
Probably a spyware stopping Windows service from connecting to Internet


  • This topic is locked
20 replies to this topic

#1 Lanny25

Lanny25

  • Members
  • 35 posts
  • Gender:Male
  • Location:India

Posted 01 March 2009 - 03:19 AM

Hello Everyone, I am having a strange problem with my Vista. It is not able to connect to the Internet to update itself. I think it is probably due to malware, because for a week, whenever I start my computer, Norton detects a heuristic virus with a very long name in my Windows ---->System32 folder but was unable to remove it. Then Norton also stopped getting updates from the Internet due to the malware, and I had to install Avast. Please help me out; my HJT log is located below:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:48:18, on 01-03-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
D:\Windows\system32\Dwm.exe
D:\Windows\Explorer.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
D:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
D:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe
D:\Windows\ehome\ehtray.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Program Files\RALINK\Common\RaUI.exe
D:\Windows\System32\rundll32.exe
D:\Windows\ehome\ehmsas.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Users\Shantam\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\Users\Shantam\AppData\Local\Temp\Rar$EX00.755\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] D:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "D:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [SMSERIAL] D:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Google Update] "D:\Users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = D:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2659759-5804-46AB-AEE1-5988886259C9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - D:\Windows\System32\DreamScene.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - D:\ProgramData\Norton\Norton2009Reset.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 6164 bytes


Please help me as soon as possible.

Edited by Lanny25, 01 March 2009 - 03:19 AM.




#2 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 02 March 2009 - 08:47 AM

Hi,

Welcome to BleepingComputer HijackThis Logs and Malware Removal, Lanny25. :thumbup2:
My name is sundavis, and I will be helping you to deal with your malware problems today.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.
In the meantime, please refrain from making any changes to your computer, and please do the following:

Step 1
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Step 2

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to your desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish. For more info, go Here for your reference.
  • Once done, click on the [Save..] button, and in the File name area type in "Gmer.txt", then copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


In your next reply, please post back:


1. Gmer.txt
2. RSIT log.txt and info.txt. Thanks.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 02 March 2009 - 09:00 AM

Error. Posts crossed.

Edited by suebaby41, 02 March 2009 - 02:05 PM.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 Lanny25

Lanny25
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Male
  • Location:India

Posted 02 March 2009 - 09:01 AM

I have got 2 replies which one should I follow?

#5 Lanny25

Lanny25
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Male
  • Location:India

Posted 02 March 2009 - 09:30 AM

OK, I am replying to SUNDAVIS.

Log.txt from RSIT


Logfile of random's system information tool 1.05 (written by random/random)
Run by Shantam at 2009-03-02 19:43:32
Microsoft® Windows Vista™ Ultimate Service Pack 1
System drive D: has 18 GB (45%) free of 40 GB
Total RAM: 1022 MB (28% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:44, on 02-03-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
D:\Windows\system32\Dwm.exe
D:\Windows\Explorer.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
D:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
D:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe
D:\Windows\ehome\ehtray.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\RALINK\Common\RaUI.exe
D:\Windows\ehome\ehmsas.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Users\Shantam\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
D:\Windows\system32\SearchFilterHost.exe
D:\Users\Shantam\Desktop\RSIT.exe
D:\Users\Shantam\Downloads\HiJackThis\Shantam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] D:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "D:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [SMSERIAL] D:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Google Update] "D:\Users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Ralink Wireless Utility.lnk = D:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2659759-5804-46AB-AEE1-5988886259C9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - D:\Windows\System32\DreamScene.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - D:\ProgramData\Norton\Norton2009Reset.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 7228 bytes

======Scheduled tasks folder======

D:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-288562864-4153202436-3229124400-1000.job
D:\Windows\tasks\User_Feed_Synchronization-{27232AA5-5B9B-4310-A6F3-E322BDD49D97}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - D:\Program Files\Java\jre6\bin\ssv.dll [2009-02-24 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2008-02-22 401968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - D:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-24 34816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=D:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]
"RtHDVCpl"=D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [2009-01-06 6707744]
"Skytel"=D:\Program Files\Realtek\Audio\HDA\Skytel.exe [2009-01-06 1833504]
"Keyboard Manager Utility"=D:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe [2007-03-27 1359872]
"SMSERIAL"=D:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [2008-06-11 1454080]
"SynTPEnh"=D:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-10-27 815104]
"NvSvc"=D:\Windows\system32\nvsvc.dll [2007-05-22 86016]
"NvCplDaemon"=D:\Windows\system32\NvCpl.dll [2007-05-22 8433664]
"NvMediaCenter"=D:\Windows\system32\NvMcTray.dll [2007-05-22 81920]
"Yahoo Messenger"= []
"avast!"=D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-06 81000]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-02-11 399504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=D:\Program Files\Windows Sidebar\sidebar.exe [2008-01-21 1233920]
"WindowsWelcomeCenter"=D:\Windows\system32\oobefldr.dll [2008-01-21 2153472]
"Google Update"=D:\Users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 133104]
"ehTray.exe"=D:\Windows\ehome\ehTray.exe [2008-01-21 125952]
"SpybotSD TeaTimer"=D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]
"WMPNSCFG"=D:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax]
D:\Program Files\Innovative Solutions\DriverMax\devices.exe -agent []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
D:\Program Files\Java\jre6\bin\jusched.exe [2009-02-24 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Users^Shantam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
D:\PROGRA~1\LimeWire\LimeWire.exe -startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Users^Shantam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MediaRing Talk.lnk]
D:\PROGRA~1\MEDIAR~1\MEDIAR~1\mrtalk.exe [2008-10-22 3325952]

D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Ralink Wireless Utility.lnk - D:\Program Files\RALINK\Common\RaUI.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - D:\Windows\System32\DreamScene.dll [2007-07-20 233888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NofolderOptions"=0
"NoRun"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cad5ec70-ef42-11dd-bd5f-806e6f6e6963}]
shell\AutoRun\command - G:\Digit.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cad5eca1-ef42-11dd-bd5f-bbf8710bc16d}]
shell\AutoRun\command - H:\setup.exe


======List of files/folders created in the last 1 months======

2009-03-02 19:43:32 ----D---- D:\rsit
2009-03-02 18:53:48 ----D---- D:\Users\Shantam\AppData\Roaming\Malwarebytes
2009-03-02 18:53:37 ----D---- D:\ProgramData\Malwarebytes
2009-03-02 18:53:37 ----D---- D:\Program Files\Malwarebytes' Anti-Malware
2009-03-02 10:26:43 ----A---- D:\Windows\ntbtlog.txt
2009-03-02 08:29:04 ----D---- D:\ProgramData\Spybot - Search & Destroy
2009-03-02 08:29:04 ----D---- D:\Program Files\Spybot - Search & Destroy
2009-03-01 21:02:02 ----D---- D:\Users\Shantam\AppData\Roaming\Broad Intelligence
2009-03-01 21:01:08 ----D---- D:\Program Files\MediaCoder
2009-03-01 11:56:03 ----D---- D:\00000082
2009-03-01 10:51:38 ----A---- D:\Windows\system32\MSVCR71.dll
2009-03-01 10:51:38 ----A---- D:\Windows\system32\MSVCP71.dll
2009-03-01 10:51:38 ----A---- D:\Windows\system32\MFC71.dll
2009-03-01 10:51:38 ----A---- D:\Windows\system32\aswBoot.exe
2009-03-01 10:51:35 ----D---- D:\Program Files\Alwil Software
2009-03-01 07:28:19 ----D---- D:\Windows\pss
2009-02-28 16:37:22 ----A---- D:\Windows\system32\xvidvfw.dll
2009-02-28 16:37:22 ----A---- D:\Windows\system32\xvidcore.dll
2009-02-28 16:37:21 ----D---- D:\Program Files\Xvid
2009-02-28 16:33:33 ----D---- D:\Program Files\MKVtoolnix
2009-02-28 16:24:16 ----D---- D:\Program Files\AviSynth 2.5
2009-02-28 16:14:00 ----D---- D:\Program Files\StaxRip
2009-02-26 19:33:54 ----D---- D:\Users\Shantam\AppData\Roaming\skypePM
2009-02-26 15:14:10 ----A---- D:\Windows\system32\ykx32mpcoinst.dll
2009-02-26 15:07:01 ----A---- D:\Windows\system32\sm56co85.dll
2009-02-26 14:43:11 ----A---- D:\Windows\system32\WavesLib.dll
2009-02-26 14:43:11 ----A---- D:\Windows\system32\SRSWOW.dll
2009-02-26 14:43:10 ----A---- D:\Windows\system32\SRSTSHD.dll
2009-02-26 14:43:10 ----A---- D:\Windows\system32\SRSHP360.dll
2009-02-26 14:43:08 ----A---- D:\Windows\system32\RtkPgExt.dll
2009-02-26 14:43:07 ----A---- D:\Windows\system32\RtkApoApi.dll
2009-02-26 14:43:04 ----A---- D:\Windows\system32\MaxxAudioEQ.dll
2009-02-26 14:43:04 ----A---- D:\Windows\system32\MaxxAudioAPO20.dll
2009-02-26 14:43:04 ----A---- D:\Windows\system32\MaxxAudioAPO.dll
2009-02-26 14:43:03 ----A---- D:\Windows\system32\FMAPO.dll
2009-02-26 14:43:03 ----A---- D:\Windows\system32\AERTARen.dll
2009-02-26 14:43:03 ----A---- D:\Windows\system32\AERTACap.dll
2009-02-26 13:12:35 ----D---- D:\Users\Shantam\AppData\Roaming\Skype
2009-02-26 13:10:51 ----D---- D:\Program Files\Common Files\Skype
2009-02-26 13:10:49 ----RD---- D:\Program Files\Skype
2009-02-26 13:10:33 ----D---- D:\ProgramData\Skype
2009-02-24 15:50:11 ----D---- D:\Users\Shantam\AppData\Roaming\LimeWire
2009-02-24 15:48:03 ----A---- D:\Windows\system32\javaws.exe
2009-02-24 15:48:03 ----A---- D:\Windows\system32\javaw.exe
2009-02-24 15:48:03 ----A---- D:\Windows\system32\java.exe
2009-02-24 15:48:03 ----A---- D:\Windows\system32\deploytk.dll
2009-02-24 15:47:18 ----D---- D:\Program Files\Java
2009-02-22 17:36:09 ----D---- D:\Program Files\Tally9.1 Full
2009-02-22 12:40:03 ----D---- D:\Tally
2009-02-22 12:17:23 ----A---- D:\Windows\system32\sqlite3odbc.dll
2009-02-22 12:17:14 ----D---- D:\ProgramData\kBilling
2009-02-22 12:17:14 ----D---- D:\Program Files\kBilling
2009-02-22 11:19:03 ----D---- D:\Windows\Minidump
2009-02-21 09:47:12 ----A---- D:\Windows\ODBCINST.INI
2009-02-21 09:47:12 ----A---- D:\Windows\ODBC.INI
2009-02-20 10:40:25 ----A---- D:\Windows\system32\EncDec.dll
2009-02-20 10:40:17 ----A---- D:\Windows\system32\psisdecd.dll
2009-02-12 10:34:11 ----A---- D:\Windows\system32\mshtml.dll
2009-02-12 10:34:10 ----A---- D:\Windows\system32\ieframe.dll
2009-02-12 10:34:07 ----A---- D:\Windows\system32\urlmon.dll
2009-02-12 10:34:06 ----A---- D:\Windows\system32\msfeeds.dll
2009-02-12 10:34:05 ----A---- D:\Windows\system32\wininet.dll
2009-02-12 10:34:05 ----A---- D:\Windows\system32\mstime.dll
2009-02-12 10:34:03 ----A---- D:\Windows\system32\iertutil.dll
2009-02-12 10:34:02 ----A---- D:\Windows\system32\jsproxy.dll
2009-02-10 19:09:12 ----D---- D:\Program Files\SpeedBit Video Accelerator
2009-02-10 18:59:58 ----AD---- D:\ProgramData\TEMP
2009-02-10 18:59:46 ----D---- D:\ProgramData\SpeedBit
2009-02-10 18:59:04 ----A---- D:\Windows\system32\wbhelp2.dll
2009-02-10 18:59:01 ----D---- D:\Program Files\DAP
2009-02-09 13:50:43 ----D---- D:\Program Files\Microsoft Network Monitor 3
2009-02-08 12:54:35 ----D---- D:\Users\Shantam\AppData\Roaming\MRTalk
2009-02-08 12:54:10 ----D---- D:\Program Files\MediaRing
2009-02-06 20:27:38 ----HD---- D:\Program Files\Zero G Registry
2009-02-06 20:27:38 ----D---- D:\Program Files\Britannica 9.0
2009-02-05 08:53:12 ----D---- D:\Users\Shantam\AppData\Roaming\MessengerGadget
2009-02-03 19:05:20 ----D---- D:\Program Files\Microsoft
2009-02-03 19:04:47 ----D---- D:\Program Files\Microsoft Silverlight
2009-02-03 14:52:36 ----A---- D:\Windows\system32\newdev.dll
2009-02-03 14:52:35 ----A---- D:\Windows\system32\newdev.exe
2009-02-03 14:50:21 ----A---- D:\Windows\system32\RacEngn.dll
2009-02-03 11:57:11 ----A---- D:\Windows\system32\msonpmon.dll
2009-02-03 11:54:43 ----D---- D:\Program Files\Microsoft Works
2009-02-03 11:53:11 ----D---- D:\Program Files\Microsoft Visual Studio
2009-02-03 11:53:10 ----D---- D:\Program Files\Common Files\DESIGNER
2009-02-03 11:51:38 ----D---- D:\Windows\PCHEALTH
2009-02-03 11:51:38 ----D---- D:\Program Files\Microsoft.NET
2009-02-03 11:48:26 ----D---- D:\Program Files\Microsoft Visual Studio 8
2009-02-03 11:46:11 ----D---- D:\Program Files\Microsoft Office
2009-02-03 11:46:10 ----D---- D:\ProgramData\Microsoft Help
2009-02-03 11:45:35 ----RHD---- D:\MSOCache

======List of files/folders modified in the last 1 months======

2009-03-02 19:43:43 ----D---- D:\Windows\Prefetch
2009-03-02 19:43:37 ----D---- D:\Windows\Temp
2009-03-02 19:32:33 ----D---- D:\Users\Shantam\AppData\Roaming\uTorrent
2009-03-02 18:53:41 ----D---- D:\Windows\system32\drivers
2009-03-02 18:53:37 ----RD---- D:\Program Files
2009-03-02 18:53:37 ----HD---- D:\ProgramData
2009-03-02 12:35:41 ----SHD---- D:\RECYCLER
2009-03-02 11:47:13 ----SHD---- D:\System Volume Information
2009-03-02 10:26:43 ----D---- D:\Windows
2009-03-02 10:25:20 ----D---- D:\Program Files\QuoteTracker
2009-03-01 13:40:44 ----D---- D:\Windows\System32
2009-03-01 11:54:37 ----D---- D:\Program Files\Common Files
2009-03-01 10:54:27 ----D---- D:\Program Files\Mozilla Firefox
2009-03-01 10:46:33 ----D---- D:\ProgramData\Norton
2009-03-01 10:46:06 ----D---- D:\Windows\system32\catroot
2009-03-01 10:46:06 ----D---- D:\Windows\inf
2009-03-01 09:12:50 ----RSD---- D:\Windows\Fonts
2009-02-27 21:25:04 ----D---- D:\Windows\ModemLogs
2009-02-27 12:32:16 ----A---- D:\Windows\system32\PerfStringBackup.INI
2009-02-26 19:08:00 ----D---- D:\Windows\system32\wbem
2009-02-26 19:06:51 ----D---- D:\Windows\system32\CodeIntegrity
2009-02-26 19:06:51 ----D---- D:\Windows\system32\catroot2
2009-02-26 19:06:51 ----D---- D:\Users\Shantam\AppData\Roaming\vlc
2009-02-26 19:06:50 ----D---- D:\Windows\registration
2009-02-26 14:45:20 ----D---- D:\Program Files\Realtek
2009-02-26 14:45:19 ----D---- D:\Windows\system32\RTCOM
2009-02-26 13:11:13 ----SHD---- D:\Windows\Installer
2009-02-26 13:11:13 ----SHD---- D:\Config.Msi
2009-02-25 19:55:56 ----SD---- D:\Users\Shantam\AppData\Roaming\Microsoft
2009-02-22 12:40:50 ----HD---- D:\Program Files\InstallShield Installation Information
2009-02-20 12:30:12 ----D---- D:\Windows\Microsoft.NET
2009-02-20 12:30:11 ----RSD---- D:\Windows\assembly
2009-02-20 11:24:36 ----D---- D:\Windows\winsxs
2009-02-20 11:24:35 ----D---- D:\Windows\ehome
2009-02-13 08:44:19 ----D---- D:\Program Files\Windows Mail
2009-02-11 21:51:58 ----D---- D:\Windows\Tasks
2009-02-10 19:09:31 ----D---- D:\Windows\system32\Tasks
2009-02-10 10:21:36 ----D---- D:\Windows\system32\WDI
2009-02-10 09:12:32 ----D---- D:\Windows\Debug
2009-02-09 14:06:43 ----SD---- D:\ProgramData\Microsoft
2009-02-05 20:04:17 ----SD---- D:\Windows\Downloaded Program Files
2009-02-05 11:32:15 ----A---- D:\Windows\win.ini
2009-02-05 11:28:49 ----D---- D:\Program Files\Common Files\microsoft shared
2009-02-04 04:51:12 ----A---- D:\Windows\system32\mrt.exe
2009-02-03 15:00:00 ----D---- D:\Windows\system32\LogFiles
2009-02-03 11:54:14 ----D---- D:\Program Files\MSBuild
2009-02-03 11:53:03 ----D---- D:\Windows\ShellNew
2009-02-03 11:47:37 ----D---- D:\Program Files\Common Files\System

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aswRdr;aswRdr; D:\Windows\system32\drivers\aswRdr.sys [2009-02-06 23152]
R1 aswSP;avast! Self Protection; D:\Windows\system32\drivers\aswSP.sys [2009-02-06 114768]
R1 aswTdi;avast! Network Shield Support; D:\Windows\system32\drivers\aswTdi.sys [2009-02-06 51376]
R1 CSC;Offline Files Driver; D:\Windows\system32\drivers\csc.sys [2008-01-21 350720]
R1 nm3;Microsoft Network Monitor 3 Driver; D:\Windows\system32\DRIVERS\nm3.sys [2008-09-10 50184]
R2 aswFsBlk;aswFsBlk; D:\Windows\system32\DRIVERS\aswFsBlk.sys [2009-02-06 20560]
R2 aswMonFlt;aswMonFlt; D:\Windows\system32\DRIVERS\aswMonFlt.sys [2009-02-06 51792]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; D:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-21 14208]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); D:\Windows\system32\drivers\RTKVHDA.sys [2009-01-06 2261024]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista; D:\Windows\system32\DRIVERS\netr73.sys [2008-10-21 497152]
R3 nvlddmkm;nvlddmkm; D:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-05-22 7117856]
R3 qkbfiltr;Keyboard Filter Driver; D:\Windows\system32\DRIVERS\qkbfiltr.sys [2007-02-01 33792]
R3 sdbus;sdbus; D:\Windows\system32\DRIVERS\sdbus.sys [2008-01-21 88576]
R3 smserial;smserial; D:\Windows\system32\DRIVERS\smserial.sys [2008-06-11 1097856]
R3 SynTP;Synaptics TouchPad Driver; D:\Windows\system32\DRIVERS\SynTP.sys [2006-10-27 179896]
R3 tifm21;tifm21; D:\Windows\system32\drivers\tifm21.sys [2006-07-06 168448]
R3 usbvideo;USB Video Device (WDM); D:\Windows\System32\Drivers\usbvideo.sys [2008-01-21 134016]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller; D:\Windows\system32\DRIVERS\yk60x86.sys [2008-12-09 311808]
S3 BthAudioHF;BthAudioHF Service; D:\Windows\system32\DRIVERS\BthAudioHF.sys [2008-07-10 30208]
S3 BthEnum;Bluetooth Request Block Driver; D:\Windows\system32\DRIVERS\BthEnum.sys [2008-01-21 19456]
S3 BthPan;Bluetooth Device (Personal Area Network); D:\Windows\system32\DRIVERS\bthpan.sys [2008-01-21 92160]
S3 BTHPORT;Bluetooth Port Driver; D:\Windows\System32\Drivers\BTHport.sys [2008-06-12 220160]
S3 BTHUSB;Bluetooth Radio USB Driver; D:\Windows\System32\Drivers\BTHUSB.sys [2008-06-12 29184]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; D:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; D:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MSKSSRV;Microsoft Streaming Service Proxy; D:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; D:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; D:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; D:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); D:\Windows\system32\DRIVERS\rfcomm.sys [2008-01-21 49664]
S3 ti21sony;ti21sony; D:\Windows\system32\drivers\ti21sony.sys [2007-01-24 808448]
S3 usbscan;USB Scanner Driver; D:\Windows\system32\DRIVERS\usbscan.sys [2008-01-21 35328]
S3 WUDFRd;WUDFRd; D:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; D:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR; D:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; D:\Windows\system32\drivers\wmiacpi.sys [2008-01-21 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-06 18752]
R2 avast! Antivirus;avast! Antivirus; D:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-06 138680]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; D:\Windows\system32\svchost.exe [2008-01-21 21504]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; D:\Windows\System32\svchost.exe [2008-01-21 21504]
R2 Fax;@%systemroot%\system32\fxsresm.dll,-118; D:\Windows\system32\fxssvc.exe [2008-01-21 523776]
R2 HFGService;Handsfree Headset Service; D:\Windows\system32\svchost.exe [2008-01-21 21504]
R3 avast! Mail Scanner;avast! Mail Scanner; D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-06 254040]
R3 avast! Web Scanner;avast! Web Scanner; D:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-06 352920]
S2 .norton2009Reset;Norton 2009 Reset; D:\ProgramData\Norton\Norton2009Reset.exe [2009-01-30 281625]
S3 AppMgmt;@appmgmts.dll,-3250; D:\Windows\system32\svchost.exe [2008-01-21 21504]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; D:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; D:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; D:\Windows\System32\svchost.exe [2008-01-21 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; D:\Windows\system32\wbengine.exe [2008-01-21 917504]

-----------------EOF-----------------

info.txt from RSIT


info.txt logfile of random's system information tool 1.05 2009-03-02 19:43:48

======Uninstall list======

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Adobe Flash Player 10 Plugin-->D:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->D:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
avast! Antivirus-->D:\Program Files\Alwil Software\Avast4\aswRunDll.exe "D:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AviSynth 2.5-->"D:\Program Files\AviSynth 2.5\Uninstall.exe"
Foxit Reader-->D:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Google Talk Plugin-->MsiExec.exe /I{B279F2F1-3B2F-3A96-AC11-5743CD43DCCB}
HijackThis 2.0.2-->"D:\Users\Shantam\Downloads\HiJackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->D:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->D:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
kBilling Invoicing Software-->"D:\Program Files\kBilling\unins000.exe"
Keyboard Manager Utility-->D:\Program Files\InstallShield Installation Information\{C99EF05C-A49C-4C8C-902B-BD4B96A6F3A8}\setup.exe -runfromtemp -l0x0409
Malwarebytes' Anti-Malware-->"D:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver-->D:\Program Files\Marvell\Miniport Driver\Uninst.exe
MediaCoder 0.6.2-->D:\Program Files\MediaCoder\uninst.exe
MediaRing Talk-->"D:\Program Files\MediaRing\MediaRing Talk\Uninstall.exe" "D:\Program Files\MediaRing\MediaRing Talk\install.log" -u
Microsoft .NET Framework 3.5 SP1-->d:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Network Monitor 3.2-->MsiExec.exe /I{B4B70951-3AB9-4609-B8FA-BAF0066A914A}
Microsoft Network Monitor: Microsoft Parsers 3.2-->MsiExec.exe /I{FD4C0E23-A95B-4CC2-8993-3C1530CF69FD}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"D:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Live Add-in 1.3-->MsiExec.exe /I{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
MKVtoolnix 2.2.0-->D:\Program Files\MKVtoolnix\uninst.exe
Motorola SM56 Data Fax Modem-->rundll32.exe sm56co85.dll,SM56UnInstaller
Mozilla Firefox (3.0.6)-->D:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers-->D:\Windows\system32\NVUNINST.EXE UninstallGUI
QuoteTracker-->"D:\Program Files\QuoteTracker\unins000.exe"
Ralink Wireless LAN-->D:\Program Files\InstallShield Installation Information\{E91E8912-769D-42F0-8408-0E329443BABC}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->D:\Program Files\Realtek\Audio\HDA\RtlUpd.exe -r -m -nrg2709
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Skype™ 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Spybot - Search & Destroy-->"D:\Program Files\Spybot - Search & Destroy\unins000.exe"
StaxRip 1.1.1.0-->"D:\Program Files\StaxRip\unins000.exe"
Synaptics Pointing Device Driver-->rundll32.exe "D:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tally9.1 Full-->MsiExec.exe /I{3A17A667-2AB1-4EDF-9EDE-9BF420F4EAE3}
Texas Instruments PCIxx21/x515/xx12 drivers.-->D:\Program Files\InstallShield Installation Information\{0409969E-BEFB-44D3-90B9-63BE50FBAE5E}\setup.exe -runfromtemp -l0x0409
Ultimate Extras sounds from Microsoft® Tinker™-->RunDll32 advpack.dll,LaunchINFSection D:\Windows\INF\UltSound2.inf,Uninstall
Update for Microsoft Office 2007 Help for Common Features (KB957244)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {C8C72583-C907-4D20-8973-C3858D96BD9E}
Update for Microsoft Office Access 2007 Help (KB957241)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {D670F9B9-3E84-47B5-8A4A-618B65DB1593}
Update for Microsoft Office Excel 2007 Help (KB957242)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {51864046-74C8-487B-97CD-6167A4B1DB56}
Update for Microsoft Office InfoPath 2007 Help (KB957243)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {766DF26B-5F03-48ED-9307-5326F2790ED0}
Update for Microsoft Office OneNote 2007 Help (KB957245)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {7332DE60-DC79-4578-A60A-A5EA0D6E032B}
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Microsoft Office Outlook 2007 Help (KB957246)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {6F0E4983-E419-4591-B7DD-EFB0073D3E47}
Update for Microsoft Office PowerPoint 2007 Help (KB957247)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {B20E2C59-EEC5-4102-9E50-5DBB2093C37D}
Update for Microsoft Office Publisher 2007 Help (KB957249)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4E140A5A-4A90-404A-B955-10C2D98CD3EE}
Update for Microsoft Office Word 2007 Help (KB957252)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {54DF3345-0720-4224-9740-C7E00303F565}
Update for Microsoft Script Editor Help (KB957253)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {F21BF703-548C-47B2-B92A-6876E9566C42}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb959634)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {50C77E2F-5C1C-467D-9BC8-3CA07D28C9F2}
VLC media player 0.9.8a-->D:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Live Sign-in Assistant-->MsiExec.exe /I{8984E374-6C93-427C-A3B9-AD92472FDCA0}
Windows Sound Schemes-->RunDll32 advpack.dll,LaunchINFSection D:\Windows\INF\UltSound.inf,Uninstall
WinRAR archiver-->D:\Program Files\WinRAR\uninstall.exe
Xvid 1.1.3 final uninstall-->"D:\Program Files\Xvid\unins000.exe"

======Security center information======

AV: avast! antivirus 4.8.1335 [VPS 090228-0]
AS: Windows Defender
AS: avast! antivirus 4.8.1335 [VPS 090228-0]

System event log

Computer Name: Shantam-Laptop
Event Code: 102
Message: The service temporarily stopped publishing because of a power event.
Record Number: 19708
Source Name: Microsoft-Windows-ResourcePublication
Time Written: 20090302140559.404866-000
Event Type: Information
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: Shantam-Laptop
Event Code: 1103
Message: Your computer was successfully assigned an address from the network, and it can now connect to other computers.
Record Number: 19709
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090302140646.000000-000
Event Type: Information
User:

Computer Name: Shantam-Laptop
Event Code: 4201
Message: The system detected that network adapter Wireless Network Connection was connected to the network, and has initiated normal operation.
Record Number: 19710
Source Name: Tcpip
Time Written: 20090302140645.999866-000
Event Type: Information
User:

Computer Name: Shantam-Laptop
Event Code: 4201
Message: The system detected that network adapter Wireless Network Connection was connected to the network, and has initiated normal operation.
Record Number: 19711
Source Name: Tcpip
Time Written: 20090302140645.999866-000
Event Type: Information
User:

Computer Name: Shantam-Laptop
Event Code: 104
Message: The service is publishing to the network.
Record Number: 19712
Source Name: Microsoft-Windows-ResourcePublication
Time Written: 20090302140647.475866-000
Event Type: Information
User: NT AUTHORITY\LOCAL SERVICE

Application event log

Computer Name: Shantam-Laptop
Event Code: 1007
Message: Customer Experience Improvement Program data was successfully sent to Microsoft.
Record Number: 2409
Source Name: Microsoft-Windows-CEIP
Time Written: 20090302074017.000000-000
Event Type: Information
User:

Computer Name: Shantam-Laptop
Event Code: 9010
Message: A request to disable the Desktop Window Manager was made by process (6088)
Record Number: 2410
Source Name: Desktop Window Manager
Time Written: 20090302114159.000000-000
Event Type: Information
User:

Computer Name: Shantam-Laptop
Event Code: 9013
Message: The Desktop Window Manager was unable to start because composition was disabled by a running application
Record Number: 2411
Source Name: Desktop Window Manager
Time Written: 20090302114159.000000-000
Event Type: Information
User:

Computer Name: Shantam-Laptop
Event Code: 9010
Message: A request to disable the Desktop Window Manager was made by process (6088)
Record Number: 2412
Source Name: Desktop Window Manager
Time Written: 20090302114204.000000-000
Event Type: Information
User:

Computer Name: Shantam-Laptop
Event Code: 9013
Message: The Desktop Window Manager was unable to start because composition was disabled by a running application
Record Number: 2413
Source Name: Desktop Window Manager
Time Written: 20090302114204.000000-000
Event Type: Information
User:

Security event log

Computer Name: Shantam-Laptop
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 4831
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090302141341.554866-000
Event Type: Audit Failure
User:

Computer Name: Shantam-Laptop
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 4832
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090302141341.635866-000
Event Type: Audit Failure
User:

Computer Name: Shantam-Laptop
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 4833
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090302141341.729866-000
Event Type: Audit Failure
User:

Computer Name: Shantam-Laptop
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 4834
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090302141341.812866-000
Event Type: Audit Failure
User:

Computer Name: Shantam-Laptop
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 4835
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090302141341.888866-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;D:\Program Files\Microsoft Network Monitor 3\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE

-----------------EOF-----------------


Here is Gmer.txt. I would like to bring to your notice that you asked to uncheck Show All, but it was already unchecked, so I left it unchecked.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-02 19:54:32
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

Code 85E20038 ZwEnumerateKey
Code 86100038 ZwFlushInstructionCache
Code 86102038 ZwQueryValueKey
Code 8609786D IofCallDriver
Code 85FF186E IofCompleteRequest

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\gaopdxmxuwrtpc.sys (*** hidden *** ) 8A68F000-8A6A8000 (102400 bytes)

---- Services - GMER 1.0.14 ----

Service D:\Windows\system32\drivers\gaopdxmxuwrtpc.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b00026
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b00026@00025b81e471 0xD7 0x14 0x77 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b00026@00025b52db10 0x82 0x50 0xCB 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b00026@080625800517 0x06 0x3D 0x5D 0xF4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxmxuwrtpc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@userdata 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxmxuwrtpc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxqntsqdhn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272b00026
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272b00026@00025b81e471 0xD7 0x14 0x77 0x36 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272b00026@00025b52db10 0x82 0x50 0xCB 0xE6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272b00026@080625800517 0x06 0x3D 0x5D 0xF4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxmxuwrtpc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@userdata 2
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxmxuwrtpc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxqntsqdhn.dll

---- EOF - GMER 1.0.14 ----

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 03 March 2009 - 07:14 PM

Hi Lanny25,


I'm afraid I have unpleasant news for you.

Your computer has multiple infections, including a rootkit. A rootkit gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you still want to clean your system, then please follow all instructions and do the following:


Step1

Please disable Windows Defender real-time protection, or it will interfere.
  • Go to Start > All Programs > Windows Defender.
  • Click on Tools at the top.
  • Under Settings, click on Options.
  • Under Automatic scanning, uncheck (untick) Automatically scan my computer (recommended) box.
  • Under Real-time protection options, uncheck (untick) Use real-time protection (recommended) box.
  • Click on the Save button at the bottom right hand corner.


Step2

Please disable Spybot S&D's protection, or it will interfere.
  • You can enable it after you're clean.
  • Open Spybot and click on 'Mode' and check 'Advanced Mode'.
  • Click on 'Tools' in bottom left hand corner.
  • Click on the 'System Startup' icon.
  • Uncheck 'Teatimer' box and/or uncheck 'Resident'.
  • Click the 'Allow Change' box.
  • Then, check next to the computer clock to see if the icon for Spybot is still there.
  • If it is, right click it and choose 'exit Spybot-S&D Resident'.
  • Restart the computer.
  • If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
  • http://www.russelltexas.com/malware/teatimer.htm

Step3

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. You will see the below prompt when you first run ComboFix:


Posted Image


The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time. Once Recovery Console is installed, you should see a blue screen prompt like the one below:


Posted Image

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow ComboFix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.


In your next reply, please post back:

1.Combofix log
2.New HJT log

Tell me how your pc is behaving now.

#7 Lanny25

Lanny25
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Male
  • Location:India
  • Local time:10:45 PM

Posted 03 March 2009 - 08:43 PM

Hello sundavis, here is my ComboFix log:


ComboFix 09-03-02.03 - Shantam 2009-03-04 6:49:46.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1022.230 [GMT 5.5:30]
Running from: d:\users\Shantam\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090228-0] *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-2-3-79-100028888-100026975-100010057-2789.com
D:\00000082
d:\00000082\000000fb\000002bf\cltLMS1.dat
d:\00000082\000000fb\000002bf\cltLMS2.dat
d:\00000082\000000fb\000002c4\cltLMS1.dat
d:\00000082\000000fb\000002c4\cltLMS2.dat
D:\Autorun.inf
d:\windows\system32\drivers\gaopdxmxuwrtpc.sys
d:\windows\system32\gaopdxqntsqdhn.dll
e:\recycler\S-2-3-79-100028888-100026975-100010057-2789.com
f:\recycler\S-2-3-79-100028888-100026975-100010057-2789.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
.

2009-03-03 20:31 . 2009-03-03 20:34 <DIR> d-------- d:\users\Shantam\AppData\Roaming\VoxOx
2009-03-03 20:29 . 2009-03-03 20:37 <DIR> d-------- d:\program files\VoxOx
2009-03-02 19:46 . 2009-03-02 19:46 250 --a------ d:\windows\gmer.ini
2009-03-02 19:43 . 2009-03-02 19:43 <DIR> d-------- D:\rsit
2009-03-02 18:53 . 2009-03-02 18:53 <DIR> d-------- d:\users\Shantam\AppData\Roaming\Malwarebytes
2009-03-02 18:53 . 2009-03-02 18:53 <DIR> d-------- d:\users\All Users\Malwarebytes
2009-03-02 18:53 . 2009-03-02 18:53 <DIR> d-------- d:\programdata\Malwarebytes
2009-03-02 18:53 . 2009-03-02 18:53 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2009-03-02 18:53 . 2009-02-11 10:19 38,496 --a------ d:\windows\System32\drivers\mbamswissarmy.sys
2009-03-02 18:53 . 2009-02-11 10:19 15,504 --a------ d:\windows\System32\drivers\mbam.sys
2009-03-02 08:29 . 2009-03-02 18:53 <DIR> d-------- d:\users\All Users\Spybot - Search & Destroy
2009-03-02 08:29 . 2009-03-02 18:53 <DIR> d-------- d:\programdata\Spybot - Search & Destroy
2009-03-02 08:29 . 2009-03-02 08:29 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2009-03-01 21:02 . 2009-03-01 21:02 <DIR> d-------- d:\users\Shantam\AppData\Roaming\Broad Intelligence
2009-03-01 21:01 . 2009-03-01 21:01 <DIR> d-------- d:\program files\MediaCoder
2009-03-01 10:51 . 2009-03-01 10:51 <DIR> d-------- d:\program files\Alwil Software
2009-03-01 10:51 . 2003-03-19 02:50 1,060,864 --a------ d:\windows\System32\MFC71.dll
2009-03-01 10:51 . 2003-03-19 01:44 499,712 --a------ d:\windows\System32\MSVCP71.dll
2009-03-01 10:51 . 2003-02-21 10:12 348,160 --a------ d:\windows\System32\MSVCR71.dll
2009-03-01 10:51 . 2009-02-06 02:36 51,792 --a------ d:\windows\System32\drivers\aswMonFlt.sys
2009-02-28 16:37 . 2009-02-28 17:02 <DIR> d-------- d:\program files\Xvid
2009-02-28 16:37 . 2007-06-28 18:52 765,952 --a------ d:\windows\System32\xvidcore.dll
2009-02-28 16:37 . 2007-06-28 18:54 180,224 --a------ d:\windows\System32\xvidvfw.dll
2009-02-28 16:37 . 2007-06-28 18:55 77,824 --a------ d:\windows\System32\xvid.ax
2009-02-28 16:33 . 2009-02-28 16:33 <DIR> d-------- d:\program files\MKVtoolnix
2009-02-28 16:24 . 2009-02-28 16:27 <DIR> d-------- d:\program files\AviSynth 2.5
2009-02-28 16:14 . 2009-02-28 16:14 <DIR> d-------- d:\program files\StaxRip
2009-02-26 19:33 . 2009-02-28 08:59 <DIR> d-------- d:\users\Shantam\AppData\Roaming\skypePM
2009-02-26 19:33 . 2009-02-26 19:33 56 --ah----- d:\users\All Users\ezsidmv.dat
2009-02-26 19:33 . 2009-02-26 19:33 56 --ah----- d:\programdata\ezsidmv.dat
2009-02-26 15:26 . 2007-01-24 14:46 808,448 --a------ d:\windows\System32\drivers\ti21sony.sys
2009-02-26 15:14 . 2008-12-09 17:06 311,808 --a------ d:\windows\System32\drivers\yk60x86.sys
2009-02-26 15:14 . 2008-12-09 17:06 282,624 --a------ d:\windows\System32\ykx32mpcoinst.dll
2009-02-26 15:07 . 2008-06-11 14:23 1,097,856 --a------ d:\windows\System32\drivers\smserial.sys
2009-02-26 15:07 . 2008-06-11 14:17 532,480 --a------ d:\windows\System32\sm56co85.dll
2009-02-26 13:12 . 2009-02-28 08:59 <DIR> d-------- d:\users\Shantam\AppData\Roaming\Skype
2009-02-26 13:10 . 2009-02-26 13:10 <DIR> d-------- d:\users\All Users\Skype
2009-02-26 13:10 . 2009-02-26 13:10 <DIR> d-------- d:\programdata\Skype
2009-02-26 13:10 . 2009-02-26 13:10 <DIR> dr------- d:\program files\Skype
2009-02-26 13:10 . 2009-02-26 13:10 <DIR> d-------- d:\program files\Common Files\Skype
2009-02-24 15:50 . 2009-03-01 07:27 <DIR> d-------- d:\users\Shantam\AppData\Roaming\LimeWire
2009-02-24 15:48 . 2009-02-24 15:47 410,984 --a------ d:\windows\System32\deploytk.dll
2009-02-24 15:47 . 2009-02-24 15:47 <DIR> d-------- d:\program files\Java
2009-02-22 17:36 . 2009-02-22 17:36 <DIR> d-------- d:\program files\Tally9.1 Full
2009-02-22 12:40 . 2009-02-24 08:29 <DIR> d-------- D:\Tally
2009-02-22 12:17 . 2009-02-22 12:34 <DIR> d-------- d:\users\All Users\kBilling
2009-02-22 12:17 . 2009-02-22 12:34 <DIR> d-------- d:\programdata\kBilling
2009-02-22 12:17 . 2009-02-22 12:17 <DIR> d-------- d:\program files\kBilling
2009-02-22 12:17 . 2008-01-06 05:39 558,592 --a------ d:\windows\System32\sqlite3odbc.dll
2009-02-21 09:47 . 2009-02-22 12:17 191 --a------ d:\windows\ODBCINST.INI
2009-02-21 09:47 . 2009-02-22 12:17 145 --a------ d:\windows\ODBC.INI
2009-02-20 10:40 . 2008-12-05 10:02 428,544 --a------ d:\windows\System32\EncDec.dll
2009-02-20 10:40 . 2008-12-05 10:02 293,376 --a------ d:\windows\System32\psisdecd.dll
2009-02-20 10:40 . 2008-12-05 10:01 217,088 --a------ d:\windows\System32\psisrndr.ax
2009-02-20 10:40 . 2008-12-05 10:01 177,664 --a------ d:\windows\System32\mpg2splt.ax
2009-02-20 10:40 . 2008-12-05 10:01 80,896 --a------ d:\windows\System32\MSNP.ax
2009-02-12 10:34 . 2009-01-15 09:06 1,383,424 --a------ d:\windows\System32\mshtml.tlb
2009-02-12 10:34 . 2009-01-15 11:41 827,392 --a------ d:\windows\System32\wininet.dll
2009-02-10 19:09 . 2009-03-01 11:54 <DIR> d-------- d:\program files\SpeedBit Video Accelerator
2009-02-10 18:59 . 2009-02-27 19:00 <DIR> d-a------ d:\users\All Users\TEMP
2009-02-10 18:59 . 2009-03-01 10:54 <DIR> d-------- d:\users\All Users\SpeedBit
2009-02-10 18:59 . 2009-02-27 19:00 <DIR> d-a------ d:\programdata\TEMP
2009-02-10 18:59 . 2009-03-01 10:54 <DIR> d-------- d:\programdata\SpeedBit
2009-02-10 18:59 . 2009-03-01 11:54 <DIR> d-------- d:\program files\DAP
2009-02-10 18:59 . 2009-02-10 18:59 479,298 --a------ d:\windows\System32\wbocx.ocx
2009-02-10 18:59 . 2009-02-10 18:59 172,032 --a------ d:\windows\System32\AniGIF.ocx
2009-02-10 18:59 . 2009-02-10 18:59 50,688 --a------ d:\windows\System32\wbhelp2.dll
2009-02-09 13:50 . 2009-02-09 13:50 <DIR> d-------- d:\program files\Microsoft Network Monitor 3
2009-02-08 12:54 . 2009-02-08 13:13 <DIR> d-------- d:\users\Shantam\AppData\Roaming\MRTalk
2009-02-08 12:54 . 2009-02-08 12:54 <DIR> d-------- d:\program files\MediaRing
2009-02-06 20:27 . 2009-02-06 20:45 <DIR> d--h----- d:\program files\Zero G Registry
2009-02-06 20:27 . 2009-03-01 09:07 <DIR> d-------- d:\program files\Britannica 9.0
2009-02-06 20:26 . 2009-02-06 20:26 <DIR> d--h----- d:\users\Shantam\InstallAnywhere
2009-02-05 08:53 . 2009-02-05 08:53 <DIR> d-------- d:\users\Shantam\AppData\Roaming\MessengerGadget

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 16:38 41,621 ----a-w d:\users\Shantam\AppData\Roaming\nvModes.dat
2009-03-03 14:18 --------- d-----w d:\users\Shantam\AppData\Roaming\uTorrent
2009-03-03 05:39 --------- d-----w d:\program files\QuoteTracker
2009-03-01 05:16 --------- d-----w d:\programdata\Norton
2009-02-26 13:36 --------- d-----w d:\users\Shantam\AppData\Roaming\vlc
2009-02-26 09:15 --------- d-----w d:\program files\Realtek
2009-02-22 07:10 --------- d--h--w d:\program files\InstallShield Installation Information
2009-02-13 03:15 --------- d-----w d:\programdata\Microsoft Help
2009-02-13 03:14 --------- d-----w d:\program files\Windows Mail
2009-02-03 13:35 --------- d-----w d:\program files\Microsoft
2009-02-03 13:34 --------- d-----w d:\program files\Microsoft Silverlight
2009-02-03 06:24 --------- d-----w d:\program files\MSBuild
2009-02-03 06:24 --------- d-----w d:\program files\Microsoft Works
2009-02-03 06:21 --------- d-----w d:\program files\Microsoft.NET
2009-02-03 06:18 --------- d-----w d:\program files\Microsoft Visual Studio 8
2009-02-01 10:15 --------- d-----w d:\programdata\WindowsSearch
2009-01-31 06:01 --------- d-----w d:\program files\Microsoft Games
2009-01-31 05:59 --------- d-----w d:\program files\BitLocker
2009-01-31 03:04 0 ---ha-w d:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-01-30 15:06 --------- d-----w d:\program files\uTorrent
2009-01-30 14:57 --------- d-----w d:\program files\VideoLAN
2009-01-30 14:53 --------- d-----w d:\users\Shantam\AppData\Roaming\Foxit
2009-01-30 14:53 --------- d-----w d:\program files\Foxit Software
2009-01-30 14:43 --------- d-----w d:\programdata\Symantec
2009-01-30 14:41 --------- d-----w d:\programdata\NortonInstaller
2009-01-30 14:31 --------- d-----w d:\users\Shantam\AppData\Roaming\InstallShield
2009-01-30 14:31 --------- d-----w d:\program files\RALINK
2009-01-30 14:22 0 ---ha-w d:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-01-30 14:22 --------- d-----w d:\program files\Synaptics
2009-01-30 14:20 --------- d-----w d:\users\Shantam\AppData\Roaming\TMP
2009-01-30 14:20 --------- d-----w d:\program files\Motorola
2009-01-30 14:20 --------- d-----w d:\program files\Marvell
2009-01-30 14:19 --------- d-----w d:\program files\Keyboard Manager
2009-01-30 14:16 --------- d-----w d:\program files\Intel
2009-01-30 14:13 319,456 ----a-w d:\windows\DIFxAPI.dll
2009-01-30 14:13 315,392 ----a-w d:\windows\HideWin.exe
2009-01-30 14:13 --------- d-----w d:\program files\Common Files\InstallShield
2009-01-13 21:38 288,768 ----a-w d:\windows\system32\drivers\srv.sys
2009-01-06 13:59 965,664 ----a-w d:\windows\System32\RtkPgExt.dll
2009-01-06 13:59 44,064 ----a-w d:\windows\System32\RtkCoInst.dll
2009-01-06 13:59 322,080 ----a-w d:\windows\System32\RtkApoApi.dll
2009-01-06 13:59 2,510,368 ----a-w d:\windows\System32\RtkAPO.dll
2009-01-06 13:37 2,261,024 ----a-w d:\windows\system32\drivers\RTKVHDA.sys
2008-12-10 19:15 1,645,568 ----a-w d:\windows\System32\connect.dll
2008-12-10 19:14 241,152 ----a-w d:\windows\System32\PortableDeviceApi.dll
2008-12-10 19:14 2,927,104 ----a-w d:\windows\explorer.exe
2008-12-10 19:11 712,704 ----a-w d:\windows\System32\WindowsCodecs.dll
2008-12-10 19:11 541,696 ----a-w d:\windows\AppPatch\AcLayers.dll
2008-12-10 19:11 52,736 ----a-w d:\windows\AppPatch\iebrshim.dll
2008-12-10 19:11 460,288 ----a-w d:\windows\AppPatch\AcSpecfc.dll
2008-12-10 19:11 425,472 ----a-w d:\windows\System32\PhotoMetadataHandler.dll
2008-12-10 19:11 4,240,384 ----a-w d:\windows\System32\GameUXLegacyGDFs.dll
2008-12-10 19:11 347,136 ----a-w d:\windows\System32\WindowsCodecsExt.dll
2008-12-10 19:11 28,672 ----a-w d:\windows\System32\Apphlpdm.dll
2008-12-10 19:11 2,154,496 ----a-w d:\windows\AppPatch\AcGenral.dll
2008-12-10 19:11 173,056 ----a-w d:\windows\AppPatch\AcXtrnal.dll
2008-12-10 19:10 296,960 ----a-w d:\windows\System32\gdi32.dll
2008-12-10 19:10 2,048 ----a-w d:\windows\System32\tzres.dll
2008-12-10 19:09 996,352 ----a-w d:\windows\System32\WMNetMgr.dll
2008-12-10 19:09 94,720 ----a-w d:\windows\System32\logagent.exe
2008-12-10 19:09 678,408 ----a-w d:\windows\System32\gpprefcl.dll
2008-12-10 19:09 2,868,736 ----a-w d:\windows\System32\mf.dll
2008-01-21 02:41 174 --sha-w d:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="d:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"Google Update"="d:\users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-01-30 133104]
"ehTray.exe"="d:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"WMPNSCFG"="d:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"googletalk"="d:\users\Shantam\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"VoxOx"="d:\program files\VoxOx\voxox.exe" [2009-02-21 5087232]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 d:\windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="d:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-01-06 6707744]
"Skytel"="d:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-01-06 1833504]
"Keyboard Manager Utility"="d:\program files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [2007-03-27 1359872]
"SMSERIAL"="d:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-06-11 1454080]
"SynTPEnh"="d:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"NvSvc"="d:\windows\system32\nvsvc.dll" [2007-05-22 86016]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-05-22 8433664]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-05-22 81920]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]

d:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - d:\program files\RALINK\Common\RaUI.exe [2009-01-30 942080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= d:\windows\system32\xvidvfw.dll

[HKLM\~\startupfolder\D:^Users^Shantam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=d:\users\Shantam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=d:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\D:^Users^Shantam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MediaRing Talk.lnk]
path=d:\users\Shantam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MediaRing Talk.lnk
backup=d:\windows\pss\MediaRing Talk.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 d:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-24 15:47 136600 d:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2D40C8DD-73C0-4F53-85C3-BFE9DF60634F}"= UDP:d:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{77E9FDB8-1A12-44E5-9A6D-688B539B090B}"= TCP:d:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{7FBB4549-192E-482D-B1DB-247763DBE7EF}"= TCP:6004|d:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{61DE8B5E-A213-4A4D-B222-013BDBDF7405}"= UDP:d:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{87CD0346-EA8C-45B1-9A26-A89B38316D7C}"= TCP:d:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{34B5FE4F-C343-4673-B269-C5FDBC694A6A}"= UDP:d:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A89AAA3B-5AD1-4D4E-8FC0-3F7EAD235DC5}"= TCP:d:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A645A130-9751-4109-B583-B31A8D73355F}"= d:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;d:\windows\System32\drivers\aswSP.sys [2009-03-01 114768]
R1 nm3;Microsoft Network Monitor 3 Driver;d:\windows\System32\drivers\nm3.sys [2008-09-10 50184]
R2 aswFsBlk;aswFsBlk;d:\windows\System32\drivers\aswFsBlk.sys [2009-03-01 20560]
R2 aswMonFlt;aswMonFlt;d:\windows\System32\drivers\aswMonFlt.sys [2009-03-01 51792]
R2 HFGService;Handsfree Headset Service;d:\windows\system32\svchost.exe -k bthaudiosvc [2008-01-21 21504]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;d:\windows\System32\drivers\netr73.sys [2008-10-21 497152]
S2 .norton2009Reset;Norton 2009 Reset;d:\programdata\Norton\Norton2009Reset.exe [2009-01-30 281625]
S3 BthAudioHF;BthAudioHF Service;d:\windows\System32\drivers\BthAudioHF.sys [2008-07-10 30208]
S3 ti21sony;ti21sony;d:\windows\System32\drivers\ti21sony.sys [2009-02-26 808448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
bthaudiosvc REG_MULTI_SZ HFGService

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cad5eca1-ef42-11dd-bd5f-bbf8710bc16d}]
\shell\AutoRun\command - H:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2009-03-03 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-288562864-4153202436-3229124400-1000.job
- d:\users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 20:23]

2009-03-03 d:\windows\Tasks\User_Feed_Synchronization-{27232AA5-5B9B-4310-A6F3-E322BDD49D97}.job
- d:\windows\system32\msfeedssync.exe [2008-01-21 07:53]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-DriverMax - d:\program files\Innovative Solutions\DriverMax\devices.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {B2659759-5804-46AB-AEE1-5988886259C9} = 208.67.220.220,208.67.222.222
FF - ProfilePath - d:\users\Shantam\AppData\Roaming\Mozilla\Firefox\Profiles\frcuxur1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
1 file(s) moved.
FF - component: d:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: d:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: d:\users\Shantam\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: d:\users\Shantam\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 06:58:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-03-04 7:00:31
ComboFix-quarantined-files.txt 2009-03-04 01:30:28

Pre-Run: 18,721,677,312 bytes free
Post-Run: 18,711,244,800 bytes free

283 --- E O F --- 2009-02-20 05:54:46





And here is my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:06:16, on 04-03-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
D:\Windows\system32\Dwm.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Windows\system32\notepad.exe
D:\Windows\explorer.exe
D:\Program Files\RALINK\Common\RaUI.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Users\Shantam\Downloads\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] D:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "D:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [SMSERIAL] D:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Google Update] "D:\Users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [googletalk] D:\Users\Shantam\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [VoxOx] D:\Program Files\VoxOx\voxox.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = D:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2659759-5804-46AB-AEE1-5988886259C9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - D:\Windows\System32\DreamScene.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - D:\ProgramData\Norton\Norton2009Reset.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 5607 bytes


I don't see much change in my PC: Vimax ads are still there and Windows Update is still not able to connect; only the startup has got faster.

#8 Lanny25

Lanny25
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Male
  • Location:India
  • Local time:10:45 PM

Posted 04 March 2009 - 04:03 AM

Hello sundavis, I have just noticed that Windows Update is able to download updates now, and the Vimax ads have also disappeared.

#9 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:10:45 PM

Posted 04 March 2009 - 04:19 AM

Hi Lanny25,

Glad to hear that. I will give you my new instructions ASAP.

#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:10:45 PM

Posted 04 March 2009 - 09:16 AM

Hi Lanny25,




Step1


I notice you have MBAM installed in your system. Please go to Here to download the new virus definition and install manually.
After that, do the following as instructed below.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Step2

1. Please run HijackThis! and click "Do a system scan only." Place checks next to the following entries (if present):


O17 - HKLM\System\CCS\Services\Tcpip\..\{B2659759-5804-46AB-AEE1-5988886259C9}: NameServer = 208.67.220.220,208.67.222.222 (Did you place this OpenDNS by yourself? If not, Fix Checked this)
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - D:\ProgramData\Norton\Norton2009Reset.exe

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Restart your pc.

Go to start> Run>copy/paste the following in the run box and click "OK"

sc delete ".norton2009Reset"

and delete this file in the following:

D:\ProgramData\Norton\Norton2009Reset.exe


Step3


Older versions of Java have vulnerabilities that malicious sites can exploit to infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 12...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) the following Java Runtime Environment (JRE or J2SE) in the name, and the following update:
    • Java™ 6 Update 11
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.

Step4


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step5


Please do an online scan with Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.---><Vista user, Please right click on Internet Explorer and click Run as administrator>
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When the database update has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.



Please post back the logs in your next reply.

1.MBAM log
2.KAS Scan Report
3.Fresh HJT log

Tell me how things are going now.

#11 Lanny25

Lanny25
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:10:45 PM

Posted 04 March 2009 - 08:19 PM

Here is my MBAM Log

Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 6.0.6001 Service Pack 1

04-03-2009 20:00:34
mbam-log-2009-03-04 (20-00-34).txt

Scan type: Quick Scan
Objects scanned: 58664
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Windows\System32\gaopdxqntsqdhn.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Windows\System32\drivers\gaopdxmxuwrtpc.sys (Trojan.Agent) -> Quarantined and deleted successfully.


Step2

1. Please run HijackThis! and click "Do a system scan only." Place checks next to the following entries (if present):


O17 - HKLM\System\CCS\Services\Tcpip\..\{B2659759-5804-46AB-AEE1-5988886259C9}: NameServer = 208.67.220.220,208.67.222.222 (Did you set these OpenDNS servers yourself? If not, Fix Checked this entry.)
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - D:\ProgramData\Norton\Norton2009Reset.exe

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Restart your pc.



When I ran a system scan, HJT only showed me the first entry, with the OpenDNS name servers. As I had set them myself, I did not fix this. The other two entries were not present, so HJT had nothing to do and no log was produced.

Go to Start > Run, copy/paste the following into the Run box and click "OK":

sc delete ".norton2009Reset"

and delete this file in the following:

D:\ProgramData\Norton\Norton2009Reset.exe


Done the above.


Here is my KAS Scan Report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, March 5, 2009
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, March 04, 2009 14:26:20
Records in database: 1868383
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 95134
Threat name: 1
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:40:10


File name / Threat name / Threats count
D:\Qoobox\Quarantine\C\RECYCLER\S-2-3-79-100028888-100026975-100010057-2789.com.vir Infected: Packed.Win32.Tdss.c 1
D:\Qoobox\Quarantine\E\RECYCLER\S-2-3-79-100028888-100026975-100010057-2789.com.vir Infected: Packed.Win32.Tdss.c 1
D:\Qoobox\Quarantine\F\RECYCLER\S-2-3-79-100028888-100026975-100010057-2789.com.vir Infected: Packed.Win32.Tdss.c 1

The selected area was scanned.


Here is my Fresh HJT Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:20:30, on 05-03-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
D:\Windows\system32\Dwm.exe
D:\Windows\Explorer.EXE
D:\Windows\system32\taskeng.exe
D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
D:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
D:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe
D:\Windows\ehome\ehtray.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Users\Shantam\AppData\Roaming\Google\Google Talk\googletalk.exe
D:\Program Files\RALINK\Common\RaUI.exe
D:\Windows\ehome\ehmsas.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\MediaRing\MediaRing Talk\mrtalk.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\uTorrent\uTorrent.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Users\Shantam\Downloads\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] D:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "D:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [SMSERIAL] D:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Google Update] "D:\Users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [googletalk] D:\Users\Shantam\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - Global Startup: Ralink Wireless Utility.lnk = D:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2659759-5804-46AB-AEE1-5988886259C9}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - D:\Windows\System32\DreamScene.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 5997 bytes



My computer is running fine now and I see no problems with it yet.

Edited by Lanny25, 04 March 2009 - 08:52 PM.
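The two entries sundavis asked to have checked in the quoted step above, an O17 NameServer value under a non-current control set and an O23 service with no publisher, are exactly the lines worth pulling out of a HijackThis log automatically rather than by eye. The Python below is an added example, not part of this thread and not HijackThis code: it parses the O17/O23 line format as printed in the logs above, flags resolvers that are not on an allowlist (here the OpenDNS pair Lanny25 says he set himself), flags services HJT reports as "Unknown owner", and builds the same `sc delete` command the helper used for the Norton2009Reset service. The allowlist, the sample lines (constructed from entries quoted in this thread) and the expansion of HJT's CCS/CS3 abbreviations to CurrentControlSet/ControlSet003 are this example's assumptions.

```python
import re

# Resolvers the poster states he configured himself (assumption taken from the thread).
TRUSTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# HijackThis abbreviates the control set inside O17 keys: CCS = CurrentControlSet,
# CS3 = ControlSet003 and so on (assumed convention, see lead-in).
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,\s]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
CS_RE = re.compile(r"\\(CCS|CS\d+)\\")

# Constructed sample, built from the O17/O23 lines quoted in the thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2659759-5804-46AB-AEE1-5988886259C9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - D:\ProgramData\Norton\Norton2009Reset.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def control_set(key):
    """Expand HJT's CCS/CSn abbreviation in an O17 key to the registry key name."""
    m = CS_RE.search(key)
    if not m:
        return None
    tag = m.group(1)
    return "CurrentControlSet" if tag == "CCS" else f"ControlSet{int(tag[2:]):03d}"


def service_short_name(display_name):
    """HJT prints 'Display Name (ShortName)'; sc.exe wants the short name."""
    m = re.search(r"\(([^()]+)\)\s*$", display_name)
    return m.group(1) if m else display_name


def triage(log_text, trusted=TRUSTED_RESOLVERS):
    """Return O17 entries with resolvers outside the allowlist and O23 entries with no owner."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m["servers"].split(",") if s.strip()]
            rogue = [s for s in servers if s not in trusted]
            if rogue:
                findings.append({"kind": "O17", "control_set": control_set(m["key"]),
                                 "key": m["key"], "resolvers": rogue})
            continue
        m = O23_RE.match(line)
        if m and m["owner"].strip().lower() == "unknown owner":
            short = service_short_name(m["name"])
            findings.append({"kind": "O23", "service": short, "path": m["path"],
                             "fix": f'sc delete "{short}"'})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The expanded control set name is carried in each O17 finding because a NameServer value that lives under ControlSet003 rather than CurrentControlSet is easy to overlook when only the active interface keys are inspected, and fixing the active set alone leaves the other copy in place.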


#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:45 PM

Posted 05 March 2009 - 10:50 AM

Hi Lanny25,


My computer is running fine now and I see no problems with it yet.

That sounds good. Any issues left? If not, let's do some tidying up.

Step1

Click START then RUN
Now copy/paste Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
Remember to delete RSIT and its folder, C:\rsit.

Step2

Click Start>Run>Type or Copy/paste the following command in the run box, then hit Enter to uninstall gmer.

%systemroot%\gmer_uninstall.cmd


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Use a Firewall

    I don't see any firewall in your HijackThis log, so I assume you use the Windows Vista firewall. Windows Vista includes a two-way firewall that has outbound filtering disabled by default. The best explanation was that it was too complicated for end users to use, so they had that feature turned off as well as hidden.
    To get started, just click on the Start Button and key in wf.msc and hit Enter. This will bring up the comprehensive Windows Firewall with Advanced Security management interface. Here you will be able to configure rules for incoming as well as outgoing connections. Otherwise, you can choose some free firewall in the following:

    FREE FIREWALLS
    • Kerio
    • Comodo (select to install the Firewall as a standalone product during installation)

    You can choose a free firewall from Here. For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Make your Internet Explorer more secure

    Please refer to this thread to configure Internet Explorer 7 properly.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Install a-squared Free - a-squared Free is a product from Emsi Software, provided free for private use, that can detect and remove a variety of malicious software. If you have a dial-up internet connection, you may also like to install a-squared Anti-Dialer, which provides some real-time protection against premium-rate dialers.

    A tutorial on installing & using this product can be found here:

    Clean your PC with a-squared Free

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!

#13 Lanny25

Lanny25
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:10:45 PM

Posted 05 March 2009 - 11:28 AM

Hello sundavis, I still have a problem. When I ran a Spybot scan just now it detected the malware shown in the attached image, which means that I am not yet completely clean. Please help me to remove this malware. (Attached file: Spybot.jpg)

#14 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:45 PM

Posted 06 March 2009 - 07:27 PM

Hi Lanny25,



Step1

Use Windows Explorer to find and delete this file (if found):

D:\WINDOWS\system32\gaopdxcounter

After that, Reboot your pc twice.



Step2

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

@Echo off
REM Dump the Select key: its Current/Default/LastKnownGood values say which ControlSet00N is in use
reg query "HKEY_LOCAL_MACHINE\SYSTEM\Select" >> D:\look.txt
REM Open the result in the default text editor
START D:\look.txt

Name the file check.bat, making sure Save as type is set to "All Files".
Double click on check.bat and allow it to run. Copy and paste the content in your next reply. (If the file does not open, look for it at D:\look.txt.)



Step3


Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" , and copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.





In your next reply, please post back:


1.Gmer.txt
2.Look.txt
3.New HJT log

Tell me how things went.

#15 Lanny25

Lanny25
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:10:45 PM

Posted 06 March 2009 - 09:56 PM

Deleted File D:\WINDOWS\system32\gaopdxcounter and rebooted twice.

Here is my Gmer.txt


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-07 08:23:20
Windows 6.0.6001 Service Pack 1


---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service system32\drivers\gaopdxcemegrti.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b00026
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b00026@00025b81e471 0xD7 0x14 0x77 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b00026@00025b52db10 0x82 0x50 0xCB 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b00026@080625800517 0x06 0x3D 0x5D 0xF4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxcemegrti.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxcemegrti.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxqpcpviry.dll
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272b00026
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272b00026@00025b81e471 0xD7 0x14 0x77 0x36 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272b00026@00025b52db10 0x82 0x50 0xCB 0xE6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272b00026@080625800517 0x06 0x3D 0x5D 0xF4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxcemegrti.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxcemegrti.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxqpcpviry.dll

---- Files - GMER 1.0.14 ----

File D:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RAC230B.tmp 0 bytes
File D:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACBBC0.tmp 0 bytes

---- EOF - GMER 1.0.14 ----


Here is my Look.txt



HKEY_LOCAL_MACHINE\SYSTEM\Select
Current REG_DWORD 0x1
Default REG_DWORD 0x1
Failed REG_DWORD 0x0
LastKnownGood REG_DWORD 0x3


Here is my New HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:25:27, on 07-03-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
D:\Windows\system32\Dwm.exe
D:\Windows\Explorer.EXE
D:\Windows\system32\taskeng.exe
D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
D:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
D:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
D:\Program Files\CyberLink\Shared Files\brs.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe
D:\Windows\ehome\ehtray.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Users\Shantam\AppData\Roaming\Google\Google Talk\googletalk.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\RALINK\Common\RaUI.exe
D:\Windows\ehome\ehmsas.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Windows\system32\taskeng.exe
D:\Users\Shantam\Downloads\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] D:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] D:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "D:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [SMSERIAL] D:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl9] "D:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] D:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Google Update] "D:\Users\Shantam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [googletalk] D:\Users\Shantam\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Ralink Wireless Utility.lnk = D:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2659759-5804-46AB-AEE1-5988886259C9}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - D:\Windows\System32\DreamScene.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 6475 bytes

Things went just fine.



