- F:\WINDOWS\system32\write.exe
2008-10-16 19:03:19 ----A---- F:\WINDOWS\system32\sndvol32.exe
2008-10-16 19:03:19 ----A---- F:\WINDOWS\system32\hticons.dll
2008-10-16 19:03:19 ----A---- F:\WINDOWS\system32\avwav.dll
2008-10-16 19:03:18 ----A---- F:\WINDOWS\system32\winchat.exe
2008-10-16 19:03:18 ----A---- F:\WINDOWS\system32\avtapi.dll
2008-10-16 19:03:18 ----A---- F:\WINDOWS\system32\avmeter.dll
2008-10-16 19:03:07 ----A---- F:\WINDOWS\system32\getuname.dll
2008-10-16 19:03:07 ----A---- F:\WINDOWS\system32\charmap.exe
2008-10-16 19:03:07 ----A---- F:\WINDOWS\system32\calc.exe
2008-10-16 19:03:06 ----A---- F:\WINDOWS\system32\winmine.exe
2008-10-16 19:03:06 ----A---- F:\WINDOWS\system32\sol.exe
2008-10-16 19:03:05 ----A---- F:\WINDOWS\system32\usrlogon.cmd
2008-10-16 19:03:05 ----A---- F:\WINDOWS\system32\tskill.exe
2008-10-16 19:03:05 ----A---- F:\WINDOWS\system32\reset.exe
2008-10-16 19:03:05 ----A---- F:\WINDOWS\system32\mshearts.exe
2008-10-16 19:03:05 ----A---- F:\WINDOWS\system32\freecell.exe
2008-10-16 19:03:04 ----A---- F:\WINDOWS\system32\tsshutdn.exe
2008-10-16 19:03:04 ----A---- F:\WINDOWS\system32\tslabels.ini
2008-10-16 19:03:04 ----A---- F:\WINDOWS\system32\tsdiscon.exe
2008-10-16 19:03:04 ----A---- F:\WINDOWS\system32\tscon.exe
2008-10-16 19:03:04 ----A---- F:\WINDOWS\system32\shadow.exe
2008-10-16 19:03:04 ----A---- F:\WINDOWS\system32\rwinsta.exe
2008-10-16 19:03:04 ----A---- F:\WINDOWS\system32\regini.exe
2008-10-16 19:03:04 ----A---- F:\WINDOWS\system32\rdpcfgex.dll
2008-10-16 19:03:04 ----A---- F:\WINDOWS\system32\qwinsta.exe
2008-10-16 19:03:03 ----A---- F:\WINDOWS\system32\qappsrv.exe
2008-10-16 19:03:03 ----A---- F:\WINDOWS\system32\msg.exe
2008-10-16 19:03:03 ----A---- F:\WINDOWS\system32\msdtcprf.ini
2008-10-16 19:03:03 ----A---- F:\WINDOWS\system32\logoff.exe
2008-10-16 19:03:03 ----A---- F:\WINDOWS\system32\cdmodem.dll
2008-10-16 19:03:02 ----A---- F:\WINDOWS\system32\dcomcnfg.exe
2008-10-16 19:03:01 ----A---- F:\WINDOWS\system32\stclient.dll
2008-10-16 19:03:01 ----A---- F:\WINDOWS\system32\mtxlegih.dll
2008-10-16 19:03:01 ----A---- F:\WINDOWS\system32\mtxex.dll
2008-10-16 19:03:01 ----A---- F:\WINDOWS\system32\mtxdm.dll
2008-10-16 19:03:01 ----A---- F:\WINDOWS\system32\comrepl.dll
2008-10-16 19:03:01 ----A---- F:\WINDOWS\system32\comaddin.dll
2008-10-16 19:03:00 ----A---- F:\WINDOWS\system32\comsnap.dll
2008-10-16 19:02:51 ----A---- F:\WINDOWS\system32\wmimgmt.msc
2008-10-16 19:02:37 ----D---- F:\Program Files\MSN
2008-10-16 19:02:35 ----A---- F:\WINDOWS\system32\sndrec32.exe
2008-10-16 19:02:35 ----A---- F:\WINDOWS\system32\mplay32.exe
2008-10-16 19:02:35 ----A---- F:\WINDOWS\system32\accwiz.exe
2008-10-16 19:02:34 ----D---- F:\Program Files\Windows NT
2008-10-16 19:02:34 ----A---- F:\WINDOWS\system32\mspaint.exe
2008-10-16 19:02:34 ----A---- F:\WINDOWS\system32\hypertrm.dll
2008-10-16 19:02:33 ----A---- F:\WINDOWS\system32\spider.exe
2008-10-16 19:02:33 ----A---- F:\WINDOWS\system32\clipbrd.exe
2008-10-16 19:02:32 ----A---- F:\WINDOWS\system32\tscfgwmi.dll
2008-10-16 19:02:32 ----A---- F:\WINDOWS\system32\mstscax.dll
2008-10-16 19:02:31 ----A---- F:\WINDOWS\system32\sessmgr.exe
2008-10-16 19:02:31 ----A---- F:\WINDOWS\system32\remotepg.dll
2008-10-16 19:02:31 ----A---- F:\WINDOWS\system32\rdshost.exe
2008-10-16 19:02:31 ----A---- F:\WINDOWS\system32\rdsaddin.exe
2008-10-16 19:02:31 ----A---- F:\WINDOWS\system32\mstsc.exe
2008-10-16 19:02:30 ----A---- F:\WINDOWS\system32\tscupgrd.exe
2008-10-16 19:02:30 ----A---- F:\WINDOWS\system32\termsrv.dll
2008-10-16 19:02:30 ----A---- F:\WINDOWS\system32\rdpwsx.dll
2008-10-16 19:02:30 ----A---- F:\WINDOWS\system32\rdpsnd.dll
2008-10-16 19:02:30 ----A---- F:\WINDOWS\system32\rdpclip.exe
2008-10-16 19:02:30 ----A---- F:\WINDOWS\system32\rdchost.dll
2008-10-16 19:02:29 ----D---- F:\WINDOWS\system32\MsDtc
2008-10-16 19:02:29 ----A---- F:\WINDOWS\system32\qprocess.exe
2008-10-16 19:02:29 ----A---- F:\WINDOWS\system32\msdtcuiu.dll
2008-10-16 19:02:29 ----A---- F:\WINDOWS\system32\icaapi.dll
2008-10-16 19:02:29 ----A---- F:\WINDOWS\system32\cfgbkend.dll
2008-10-16 19:02:28 ----A---- F:\WINDOWS\system32\mtxoci.dll
2008-10-16 19:02:28 ----A---- F:\WINDOWS\system32\msdtctm.dll
2008-10-16 19:02:28 ----A---- F:\WINDOWS\system32\msdtcprx.dll
2008-10-16 19:02:27 ----A---- F:\WINDOWS\system32\xolehlp.dll
2008-10-16 19:02:27 ----A---- F:\WINDOWS\system32\msdtclog.dll
2008-10-16 19:02:27 ----A---- F:\WINDOWS\system32\msdtc.exe
2008-10-16 19:02:26 ----D---- F:\WINDOWS\system32\Com
2008-10-16 19:02:26 ----A---- F:\WINDOWS\system32\colbact.dll
2008-10-16 19:02:26 ----A---- F:\WINDOWS\system32\clbcatex.dll
2008-10-16 19:02:26 ----A---- F:\WINDOWS\system32\catsrvps.dll
2008-10-16 19:02:25 ----A---- F:\WINDOWS\system32\comsvcs.dll
2008-10-16 19:02:25 ----A---- F:\WINDOWS\system32\catsrvut.dll
2008-10-16 19:02:25 ----A---- F:\WINDOWS\system32\catsrv.dll
2008-10-16 19:02:24 ----A---- F:\WINDOWS\system32\comuid.dll
2008-10-16 19:02:24 ----A---- F:\WINDOWS\system32\clbcatq.dll
2008-10-16 19:02:14 ----A---- F:\WINDOWS\system32\servdeps.dll
2008-10-16 19:02:14 ----A---- F:\WINDOWS\system32\mmfutil.dll
2008-10-16 19:02:14 ----A---- F:\WINDOWS\system32\licwmi.dll
2008-10-16 19:02:14 ----A---- F:\WINDOWS\system32\cmprops.dll
2008-10-16 14:54:18 ----A---- F:\WINDOWS\system32\h323log.txt
2008-10-16 14:49:26 ----A---- F:\WINDOWS\system32\sis300iv.dll
2008-10-16 14:48:45 ----A---- F:\WINDOWS\system32\usbui.dll
2008-10-16 14:48:38 ----A---- F:\WINDOWS\system32\ksuser.dll
2008-10-16 14:45:37 ----SHD---- F:\WINDOWS\Installer
2008-10-16 14:45:37 ----A---- F:\WINDOWS\system32\PerfStringBackup.INI
2008-10-16 14:45:36 ----D---- F:\Program Files\Common Files\ODBC
2008-10-16 14:45:36 ----A---- F:\WINDOWS\ODBCINST.INI
2008-10-16 14:45:30 ----D---- F:\Program Files\Common Files\SpeechEngines
2008-10-16 14:45:29 ----RD---- F:\Program Files
2008-10-16 14:45:29 ----D---- F:\Program Files\Common Files\Microsoft Shared
2008-10-16 14:45:29 ----D---- F:\Program Files\Common Files
2008-10-16 14:45:24 ----RA---- F:\WINDOWS\system32\kbdazel.dll
2008-10-16 14:45:23 ----RA---- F:\WINDOWS\system32\kbdtuq.dll
2008-10-16 14:45:23 ----RA---- F:\WINDOWS\system32\kbdtuf.dll
2008-10-16 14:45:21 ----RA---- F:\WINDOWS\system32\kbdtat.dll
2008-10-16 14:45:21 ----RA---- F:\WINDOWS\system32\kbdmon.dll
2008-10-16 14:45:21 ----RA---- F:\WINDOWS\system32\kbdkyr.dll
2008-10-16 14:45:21 ----RA---- F:\WINDOWS\system32\kbdaze.dll
2008-10-16 14:45:20 ----RA---- F:\WINDOWS\system32\kbdycc.dll
2008-10-16 14:45:20 ----RA---- F:\WINDOWS\system32\kbduzb.dll
2008-10-16 14:45:20 ----RA---- F:\WINDOWS\system32\kbdur.dll
2008-10-16 14:45:20 ----RA---- F:\WINDOWS\system32\kbdru1.dll
2008-10-16 14:45:20 ----RA---- F:\WINDOWS\system32\kbdru.dll
2008-10-16 14:45:20 ----RA---- F:\WINDOWS\system32\kbdkaz.dll
2008-10-16 14:45:20 ----RA---- F:\WINDOWS\system32\kbdbu.dll
2008-10-16 14:45:20 ----RA---- F:\WINDOWS\system32\kbdblr.dll
2008-10-16 14:45:17 ----RA---- F:\WINDOWS\system32\kbdhept.dll
2008-10-16 14:45:17 ----RA---- F:\WINDOWS\system32\kbdhela3.dll
2008-10-16 14:45:17 ----RA---- F:\WINDOWS\system32\kbdhela2.dll
2008-10-16 14:45:17 ----RA---- F:\WINDOWS\system32\kbdhe319.dll
2008-10-16 14:45:17 ----RA---- F:\WINDOWS\system32\kbdhe220.dll
2008-10-16 14:45:17 ----RA---- F:\WINDOWS\system32\kbdhe.dll
2008-10-16 14:45:17 ----RA---- F:\WINDOWS\system32\kbdgkl.dll
2008-10-16 14:45:15 ----RA---- F:\WINDOWS\system32\kbdlv1.dll
2008-10-16 14:45:15 ----RA---- F:\WINDOWS\system32\kbdlv.dll
2008-10-16 14:45:15 ----RA---- F:\WINDOWS\system32\kbdlt1.dll
2008-10-16 14:45:15 ----RA---- F:\WINDOWS\system32\kbdlt.dll
2008-10-16 14:45:15 ----RA---- F:\WINDOWS\system32\kbdest.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdycl.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdsl1.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdsl.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdro.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdpl1.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdpl.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdhu1.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdhu.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdcz2.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdcz1.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdcz.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\kbdcr.dll
2008-10-16 14:45:12 ----RA---- F:\WINDOWS\system32\KBDAL.DLL
2008-10-16 14:45:06 ----A---- F:\WINDOWS\system32\spxcoins.dll
2008-10-16 14:45:06 ----A---- F:\WINDOWS\system32\irclass.dll
2008-10-16 14:45:06 ----A---- F:\WINDOWS\system32\EqnClass.Dll
2008-10-16 14:45:06 ----A---- F:\WINDOWS\system32\dgsetup.dll
2008-10-16 14:45:06 ----A---- F:\WINDOWS\system32\dgrpsetu.dll
2008-10-16 14:45:03 ----A---- F:\WINDOWS\TASKMAN.EXE
2008-10-16 14:45:02 ----N---- F:\WINDOWS\system32\CONFIG.TMP
2008-10-16 14:45:02 ----A---- F:\WINDOWS\system32\batt.dll
2008-10-16 14:45:01 ----A---- F:\WINDOWS\NOTEPAD.EXE
2008-10-16 14:44:54 ----A---- F:\WINDOWS\system32\storprop.dll
2008-10-16 14:44:40 ----ASH---- F:\Documents and Settings\All Users\Application Data\desktop.ini
2008-10-16 14:44:31 ----RA---- F:\WINDOWS\SET8.tmp
2008-10-16 14:44:25 ----RA---- F:\WINDOWS\SET4.tmp
2008-10-16 14:44:22 ----RA---- F:\WINDOWS\SET3.tmp
2008-10-16 14:44:13 ----D---- F:\WINDOWS\system32\CatRoot2
2008-10-16 14:44:13 ----D---- F:\WINDOWS\system32\CatRoot
2008-10-16 14:44:06 ----SD---- F:\Documents and Settings\All Users\Application Data\Microsoft
2008-10-16 14:43:30 ----D---- F:\Documents and Settings
2008-10-16 14:43:29 ----SHD---- F:\System Volume Information
2008-10-16 14:41:29 ----SH---- F:\boot.ini
2008-10-16 14:27:32 ----RSHDC---- F:\WINDOWS\system32\dllcache
2008-10-16 14:27:32 ----RSD---- F:\WINDOWS\Fonts
2008-10-16 14:27:32 ----RD---- F:\WINDOWS\Web
2008-10-16 14:27:32 ----HD---- F:\WINDOWS\inf
2008-10-16 14:27:32 ----D---- F:\WINDOWS\WinSxS
2008-10-16 14:27:32 ----D---- F:\WINDOWS\twain_32
2008-10-16 14:27:32 ----D---- F:\WINDOWS\Temp
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\wins
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\wbem
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\usmt
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\spool
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\ShellExt
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\Setup
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\ras
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\oobe
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\npp
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\mui
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\inetsrv
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\IME
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\icsxml
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\ias
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\export
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\drivers
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\dhcp
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\config
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\3com_dmi
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\3076
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\2052
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\1054
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\1042
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\1041
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\1037
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\1033
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\1031
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\1028
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32\1025
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system32
2008-10-16 14:27:32 ----D---- F:\WINDOWS\system
2008-10-16 14:27:32 ----D---- F:\WINDOWS\security
2008-10-16 14:27:32 ----D---- F:\WINDOWS\Resources
2008-10-16 14:27:32 ----D---- F:\WINDOWS\repair
2008-10-16 14:27:32 ----D---- F:\WINDOWS\Provisioning
2008-10-16 14:27:32 ----D---- F:\WINDOWS\PeerNet
2008-10-16 14:27:32 ----D---- F:\WINDOWS\pchealth
2008-10-16 14:27:32 ----D---- F:\WINDOWS\mui
2008-10-16 14:27:32 ----D---- F:\WINDOWS\msapps
2008-10-16 14:27:32 ----D---- F:\WINDOWS\msagent
2008-10-16 14:27:32 ----D---- F:\WINDOWS\Media
2008-10-16 14:27:32 ----D---- F:\WINDOWS\java
2008-10-16 14:27:32 ----D---- F:\WINDOWS\ime
2008-10-16 14:27:32 ----D---- F:\WINDOWS\Help
2008-10-16 14:27:32 ----D---- F:\WINDOWS\ehome
2008-10-16 14:27:32 ----D---- F:\WINDOWS\Driver Cache
2008-10-16 14:27:32 ----D---- F:\WINDOWS\Debug
2008-10-16 14:27:32 ----D---- F:\WINDOWS\Cursors
2008-10-16 14:27:32 ----D---- F:\WINDOWS\Connection Wizard
2008-10-16 14:27:32 ----D---- F:\WINDOWS\Config
2008-10-16 14:27:32 ----D---- F:\WINDOWS\AppPatch
2008-10-16 14:27:32 ----D---- F:\WINDOWS\addins
2008-10-16 14:27:32 ----D---- F:\WINDOWS

======List of files/folders modified in the last 1 months======

2008-10-23 11:32:21 ----A---- F:\WINDOWS\win.ini
2008-10-23 11:32:21 ----A---- F:\WINDOWS\system.ini
2008-10-15 12:57:55 ----A---- F:\WINDOWS\system32\netapi32.dll
2008-10-03 13:41:15 ----A---- F:\WINDOWS\system32\ieframe.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; F:\WINDOWS\System32\Drivers\avgldx86.sys [2008-10-16 97928]
R1 SASDIFSV;SASDIFSV; \??\F:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\F:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 AvgTdiX;AVG Free8 Network Redirector; F:\WINDOWS\System32\Drivers\avgtdix.sys [2008-10-16 76040]
R3 aliadwdm;ALi Audio Accelerator WDM driver; F:\WINDOWS\system32\drivers\ac97ali.sys [2004-08-03 231552]
R3 catchme;catchme; \??\F:\DOCUME~1\HOME~1\LOCALS~1\Temp\catchme.sys []
R3 FETNDISB;D-Link PCI Fast Ethernet Adapter Driver Service; F:\WINDOWS\system32\DRIVERS\dlkfet5b.sys [2005-07-01 43008]
R3 ltmodem5;LT Modem Driver; F:\WINDOWS\system32\DRIVERS\ltmdmnt.sys [2004-08-03 606684]
R3 MODEMCSA;Unimodem Streaming Filter Device; F:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 SASENUM;SASENUM; \??\F:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SiS300i;SiS300i; F:\WINDOWS\system32\DRIVERS\sis300ip.sys [2001-08-17 101760]
R3 usbhub;USB2 Enabled Hub; F:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; F:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
S3 NtApm;NT Apm/Legacy Interface Driver; F:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 9344]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; F:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 USBSTOR;USB Mass Storage Driver; F:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; F:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; F:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 ACPI;ACPI; F:\WINDOWS\system32\drivers\ACPI.sys []
S4 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; F:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-10-16 26824]
S4 IntelIde;IntelIde; F:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; F:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; F:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 avg8emc;AVG Free8 E-mail Scanner; F:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-16 875288]
S4 avg8wd;AVG Free8 WatchDog; F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-16 231704]

-----------------EOF-----------------



RSIT's info.txt
================================


info.txt logfile of random's system information tool 1.04 2008-10-31 20:18:26

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
530TX+-->F:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C71A1FD7-EB23-45AA-A9AA-8DFEC0881875}
Acrobat.com-->F:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->F:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->F:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->F:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
AVG Free 8.0-->F:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CCleaner (remove only)-->"F:\Program Files\CCleaner\uninst.exe"
D-Link PCI Fast Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $D-Link
DVD Shrink 3.2-->"F:\Program Files\DVD Shrink\unins000.exe"
HijackThis 2.0.2-->"F:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"F:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"F:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB914440)-->"F:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"F:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"F:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"F:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Malwarebytes' Anti-Malware-->"F:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"F:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"F:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"F:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"F:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.3)-->F:\Program Files\Mozilla Firefox\uninstall\helper.exe
Security Update for Windows Internet Explorer 7 (KB938127)-->"F:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"F:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"F:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"F:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"F:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"F:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->F:\WINDOWS\system32\MacroMed\Flash\genuinst.exe F:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"F:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"F:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338-v2)-->"F:\WINDOWS\$NtUninstallKB944338-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"F:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"F:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"F:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"F:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"F:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"F:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"F:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"F:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"F:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"F:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"F:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"F:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"F:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"F:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"F:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"F:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"F:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Windows XP (KB898461)-->"F:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"F:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"F:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"F:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
VLC media player 0.9.4-->F:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp Remote-->"F:\Program Files\Winamp Remote\uninstall.exe"
Winamp-->"F:\Program Files\Winamp\UninstWA.exe"
Windows Installer 3.1 (KB893803)-->"F:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"F:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"F:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"F:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"F:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"F:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
WinRAR archiver-->F:\Program Files\WinRAR\uninstall.exe
Yahoo! Install Manager-->F:\WINDOWS\system32\regsvr32 /u F:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar-->F:\PROGRA~1\Yahoo!\Common\unyt.exe

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: AVG Anti-Virus Free (disabled)

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 4 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=0402
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


HiJackThis log
================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:28 PM, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Winamp Remote\bin\OrbTray.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [wincfgmon] F:\WINDOWS\system32\nenazijm.exe
O4 - HKCU\..\Run: [GetModule23] "F:\Program Files\GetModule\GetModule23.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "F:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

--
End of file - 3083 bytes
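
The HijackThis log above contains the persistence points this thread is about: a second executable appended to the Winlogon UserInit value (the F2 line, which runs at every logon before the shell), an IE start page pointed at a lookalike domain (R0), Run-key entries launching unrecognised executables (the O4 lines for nenazijm.exe and GetModule23.exe), and a Downloaded Program Files entry with no codebase URL (O16). The following Python script is an added example for triaging those line types; it is not part of the original post and not code from HijackThis or BleepingComputer. The sample lines are copied from the log above; the allowlists (KNOWN_GOOD_RUN, ALLOWED_BROWSER_HOSTS) and the rules are assumptions chosen for illustration.

```python
"""Triage a HijackThis (HJT) log for the persistence hijacks seen in this thread.

Added example: not part of the original forum post and not HijackThis code.
The sample lines are copied from the posted log; allowlists are assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\uesiuqcr.exe,
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [wincfgmon] F:\WINDOWS\system32\nenazijm.exe
O4 - HKCU\..\Run: [GetModule23] "F:\Program Files\GetModule\GetModule23.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "F:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
"""

# Assumed baselines. On a clean XP box UserInit is exactly userinit.exe; anything
# appended after the comma is launched at every logon, before the shell.
DEFAULT_USERINIT = "userinit.exe"
# Run-key executables accepted as legitimate for this particular machine (assumption).
KNOWN_GOOD_RUN = {"reader_sl.exe", "winampa.exe", "superantispyware.exe",
                  "ctfmon.exe", "orbtray.exe"}
# Hosts a stock IE7 start/search page is allowed to point at (assumption).
ALLOWED_BROWSER_HOSTS = {"go.microsoft.com", "www.google.com", "google.com"}
URL_KEYS = {"Start Page", "Default_Page_URL", "Default_Search_URL",
            "Search Page", "SearchAssistant"}

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
RUN_LINE = re.compile(
    r'^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.exe)"?(?:\s.*)?$',
    re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _host(value):
    """Host part of a URL or bare host name as written in an HJT R0/R1 line."""
    return (urlsplit(value if "://" in value else "//" + value).hostname or "").lower()


def triage(log_text):
    """Return [(hjt_kind, reason), ...] for lines that warrant a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "F2" and "UserInit=" in body:
            # Winlogon UserInit: flag every component that is not userinit.exe.
            value = body.split("UserInit=", 1)[1]
            for exe in (p.strip() for p in value.split(",") if p.strip()):
                if _basename(exe) != DEFAULT_USERINIT:
                    findings.append((kind, f"extra UserInit executable: {exe}"))
        elif kind in ("R0", "R1"):
            # Browser start/search pages: flag hosts outside the allowlist
            # (google.net-studio.org is a lookalike, not Google).
            key, _, value = body.partition(" = ")
            name = key.rsplit(",", 1)[-1]
            if name in URL_KEYS and _host(value) not in ALLOWED_BROWSER_HOSTS:
                findings.append((kind, f"{name} points at {_host(value)}"))
        elif kind == "O4":
            # Autostart Run keys: flag executables not on the allowlist.
            m4 = RUN_LINE.match(body)
            if m4 and _basename(m4.group("path")) not in KNOWN_GOOD_RUN:
                findings.append((kind, f"unrecognised autostart [{m4.group('name')}] -> {m4.group('path')}"))
        elif kind == "O16" and body.rstrip().endswith("-"):
            # Downloaded Program Files entry whose codebase URL is gone: a leftover
            # ActiveX control that is worth removing.
            findings.append((kind, f"DPF entry with no codebase URL: {body}"))
    return findings


if __name__ == "__main__":
    for kind, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}")
```

Run against the sample it reports five findings, in log order: the hijacked start page, the extra UserInit executable uesiuqcr.exe, the two unrecognised Run entries, and the empty DPF entry; the legitimate Adobe, ctfmon and Orb entries pass. The allowlist approach is deliberate: random-looking file names cannot be told apart from real system names by spelling alone (userinit.exe and uesiuqcr.exe have the same letters), so a known-good baseline plus the rule that UserInit must contain nothing but userinit.exe is the reliable check.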

#7 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:01:02 PM

Posted 03 November 2008 - 08:52 AM

Sorry for the delay, real-life issues got to me. I'll be getting back with a fix soon, thanks for your awesome patience. :thumbsup:

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#8 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:01:02 PM

Posted 03 November 2008 - 12:24 PM

Hey Haf-A-Mil,

Are you still using AVG as your anti-virus? If so, please enable it and update it immediately.

There seem to be hidden infections on your computer; a stronger tool is needed to reveal them.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt and a fresh HijackThis log in your next reply.

PS. I will be away from 4th to 5th November, please be patient and I'll get back with a fix as soon as I can, thanks for your understanding. :thumbsup:



#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:02 AM

Posted 03 November 2008 - 06:06 PM

Hi Haf-A-Mil.

LT has an exam coming up and he needs a bit of time off, so I will be handling this log with you. :thumbsup:

Please follow the instructions in his previous post, and post back with the results when you are ready.

With regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#10 Haf-A-Mil

Haf-A-Mil
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:02 AM

Posted 04 November 2008 - 04:18 AM

Thanks for the help, guys. It looks like the hidden files are gone, at least as far as I can see (the files I was suspicious of are no longer in startup under msconfig). Let me know what you guys think; here is the ComboFix log file as well as the new HijackThis log file. I do, however, have a follow-up question: would you guys happen to know of a sure-fire way of installing AVG with only the essentials needed? My box only has 512 MB of RAM, and the processes that the new AVG 8.0 runs are bogging down my machine. Again, I appreciate all of your help. How do the log files look?

ComboFix Log File
====================



ComboFix 08-11-03.04 - HOME 2008-11-04 3:55:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.319 [GMT -5:00]
Running from: f:\documents and settings\HOME\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.

2008-11-04 03:44 . 2008-11-04 03:44 <DIR> d-------- f:\windows\LastGood
2008-11-01 19:17 . 2008-11-01 19:17 <DIR> d-------- f:\windows\system32\scripting
2008-11-01 19:17 . 2008-11-01 19:17 <DIR> d-------- f:\windows\l2schemas
2008-11-01 19:16 . 2008-11-01 19:16 <DIR> d-------- f:\windows\system32\en
2008-11-01 19:16 . 2008-11-01 19:16 <DIR> d-------- f:\windows\system32\bits
2008-11-01 19:09 . 2008-11-01 19:09 <DIR> d-------- f:\windows\ServicePackFiles
2008-11-01 02:56 . 2008-11-01 02:56 <DIR> d-------- f:\program files\mkv2vob
2008-10-31 19:18 . 2008-10-31 19:18 <DIR> d-------- F:\rsit
2008-10-31 18:53 . 2008-10-31 18:53 <DIR> d-------- f:\windows\ERUNT
2008-10-31 18:48 . 2008-10-31 19:08 <DIR> d-------- F:\SDFix
2008-10-27 20:53 . 2008-10-27 20:53 <DIR> d-------- f:\program files\Winamp Remote
2008-10-27 20:53 . 2008-10-27 20:54 <DIR> d-------- f:\documents and settings\All Users\Application Data\OrbNetworks
2008-10-27 20:52 . 2008-10-27 20:53 <DIR> d-------- f:\program files\Winamp
2008-10-27 20:52 . 2008-10-27 20:53 <DIR> d-------- f:\documents and settings\HOME\Application Data\Winamp
2008-10-27 16:06 . 2008-10-27 16:06 <DIR> d-------- f:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-10-27 16:05 . 2008-10-27 16:05 <DIR> d-------- f:\documents and settings\Administrator\Application Data\Malwarebytes
2008-10-27 16:04 . 2008-10-27 16:04 <DIR> d-------- f:\documents and settings\Administrator
2008-10-27 16:00 . 2008-10-27 16:00 <DIR> d-------- f:\program files\SUPERAntiSpyware
2008-10-27 16:00 . 2008-10-27 16:00 <DIR> d-------- f:\documents and settings\HOME\Application Data\SUPERAntiSpyware.com
2008-10-27 16:00 . 2008-10-27 16:00 <DIR> d-------- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-27 15:59 . 2008-11-01 02:55 <DIR> d-------- f:\program files\Common Files\Wise Installation Wizard
2008-10-27 14:44 . 2008-10-15 11:34 337,408 -----c--- f:\windows\system32\dllcache\netapi32.dll
2008-10-23 03:41 . 2008-10-23 03:41 <DIR> d-------- f:\program files\Common Files\Adobe AIR
2008-10-23 03:37 . 2008-10-23 03:39 <DIR> d-------- f:\program files\Common Files\Adobe
2008-10-23 03:33 . 2008-10-27 14:41 <DIR> d-------- f:\program files\NOS
2008-10-23 03:33 . 2008-10-27 14:41 <DIR> d-------- f:\documents and settings\All Users\Application Data\NOS
2008-10-22 21:12 . 2008-10-03 12:41 6,066,176 -----c--- f:\windows\system32\dllcache\ieframe.dll
2008-10-22 21:12 . 2007-04-17 04:32 2,455,488 -----c--- f:\windows\system32\dllcache\ieapfltr.dat
2008-10-22 21:12 . 2007-03-08 00:10 991,232 -----c--- f:\windows\system32\dllcache\ieframe.dll.mui
2008-10-22 21:12 . 2008-08-26 02:24 459,264 -----c--- f:\windows\system32\dllcache\msfeeds.dll
2008-10-22 21:12 . 2008-08-26 02:24 383,488 -----c--- f:\windows\system32\dllcache\ieapfltr.dll
2008-10-22 21:12 . 2008-08-26 02:24 267,776 -----c--- f:\windows\system32\dllcache\iertutil.dll
2008-10-22 21:12 . 2008-08-26 02:24 63,488 -----c--- f:\windows\system32\dllcache\icardie.dll
2008-10-22 21:12 . 2008-08-26 02:24 52,224 -----c--- f:\windows\system32\dllcache\msfeedsbs.dll
2008-10-22 21:12 . 2008-08-25 03:38 13,824 -----c--- f:\windows\system32\dllcache\ieudinit.exe
2008-10-20 08:57 . 2008-04-13 19:12 412,160 --------- f:\windows\system32\photometadatahandler.dll
2008-10-20 08:56 . 2008-04-13 19:12 4,274,816 --------- f:\windows\system32\nv4_disp.dll
2008-10-20 08:55 . 2008-04-13 19:11 397,312 --------- f:\windows\system32\mmcex.dll
2008-10-20 08:55 . 2008-04-13 19:11 184,320 --------- f:\windows\system32\microsoft.managementconsole.dll
2008-10-20 08:55 . 2008-04-13 19:11 106,496 --------- f:\windows\system32\mmcfxcommon.dll
2008-10-20 08:55 . 2008-04-13 19:11 86,016 --------- f:\windows\system32\mdmxsdk.dll
2008-10-20 08:55 . 2008-04-13 19:12 33,792 --------- f:\windows\system32\mmcperf.exe
2008-10-20 08:55 . 2004-08-03 21:41 11,868 --------- f:\windows\system32\drivers\mdmxsdk.sys
2008-10-20 08:54 . 2008-04-13 19:11 61,440 --------- f:\windows\system32\kmsvc.dll
2008-10-20 08:54 . 2008-04-13 19:11 37,376 --------- f:\windows\system32\l2gpstore.dll
2008-10-20 08:54 . 2008-04-13 19:09 6,144 --------- f:\windows\system32\kbdpash.dll
2008-10-20 08:54 . 2008-04-13 19:09 6,144 --------- f:\windows\system32\kbdnepr.dll
2008-10-20 08:54 . 2008-04-13 19:09 6,144 --------- f:\windows\system32\kbdiultn.dll
2008-10-20 08:54 . 2008-04-13 19:09 6,144 --------- f:\windows\system32\kbdbhc.dll
2008-10-20 08:52 . 2008-04-13 19:11 1,888,992 --------- f:\windows\system32\ati3duag.dll
2008-10-20 08:51 . 2004-08-03 21:29 701,440 --------- f:\windows\system32\drivers\ati2mtag.sys
2008-10-20 07:58 . 2008-10-20 08:01 <DIR> d-------- f:\documents and settings\HOME\Application Data\vlc
2008-10-20 07:54 . 2008-10-20 07:54 <DIR> d-------- f:\program files\VideoLAN
2008-10-17 03:33 . 2008-10-17 03:33 <DIR> d-------- f:\program files\Windows Media Connect 2
2008-10-17 03:26 . 2008-10-17 03:26 <DIR> d-------- f:\windows\system32\LogFiles
2008-10-17 03:26 . 2008-10-17 03:30 <DIR> d-------- f:\windows\system32\drivers\UMDF
2008-10-17 03:09 . 2008-10-17 03:09 <DIR> d-------- f:\program files\DVD Shrink
2008-10-17 03:09 . 2008-10-17 03:09 <DIR> d-------- f:\documents and settings\All Users\Application Data\DVD Shrink
2008-10-17 02:37 . 2008-10-17 02:37 0 --a------ f:\windows\nsreg.dat
2008-10-17 02:24 . 2008-10-17 02:24 <DIR> d-------- f:\program files\uTorrent
2008-10-17 02:24 . 2008-11-01 05:11 <DIR> d-------- f:\documents and settings\HOME\Application Data\uTorrent
2008-10-17 02:01 . 2008-11-01 19:28 2,675 --a------ f:\windows\imsins.BAK
2008-10-16 23:28 . 2008-10-27 16:06 <DIR> d-------- f:\program files\Malwarebytes' Anti-Malware
2008-10-16 23:28 . 2008-10-16 23:28 <DIR> d-------- f:\documents and settings\HOME\Application Data\Malwarebytes
2008-10-16 23:28 . 2008-10-16 23:28 <DIR> d-------- f:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-16 23:28 . 2008-10-22 15:10 38,496 --a------ f:\windows\system32\drivers\mbamswissarmy.sys
2008-10-16 23:28 . 2008-10-22 15:10 15,504 --a------ f:\windows\system32\drivers\mbam.sys
2008-10-16 22:49 . 2008-10-16 22:49 <DIR> d-------- f:\program files\Trend Micro
2008-10-16 22:37 . 2008-10-16 22:37 <DIR> d-------- f:\program files\Yahoo!
2008-10-16 22:37 . 2008-10-16 22:38 <DIR> d-------- f:\program files\CCleaner
2008-10-16 21:52 . 2008-10-16 21:52 91 --a------ f:\windows\wininit.ini
2008-10-16 19:48 . 2008-10-16 19:50 <DIR> d-------- f:\program files\Spybot - Search & Destroy
2008-10-16 19:48 . 2008-10-20 08:24 <DIR> d-------- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 19:41 . 2008-10-16 19:42 <DIR> d--h-c--- f:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-16 19:33 . 2008-10-17 02:09 <DIR> d-------- f:\program files\ighmcwc
2008-10-16 19:33 . 2008-10-16 19:33 <DIR> d-------- f:\documents and settings\All Users\Application Data\svmpylyj
2008-10-16 19:32 . 2008-10-17 03:12 <DIR> d--h----- F:\$AVG8.VAULT$
2008-10-16 19:19 . 2008-10-20 08:21 <DIR> d-------- f:\windows\system32\drivers\Avg
2008-10-16 19:19 . 2008-10-16 19:19 <DIR> d-------- f:\program files\AVG
2008-10-16 19:19 . 2008-10-16 19:19 <DIR> d-------- f:\documents and settings\All Users\Application Data\avg8
2008-10-16 19:19 . 2008-10-16 19:19 97,928 --a------ f:\windows\system32\drivers\avgldx86.sys
2008-10-16 19:19 . 2008-10-16 19:19 76,040 --a------ f:\windows\system32\drivers\avgtdix.sys
2008-10-16 19:19 . 2008-10-16 19:19 10,520 --a------ f:\windows\system32\avgrsstx.dll
2008-10-16 19:13 . 2008-10-16 19:13 <DIR> d--hs---- f:\documents and settings\HOME\UserData
2008-10-16 19:09 . 2008-08-14 05:09 2,145,280 -----c--- f:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-16 19:09 . 2008-09-15 07:12 1,846,400 -----c--- f:\windows\system32\dllcache\win32k.sys
2008-10-16 19:09 . 2008-09-08 05:41 333,824 -----c--- f:\windows\system32\dllcache\srv.sys
2008-10-16 19:09 . 2008-06-13 06:05 272,128 --------- f:\windows\system32\drivers\bthport.sys
2008-10-16 19:09 . 2008-06-13 06:05 272,128 -----c--- f:\windows\system32\dllcache\bthport.sys
2008-10-16 19:08 . 2008-08-14 05:11 2,189,184 -----c--- f:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 19:08 . 2008-08-14 04:33 2,066,048 -----c--- f:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 19:08 . 2008-08-14 04:33 2,023,936 -----c--- f:\windows\system32\dllcache\ntkrpamp.exe
2008-10-16 19:08 . 2008-04-11 14:04 691,712 -----c--- f:\windows\system32\dllcache\inetcomm.dll
2008-10-16 19:08 . 2008-05-08 09:02 203,136 -----c--- f:\windows\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 23:42 --------- d-----w f:\program files\InstallShield Installation Information
2008-10-16 23:42 --------- d-----w f:\program files\D-Link
2008-10-16 23:41 --------- d-----w f:\program files\Common Files\InstallShield
2008-10-16 23:12 --------- d-----w f:\program files\microsoft frontpage
2008-09-15 12:12 1,846,400 ----a-w f:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w f:\windows\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w f:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w f:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w f:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="f:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Orb"="f:\program files\Winamp Remote\bin\OrbTray.exe" [2008-03-31 507904]
"WMPNSCFG"="f:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"WinampAgent"="f:\program files\Winamp\winampa.exe" [2008-08-03 36352]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 f:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"GetModule23"="f:\program files\GetModule\GetModule23.exe"
"ctfmon.exe"=f:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"brastk"=f:\windows\system32\brastk.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"f:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"f:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"f:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"f:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;f:\windows\system32\Drivers\avgldx86.sys [2008-10-16 97928]
R2 AvgTdiX;AVG Free8 Network Redirector;f:\windows\system32\Drivers\avgtdix.sys [2008-10-16 76040]
R3 NtApm;NT Apm/Legacy Interface Driver;f:\windows\system32\DRIVERS\NtApm.sys [2001-08-17 9344]
S4 avg8emc;AVG Free8 E-mail Scanner;f:\progra~1\AVG\AVG8\avgemc.exe [2008-10-16 875288]
S4 avg8wd;AVG Free8 WatchDog;f:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-16 231704]

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-wincfgmon - f:\windows\system32\nenazijm.exe
HKCU-Run-GetModule23 - f:\program files\GetModule\GetModule23.exe
MSConfigStartUp-brastk - f:\windows\system32\brastk.exe
MSConfigStartUp-GetModule23 - f:\program files\GetModule\GetModule23.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - f:\documents and settings\HOME\Application Data\Mozilla\Firefox\Profiles\9688009d.default\
FF -: plugin - f:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 03:59:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-04 4:02:08
ComboFix-quarantined-files.txt 2008-11-04 09:01:59

Pre-Run: 223,598,858,240 bytes free
Post-Run: 223,689,023,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
f:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

187 --- E O F --- 2008-11-04 08:47:10


HiJackThis Log File
====================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:37 AM, on 11/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Winamp Remote\bin\OrbTray.exe
F:\Program Files\Windows Media Player\WMPNSCFG.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "F:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] F:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

--
End of file - 2749 bytes

#11 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 05 November 2008 - 07:36 AM

Hi Haf-A-Mil, sorry for the delay.

Log looks much better now.

My box only has 512mb of RAM and the Processes that the new AVG 8.0 run is bogging down my machine. Again I appreciate all of you guys help, how do the log files look???

Well, you can reinstall it and during the installation process you can choose Custom installation which will let you choose what to install and what not to install.

If that still doesn't work you might want to switch to another Anti-virus program such as Antivir. It's more of a light-weight anti-virus.

Still some work left to do.

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow users to share files with each other, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, via the included links: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    f:\windows\system32\brastk.exe
    
    Folder::
    f:\program files\GetModule
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "brastk"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "GetModule23"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and Install Java to Version 6 Update 10

I see you have no Java installed. This is not bad, but there are certain websites that require Java, so please install it, because the online scan that you need to do afterwards requires Java. :thumbsup:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Combofix log
-Kaspersky log
-Fresh RSIT log
-How is your computer running?


Thanks :)

With Regards,
Extremeboy

Edited by extremeboy, 05 November 2008 - 07:37 AM.

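Added example, not part of the post above or of ComboFix itself: a small Python checker that reads the "run-" entries from the ComboFix log excerpt in this thread and reports which of them the CFScript actually removes, so a helper can confirm the script hits brastk and GetModule23 while leaving the legitimate ctfmon.exe value alone. The CFScript semantics it assumes (a "name"=- line removes one value; a [key] line with no values after it removes the whole key) are the checker's own reading of the format, not documented ComboFix behaviour.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the ComboFix log's "Reg Loading Points" section as
# posted in this thread, abridged to the two "run-" keys (msconfig's parking
# place for unticked startup items).
COMBOFIX_EXCERPT = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"GetModule23"="f:\program files\GetModule\GetModule23.exe"
"ctfmon.exe"=f:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"brastk"=f:\windows\system32\brastk.exe
"""

# The CFScript from the post above, copied as given.
CFSCRIPT = r"""
File::
f:\windows\system32\brastk.exe
Folder::
f:\program files\GetModule
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"brastk"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"GetModule23"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}]
"""

ENTRY_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_run_entries(log: str) -> List[Tuple[str, str, str]]:
    """Collect (key, value name, path) for every "name"=path under a [key]."""
    entries: List[Tuple[str, str, str]] = []
    key: Optional[str] = None
    for line in (ln.strip() for ln in log.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := ENTRY_RE.match(line)):
            # ComboFix appends " [date size]" to entries it could stat; drop
            # that and any surrounding quotes to keep the bare path.
            path = re.sub(r"\s*\[[^\]]*\]$", "", m.group(2)).strip().strip('"')
            entries.append((key, m.group(1), path.lower()))
    return entries


def parse_cfscript(text: str) -> Dict[str, list]:
    """Split a CFScript into File::, Folder:: and Registry:: lists. Assumed
    semantics (this checker's reading, not ComboFix documentation): "name"=-
    removes one value; a [key] with no "name"=- after it removes the whole
    key and is recorded as (key, None)."""
    sections: Dict[str, list] = {"File": [], "Folder": [], "Registry": []}
    keys: List[str] = []
    current = key = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith("::"):
            current, key = line[:-2], None
        elif current == "Registry" and line.startswith("["):
            keys.append(key := line[1:-1].lower())
        elif current == "Registry" and line.endswith("=-") and key:
            sections["Registry"].append((key, line[1:-3]))  # drop quotes and =-
        elif current in sections:
            sections[current].append(line.lower())
    valued = {k for k, _ in sections["Registry"]}
    sections["Registry"] += [(k, None) for k in keys if k not in valued]
    return sections


def review_script(log: str, script_text: str) -> Dict[str, bool]:
    """Map each startup value name in the log to whether the CFScript removes
    it: by value, by whole key, by file, or by a folder containing the file."""
    s = parse_cfscript(script_text)
    folders = [f.rstrip("\\") + "\\" for f in s["Folder"]]
    return {
        name: (key, name) in s["Registry"] or (key, None) in s["Registry"]
        or path in s["File"] or any(path.startswith(f) for f in folders)
        for key, name, path in parse_run_entries(log)
    }
```

Run `review_script(COMBOFIX_EXCERPT, CFSCRIPT)` to get a per-entry verdict; a legitimate value such as ctfmon.exe reporting False is the expected result, not a gap in the script.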

#12 Shaba
  • Koutsi
  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 10 November 2008 - 08:53 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Microsoft MVP Consumer Security



