wmsncs Appears To Be a Stubborn Infection


  • This topic is locked
40 replies to this topic

#1 Jove


  • Members
  • 2,739 posts
  • Gender:Male
  • Location:Very South Jersey

Posted 18 November 2008 - 08:16 AM

About the wmsncs files seen below:
I was able to get rid of two of them; however, there are two remaining that don't seem to be affected by AVG, MBAM, Panda ActiveScan or Spybot. I was unable to get Ad-Aware functioning.

Please note the untitled entry above those wmsncs entries.

Also, there are two HDs in this system; the slave drive has not been fully scanned!

[Posted Image: screenshot not preserved]

Also, when I search for the wmsncs file in Autoruns, I get the following:

[Posted Image: screenshot not preserved]


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:46 AM, on 11/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\PROGRA~1\RINGCE~1\RINGCE~1\R0FAXEDT.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\system32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spool Driver Service] C:\WINDOWS\system32\spool\drivers\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Wins Service] C:\WINDOWS\system32\wins\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224997771786
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C70B91E-BAE1-437E-B0D2-66871D3730F1}: NameServer = 209.204.64.2 209.204.64.3
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6725 bytes


OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
Compaq Presario 4403US
Processor x86 Family 6 Model 11 Stepping 1 GenuineIntel ~1395 Mhz
Boot Device \Device\HarddiskVolume1
Total Physical Memory 256.50 MB
Available Physical Memory 47.00 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
AVG
COMODO FW
MalwareBytes
SpyBot


BTW, can I uncheck some startup items in the Configuration Utility?

Edited by Jove, 18 November 2008 - 01:04 PM.

When you don't have to worry about your computer anymore, you can start
living again !

Success is a result, not a goal. . . . Flaubert
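The O4 lines in the log above list one file name, wmsncs.exe, under four different directories (Common Files\System, system32\spool\drivers, Fonts, system32\wins) and under the SYSTEM and Default User hives as well as HKLM; the RSIT log later in the thread also shows Windows Firewall exceptions for it, one of them by bare file name with no path. The following Python script is an added example, not part of this thread or of HijackThis, RSIT or any other tool mentioned here: it parses such log lines, groups them by file name, and flags names that show that pattern. The directory list in ODD_DIRS and the four rules are this example's own heuristics, and SAMPLE_LOG is an excerpt assembled from the lines posted in the thread, not a complete log.

```python
import re
from collections import defaultdict

# Constructed excerpt: HijackThis O4 lines and RSIT firewall-policy lines
# copied from the logs posted in this thread (not a complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\system32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spool Driver Service] C:\WINDOWS\system32\spool\drivers\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Wins Service] C:\WINDOWS\system32\wins\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'Default user')
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"
"C:\WINDOWS\Fonts\wmsncs.exe"="C:\WINDOWS\Fonts\wmsncs.exe:*:Enabled:workstation"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"""

# HijackThis O4 line: hive, value name, command line, optional "(User '...')" suffix.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# RSIT dump of the XP firewall AuthorizedApplications list: "key"="path:*:Enabled:label".
FW_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')

# Heuristic (this example's own assumption): directories from which a
# legitimately installed program would not normally be autostarted.
ODD_DIRS = ("\\fonts", "\\system32\\wins", "\\spool\\drivers", "\\common files\\system")


def image_path(cmd: str) -> str:
    """Return the executable path from a Run-key command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(log_text: str) -> dict:
    """Group autostart and firewall entries by file name and flag odd patterns.

    Returns {basename: {"paths", "hives", "firewall", "reasons"}} for names
    that triggered at least one reason; everything else is dropped.
    """
    entries = defaultdict(lambda: {"paths": set(), "hives": set(), "firewall": [], "reasons": []})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            entries[basename(path)]["paths"].add(path.lower())
            entries[basename(path)]["hives"].add(m.group("hive"))
            continue
        m = FW_RE.match(line)
        if m:
            path = m.group("value").split(":*:")[0]
            entries[basename(path)]["firewall"].append(path)

    for base, e in entries.items():
        dirs = {p.rsplit("\\", 1)[0] for p in e["paths"] if "\\" in p}
        if len(dirs) > 1:
            e["reasons"].append(f"same file name autostarted from {len(dirs)} different directories")
        if any(h.startswith("HKUS\\") for h in e["hives"]):
            e["reasons"].append("Run value under the SYSTEM or Default User hive (HKUS)")
        if any(d.endswith(ODD_DIRS) for d in dirs):
            e["reasons"].append("image stored in a directory that does not normally hold autostart programs")
        if any("\\" not in p for p in e["firewall"]):
            e["reasons"].append("firewall exception granted by bare file name, not a full path")
    return {b: e for b, e in entries.items() if e["reasons"]}


if __name__ == "__main__":
    for name, e in analyze(SAMPLE_LOG).items():
        print(name)
        for p in sorted(e["paths"]):
            print("  path:", p)
        for fw in e["firewall"]:
            print("  firewall:", fw)
        for r in e["reasons"]:
            print("  flag:", r)
```

On the excerpt above only wmsncs.exe is reported, with all four reasons; evntsvc.exe, CPF.exe, ctfmon.exe and avgemc.exe fall through. The script ranks what to look at, it does not decide: a Run value can outlive the file it points to, so each flagged path should be checked on disk (none of the wmsncs.exe paths appears in the "Running processes" list of the log above), and a firewall exception keyed by bare file name is worth removing regardless of what the file turns out to be, because it would apply to any program of that name.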



#2 Farbar


    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 November 2008 - 04:35 PM

Hi Jove,

Welcome to the BC HijackThis forum, and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • To get an idea about the current condition of your computer, download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

      Note 1: If you have difficulty finding the logs, the logs are in this folder: C:\rsit

      Note 2: The tool takes no more than one minute to scan the system.
  • Tell me if you have done anything since the previous post, or if you have run any other tools. Also tell me what the current condition of your computer is.

You might want to save this page to your favorites, so you can find it again when you return.

#3 Jove

  • Topic Starter

  • Members
  • 2,739 posts
  • Gender:Male
  • Location:Very South Jersey

Posted 28 November 2008 - 06:23 PM

Hello farbar,
I have recently unchecked msmsgs in the Configuration Utility.
I cannot think of any other changes I may have made.
The computer has been running OK. I get a lot of messages from the Comodo Firewall; I have kept a log of most of these.
I am posting because of some doubtful files, as previously mentioned.
I am wondering if I may have spyware or something else installed without my permission.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Logfile of random's system information tool 1.04 (written by random/random)
Run by Jp at 2008-11-28 18:16:21
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 146 GB (96%) free of 153 GB
Total RAM: 254 MB (16% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:25 PM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jp\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Jp.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\system32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spool Driver Service] C:\WINDOWS\system32\spool\drivers\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Wins Service] C:\WINDOWS\system32\wins\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224997771786
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C70B91E-BAE1-437E-B0D2-66871D3730F1}: NameServer = 209.204.64.2 209.204.64.3
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6678 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Registration reminder 1.job
C:\WINDOWS\tasks\Registration reminder 2.job
C:\WINDOWS\tasks\Registration reminder 3.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-10-29 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-18 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-18 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-18 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"=C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe [2001-12-14 32768]
"WCOLOREAL"=C:\Program Files\COMPAQ\Coloreal\coloreal.exe [2002-02-20 143360]
"Smapp"=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe [2001-10-12 69632]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe [2008-10-26 146432]
"AutoLogon"= []
"NvidMediaCenter"=C:\Program Files\Common Files\System\wmsncs.exe []
"Spool Driver Service"=C:\WINDOWS\system32\spool\drivers\wmsncs.exe []
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-03 208952]
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE [2001-08-18 44032]
"MSPY2002"=C:\WINDOWS\system32\I [2008-10-26 80]
"PHIME2002ASync"=C:\WINDOWS\system32\I [2008-10-26 80]
"PHIME2002A"=C:\WINDOWS\system32\I [2008-10-26 80]
"COMODO Firewall Pro"=C:\Program Files\Comodo\Firewall\CPF.exe [2008-10-30 1115728]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2006-03-21 1191936]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-28 1261336]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-18 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"OM2_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe [2007-02-08 95800]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
C:\WINDOWS\system32\carpserv.exe [2002-01-02 4608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"
"C:\WINDOWS\Fonts\wmsncs.exe"="C:\WINDOWS\Fonts\wmsncs.exe:*:Enabled:workstation"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-11-28 18:16:21 ----D---- C:\rsit
2008-11-27 17:37:25 ----A---- C:\WINDOWS\wininit.ini
2008-11-25 11:47:57 ----D---- C:\WINDOWS\Sun
2008-11-18 07:17:46 ----D---- C:\Program Files\Trend Micro
2008-11-18 03:33:29 ----D---- C:\Program Files\Panda Security
2008-11-18 03:20:43 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-11-18 03:20:42 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-18 03:20:42 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-18 03:20:42 ----A---- C:\WINDOWS\system32\java.exe
2008-11-18 03:20:17 ----D---- C:\Program Files\Java
2008-11-17 09:25:45 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-17 07:31:40 ----A---- C:\spybotsd160.exe
2008-11-16 19:50:17 ----D---- C:\Program Files\Lavasoft
2008-11-16 19:50:16 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-11-16 19:47:13 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-16 17:27:47 ----A---- C:\aaw2008(2).exe
2008-11-16 17:21:39 ----A---- C:\aaw2008.exe
2008-11-16 17:21:22 ----A---- C:\aaw2008.exe.part
2008-11-16 09:36:13 ----D---- C:\Documents and Settings\Jp\Application Data\RingCentral
2008-11-16 09:36:00 ----A---- C:\WINDOWS\R0DB.Ini
2008-11-16 09:32:43 ----D---- C:\WINDOWS\FORMS
2008-11-16 09:23:36 ----A---- C:\WINDOWS\MTU.INI
2008-11-16 09:22:55 ----A---- C:\WINDOWS\winhelp.ini
2008-11-16 09:22:39 ----A---- C:\WINDOWS\system32\R0TIFF32.DLL
2008-11-16 09:22:39 ----A---- C:\WINDOWS\system32\R0TGA32.DLL
2008-11-16 09:22:39 ----A---- C:\WINDOWS\system32\R0PCX32.DLL
2008-11-16 09:22:39 ----A---- C:\WINDOWS\system32\MFCOLEUI.DLL
2008-11-16 09:22:38 ----A---- C:\WINDOWS\system32\R0TIFF.DLL
2008-11-16 09:22:38 ----A---- C:\WINDOWS\system32\R0TGA.DLL
2008-11-16 09:22:38 ----A---- C:\WINDOWS\system32\R0PCX.DLL
2008-11-16 09:22:38 ----A---- C:\WINDOWS\system32\R0IMG32.DLL
2008-11-16 09:22:38 ----A---- C:\WINDOWS\system32\R0IMAGE.DLL
2008-11-16 09:22:38 ----A---- C:\WINDOWS\system32\R0GIF32.DLL
2008-11-16 09:22:38 ----A---- C:\WINDOWS\system32\R0GIF.DLL
2008-11-16 09:22:37 ----A---- C:\WINDOWS\system32\R0Log.dll
2008-11-16 09:22:37 ----A---- C:\WINDOWS\R0SYSTEM.INI
2008-11-16 09:22:37 ----A---- C:\WINDOWS\R0SAPI.INI
2008-11-16 09:22:37 ----A---- C:\WINDOWS\R0RM.INI
2008-11-16 09:22:37 ----A---- C:\WINDOWS\R0LOCAL.INI
2008-11-16 09:22:37 ----A---- C:\WINDOWS\R0FAXSRV.INI
2008-11-16 09:22:37 ----A---- C:\WINDOWS\R0EDIT.INI
2008-11-16 09:22:25 ----D---- C:\Program Files\RingCentral
2008-11-15 07:27:35 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-15 03:04:04 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-11-15 03:01:46 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-15 03:01:38 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-15 03:01:23 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-14 12:44:00 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2008-11-09 16:46:04 ----D---- C:\Program Files\Common Files\muvee Technologies
2008-11-09 16:45:25 ----RA---- C:\WINDOWS\system32\msvcr80.dll
2008-11-09 16:45:25 ----RA---- C:\WINDOWS\system32\msvcp80.dll
2008-11-09 16:45:25 ----RA---- C:\WINDOWS\system32\atl80.dll
2008-11-09 16:45:24 ----RA---- C:\WINDOWS\system32\mfc80u.dll
2008-11-09 16:43:47 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-11-09 16:42:44 ----D---- C:\Program Files\OLYMPUS
2008-11-09 16:41:45 ----D---- C:\Program Files\MSXML 4.0
2008-11-09 03:06:39 ----D---- C:\WINDOWS\Prefetch
2008-11-08 21:49:28 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-11-08 21:49:21 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-11-08 21:49:11 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-11-08 21:49:03 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-11-08 21:48:50 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-11-08 21:48:37 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-11-08 21:48:20 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-11-08 21:48:09 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-11-08 21:48:01 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-11-08 21:47:51 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-11-08 21:47:44 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-11-08 21:47:36 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-11-08 21:47:29 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-11-08 21:47:21 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-11-08 21:40:41 ----D---- C:\WINDOWS\system32\scripting
2008-11-08 21:40:39 ----D---- C:\WINDOWS\l2schemas
2008-11-08 21:40:38 ----D---- C:\WINDOWS\system32\en
2008-11-07 17:56:01 ----D---- C:\Documents and Settings\Jp\Application Data\Sun
2008-11-07 10:54:00 ----D---- C:\Documents and Settings\Jp\Application Data\Macromedia
2008-11-07 10:26:41 ----A---- C:\install_flash_player.exe
2008-11-06 21:02:40 ----A---- C:\HJTInstall.exe
2008-11-06 12:28:43 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-06 11:44:20 ----D---- C:\Documents and Settings\Jp\Application Data\AdobeUM
2008-11-06 11:44:07 ----D---- C:\Documents and Settings\Jp\Application Data\Adobe
2008-11-06 11:44:05 ----D---- C:\Program Files\Common Files\Adobe
2008-11-06 11:42:36 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-11-06 11:42:32 ----D---- C:\Program Files\Adobe
2008-11-06 11:41:10 ----D---- C:\WINDOWS\Cache
2008-11-06 09:23:44 ----A---- C:\AdbeReader60.exe
2008-11-05 11:13:48 ----D---- C:\Documents and Settings\Jp\Application Data\Canon
2008-11-05 11:02:05 ----HD---- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-11-05 11:01:58 ----A---- C:\WINDOWS\system32\CNMLM83.DLL
2008-11-05 11:01:52 ----HD---- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-11-05 11:01:47 ----A---- C:\WINDOWS\system32\cnco160.dll
2008-11-05 11:01:46 ----A---- C:\WINDOWS\system32\CNCL160.DLL
2008-11-05 11:01:46 ----A---- C:\WINDOWS\system32\CNCI160.DLL
2008-11-05 11:01:46 ----A---- C:\WINDOWS\system32\CNCC160.DLL
2008-11-05 11:01:43 ----HD---- C:\Program Files\CanonBJ
2008-11-05 11:00:52 ----D---- C:\Program Files\Canon
2008-11-04 23:03:32 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-11-04 23:03:27 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-11-04 23:03:26 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-11-04 23:03:26 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-11-04 23:03:22 ----N---- C:\WINDOWS\system32\verclsid.exe
2008-11-04 23:03:17 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-11-04 23:03:16 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-11-04 23:03:03 ----N---- C:\WINDOWS\system32\setupn.exe
2008-11-04 23:02:58 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-11-04 23:02:56 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-11-04 23:02:55 ----N---- C:\WINDOWS\system32\qutil.dll
2008-11-04 23:02:54 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-11-04 23:02:54 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-11-04 23:02:54 ----N---- C:\WINDOWS\system32\qagent.dll
2008-11-04 23:02:52 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-11-04 23:02:48 ----N---- C:\WINDOWS\system32\onex.dll
2008-11-04 23:02:38 ----N---- C:\WINDOWS\system32\napstat.exe
2008-11-04 23:02:38 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-11-04 23:02:38 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-11-04 23:02:36 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-11-04 23:02:36 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-11-04 23:02:33 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-11-04 23:02:33 ----N---- C:\WINDOWS\system32\mssha.dll
2008-11-04 23:02:19 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-11-04 23:02:18 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-11-04 23:02:18 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-11-04 23:02:18 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-11-04 23:02:08 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-11-04 23:01:52 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-11-04 23:01:51 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-11-04 23:01:51 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-11-04 23:01:50 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-11-04 23:01:50 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-11-04 23:01:14 ----A---- C:\WINDOWS\004958_.tmp
2008-11-04 23:01:12 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-11-04 23:01:12 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-11-04 23:01:12 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-11-04 23:01:12 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-11-04 23:01:12 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-11-04 23:01:12 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-11-04 23:01:12 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-11-04 23:01:12 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-11-04 23:01:08 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-11-04 23:01:08 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-11-04 23:01:08 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-11-04 23:01:07 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-11-04 23:01:07 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-11-04 23:01:07 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-11-04 23:01:07 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-11-04 23:01:05 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-11-04 23:01:05 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-11-04 23:01:04 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-11-04 23:01:01 ----N---- C:\WINDOWS\system32\credssp.dll
2008-11-04 23:00:53 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-11-04 23:00:52 ----N---- C:\WINDOWS\system32\azroles.dll
2008-11-04 23:00:41 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-10-30 22:32:11 ----HDC---- C:\WINDOWS\$NtUninstallKB921883$
2008-10-30 22:09:01 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
2008-10-30 21:50:48 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-10-30 09:23:32 ----D---- C:\Documents and Settings\Jp\Application Data\Comodo
2008-10-30 09:23:25 ----D---- C:\Documents and Settings\All Users\Application Data\Comodo
2008-10-30 09:21:02 ----A---- C:\boot.ini.comodofirewall
2008-10-30 09:20:04 ----D---- C:\Program Files\Comodo
2008-10-30 01:50:57 ----A---- C:\mbam-setup.exe
2008-10-29 23:15:14 ----A---- C:\CFP_Setup_English_2.4.18.184.exe
2008-10-29 22:57:54 ----HD---- C:\$AVG8.VAULT$
2008-10-29 21:44:27 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-10-29 21:22:08 ----D---- C:\WINDOWS\ie7updates
2008-10-29 21:21:02 ----D---- C:\WINDOWS\WBEM
2008-10-29 21:21:02 ----D---- C:\WINDOWS\system32\en-US
2008-10-29 21:20:07 ----HDC---- C:\WINDOWS\ie7
2008-10-29 21:19:37 ----HDC---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
2008-10-29 21:19:17 ----HDC---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
2008-10-29 21:18:50 ----HDC---- C:\WINDOWS\$NtUninstallKB915865$
2008-10-29 21:18:42 ----A---- C:\WINDOWS\system32\xmllite.dll
2008-10-29 21:16:54 ----D---- C:\WINDOWS\network diagnostic
2008-10-29 21:16:52 ----HDC---- C:\WINDOWS\$NtUninstallKB914440$
2008-10-29 21:16:37 ----HDC---- C:\WINDOWS\$NtUninstallKB904942$
2008-10-29 19:21:02 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-29 19:20:01 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
2008-10-29 06:05:28 ----A---- C:\avg_free_stf_en_8_175a1382.exe
2008-10-29 05:38:52 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-29 05:37:09 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2_0$
2008-10-29 05:37:01 ----HDC---- C:\WINDOWS\$NtUninstallKB952954_0$
2008-10-29 05:36:55 ----HDC---- C:\WINDOWS\$NtUninstallKB946648_0$
2008-10-29 05:36:49 ----HDC---- C:\WINDOWS\$NtUninstallKB956803_0$
2008-10-29 05:36:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-29 05:36:38 ----HDC---- C:\WINDOWS\$NtUninstallKB957095_0$
2008-10-29 05:36:31 ----HDC---- C:\WINDOWS\$NtUninstallKB950974_0$
2008-10-29 05:36:25 ----HDC---- C:\WINDOWS\$NtUninstallKB951698_0$
2008-10-29 05:36:18 ----HDC---- C:\WINDOWS\$NtUninstallKB954211_0$
2008-10-29 05:35:42 ----HDC---- C:\WINDOWS\$NtUninstallKB956841_0$
2008-10-29 05:35:22 ----HDC---- C:\WINDOWS\$NtUninstallKB950762_0$
2008-10-29 05:35:16 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-10-29 05:35:03 ----HDC---- C:\WINDOWS\$NtUninstallKB952287_0$
2008-10-29 05:34:58 ----HDC---- C:\WINDOWS\$NtUninstallKB901190$
2008-10-29 05:34:53 ----HDC---- C:\WINDOWS\$NtUninstallKB938464_0$
2008-10-29 05:34:31 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$

======List of files/folders modified in the last 1 months======

2008-11-28 18:17:25 ----D---- C:\WINDOWS\Temp
2008-11-28 18:16:14 ----A---- C:\WINDOWS\ModemLog_Conexant HSFi V90 V92 56K PCI Modem.txt
2008-11-28 18:05:04 ----D---- C:\Program Files\Mozilla Firefox
2008-11-28 17:56:41 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-28 14:30:33 ----RASH---- C:\boot.ini
2008-11-28 14:30:33 ----A---- C:\WINDOWS\win.ini
2008-11-28 14:30:33 ----A---- C:\WINDOWS\system.ini
2008-11-28 14:22:08 ----D---- C:\WINDOWS
2008-11-27 17:37:24 ----D---- C:\WINDOWS\system32
2008-11-27 17:37:24 ----D---- C:\WINDOWS\Help
2008-11-27 17:37:18 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-27 17:37:17 ----HD---- C:\WINDOWS\inf
2008-11-21 21:18:31 ----D---- C:\Documents and Settings\Jp\Application Data\Real
2008-11-18 07:17:46 ----RD---- C:\Program Files
2008-11-18 05:15:07 ----D---- C:\WINDOWS\system32\drivers
2008-11-18 03:21:41 ----SHD---- C:\WINDOWS\Installer
2008-11-16 19:47:13 ----D---- C:\Program Files\Common Files
2008-11-16 09:32:42 ----D---- C:\Program Files\Windows NT
2008-11-15 03:10:55 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-11-15 03:01:49 ----A---- C:\WINDOWS\imsins.BAK
2008-11-15 03:01:45 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-15 03:01:06 ----D---- C:\WINDOWS\WinSxS
2008-11-09 03:09:01 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-09 03:07:51 ----A---- C:\WINDOWS\OEWABLog.txt
2008-11-09 03:07:10 ----A---- C:\WINDOWS\setuplog.txt
2008-11-09 03:06:16 ----D---- C:\WINDOWS\system32\Setup
2008-11-09 03:06:16 ----D---- C:\Program Files\Messenger
2008-11-09 03:06:15 ----D---- C:\WINDOWS\system32\wbem
2008-11-09 03:06:15 ----D---- C:\WINDOWS\AppPatch
2008-11-09 03:06:14 ----RSD---- C:\WINDOWS\Fonts
2008-11-08 21:53:09 ----D---- C:\WINDOWS\security
2008-11-08 21:49:30 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-08 21:41:39 ----D---- C:\WINDOWS\ServicePackFiles
2008-11-08 21:41:37 ----D---- C:\Program Files\Windows Media Player
2008-11-08 21:41:10 ----D---- C:\WINDOWS\ime
2008-11-08 21:40:42 ----D---- C:\WINDOWS\system32\usmt
2008-11-08 21:40:37 ----D---- C:\WINDOWS\system32\bits
2008-11-08 21:40:37 ----D---- C:\WINDOWS\peernet
2008-11-08 21:40:36 ----D---- C:\Program Files\Movie Maker
2008-11-08 21:34:54 ----D---- C:\WINDOWS\system32\Restore
2008-11-08 21:34:53 ----D---- C:\WINDOWS\system32\npp
2008-11-08 21:34:51 ----D---- C:\WINDOWS\msagent
2008-11-08 21:34:48 ----D---- C:\WINDOWS\srchasst
2008-11-08 21:34:45 ----D---- C:\Program Files\NetMeeting
2008-11-08 21:34:42 ----D---- C:\WINDOWS\system32\Com
2008-11-08 21:34:37 ----D---- C:\Program Files\Outlook Express
2008-11-08 21:34:33 ----RSHD---- C:\Program Files\Common Files\System
2008-11-08 21:34:04 ----D---- C:\WINDOWS\system32\oobe
2008-11-08 21:34:00 ----D---- C:\WINDOWS\system
2008-11-08 21:30:06 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-11-08 21:29:44 ----HDC---- C:\WINDOWS\$ntservicepackuninstall$
2008-11-08 21:24:06 ----D---- C:\WINDOWS\EHome
2008-11-08 18:04:37 ----A---- C:\WINDOWS\WORDPAD.INI
2008-11-05 11:03:41 ----D---- C:\WINDOWS\Media
2008-11-05 11:01:51 ----D---- C:\WINDOWS\twain_32
2008-11-01 16:48:52 ----SD---- C:\Documents and Settings\Jp\Application Data\Microsoft
2008-10-29 21:44:05 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-29 21:41:15 ----D---- C:\Program Files\Internet Explorer
2008-10-29 21:21:09 ----D---- C:\WINDOWS\system32\config
2008-10-29 19:21:03 ----D---- C:\WINDOWS\Debug
2008-10-29 19:20:57 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-29 05:58:43 ----D---- C:\cpqs
2008-10-29 05:36:58 ----D---- C:\WINDOWS\system32\wins

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-10-29 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-10-29 26824]
R1 CmdMon;Comodo Application Engine; C:\WINDOWS\System32\DRIVERS\cmdmon.sys [2008-10-30 75520]
R1 EAWDMFD;EAWDMFD; C:\WINDOWS\system32\drivers\EAWDMFD.sys [1999-10-29 24348]
R1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2008-04-13 42752]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-10-29 76040]
R2 Fallback;Fallback; C:\WINDOWS\System32\DRIVERS\fallback.sys [2002-01-02 303171]
R2 Fsks;Fsks; C:\WINDOWS\System32\DRIVERS\fsksnt.sys [2002-01-02 124701]
R2 K56;K56; C:\WINDOWS\System32\DRIVERS\k56nt.sys [2002-01-02 428431]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2001-09-17 17744]
R2 SoftFax;SoftFax; C:\WINDOWS\System32\DRIVERS\faxnt.sys [2002-01-02 212491]
R2 StreamDispatcher;StreamDispatcher; C:\WINDOWS\System32\DRIVERS\strmdisp.sys [2002-01-02 33548]
R2 Tones;Tones; C:\WINDOWS\System32\DRIVERS\tonesnt.sys [2002-01-02 59663]
R2 V124;V124; C:\WINDOWS\System32\DRIVERS\v124nt.sys [2002-01-02 541981]
R3 basic2;basic2; C:\WINDOWS\System32\DRIVERS\basic2.sys [2002-01-02 84786]
R3 eaps2kbd;Compaq Easy Access PS2 Internet Keyboard (Win2K); C:\WINDOWS\System32\DRIVERS\eaps2kbd.sys [2001-12-28 24035]
R3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-10-30 159772]
R3 Rksample;Rksample; C:\WINDOWS\System32\DRIVERS\rksample.sys [2002-01-02 62422]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-01-16 415400]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2002-01-02 591520]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 FBIKB_NT;FBIKB_NT; \??\C:\WINDOWS\System32\Drivers\FBIKB_NT.Sys []
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-10-30 12543]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-10-30 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-10-30 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-10-30 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-10-30 19455]
S3 iAimFP5;iAimFP5; C:\WINDOWS\System32\DRIVERS\wADV07nt.sys [2001-10-30 11807]
S3 iAimFP6;iAimFP6; C:\WINDOWS\System32\DRIVERS\wADV08nt.sys [2001-10-30 11295]
S3 iAimFP7;iAimFP7; C:\WINDOWS\System32\DRIVERS\wADV09nt.sys [2001-10-30 11871]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-10-30 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-10-30 19551]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-10-30 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-10-30 23615]
S3 iAimTV5;iAimTV5; C:\WINDOWS\System32\DRIVERS\wATV10nt.sys [2001-10-30 25471]
S3 iAimTV6;iAimTV6; C:\WINDOWS\System32\DRIVERS\wATV06nt.sys [2001-10-30 22111]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-29 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-29 231704]
R2 CmdAgent;Comodo Application Agent; C:\Program Files\Comodo\Firewall\cmdagent.exe [2008-10-30 361040]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-18 152984]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]

-----------------EOF-----------------



\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\




info.txt logfile of random's system information tool 1.04 2008-11-28 18:17:29

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{854A5F01-D692-11D4-A984-009027EC0A9C}\setup.exe"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{945E2519-C2B9-11D3-9D56-0060B0A4823E}\setup.exe"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CD47EFC1-D692-11D4-A984-009027EC0A9C}\setup.exe"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7E518B2-B174-11D3-9D4E-0060B0A4823E}\setup.exe"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A00000000001}
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Canon MP Navigator 3.0-->"C:\Program Files\Canon\MP Navigator 3.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 3.0\uninst.ini
Canon MP160 User Registration-->C:\Program Files\Canon\IJEREG\MP160\UNINST.EXE
Canon MP160-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160 /L0x0009
Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Coloreal-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDE90251-93EB-4F6A-89D8-086E2D91DC56}\setup.exe"
COMODO Firewall Pro-->C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
Compaq SetRefresh-->MsiExec.exe /X{ADB54615-A0E2-40F8-9C5E-FD8513472ED3}
Easy Access Button Support-->C:\Program Files\COMPAQ\Easy Access Button Support\Uninst.exe
filehippo.com Update Checker-->"C:\Program Files\filehippo.com\uninstall.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Java™ 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
ModemXpert-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9CB4FEE2-7F47-11D4-B6AD-00A0CC624550}\setup.exe" AnyText
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" ControlPanelAnyText
OLYMPUS Master 2-->MsiExec.exe /X{CB49B376-1136-44B4-83FA-036334B59937}
OLYMPUS muvee theaterPack-->MsiExec.exe /X{DDDE47E5-C711-4D17-9FA6-E3D7C340192A}
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
RealOne Player-->C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
RingCentral SmartFax 2002-->C:\PROGRA~1\RINGCE~1\RINGCE~1\uninst\rc_unins.exe -fC:\PROGRA~1\RINGCE~1\RINGCE~1\uninst\rc_unins.ins
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.EXE"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AVG Anti-Virus Free
FW: COMODO Firewall Pro

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 11 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=0b01
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

When you don't have to worry about your computer anymore, you can start
living again !

Success is a result, not a goal. . . . Flaubert


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:03 AM

Posted 28 November 2008 - 07:24 PM

Hi Jove,

You were right to suspect those entries. They are trojans. Other than that, you have taken good care of your computer. :thumbsup:
  • Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

    Please download SDFix by AndyManchesta and save it to your desktop.
    When using this tool, you must use the Administrator's account or an account with "Administrative rights"
    • Double click SDFix.exe and it will extract the files to %systemdrive%
    • (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
    Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.
  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let it reboot if needed and copy/paste the log to your reply.

  • Please run RSIT, set the list of Files/Folders created to 2 Months and copy/paste the content of log.txt to your reply (this time RSIT creates just one log).


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:03 AM

Posted 28 November 2008 - 07:36 PM

In addition to the previous post, could you tell me if you know this server: 209.204.64.2
I couldn't find much on it other than a reference to ns1.snip.net
Do you have a static IP? Or are you on a network?

#6 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • Gender:Male
  • Location:Very South Jersey
  • Local time:09:03 PM

Posted 28 November 2008 - 08:29 PM

Thank you.
I have a dial-up ISP, snip.net. Hope that helps; if you need the number ID, let me know, and where I might find it.

I'll do the scan and post.



#7 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • Gender:Male
  • Location:Very South Jersey
  • Local time:09:03 PM

Posted 28 November 2008 - 09:03 PM

I'm not sure this went right. Prior to using Safe Mode I opened the downloaded file, and it produced a log, which I saved (install text).

I then went into Safe Mode and opened it again, and it again produced a log. Not being sure, and checking your instructions, I opened it again and it did the same thing. What would you like me to do with these logs? Would you want the last one posted, or is there something else?



#8 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:09:03 PM

Posted 29 November 2008 - 04:35 AM

farbar,

I'm not sure if this defines the problem, please check this for me.


Problem:

If SDFix still doesn't run check the %comspec% variable


How to fix:

Click on the Start button then right-click on My Computer and select properties. Then click on the Advanced tab and then click on the Environment Variables. Under System Variables, make sure that the ComSpec variable points to %SystemRoot%\system32\cmd.exe




Edited by Jove, 29 November 2008 - 04:39 AM.



#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:03 AM

Posted 29 November 2008 - 04:59 AM


I have a dial up ISP, snip.net, Hope that helps, if you need the number ID let me know, and where I might find it .


So it is clear; no need to do anything.

I'm not sure this went right, prior to using the Safe mode I opened the downloaded file, and it produced a log, which I saved; installed text,

I then went into the safe mode and opened again and it again produced a log, not being sure a checking your instructions I opened again and it did the same thing, what would you like me to do with these logs, would you want the last one posted or is there something else ?


Could you please post the log? If it is too long you may attach it.

The problem with running SDFix is not what you mention. Your %comspec% variable is OK; otherwise we would have set it right before running SDFix. The RSIT log reflects those variables and they are OK.


Is this the only computer you have? It is possible to download SDFix and extract it using another computer, then transfer the extracted folder (C:\SDFix) to the infected computer and go on with the fix.

#10 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • Gender:Male
  • Location:Very South Jersey
  • Local time:09:03 PM

Posted 29 November 2008 - 05:46 AM

This is the only computer I have. I have the SDFix icon on the desktop, but just the installation text runs. Could I save it to a CD?



#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:03 AM

Posted 29 November 2008 - 06:24 AM

I'm afraid you missed a part of my request. Could you please post the log you saved?

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:03 AM

Posted 29 November 2008 - 06:42 AM

Jove, I think I know what is going on. No need to post the log.

First: Save my instruction in the post about running SDFix to a text file so that you can read in Safe Mode.
Second: In Safe Mode you need not run the downloaded file again. Run the file given in the instructions.

#13 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • Gender:Male
  • Location:Very South Jersey
  • Local time:09:03 PM

Posted 29 November 2008 - 08:26 AM

Previously, when in Safe Mode, I received these instructions. I double-clicked it but just got the instructions again, so what do you mean?



SDFix has been extracted to %systemdrive%\SDFix\
(Drive that contains the Windows directory - typically C:\SDFix)

Open the SDFix folder in Safe Mode and double click the RunThis.bat file to start the fixtool
If RunThis.bat is started in Normal Mode, options to download and run Anti-Virus command line scanners are displayed

Catchme.exe Stealth Malware Detector by GMER is also included in the SDFix folder

Additional SDFix Instructions & screen shots can be found here - http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/



I'll try what you said, but I get no options when I double-click; it does something but just leaves the instruction text.

Edited by Jove, 29 November 2008 - 08:28 AM.



#14 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • Gender:Male
  • Location:Very South Jersey
  • Local time:09:03 PM

Posted 29 November 2008 - 09:03 AM

SDFix: Version 1.240
Run by Jp on Sat 11/29/2008 at 08:46 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\AAW2008.EXE - Deleted
C:\WINDOWS\system32\i - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 08:51:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"
"C:\\WINDOWS\\Fonts\\wmsncs.exe"="C:\\WINDOWS\\Fonts\\wmsncs.exe:*:Enabled:workstation"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 23 Mar 1999 16,062 ..SHR --- "C:\LOGO.SYS"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 7 Feb 2006 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\Maint.exe"
Mon 19 Dec 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\uinstrsc.dll"

Finished!

I will now scan with malwarebytes.

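The "Authorized Application Key Export" in the SDFix report above is the security-relevant part of that log: the trojan registered wmsncs.exe as a Windows Firewall exception in both the standard and the domain profile, once as a bare filename and once with its real path under C:\WINDOWS\Fonts, sitting next to legitimate entries such as sessmgr.exe and the AVG binaries. The script below is an added example, not part of the thread and not SDFix's own code. It parses an export in that format and flags the entries a responder would want to look at first: a value with no directory component (the firewall UI always writes a full path) and an executable registered under a directory that should hold none. The sample text is a constructed copy of the export as printed in the post; the list of suspicious directories and the two heuristics are assumptions of this example, not something the thread states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a copy of the "Authorized Application Key Export"
# that SDFix printed in the thread (same keys, same values, backslashes doubled
# as in a .reg export).
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"
"C:\\WINDOWS\\Fonts\\wmsncs.exe"="C:\\WINDOWS\\Fonts\\wmsncs.exe:*:Enabled:workstation"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"wmsncs.exe"="wmsncs.exe:*:Enabled:SYSTEM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"""

# Key header of an AuthorizedApplications list; the profile name is captured.
LIST_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\sharedaccess"
    r"\\parameters\\firewallpolicy\\(?P<profile>\w+)\\authorizedapplications\\list\]$",
    re.IGNORECASE,
)
# One exported REG_SZ value: "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')

# Directories in which no program should need a firewall exception.
# Assumption of this example; extend for your environment.
NO_EXE_DIRS = ("fonts", "temp", "tmp", "recycler")


@dataclass
class AuthorizedApp:
    path: str
    profiles: list = field(default_factory=list)
    scope: str = ""      # "*" means any remote address
    mode: str = ""       # Enabled / Disabled
    display: str = ""    # UI name; Windows' own entries use @dll,-id resource strings
    reasons: list = field(default_factory=list)


def _unescape(s):
    # .reg exports double every backslash.
    return s.replace("\\\\", "\\")


def parse_export(text):
    """Return one AuthorizedApp per distinct path, with every profile it appears in."""
    apps = {}
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LIST_KEY_RE.match(line)
        if m:
            profile = m.group("profile").lower()
            continue
        if line.startswith("["):
            profile = None          # some other key: ignore its values
            continue
        m = VALUE_RE.match(line)
        if not m or profile is None:
            continue
        path = _unescape(m.group("name"))
        data = _unescape(m.group("data"))
        # data is "<path>:<scope>:<mode>:<display>"; the path itself may hold a
        # drive-letter colon, so strip the known prefix before splitting.
        if data.lower().startswith(path.lower() + ":"):
            rest = data[len(path) + 1:]
        else:
            rest = data
        scope, mode, display = (rest.split(":", 2) + ["", "", ""])[:3]
        app = apps.setdefault(path.lower(), AuthorizedApp(path=path))
        app.profiles.append(profile)
        app.scope, app.mode, app.display = scope, mode, display
    return list(apps.values())


def audit(apps):
    """Attach a reason to each entry that deserves a look and return those entries."""
    flagged = []
    for app in apps:
        parts = app.path.lower().split("\\")
        if len(parts) == 1:
            app.reasons.append("bare filename without a directory; the firewall UI always writes a full path")
        elif parts[-2] in NO_EXE_DIRS:
            app.reasons.append("executable registered under a directory that should hold none: " + parts[-2])
        if app.reasons:
            flagged.append(app)
    return flagged


def report(flagged):
    lines = []
    for app in flagged:
        lines.append(f"{app.path}  profiles={','.join(app.profiles)}  scope={app.scope}  display={app.display!r}")
        for r in app.reasons:
            lines.append("    - " + r)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(parse_export(SAMPLE_EXPORT))))
```

On the sample this reports exactly the two wmsncs.exe values and nothing else. Once the binary itself is gone, the leftover values under both profile keys still need to be deleted, otherwise the exception is waiting for anything that reappears under that name.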


#15 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • Gender:Male
  • Location:Very South Jersey
  • Local time:09:03 PM

Posted 29 November 2008 - 09:15 AM

No malicious files found.

Malwarebytes' Anti-Malware 1.30
Database version: 1433
Windows 5.1.2600 Service Pack 3

11/29/2008 9:13:12 AM
mbam-log-2008-11-29 (09-13-12).txt

Scan type: Quick Scan
Objects scanned: 46341
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Regarding;
Please run RSIT, set the list of Files/Folders created to 2 Months
and copy/paste the content of log.txt to your reply (this time RSIT
creates just one log).

I will attempt this and include the log in my next post.





