
Website blocks and cannot enable view hidden files


  • This topic is locked
19 replies to this topic

#1 bets777


  • Members
  • 9 posts
  • Gender:Male

Posted 16 April 2009 - 02:00 AM

OK, so every time I click on a search result on Google, I get redirected. The worst part is I can't even access antispyware sites.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:29 AM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8659 bytes

Edited by bets777, 16 April 2009 - 10:33 PM.



#2 KoanYorel


    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 01 May 2009 - 09:51 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 bets777

  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male

Posted 03 May 2009 - 11:51 PM

I have run ComboFix and I no longer get redirected to random sites, but I still cannot access anti-spyware sites like spywaredb.com, nor can I enable "view hidden files" in my folder options.

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\admin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /S
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoSMHelp = 30
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: StartMenuLogoff = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with GetRight Pro - c:\program files\getright\GRdownload.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\8dl4wzc5.default\
FF - component: c:\documents and settings\admin\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM1.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM2.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM3.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM4.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM5.dll
FF - plugin: c:\program files\opera\program\plugins\nppdf32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-10-4 15424]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2008-10-4 549256]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-8 24652]
S2 zntksqrc;Driver Shell;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2009-4-7 29184]

=============== Created Last 30 ================

2009-04-28 22:23 <DIR> --d----- C:\!KillBox
2009-04-15 23:44 <DIR> --d----- c:\program files\Trend Micro
2009-04-15 23:29 <DIR> a-dshr-- C:\cmdcons
2009-04-15 23:26 161,792 a------- c:\windows\SWREG.exe
2009-04-15 23:26 98,816 a------- c:\windows\sed.exe
2009-04-15 23:16 <DIR> --d----- c:\docume~1\admin\applic~1\True Sword
2009-04-15 23:13 356,352 a------- c:\windows\eSellerateEngine.dll
2009-04-15 23:13 81,920 a------- c:\windows\eSellerateControl350.dll
2009-04-15 23:13 <DIR> --d----- c:\program files\True Sword 5
2009-04-11 00:58 <DIR> --d----- C:\fixwareout
2009-04-10 17:33 <DIR> --d----- c:\windows\system32\xircom
2009-04-10 16:18 <DIR> --d----- c:\windows\system32\scripting
2009-04-10 16:18 <DIR> --d----- c:\windows\l2schemas
2009-04-10 16:18 <DIR> --d----- c:\windows\system32\bits
2009-04-10 16:10 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-07 20:25 42,496 a------- c:\windows\system32\libusb0.dll
2009-04-07 20:25 29,184 a------- c:\windows\system32\drivers\libusb0.sys
2009-04-06 14:09 754 a------- c:\windows\WORDPAD.INI
2009-04-04 08:02 <DIR> --d----- c:\program files\Winnydows

==================== Find3M ====================

2009-04-10 16:33 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-26 08:35 210,352 a------- c:\windows\system32\idmmbc.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-19 21:19 34 a------- c:\documents and settings\admin\jagex_runescape_preferences.dat
2008-10-04 19:38 94,080 a------- c:\docume~1\admin\applic~1\ezplay.sys
2008-10-04 19:38 87,608 a------- c:\docume~1\admin\applic~1\ezpinst.exe
2008-10-04 19:38 47,360 a------- c:\docume~1\admin\applic~1\pcouffin.sys

============= FINISH: 21:47:36.46 ===============


Edited by bets777, 03 May 2009 - 11:52 PM.


#4 sundavis


  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 04 May 2009 - 11:50 AM

Hi bets777,


Due to the warning from the developer of ComboFix, this tool should not be run by oneself unsupervised. Sometimes it will result in an unbootable machine. Since you have run it, may I see the log in C:\combofix.txt if it's still available.


Step 1
  • Please download GooredFix and save it to your Desktop.
  • Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Note: Do not run Option #2 yet.


Step 2

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" , and copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Step 3
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

In your next reply, please post back:

1. GooredFix log
2. GMER log
3. RSIT log.txt and info.txt. Thanks.

#5 bets777

  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male

Posted 04 May 2009 - 11:35 PM

Here is my ComboFix log.

ComboFix 09-04-28.02 - Admin 04/28/2009 15:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.608 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-16 06:44 . 2009-04-16 06:44 -------- d-----w c:\program files\Trend Micro
2009-04-16 06:16 . 2009-04-16 06:16 -------- d-----w c:\documents and settings\Admin\Application Data\True Sword
2009-04-16 06:13 . 2005-10-11 21:40 356352 ----a-w c:\windows\eSellerateEngine.dll
2009-04-16 06:13 . 2003-06-06 18:21 81920 ----a-w c:\windows\eSellerateControl350.dll
2009-04-16 06:13 . 2009-04-16 06:16 -------- d-----w c:\program files\True Sword 5
2009-04-11 07:58 . 2009-04-11 20:50 -------- d-----w C:\fixwareout
2009-04-11 00:33 . 2009-04-11 00:33 -------- d-----w c:\windows\system32\xircom
2009-04-11 00:33 . 2009-04-11 00:33 -------- d-----w c:\program files\microsoft frontpage
2009-04-10 23:18 . 2009-04-10 23:18 -------- d-----w c:\windows\system32\scripting
2009-04-10 23:18 . 2009-04-10 23:18 -------- d-----w c:\windows\l2schemas
2009-04-10 23:18 . 2009-04-10 23:18 -------- d-----w c:\windows\system32\bits
2009-04-10 23:10 . 2009-04-10 23:10 -------- d-----w c:\windows\ServicePackFiles
2009-04-08 03:26 . 2009-04-08 03:26 -------- d-----w c:\program files\DIFX
2009-04-08 03:25 . 2006-05-30 14:53 42496 ----a-w c:\windows\system32\libusb0.dll
2009-04-08 03:25 . 2006-05-30 14:53 29184 ----a-w c:\windows\system32\drivers\libusb0.sys
2009-04-04 16:35 . 2009-04-04 16:35 -------- d-----w c:\documents and settings\Admin\Local Settings\Application Data\Winnydows
2009-04-04 15:02 . 2009-04-04 15:02 -------- d-----w c:\program files\Winnydows
2009-04-03 13:24 . 2009-03-26 15:35 210352 ----a-w c:\windows\system32\idmmbc.dll
2009-04-02 06:46 . 2008-04-13 18:45 32128 ----a-w c:\windows\system32\drivers\usbccgp.sys
2009-04-02 06:06 . 2008-08-15 05:35 -------- d-----w C:\mspformat
2009-04-02 06:06 . 2008-08-15 05:35 -------- d-----w C:\msinst
2009-04-02 03:44 . 2005-07-18 18:25 59904 ----a-w c:\windows\system32\zlib1.dll
2009-04-02 03:36 . 2009-04-02 03:36 -------- d-----w c:\program files\Delta

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 01:28 . 2009-03-08 01:52 -------- d-----w c:\program files\Internet Download Manager
2009-04-13 06:55 . 2008-10-05 15:06 77208 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 03:54 . 2009-01-09 02:30 -------- d-----w c:\program files\StepMania
2009-04-13 02:11 . 2008-10-05 02:30 -------- d-----w c:\program files\Opera
2009-04-11 01:31 . 2009-01-04 02:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-10 23:33 . 2008-10-05 01:15 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-02 00:06 . 2008-10-10 02:58 -------- d-----w c:\program files\Java
2009-03-11 08:54 . 2008-10-05 02:14 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 08:38 . 2009-03-11 08:38 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-03-10 02:56 . 2008-12-25 06:14 -------- d-----w c:\program files\Counter-Strike 1.6
2009-03-10 02:52 . 2008-10-09 06:37 -------- d-----w c:\program files\Warcraft III
2009-03-09 12:19 . 2009-03-14 18:44 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-15 21:05 . 2009-02-01 06:58 736 ----a-w c:\windows\eReg.dat
2009-02-02 02:54 . 2009-02-02 02:54 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-05 19:56 . 1601-01-01 00:12 99007 --sha-w c:\windows\system32\hebeferi.dll
1601-01-01 00:12 . 1601-01-01 00:12 69243 --sha-w c:\windows\system32\jasadiwi.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 69243 --sha-w c:\windows\system32\midamuhi.dll.tmp
2006-12-28 05:48 . 2006-12-28 05:48 162423 --sha-r c:\windows\system32\qzvfb.dll
1601-01-01 00:12 . 1601-01-01 00:12 69243 --sha-w c:\windows\system32\zerakede.dll.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_06.39.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 22:28 . 2009-04-28 22:28 16384 c:\windows\Temp\Perflib_Perfdata_788.dat
+ 2009-04-28 22:28 . 2009-04-28 22:28 16384 c:\windows\Temp\Perflib_Perfdata_6e0.dat
+ 2008-10-05 01:09 . 2004-08-04 04:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2008-10-10 10:47 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat
+ 2008-10-10 10:47 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-19 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-04-03 2794928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 163840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-10-05 950664]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2006-10-30 2287152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-12-08 1253376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-10-16 124928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-07 04:16 176128 ----a-w c:\program files\Stardock\Object Desktop\Windowblinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\betsbreezy\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\usnsvc.exe"=
"c:\\Program Files\\Eset\\nod32krn.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"30110:TCP"= 30110:TCP:Azureus 1
"7197:TCP"= 7197:TCP:tgjzaig

R2 zntksqrc;Driver Shell;c:\windows\system32\svchost.exe [2008-04-14 14336]
R3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\DRIVERS\libusb0.sys [2006-05-30 29184]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-10-05 15424]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zntksqrc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Windows Sidebar]
c:\windows\system32\hidec /W c:\vaio\Tools\REGTLIB.EXE "c:\program files\Windows Sidebar\sidebar.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"c:\program files\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"c:\program files\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s c:\vaio\.\vshellext.dll
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1202660629-1060284298-1003.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 23:10]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm
LSP: c:\windows\system32\imon.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\8dl4wzc5.default\
FF - component: c:\documents and settings\Admin\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Opera\program\plugins\NP_IDM1.dll
FF - plugin: c:\program files\Opera\program\plugins\NP_IDM2.dll
FF - plugin: c:\program files\Opera\program\plugins\NP_IDM3.dll
FF - plugin: c:\program files\Opera\program\plugins\NP_IDM4.dll
FF - plugin: c:\program files\Opera\program\plugins\NP_IDM5.dll
FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 15:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0d809737-fa53-423f-a890-0df43ba35b23}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005f
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ce,5a,45,40,a6,49,2a,3f,d9,49,df,c2,6d,17,6c,4b,46,28,ec,18,f1,
fe,45,df,d4,f3,97,c5,26,26,50,34,87,ba,37,2b,3e,ac,43,f4,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\program files\Stardock\Object Desktop\Windowblinds\wbsrv.dll

- - - - - - - > 'lsass.exe'(632)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(1272)
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
.
Completion time: 2009-04-28 15:50
ComboFix-quarantined-files.txt 2009-04-28 22:49
ComboFix2.txt 2009-04-28 06:15
ComboFix3.txt 2009-04-16 06:47

Pre-Run: 5,481,308,160 bytes free
Post-Run: 5,478,248,448 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
214 --- E O F --- 2009-04-10 23:55


Here is my GMER log.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-04 21:32:16
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spca.sys ZwCreateKey [0xF739F0E0]
SSDT spca.sys ZwEnumerateKey [0xF73BDCA2]
SSDT spca.sys ZwEnumerateValueKey [0xF73BE030]
SSDT spca.sys ZwOpenKey [0xF739F0C0]
SSDT spca.sys ZwQueryKey [0xF73BE108]
SSDT spca.sys ZwQueryValueKey [0xF73BDF88]
SSDT spca.sys ZwSetValueKey [0xF73BE19A]

INT 0x35 ? 869A0F00
INT 0x3B ? 869A0F00
INT 0x3E ? 86BDBBF8
INT 0x3F ? 86BDBBF8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86BDA1F8

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )

Device \Driver\PCI_PNP4208 \Device\00000042 spca.sys
Device \Driver\usbohci \Device\USBPDO-0 868EE500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86B6E1F8
Device \Driver\dmio \Device\DmControl\DmConfig 86B6E1F8
Device \Driver\dmio \Device\DmControl\DmPnP 86B6E1F8
Device \Driver\dmio \Device\DmControl\DmInfo 86B6E1F8
Device \Driver\usbehci \Device\USBPDO-1 8699F500
Device \Driver\usbohci \Device\USBPDO-2 868EE500
Device \Driver\Ftdisk \Device\HarddiskVolume1 86BDC1F8
Device \Driver\Cdrom \Device\CdRom0 86A151F8
Device \Driver\Cdrom \Device\CdRom1 86A151F8
Device \Driver\Cdrom \Device\CdRom2 86A151F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 864561F8
Device \Driver\NetBT \Device\NetbiosSmb 864561F8
Device \Driver\usbohci \Device\USBFDO-0 868EE500
Device \Driver\usbohci \Device\USBFDO-1 868EE500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 863931F8
Device \Driver\usbehci \Device\USBFDO-2 8699F500
Device \Driver\sptd \Device\2279515216 spca.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector 863931F8
Device \Driver\Ftdisk \Device\FtControl 86BDC1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2933C275-BB27-4A6D-9BE9-A509FB35265E} 864561F8
Device \Driver\aoc1zn43 \Device\Scsi\aoc1zn431Port2Path0Target0Lun0 868761F8
Device \Driver\aoc1zn43 \Device\Scsi\aoc1zn431 868761F8
Device \FileSystem\Cdfs \Cdfs 864FF500

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] zntksqrc <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcbgrkcgwwulxnaoykturrjxboxhijmgfv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcbgrkcgwwulxnaoykturrjxboxhijmgfv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcmsqtolkromqukvrndyiauqajolotgktb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC0 0xAC 0x65 0xE8 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCB 0xB9 0x43 0x56 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0x4E 0x38 0xCB ...
Reg HKLM\SYSTEM\ControlSet001\Services\zntksqrc@DisplayName Driver Shell
Reg HKLM\SYSTEM\ControlSet001\Services\zntksqrc@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\zntksqrc@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\zntksqrc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\zntksqrc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\zntksqrc@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\zntksqrc@Description Provides launch functionality for DCOM services.
Reg HKLM\SYSTEM\ControlSet001\Services\zntksqrc\Parameters
Reg HKLM\SYSTEM\ControlSet001\Services\zntksqrc\Parameters@ServiceDll C:\WINDOWS\system32\qzvfb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcbgrkcgwwulxnaoykturrjxboxhijmgfv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcbgrkcgwwulxnaoykturrjxboxhijmgfv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcmsqtolkromqukvrndyiauqajolotgktb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC0 0xAC 0x65 0xE8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCB 0xB9 0x43 0x56 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0x4E 0x38 0xCB ...
Reg HKLM\SYSTEM\ControlSet002\Services\zntksqrc@DisplayName Driver Shell
Reg HKLM\SYSTEM\ControlSet002\Services\zntksqrc@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\zntksqrc@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\zntksqrc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\zntksqrc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\zntksqrc@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\zntksqrc@Description Provides launch functionality for DCOM services.
Reg HKLM\SYSTEM\ControlSet002\Services\zntksqrc\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\zntksqrc\Parameters@ServiceDll C:\WINDOWS\system32\qzvfb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC0 0xAC 0x65 0xE8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCB 0xB9 0x43 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0x4E 0x38 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\zntksqrc@DisplayName Driver Shell
Reg HKLM\SYSTEM\CurrentControlSet\Services\zntksqrc@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\zntksqrc@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\zntksqrc@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zntksqrc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\zntksqrc@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\zntksqrc@Description Provides launch functionality for DCOM services.
Reg HKLM\SYSTEM\CurrentControlSet\Services\zntksqrc\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\zntksqrc\Parameters@ServiceDll C:\WINDOWS\system32\qzvfb.dll
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC0 0xAC 0x65 0xE8 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCB 0xB9 0x43 0x56 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0x4E 0x38 0xCB ...
Reg HKLM\SYSTEM\ControlSet004\Services\zntksqrc@DisplayName Driver Shell
Reg HKLM\SYSTEM\ControlSet004\Services\zntksqrc@Type 32
Reg HKLM\SYSTEM\ControlSet004\Services\zntksqrc@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\zntksqrc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\zntksqrc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\zntksqrc@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\zntksqrc@Description Provides launch functionality for DCOM services.
Reg HKLM\SYSTEM\ControlSet004\Services\zntksqrc\Parameters
Reg HKLM\SYSTEM\ControlSet004\Services\zntksqrc\Parameters@ServiceDll C:\WINDOWS\system32\qzvfb.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG08.00.00.01WORKSTATION
Reg HKLM\SOFTWARE\Classes\CLSID\{0d809737-fa53-423f-a890-0df43ba35b23}@Model 95
Reg HKLM\SOFTWARE\Classes\CLSID\{0d809737-fa53-423f-a890-0df43ba35b23}@Therad 30
Reg HKLM\SOFTWARE\Classes\CLSID\{0d809737-fa53-423f-a890-0df43ba35b23}@MData 0x2B 0x8F 0x78 0x29 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33f4e7e7-9619-40ac-ac00-4cdb4b7198a7}@Model 121
Reg HKLM\SOFTWARE\Classes\CLSID\{33f4e7e7-9619-40ac-ac00-4cdb4b7198a7}@Therad 1
Reg HKLM\SOFTWARE\Classes\CLSID\{33f4e7e7-9619-40ac-ac00-4cdb4b7198a7}@MData 0x73 0xD5 0xCF 0xB8 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0xCE 0x5A 0x45 0x40 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x62 0x6D 0x4D 0x11 ...

---- EOF - GMER 1.0.15 ----


Here is my RSIT log.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Admin at 2009-05-04 21:32:58
Microsoft Windows XP Professional Service Pack 3
System drive C: has 4 GB (9%) free of 39 GB
Total RAM: 1007 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:04 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX00.109\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7904 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1202660629-1060284298-1003.job
C:\WINDOWS\tasks\kfcelznj.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-10-20 737776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"=C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe [2006-10-04 163840]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2008-10-04 950664]
"RegistryMechanic"=C:\Program Files\Registry Mechanic\RegMech.exe [2006-10-30 2287152]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-11-16 139264]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-10-21 50472]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2007-10-18 5724184]
"Google Update"=C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 133104]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll [2005-12-06 176128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoResolveTrack"=1
"NoResolveSearch"=1
"ForceStartMenuLogoff"=0
"NoStartMenuPinnedList"=1
"NoSMConfigurePrograms"=1
"NoUserNameInStartMenu"=1
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Valve\Steam\steamapps\betsbreezy\counter-strike\hl.exe"="C:\Program Files\Valve\Steam\steamapps\betsbreezy\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"C:\WINDOWS\system32\taskmgr.exe"="C:\WINDOWS\system32\taskmgr.exe:*:Enabled:taskmgr"
"C:\Program Files\Windows Live\Messenger\usnsvc.exe"="C:\Program Files\Windows Live\Messenger\usnsvc.exe:*:Enabled:usnsvc"
"C:\Program Files\Eset\nod32krn.exe"="C:\Program Files\Eset\nod32krn.exe:*:Enabled:nod32krn"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
shell\AutoRun\command - I:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a7f0510-24c1-11de-ab25-000d8755d45e}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a7f0511-24c1-11de-ab25-000d8755d45e}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn


======List of files/folders created in the last 3 months======

65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\zerakede.dll.tmp
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\midamuhi.dll.tmp
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\jasadiwi.dll.tmp
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\hebeferi.dll
2009-05-04 21:32:58 ----D---- C:\rsit
2009-04-28 22:23:52 ----D---- C:\!KillBox
2009-04-28 22:22:09 ----SHD---- C:\Config.Msi
2009-04-28 15:50:30 ----A---- C:\ComboFix.txt
2009-04-28 15:49:37 ----SHD---- C:\RECYCLER
2009-04-15 23:44:45 ----D---- C:\Program Files\Trend Micro
2009-04-15 23:29:16 ----A---- C:\Boot.bak
2009-04-15 23:29:11 ----RASHD---- C:\cmdcons
2009-04-15 23:26:20 ----A---- C:\WINDOWS\zip.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\vFind.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\SWSC.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\SWREG.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\sed.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\NIRCMD.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\grep.exe
2009-04-15 23:26:14 ----D---- C:\WINDOWS\ERDNT
2009-04-15 23:25:55 ----D---- C:\Qoobox
2009-04-15 23:25:40 ----A---- C:\log2.txt
2009-04-15 23:25:40 ----A---- C:\log1.txt
2009-04-15 23:16:46 ----D---- C:\Documents and Settings\Admin\Application Data\True Sword
2009-04-15 23:13:32 ----A---- C:\WINDOWS\eSellerateEngine.dll
2009-04-15 23:13:32 ----A---- C:\WINDOWS\eSellerateControl350.dll
2009-04-15 23:13:31 ----D---- C:\Program Files\True Sword 5
2009-04-11 00:58:50 ----D---- C:\fixwareout
2009-04-10 17:33:19 ----D---- C:\Program Files\xerox
2009-04-10 17:33:18 ----D---- C:\WINDOWS\system32\xircom
2009-04-10 17:33:17 ----D---- C:\Program Files\microsoft frontpage
2009-04-10 17:33:10 ----D---- C:\WINDOWS\Prefetch
2009-04-10 16:55:43 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-04-10 16:55:24 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-04-10 16:55:01 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-04-10 16:54:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-04-10 16:54:23 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-04-10 16:54:07 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-04-10 16:53:39 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-04-10 16:53:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-04-10 16:52:52 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-04-10 16:51:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-04-10 16:49:35 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-04-10 16:46:56 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-04-10 16:46:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-04-10 16:46:18 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-04-10 16:45:46 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-04-10 16:44:34 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-04-10 16:42:48 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-04-10 16:41:54 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-04-10 16:40:51 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-04-10 16:18:08 ----D---- C:\WINDOWS\system32\scripting
2009-04-10 16:18:04 ----D---- C:\WINDOWS\l2schemas
2009-04-10 16:18:03 ----D---- C:\WINDOWS\system32\bits
2009-04-10 16:10:49 ----D---- C:\WINDOWS\ServicePackFiles
2009-04-10 15:58:09 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-04-07 20:26:52 ----D---- C:\Program Files\DIFX
2009-04-07 20:25:36 ----A---- C:\WINDOWS\system32\libusb0.dll
2009-04-06 14:09:12 ----A---- C:\WINDOWS\WORDPAD.INI
2009-04-04 08:02:32 ----D---- C:\Program Files\Winnydows
2009-04-01 23:06:34 ----D---- C:\mspformat
2009-04-01 23:06:31 ----D---- C:\msinst
2009-04-01 20:44:17 ----A---- C:\WINDOWS\system32\zlib1.dll
2009-04-01 20:36:27 ----D---- C:\Program Files\Delta
2009-04-01 17:06:17 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-01 17:06:17 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-01 17:06:17 ----A---- C:\WINDOWS\system32\java.exe
2009-03-14 11:44:56 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-11 01:38:49 ----D---- C:\Program Files\Common Files\Macrovision Shared
2009-03-09 19:51:49 ----D---- C:\WINDOWS\system32\appmgmt
2009-03-09 19:48:31 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-03-07 18:52:13 ----D---- C:\Documents and Settings\Admin\Application Data\DMCache
2009-03-04 17:22:23 ----RSD---- C:\WINDOWS\assembly
2009-03-04 17:21:40 ----D---- C:\Program Files\Internet Explorer
2009-03-04 17:21:32 ----D---- C:\WINDOWS\Microsoft.NET
2009-03-04 17:15:32 ----HDC---- C:\WINDOWS\$NtUninstallKB942288-v3$
2009-02-16 17:35:40 ----D---- C:\Documents and Settings\Admin\Application Data\Viewpoint
2009-02-14 01:11:19 ----A---- C:\WINDOWS\GunzLauncher.INI
2009-02-08 02:26:41 ----D---- C:\Documents and Settings\All Users\Application Data\SwiftKit
2009-02-08 02:26:38 ----D---- C:\Program Files\SwiftKit

======List of files/folders modified in the last 3 months======

2009-05-04 21:31:02 ----D---- C:\WINDOWS\Temp
2009-05-04 21:20:37 ----D---- C:\Program Files\Mozilla Firefox
2009-05-04 21:19:25 ----D---- C:\WINDOWS\system32
2009-05-04 21:18:51 ----RD---- C:\Program Files
2009-05-04 21:17:56 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-04 20:50:19 ----A---- C:\WINDOWS\NeroDigital.ini
2009-05-04 18:31:00 ----D---- C:\Documents and Settings\Admin\Application Data\Azureus
2009-04-28 22:22:09 ----SHD---- C:\WINDOWS\Installer
2009-04-28 15:50:32 ----D---- C:\WINDOWS
2009-04-28 15:47:42 ----A---- C:\WINDOWS\system.ini
2009-04-28 15:46:32 ----D---- C:\WINDOWS\system32\drivers
2009-04-28 15:46:32 ----D---- C:\WINDOWS\AppPatch
2009-04-28 15:46:28 ----D---- C:\Program Files\Common Files
2009-04-28 15:44:32 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-27 15:40:58 ----D---- C:\Program Files\Registry Mechanic
2009-04-15 23:37:19 ----D---- C:\WINDOWS\system32\config
2009-04-15 23:29:16 ----RASH---- C:\boot.ini
2009-04-14 19:38:26 ----D---- C:\WINDOWS\system32\oodag
2009-04-13 17:10:30 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-12 20:54:52 ----D---- C:\Program Files\StepMania
2009-04-12 19:11:44 ----D---- C:\Program Files\Opera
2009-04-10 18:31:12 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-10 18:00:13 ----HD---- C:\WINDOWS\inf
2009-04-10 17:44:06 ----A---- C:\WINDOWS\OEWABLog.txt
2009-04-10 17:35:14 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-10 17:33:19 ----D---- C:\WINDOWS\system32\wbem
2009-04-10 17:33:19 ----D---- C:\WINDOWS\ime
2009-04-10 17:33:16 ----A---- C:\WINDOWS\setuplog.txt
2009-04-10 17:32:40 ----RSD---- C:\WINDOWS\Fonts
2009-04-10 17:32:40 ----D---- C:\WINDOWS\system32\Setup
2009-04-10 17:31:35 ----D---- C:\WINDOWS\security
2009-04-10 16:55:45 ----D---- C:\WINDOWS\system32\dllcache
2009-04-10 16:55:45 ----D---- C:\WINDOWS\system32\CatRoot
2009-04-10 16:42:00 ----D---- C:\Program Files\Messenger
2009-04-10 16:20:45 ----D---- C:\WINDOWS\WinSxS
2009-04-10 16:19:23 ----D---- C:\WINDOWS\system32\inetsrv
2009-04-10 16:19:21 ----D---- C:\WINDOWS\Network Diagnostic
2009-04-10 16:19:16 ----D---- C:\WINDOWS\Help
2009-04-10 16:18:11 ----D---- C:\WINDOWS\system32\usmt
2009-04-10 16:18:11 ----D---- C:\WINDOWS\system32\en-us
2009-04-10 16:18:03 ----D---- C:\WINDOWS\PeerNet
2009-04-10 16:18:02 ----D---- C:\Program Files\Movie Maker
2009-04-10 16:10:32 ----D---- C:\WINDOWS\system32\Restore
2009-04-10 16:10:32 ----D---- C:\WINDOWS\system32\npp
2009-04-10 16:10:31 ----D---- C:\WINDOWS\mui
2009-04-10 16:10:30 ----D---- C:\WINDOWS\msagent
2009-04-10 16:10:29 ----D---- C:\WINDOWS\srchasst
2009-04-10 16:10:28 ----D---- C:\Program Files\NetMeeting
2009-04-10 16:10:26 ----D---- C:\WINDOWS\system32\Com
2009-04-10 16:10:24 ----D---- C:\Program Files\Windows Media Player
2009-04-10 16:10:23 ----D---- C:\Program Files\Windows NT
2009-04-10 16:10:23 ----D---- C:\Program Files\Outlook Express
2009-04-10 16:10:19 ----D---- C:\Program Files\Common Files\System
2009-04-10 16:10:04 ----D---- C:\WINDOWS\system32\oobe
2009-04-10 16:10:03 ----D---- C:\WINDOWS\system
2009-04-10 16:04:39 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-04-10 15:58:04 ----D---- C:\WINDOWS\ehome
2009-04-10 15:31:10 ----SHD---- C:\System Volume Information
2009-04-07 20:25:36 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-04-04 09:35:52 ----SD---- C:\Documents and Settings\Admin\Application Data\Microsoft
2009-04-01 17:06:12 ----D---- C:\Program Files\Java
2009-03-23 19:17:06 ----A---- C:\WINDOWS\PhotoSnapViewer.INI
2009-03-14 22:02:04 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-12 18:13:49 ----D---- C:\Documents and Settings\Admin\Application Data\Adobe
2009-03-11 03:30:16 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-11 02:47:47 ----D---- C:\Program Files\Adobe
2009-03-11 02:05:52 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-03-11 01:54:03 ----D---- C:\Program Files\Common Files\Adobe
2009-03-09 19:56:49 ----D---- C:\Program Files\Counter-Strike 1.6
2009-03-09 19:52:36 ----D---- C:\Program Files\Warcraft III
2009-03-09 15:28:10 ----D---- C:\Documents and Settings
2009-02-18 19:57:57 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-02-11 21:48:59 ----SD---- C:\WINDOWS\Tasks
2009-02-08 02:29:25 ----D---- C:\WINDOWS\java

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 nod32drv;nod32drv; C:\WINDOWS\system32\drivers\nod32drv.sys [2008-10-04 15424]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2006-11-06 30988]
R1 SiSkp;SiSkp; C:\WINDOWS\system32\DRIVERS\srvkp.sys [2006-08-15 11264]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-03 12032]
R2 AMON;AMON; C:\WINDOWS\system32\drivers\amon.sys [2008-10-04 512096]
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2006-12-27 62336]
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2005-04-18 805440]
R3 ezplay;VSO Software ezplay; C:\WINDOWS\System32\Drivers\ezplay.sys [2008-10-04 94080]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-10-04 47360]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2006-08-15 432384]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51; C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-02-14 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S2 npkcrypt;npkcrypt; \??\C:\Program Files\maplestory\npkcrypt.sys []
S3 aoc1zn43;aoc1zn43; C:\WINDOWS\system32\drivers\aoc1zn43.sys []
S3 aujasnkj;aujasnkj; \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\aujasnkj.sys []
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-12-10 25280]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120; C:\WINDOWS\system32\DRIVERS\libusb0.sys [2006-05-30 29184]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2006-12-27 12160]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 Diskeeper;Diskeeper; C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe [2006-10-04 892928]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2008-10-04 549256]
R2 O&O Defrag;O&O Defrag; C:\WINDOWS\system32\oodag.exe [2006-06-02 339456]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-11 654848]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-09 138168]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-11-10 774144]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-05-04 21:33:06

======Uninstall list======

-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {471159EB-BECC-453C-B6F2-FE4FAB29B3F3}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
7-Zip 4.31-->"C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware SE Professional-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings-->MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Setup-->MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup-->MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AIM 6-->C:\Program Files\AIM6\uninst.exe
AoA Audio Extractor 1.0-->"C:\Program Files\AoA Audio Extractor\unins000.exe"
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ASIO4ALL-->C:\Program Files\ASIO4ALL v2\uninstall.exe
Azureus-->C:\Program Files\Azureus\Uninstall.exe
BlindWrite 6.0.1.19-->"C:\Program Files\VSO\BlindWrite6\unins000.exe"
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
BSPlayer-->"C:\Program Files\Webteh\BSplayerPro\uninstall.exe"
C-Media WDM Audio Driver-->C:\WINDOWS\system32\cmirmdrv.exe
Collab-->C:\Program Files\Image-Line\Collab\uninstall.exe
Counter-Strike-->"C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/10
DAEMON Tools Toolbar-->C:\Program Files\DAEMON Tools Toolbar\uninst.exe
Diskeeper 2007 Pro Premier-->MsiExec.exe /X{B1D8CAE1-62E8-4259-8B57-1755629F71EC}
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
FL Studio 7-->C:\Program Files\Image-Line\FL Studio 7\uninstall.exe
Free M4a to MP3 Converter 6.0-->"C:\Program Files\Free M4a to MP3 Converter\unins000.exe"
GetRight Pro-->C:\PROGRA~1\Getright\PROGRA~1\GetRight\UNWISE.EXE C:\PROGRA~1\Getright\PROGRA~1\GetRight\INSTALL.LOG
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB942288-v3)-->"C:\WINDOWS\$NtUninstallKB942288-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
IL Download Manager-->C:\Program Files\Image-Line\Downloader\uninstall.exe
ISO Compressor by Winnydows-->C:\Program Files\Winnydows\ISO Compressor\Uninstall.exe
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
K-Lite Codec Pack 2.80 Full-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Macromedia Shockwave Player-->MsiExec.exe /X{7D1D6A24-65D4-454C-8815-4F08A5FFF12C}
Magic ISO Maker v5.0 (build 0166)-->C:\PROGRA~1\MagicISO\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapleStory GL-->MsiExec.exe /I{1D896BB2-9A72-41AE-A63A-A0BB6BC85409}
MGTEK dopisp-->MsiExec.exe /I{C25D1742-3136-4B33-9D32-8F0F5E81F349}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB925672)-->MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
Nero 7-->MsiExec.exe /I{2D7D9D86-923A-41A8-919F-437332AB1033}
Network Play System (Patching)-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
NOD32 antivirus system-->C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1-->"C:\Program Files\Eset\unins000.exe"
Nsauditor 1.8.4-->"C:\Program Files\Nsauditor\unins000.exe"
O&O Defrag Professional Edition-->MsiExec.exe /I{53480370-6CA2-47EC-BC05-02B4B9271C31}
OJOsoft Total Video Converter-->"C:\Program Files\OJOsoft\OJOsoft Total Video Converter\unins000.exe"
Opera -->MsiExec.exe /I{383FC531-66D6-4B3B-BB84-4C7EC3F71B39}
Opera 9.64-->MsiExec.exe /X{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
QuickTime Alternative 1.70-->"C:\Program Files\QuickTime Alternative\unins000.exe"
Real Alternative 1.49-->"C:\Program Files\Real Alternative\unins000.exe"
Registry Mechanic 6.0-->"C:\Program Files\Registry Mechanic\unins000.exe"
Royale Remixed Theme-->MsiExec.exe /I{54EF43F4-99D8-4FF8-B9FE-AC893A83B84E}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SiS 900 PCI Fast Ethernet Adapter Driver-->C:\WINDOWS\SiS\900\Uninst.exe
Steam-->C:\PROGRA~1\Valve\Steam\UNWISE.EXE C:\PROGRA~1\Valve\Steam\INSTALL.LOG
StepMania (remove only)-->"C:\Program Files\StepMania\uninstall.exe"
SwiftKit-->C:\Program Files\SwiftKit\Uninstall.exe
The Sims Deluxe Edition-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{10798AE3-DCBB-43C3-9C93-C23512427E25}\Setup.exe" -l0009
TightVNC 1.3.9-->"C:\Program Files\TightVNC\unins000.exe"
True Sword 5-->"C:\Program Files\True Sword 5\unins000.exe"
UltraISO Premium V8.6-->"C:\Program Files\UltraISO\unins000.exe"
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb958619)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {79B301C1-DBC0-467C-AFDA-2A6CDAFA4302}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Virtual DJ - Atomix Productions-->C:\PROGRA~1\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\VIRTUA~1\INSTALL.LOG
Windows Driver Package - Sony PSP Type B (11/20/2005 20051120)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\psp_87D46C3F73EF6B7F5CD27D922EEE14783E1AD3BF\psp.inf
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Sidebar-->rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\Sidebar.inf,DefaultUnInstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinDVD-->MsiExec.exe /I{20471B27-D702-4FE8-8DEC-0702CC8C0A85}
WinFF 0.43-->"C:\Program Files\WinFF\unins000.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinRAR Themes Addon-->C:\PROGRA~1\WinRAR\Themes\UNWISE.EXE C:\PROGRA~1\WinRAR\Themes\INSTALL.LOG
WinZip 10 Pro-->C:\DOCUME~1\ADMINI~1\APPLIC~1\MICROS~1\Crypto\UNWISE.EXE C:\DOCUME~1\ADMINI~1\APPLIC~1\MICROS~1\Crypto\INSTALL.LOG

=====HijackThis Backups=====

O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing) [2009-04-15]
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing) [2009-04-15]

======Security center information======

AV: ESET NOD32 antivirus system 2.70 (outdated)

======System event log======

Computer Name: PAL
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 3133
Source Name: Tcpip
Time Written: 20090124191221.000000-480
Event Type: warning
User:

Computer Name: PAL
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 3132
Source Name: Tcpip
Time Written: 20090124143106.000000-480
Event Type: warning
User:

Computer Name: PAL
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 3131
Source Name: Tcpip
Time Written: 20090124123730.000000-480
Event Type: warning
User:

Computer Name: PAL
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 3090
Source Name: Tcpip
Time Written: 20090122170916.000000-480
Event Type: warning
User:

Computer Name: PAL
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 3089
Source Name: W32Time
Time Written: 20090122052434.000000-480
Event Type: warning
User:

=====Application event log=====

Computer Name: PAL
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 5608
Source Name: usnjsvc
Time Written: 20090401221801.000000-420
Event Type:
User:

Computer Name: PAL
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 5593
Source Name: usnjsvc
Time Written: 20090401213826.000000-420
Event Type:
User:

Computer Name: PAL
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 5578
Source Name: usnjsvc
Time Written: 20090401163009.000000-420
Event Type:
User:

Computer Name: PAL
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 5560
Source Name: usnjsvc
Time Written: 20090331184805.000000-420
Event Type:
User:

Computer Name: PAL
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 5548
Source Name: usnjsvc
Time Written: 20090331154450.000000-420
Event Type:
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;%VAIO%;C:\Program Files\Diskeeper Corporation\Diskeeper
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

-----------------EOF-----------------

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:07:47 PM

Posted 05 May 2009 - 01:50 AM

Hi bets777,



I notice there is a sign of one P2P (Person to Person) file sharing program on your computer. Even if you are using a "safe" P2P program, it is only the program that is safe.
You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file sharing as a major conduit to spread their wares.
You are well advised to remove it. Go to Start > Control Panel > Programs and Features. Right click on any instances of those files listed below and uninstall them.

Azureus


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar


Step1
  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Remember to plug in the flash drive to disinfect as well.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Step2
  • Close any open browsers
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
File::
c:\windows\system32\hebeferi.dll
c:\windows\system32\jasadiwi.dll.tmp
c:\windows\system32\midamuhi.dll.tmp
c:\windows\system32\qzvfb.dll
c:\windows\system32\zerakede.dll.tmp
c:\windows\system32\drivers\gxvxcbgrkcgwwulxnaoykturrjxboxhijmgfv.sys
c:\windows\system32\gxvxcmsqtolkromqukvrndyiauqajolotgktb.dll
C:\WINDOWS\system32\dllhost.exe 
C:\WINDOWS\tasks\kfcelznj.job
C:\WINDOWS\system32\drivers\aoc1zn43.sys 

Driver::
zntksqrc
aoc1zn43
gxvxcserv.sys

NetSvc::
zntksqrc

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"30110:TCP"=-
"7197:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a7f0510-24c1-11de-ab25-000d8755d45e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a7f0511-24c1-11de-ab25-000d8755d45e}]

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]


Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step3

Start > Run > type cmd > click OK > copy/paste the following bold text into the command prompt and press Enter:

sc delete "SwPrv"

Repeat the process with the following bold text.

sc delete "COMSysApp"

After that, close the command prompt.


Step4

Please run HijackThis! and click "Do a system scan only." Place checks next to the following entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix Checked". Reboot your PC.


In your next reply, please post back:


1. Combofix log
2. RSIT log.txt
3. GooredFix log


Tell me how your pc is running now.

Edited by sundavis, 05 May 2009 - 02:00 AM.


#7 bets777

bets777
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Local time:05:47 PM

Posted 06 May 2009 - 01:19 AM

Thanks to you, I can view hidden files and visit antispyware sites now :]

Here's my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:02 PM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

--
End of file - 7420 bytes

Here is the combofix log

ComboFix 09-05-05.03 - Admin 05/05/2009 16:06.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.597 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)
* Resident AV is active


FILE ::
c:\windows\system32\dllhost.exe
c:\windows\system32\drivers\aoc1zn43.sys
c:\windows\system32\drivers\gxvxcbgrkcgwwulxnaoykturrjxboxhijmgfv.sys
c:\windows\system32\gxvxcmsqtolkromqukvrndyiauqajolotgktb.dll
c:\windows\system32\hebeferi.dll
c:\windows\system32\jasadiwi.dll.tmp
c:\windows\system32\midamuhi.dll.tmp
c:\windows\system32\qzvfb.dll
c:\windows\system32\zerakede.dll.tmp
c:\windows\tasks\kfcelznj.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hebeferi.dll
c:\windows\system32\jasadiwi.dll.tmp
c:\windows\system32\midamuhi.dll.tmp
c:\windows\system32\qzvfb.dll
c:\windows\system32\zerakede.dll.tmp
c:\windows\tasks\kfcelznj.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZNTKSQRC
-------\Service_zntksqrc


((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-05 04:32 . 2009-05-05 04:33 -------- d-----w C:\rsit
2009-04-29 05:23 . 2009-04-29 05:49 -------- d-----w C:\!KillBox
2009-04-16 06:44 . 2009-04-16 06:44 -------- d-----w c:\program files\Trend Micro
2009-04-16 06:16 . 2009-04-16 06:16 -------- d-----w c:\documents and settings\Admin\Application Data\True Sword
2009-04-16 06:13 . 2005-10-11 21:40 356352 ----a-w c:\windows\eSellerateEngine.dll
2009-04-16 06:13 . 2003-06-06 18:21 81920 ----a-w c:\windows\eSellerateControl350.dll
2009-04-16 06:13 . 2009-04-16 06:16 -------- d-----w c:\program files\True Sword 5
2009-04-11 07:58 . 2009-04-11 20:50 -------- d-----w C:\fixwareout
2009-04-11 00:33 . 2009-04-11 00:33 -------- d-----w c:\windows\system32\xircom
2009-04-11 00:33 . 2009-04-11 00:33 -------- d-----w c:\program files\microsoft frontpage
2009-04-10 23:18 . 2009-04-10 23:18 -------- d-----w c:\windows\system32\scripting
2009-04-10 23:18 . 2009-04-10 23:18 -------- d-----w c:\windows\l2schemas
2009-04-10 23:18 . 2009-04-10 23:18 -------- d-----w c:\windows\system32\bits
2009-04-10 23:10 . 2009-04-10 23:10 -------- d-----w c:\windows\ServicePackFiles
2009-04-08 03:26 . 2009-04-08 03:26 -------- d-----w c:\program files\DIFX
2009-04-08 03:25 . 2006-05-30 14:53 42496 ----a-w c:\windows\system32\libusb0.dll
2009-04-08 03:25 . 2006-05-30 14:53 29184 ----a-w c:\windows\system32\drivers\libusb0.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 06:55 . 2008-10-05 15:06 77208 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 03:54 . 2009-01-09 02:30 -------- d-----w c:\program files\StepMania
2009-04-13 02:11 . 2008-10-05 02:30 -------- d-----w c:\program files\Opera
2009-04-11 01:31 . 2009-01-04 02:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-10 23:33 . 2008-10-05 01:15 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-04 15:02 . 2009-04-04 15:02 -------- d-----w c:\program files\Winnydows
2009-04-02 03:36 . 2009-04-02 03:36 -------- d-----w c:\program files\Delta
2009-04-02 00:06 . 2008-10-10 02:58 -------- d-----w c:\program files\Java
2009-03-11 08:54 . 2008-10-05 02:14 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 08:38 . 2009-03-11 08:38 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-03-10 02:56 . 2008-12-25 06:14 -------- d-----w c:\program files\Counter-Strike 1.6
2009-03-10 02:52 . 2008-10-09 06:37 -------- d-----w c:\program files\Warcraft III
2009-03-09 12:19 . 2009-03-14 18:44 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-15 21:05 . 2009-02-01 06:58 736 ----a-w c:\windows\eReg.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_06.39.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-05 23:10 . 2009-05-05 23:10 16384 c:\windows\Temp\Perflib_Perfdata_c4.dat
+ 2009-05-05 23:10 . 2009-05-05 23:10 16384 c:\windows\Temp\Perflib_Perfdata_188.dat
+ 2009-05-05 06:53 . 2009-05-05 06:53 16384 c:\windows\Temp\Perflib_Perfdata_114.dat
+ 2008-10-05 01:09 . 2004-08-04 04:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2008-10-10 10:47 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat
+ 2008-10-10 10:47 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-19 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 163840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-10-05 950664]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2006-10-30 2287152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-12-08 1253376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-10-16 124928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-07 04:16 176128 ----a-w c:\program files\Stardock\Object Desktop\Windowblinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\betsbreezy\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\usnsvc.exe"=
"c:\\Program Files\\Eset\\nod32krn.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [10/4/2008 7:27 PM 15424]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [4/7/2009 8:25 PM 29184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Windows Sidebar]
c:\windows\system32\hidec /W c:\vaio\Tools\REGTLIB.EXE "c:\program files\Windows Sidebar\sidebar.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"c:\program files\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"c:\program files\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s c:\vaio\.\vshellext.dll
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1202660629-1060284298-1003.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 23:10]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm
LSP: c:\windows\system32\imon.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\8dl4wzc5.default\
FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 16:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0d809737-fa53-423f-a890-0df43ba35b23}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005f
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{33f4e7e7-9619-40ac-ac00-4cdb4b7198a7}]
@Denied: (Full) (Everyone)
"Model"=dword:00000079
"Therad"=dword:00000001
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,98,07,ff,fc,5d,
df,1c,2f,3b,8a,0a,32,11,89,01,b5,36,e1,59,98,7b,44,bd,5b,b1,03,98,8a,fc,3c,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ce,5a,45,40,a6,49,2a,3f,d9,49,df,c2,6d,17,6c,4b,46,28,ec,18,f1,
fe,45,df,d4,f3,97,c5,26,26,50,34,87,ba,37,2b,3e,ac,43,f4,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):62,6d,4d,11,a7,a2,01,a6,b4,59,74,e0,a5,54,ac,33,22,61,3b,ca,90,
06,86,a9,ec,53,b9,17,40,b8,2c,1d,f0,b5,17,80,03,e0,5e,d1,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\Stardock\Object Desktop\Windowblinds\wbsrv.dll

- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(2436)
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\oodag.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-05-05 16:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 23:22
ComboFix2.txt 2009-04-28 22:50
ComboFix3.txt 2009-04-28 06:15
ComboFix4.txt 2009-04-16 06:47

Pre-Run: 3,842,822,144 bytes free
Post-Run: 4,478,914,560 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
231 --- E O F --- 2009-04-10 23:55

Here is the RSIT log

Logfile of random's system information tool 1.06 (written by random/random)
Run by Admin at 2009-05-05 23:16:28
Microsoft Windows XP Professional Service Pack 3
System drive C: has 4 GB (10%) free of 39 GB
Total RAM: 1007 MB (36% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:39 PM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\ad-aware.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX00.661\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

--
End of file - 8025 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1202660629-1060284298-1003.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-10-20 737776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"=C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe [2006-10-04 163840]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2008-10-04 950664]
"RegistryMechanic"=C:\Program Files\Registry Mechanic\RegMech.exe [2006-10-30 2287152]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"nmctxth"=C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [2008-12-12 642856]
"Linksys Wireless Manager"=C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe [2009-02-16 1358384]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-11-16 139264]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-10-21 50472]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2007-10-18 5724184]
"Google Update"=C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 133104]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll [2005-12-06 176128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoResolveTrack"=1
"NoResolveSearch"=1
"ForceStartMenuLogoff"=0
"NoStartMenuPinnedList"=1
"NoSMConfigurePrograms"=1
"NoUserNameInStartMenu"=1
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Valve\Steam\steamapps\betsbreezy\counter-strike\hl.exe"="C:\Program Files\Valve\Steam\steamapps\betsbreezy\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"C:\WINDOWS\system32\taskmgr.exe"="C:\WINDOWS\system32\taskmgr.exe:*:Enabled:taskmgr"
"C:\Program Files\Windows Live\Messenger\usnsvc.exe"="C:\Program Files\Windows Live\Messenger\usnsvc.exe:*:Enabled:usnsvc"
"C:\Program Files\Eset\nod32krn.exe"="C:\Program Files\Eset\nod32krn.exe:*:Enabled:nod32krn"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
shell\AutoRun\command - I:\Setup.exe


======List of files/folders created in the last 3 months======

2009-05-05 23:11:47 ----SHD---- C:\RECYCLER
2009-05-05 23:05:36 ----D---- C:\Program Files\Linksys
2009-05-05 23:04:51 ----D---- C:\Program Files\Common Files\Pure Networks Shared
2009-05-05 23:03:52 ----D---- C:\Documents and Settings\All Users\Application Data\Pure Networks
2009-05-05 23:03:17 ----A---- C:\WINDOWS\system32\RaCoInst.dll
2009-05-05 23:02:03 ----D---- C:\WINDOWS\LastGood
2009-05-05 16:22:18 ----A---- C:\ComboFix.txt
2009-05-05 15:58:57 ----RASHD---- C:\autorun.inf
2009-05-04 21:32:58 ----D---- C:\rsit
2009-04-28 22:23:52 ----D---- C:\!KillBox
2009-04-28 22:22:09 ----SHD---- C:\Config.Msi
2009-04-15 23:44:45 ----D---- C:\Program Files\Trend Micro
2009-04-15 23:29:16 ----A---- C:\Boot.bak
2009-04-15 23:29:11 ----RASHD---- C:\cmdcons
2009-04-15 23:26:20 ----A---- C:\WINDOWS\zip.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\vFind.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\SWSC.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\SWREG.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\sed.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\NIRCMD.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\grep.exe
2009-04-15 23:26:14 ----D---- C:\WINDOWS\ERDNT
2009-04-15 23:25:55 ----D---- C:\Qoobox
2009-04-15 23:25:40 ----A---- C:\log2.txt
2009-04-15 23:25:40 ----A---- C:\log1.txt
2009-04-15 23:16:46 ----D---- C:\Documents and Settings\Admin\Application Data\True Sword
2009-04-15 23:13:32 ----A---- C:\WINDOWS\eSellerateEngine.dll
2009-04-15 23:13:32 ----A---- C:\WINDOWS\eSellerateControl350.dll
2009-04-15 23:13:31 ----D---- C:\Program Files\True Sword 5
2009-04-11 00:58:50 ----D---- C:\fixwareout
2009-04-10 17:33:19 ----D---- C:\Program Files\xerox
2009-04-10 17:33:18 ----D---- C:\WINDOWS\system32\xircom
2009-04-10 17:33:17 ----D---- C:\Program Files\microsoft frontpage
2009-04-10 17:33:10 ----D---- C:\WINDOWS\Prefetch
2009-04-10 16:55:43 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-04-10 16:55:24 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-04-10 16:55:01 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-04-10 16:54:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-04-10 16:54:23 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-04-10 16:54:07 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-04-10 16:53:39 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-04-10 16:53:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-04-10 16:52:52 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-04-10 16:51:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-04-10 16:49:35 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-04-10 16:46:56 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-04-10 16:46:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-04-10 16:46:18 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-04-10 16:45:46 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-04-10 16:44:34 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-04-10 16:42:48 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-04-10 16:41:54 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-04-10 16:40:51 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-04-10 16:18:08 ----D---- C:\WINDOWS\system32\scripting
2009-04-10 16:18:04 ----D---- C:\WINDOWS\l2schemas
2009-04-10 16:18:03 ----D---- C:\WINDOWS\system32\bits
2009-04-10 16:10:49 ----D---- C:\WINDOWS\ServicePackFiles
2009-04-10 15:58:09 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-04-07 20:26:52 ----D---- C:\Program Files\DIFX
2009-04-07 20:25:36 ----A---- C:\WINDOWS\system32\libusb0.dll
2009-04-06 14:09:12 ----A---- C:\WINDOWS\WORDPAD.INI
2009-04-04 08:02:32 ----D---- C:\Program Files\Winnydows
2009-04-01 23:06:34 ----D---- C:\mspformat
2009-04-01 23:06:31 ----D---- C:\msinst
2009-04-01 20:44:17 ----A---- C:\WINDOWS\system32\zlib1.dll
2009-04-01 20:36:27 ----D---- C:\Program Files\Delta
2009-04-01 17:06:17 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-01 17:06:17 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-01 17:06:17 ----A---- C:\WINDOWS\system32\java.exe
2009-03-14 11:44:56 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-11 01:38:49 ----D---- C:\Program Files\Common Files\Macrovision Shared
2009-03-09 19:51:49 ----D---- C:\WINDOWS\system32\appmgmt
2009-03-09 19:48:31 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-03-07 18:52:13 ----D---- C:\Documents and Settings\Admin\Application Data\DMCache
2009-03-04 17:22:23 ----RSD---- C:\WINDOWS\assembly
2009-03-04 17:21:40 ----D---- C:\Program Files\Internet Explorer
2009-03-04 17:21:32 ----D---- C:\WINDOWS\Microsoft.NET
2009-03-04 17:15:32 ----HDC---- C:\WINDOWS\$NtUninstallKB942288-v3$
2009-02-14 01:11:19 ----A---- C:\WINDOWS\GunzLauncher.INI
2009-02-08 02:26:41 ----D---- C:\Documents and Settings\All Users\Application Data\SwiftKit
2009-02-08 02:26:38 ----D---- C:\Program Files\SwiftKit

======List of files/folders modified in the last 3 months======

2009-05-05 23:17:41 ----D---- C:\WINDOWS\Temp
2009-05-05 23:05:36 ----RD---- C:\Program Files
2009-05-05 23:05:30 ----SHD---- C:\WINDOWS\Installer
2009-05-05 23:05:16 ----D---- C:\WINDOWS\system32\drivers
2009-05-05 23:05:15 ----HD---- C:\WINDOWS\inf
2009-05-05 23:05:14 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-05-05 23:04:51 ----D---- C:\WINDOWS\WinSxS
2009-05-05 23:04:51 ----D---- C:\Program Files\Common Files
2009-05-05 23:04:32 ----D---- C:\WINDOWS\system32
2009-05-05 23:04:31 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-05 23:02:03 ----D---- C:\WINDOWS
2009-05-05 23:02:02 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-05 21:47:16 ----D---- C:\Program Files\Mozilla Firefox
2009-05-05 21:44:25 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-05 21:33:12 ----A---- C:\WINDOWS\NeroDigital.ini
2009-05-05 16:11:30 ----A---- C:\WINDOWS\system.ini
2009-05-05 16:09:10 ----D---- C:\WINDOWS\system32\config
2009-05-05 16:07:51 ----D---- C:\WINDOWS\AppPatch
2009-05-05 16:06:21 ----SD---- C:\WINDOWS\Tasks
2009-05-05 15:58:00 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-05-04 18:31:00 ----D---- C:\Documents and Settings\Admin\Application Data\Azureus
2009-04-27 15:40:58 ----D---- C:\Program Files\Registry Mechanic
2009-04-15 23:29:16 ----RASH---- C:\boot.ini
2009-04-14 19:38:26 ----D---- C:\WINDOWS\system32\oodag
2009-04-13 17:10:30 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-12 20:54:52 ----D---- C:\Program Files\StepMania
2009-04-12 19:11:44 ----D---- C:\Program Files\Opera
2009-04-10 18:31:12 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-10 17:44:06 ----A---- C:\WINDOWS\OEWABLog.txt
2009-04-10 17:33:19 ----D---- C:\WINDOWS\system32\wbem
2009-04-10 17:33:19 ----D---- C:\WINDOWS\ime
2009-04-10 17:33:16 ----A---- C:\WINDOWS\setuplog.txt
2009-04-10 17:32:40 ----RSD---- C:\WINDOWS\Fonts
2009-04-10 17:32:40 ----D---- C:\WINDOWS\system32\Setup
2009-04-10 17:31:35 ----D---- C:\WINDOWS\security
2009-04-10 16:55:45 ----D---- C:\WINDOWS\system32\dllcache
2009-04-10 16:55:45 ----D---- C:\WINDOWS\system32\CatRoot
2009-04-10 16:42:00 ----D---- C:\Program Files\Messenger
2009-04-10 16:19:23 ----D---- C:\WINDOWS\system32\inetsrv
2009-04-10 16:19:21 ----D---- C:\WINDOWS\Network Diagnostic
2009-04-10 16:19:16 ----D---- C:\WINDOWS\Help
2009-04-10 16:18:11 ----D---- C:\WINDOWS\system32\usmt
2009-04-10 16:18:11 ----D---- C:\WINDOWS\system32\en-us
2009-04-10 16:18:03 ----D---- C:\WINDOWS\PeerNet
2009-04-10 16:18:02 ----D---- C:\Program Files\Movie Maker
2009-04-10 16:10:32 ----D---- C:\WINDOWS\system32\Restore
2009-04-10 16:10:32 ----D---- C:\WINDOWS\system32\npp
2009-04-10 16:10:31 ----D---- C:\WINDOWS\mui
2009-04-10 16:10:30 ----D---- C:\WINDOWS\msagent
2009-04-10 16:10:29 ----D---- C:\WINDOWS\srchasst
2009-04-10 16:10:28 ----D---- C:\Program Files\NetMeeting
2009-04-10 16:10:26 ----D---- C:\WINDOWS\system32\Com
2009-04-10 16:10:24 ----D---- C:\Program Files\Windows Media Player
2009-04-10 16:10:23 ----D---- C:\Program Files\Windows NT
2009-04-10 16:10:23 ----D---- C:\Program Files\Outlook Express
2009-04-10 16:10:19 ----D---- C:\Program Files\Common Files\System
2009-04-10 16:10:04 ----D---- C:\WINDOWS\system32\oobe
2009-04-10 16:10:03 ----D---- C:\WINDOWS\system
2009-04-10 16:04:39 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-04-10 15:58:04 ----D---- C:\WINDOWS\ehome
2009-04-10 15:31:10 ----SHD---- C:\System Volume Information
2009-04-04 09:35:52 ----SD---- C:\Documents and Settings\Admin\Application Data\Microsoft
2009-04-01 17:06:12 ----D---- C:\Program Files\Java
2009-03-23 19:17:06 ----A---- C:\WINDOWS\PhotoSnapViewer.INI
2009-03-14 22:02:04 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-12 18:13:49 ----D---- C:\Documents and Settings\Admin\Application Data\Adobe
2009-03-11 03:30:16 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-11 02:47:47 ----D---- C:\Program Files\Adobe
2009-03-11 02:05:52 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-03-11 01:54:03 ----D---- C:\Program Files\Common Files\Adobe
2009-03-09 19:56:49 ----D---- C:\Program Files\Counter-Strike 1.6
2009-03-09 19:52:36 ----D---- C:\Program Files\Warcraft III
2009-03-09 15:28:10 ----D---- C:\Documents and Settings
2009-02-18 19:57:57 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-02-08 02:29:25 ----D---- C:\WINDOWS\java

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 nod32drv;nod32drv; C:\WINDOWS\system32\drivers\nod32drv.sys [2008-10-04 15424]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2006-11-06 30988]
R1 SiSkp;SiSkp; C:\WINDOWS\system32\DRIVERS\srvkp.sys [2006-08-15 11264]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-03 12032]
R2 AMON;AMON; C:\WINDOWS\system32\drivers\amon.sys [2008-10-04 512096]
R2 pnarp;Pure Networks Device Discovery Driver; C:\WINDOWS\system32\DRIVERS\pnarp.sys [2008-12-12 23984]
R2 purendis;Pure Networks Wireless Driver; C:\WINDOWS\system32\DRIVERS\purendis.sys [2008-12-12 25264]
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2006-12-27 62336]
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2005-04-18 805440]
R3 ezplay;VSO Software ezplay; C:\WINDOWS\System32\Drivers\ezplay.sys [2008-10-04 94080]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-10-04 47360]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2006-08-15 432384]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51; C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-02-14 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S2 npkcrypt;npkcrypt; \??\C:\Program Files\maplestory\npkcrypt.sys []
S3 aaetsspz;aaetsspz; C:\WINDOWS\system32\drivers\aaetsspz.sys []
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-12-10 25280]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120; C:\WINDOWS\system32\DRIVERS\libusb0.sys [2006-05-30 29184]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2006-12-27 12160]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter; C:\WINDOWS\system32\DRIVERS\WUSB54GCv3.sys [2008-12-04 627072]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 Diskeeper;Diskeeper; C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe [2006-10-04 892928]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 nmservice;Pure Networks Platform Service; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [2008-12-12 642856]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2008-10-04 549256]
R2 O&O Defrag;O&O Defrag; C:\WINDOWS\system32\oodag.exe [2006-06-02 339456]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-11 654848]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-09 138168]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-11-10 774144]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

#8 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 06 May 2009 - 08:13 AM

Hi bets777,

I notice you have an outdated Java leftover (Java™ 6 Update 7). Please uninstall it via Add/Remove Programs.

It seems that your antivirus program is an outdated version. You can uninstall it via Add/Remove Programs and choose a free one from the following:

AVG Free 8.0 for Windows
AntiVir Free Edition


Step 1
  • Close any open browsers
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
File::
C:\WINDOWS\system32\drivers\aaetsspz.sys 

Driver::
aaetsspz


Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

(screenshot)

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step 2


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step 3


Please do an online scan with Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click the Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When updating the database has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under the Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, click on View Scan Report.
  • You may see a list of infected items there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Please post back the logs in your next reply.

1. KAS Scan Report
2. New RSIT log.txt
3. ComboFix log

How is your PC running now?
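The CFScript above targets one driver (File:: plus Driver::) that the helper picked out of an RSIT driver listing. To show how a responder triages such a listing before writing that script, here is an added Python example; it is not part of the thread nor of RSIT or ComboFix, and the sample lines, the name heuristic, the reason strings and the draft_cfscript helper are constructed for illustration.

```python
"""Triage aid for an RSIT "List of drivers" section.

Parses lines of the form
    S3 a9z9pvom;a9z9pvom; C:\\WINDOWS\\system32\\drivers\\a9z9pvom.sys []
and reports the entries a responder would examine first.  Every hit still
needs a human to confirm it: legitimate drivers (a game's anti-cheat module,
a cleanup tool's own driver) trigger the same heuristics.
"""
import re
from dataclasses import dataclass, field

# <state><start> <service>;<display>; <path> [<date> <size>]   ("[]" = no file info)
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<service>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<fileinfo>[^\]]*)\]\s*$"
)

NO_FILEINFO = "no file date/size (file missing or unreadable at scan time)"
RANDOM_NAME = "random-looking service name"
SAME_NAMES = "service, display and file name identical"
TEMP_PATH = "loaded from a Temp directory"

# Constructed sample: a few lines in the RSIT layout, including the kind of
# entry (random name, empty [] file info) the CFScript in the thread removes.
SAMPLE_LOG = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2006-11-06 30988]
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2006-12-27 62336]
S2 npkcrypt;npkcrypt; \??\C:\Program Files\maplestory\npkcrypt.sys []
S3 a9z9pvom;a9z9pvom; C:\WINDOWS\system32\drivers\a9z9pvom.sys []
S3 aaetsspz;aaetsspz; C:\WINDOWS\system32\drivers\aaetsspz.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys []
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-12-10 25280]
"""


@dataclass
class Driver:
    state: str
    start: int
    service: str
    display: str
    path: str
    fileinfo: str
    reasons: list = field(default_factory=list)


def parse_driver_line(line):
    """Return a Driver for one listing line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Driver(g["state"], int(g["start"]), g["service"], g["display"],
                  g["path"], g["fileinfo"].strip())


def looks_random(name):
    """Heuristic for machine-generated names such as 'a9z9pvom' or 'aaetsspz':
    lowercase alphanumeric, 8+ chars, and either digits mixed with letters,
    very few vowels, or a long consonant run.  Expect false positives."""
    if len(name) < 8 or not re.fullmatch(r"[a-z0-9]+", name):
        return False
    digit_mix = any(c.isdigit() for c in name) and any(c.isalpha() for c in name)
    vowel_ratio = sum(c in "aeiou" for c in name) / len(name)
    longest_run = max(len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", name) or [""])
    return digit_mix or vowel_ratio < 0.25 or longest_run >= 4


def triage(driver):
    """Attach the reasons a reviewer would want to see; returns the driver."""
    stem = re.sub(r"\.sys$", "", driver.path.split("\\")[-1], flags=re.I)
    reasons = []
    if driver.fileinfo == "":
        reasons.append(NO_FILEINFO)
    if looks_random(driver.service):
        reasons.append(RANDOM_NAME)
    if driver.service == driver.display == stem:
        reasons.append(SAME_NAMES)
    if re.search(r"\\temp\\", driver.path, re.I):
        reasons.append(TEMP_PATH)
    driver.reasons = reasons
    return driver


def suspicious_drivers(log_text):
    """Entries with missing file info, or with two or more weaker signals."""
    hits = []
    for line in log_text.splitlines():
        drv = parse_driver_line(line)
        if drv and (NO_FILEINFO in triage(drv).reasons or len(drv.reasons) >= 2):
            hits.append(drv)
    return hits


def draft_cfscript(drivers):
    """Render the File:: / Driver:: layout used in the thread for entries a
    reviewer has confirmed.  The \\??\\ device prefix is dropped from paths."""
    files = [re.sub(r"^\\\?\?\\", "", d.path) for d in drivers]
    names = [d.service for d in drivers]
    return "File::\n" + "\n".join(files) + "\n\nDriver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    for d in suspicious_drivers(SAMPLE_LOG):
        print(f"{d.service:10} {d.path}\n    " + "; ".join(d.reasons))
```

On the sample, SCDEmu is not reported (a single identical-name signal is not enough) while catchme is, which is why the output is a review list and only confirmed entries go into draft_cfscript.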

#9 bets777

bets777
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:47 PM

Posted 07 May 2009 - 08:59 AM

I haven't noticed a change, but my computer seems to be running fine.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 07, 2009 07:11:54
Records in database: 2141082
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 91371
Threat name: 4
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 02:54:39


File name / Threat name / Threats count
C:\Program Files\Angry IP Scanner\Angry IP Scanner 2.21.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcmsqtolkromqukvrndyiauqajolotgktb.dll.vir Infected: Trojan.Win32.Agent2.hoq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hebeferi.dll.vir Infected: Packed.Win32.Krap.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_qzvfb_.dll.zip Infected: Net-Worm.Win32.Kido.ih 1
C:\System Volume Information\_restore{7B988B2D-19D7-4C7E-8885-C308775A1568}\RP14\A0002037.dll Infected: Packed.Win32.Krap.f 1
C:\System Volume Information\_restore{7B988B2D-19D7-4C7E-8885-C308775A1568}\RP2\A0000002.dll Infected: Trojan.Win32.Agent2.hoq 1
C:\WINDOWS\system32\32123.,151 Infected: Packed.Win32.Krap.f 1

The selected area was scanned.


RSIT

Logfile of random's system information tool 1.06 (written by random/random)
Run by Admin at 2009-05-07 06:57:17
Microsoft Windows XP Professional Service Pack 3
System drive C: has 8 GB (21%) free of 39 GB
Total RAM: 1007 MB (46% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:22 AM, on 5/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Linksys Wireless Guard\WscGuard.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX00.754\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Linksys Wireless Guard.lnk = C:\Program Files\Linksys Wireless Guard\WscGuard.exe
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Linksys Wireless Guard Network Manager Service (WSCNetManager) - Wireless Security Corporation - C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe

--
End of file - 8165 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1202660629-1060284298-1003.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-10-20 737776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"=C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe [2006-10-04 163840]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"RegistryMechanic"=C:\Program Files\Registry Mechanic\RegMech.exe [2006-10-30 2287152]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"nmctxth"=C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [2008-12-12 642856]
"Linksys Wireless Manager"=C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe [2009-02-16 1358384]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-11-16 139264]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-10-21 50472]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2007-10-18 5724184]
"Google Update"=C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 133104]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-29 687560]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Linksys Wireless Guard.lnk - C:\Program Files\Linksys Wireless Guard\WscGuard.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll [2005-12-06 176128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoResolveTrack"=1
"NoResolveSearch"=1
"ForceStartMenuLogoff"=0
"NoStartMenuPinnedList"=1
"NoSMConfigurePrograms"=1
"NoUserNameInStartMenu"=1
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Valve\Steam\steamapps\betsbreezy\counter-strike\hl.exe"="C:\Program Files\Valve\Steam\steamapps\betsbreezy\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"C:\WINDOWS\system32\taskmgr.exe"="C:\WINDOWS\system32\taskmgr.exe:*:Enabled:taskmgr"
"C:\Program Files\Windows Live\Messenger\usnsvc.exe"="C:\Program Files\Windows Live\Messenger\usnsvc.exe:*:Enabled:usnsvc"
"C:\Program Files\Eset\nod32krn.exe"="C:\Program Files\Eset\nod32krn.exe:*:Enabled:nod32krn"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
shell\AutoRun\command - I:\Setup.exe


======List of files/folders created in the last 3 months======

2009-05-06 21:38:51 ----D---- C:\Program Files\InstallShield Installation Information
2009-05-06 21:36:04 ----D---- C:\Documents and Settings\All Users\Application Data\WSC Guard
2009-05-06 21:36:03 ----D---- C:\Program Files\Linksys Wireless Guard
2009-05-06 21:32:08 ----D---- C:\WINDOWS\Downloaded Installations
2009-05-06 17:48:08 ----D---- C:\Documents and Settings\Admin\Application Data\XLink Kai
2009-05-06 17:47:26 ----D---- C:\Program Files\XLink Kai
2009-05-06 16:08:36 ----SHD---- C:\RECYCLER
2009-05-06 15:58:05 ----A---- C:\ComboFix.txt
2009-05-06 03:07:14 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-05-06 03:07:07 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-05-06 03:05:45 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-05-06 03:05:36 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-05-06 03:03:12 ----A---- C:\WINDOWS\system32\MRT.exe
2009-05-06 03:02:57 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-05-06 03:02:46 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-05-06 03:02:37 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-05-06 03:02:10 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-05-06 03:02:01 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-05-06 03:01:34 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-05-06 03:01:26 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-05-06 03:01:16 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-05-06 03:01:10 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-05-06 03:01:03 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-05-06 03:00:50 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-05-05 23:05:36 ----D---- C:\Program Files\Linksys
2009-05-05 23:04:51 ----D---- C:\Program Files\Common Files\Pure Networks Shared
2009-05-05 23:03:52 ----D---- C:\Documents and Settings\All Users\Application Data\Pure Networks
2009-05-05 23:03:17 ----A---- C:\WINDOWS\system32\RaCoInst.dll
2009-05-05 16:22:35 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-05-05 15:58:57 ----RASHD---- C:\autorun.inf
2009-05-04 21:32:58 ----D---- C:\rsit
2009-04-28 22:23:52 ----D---- C:\!KillBox
2009-04-28 22:22:09 ----SHD---- C:\Config.Msi
2009-04-15 23:44:45 ----D---- C:\Program Files\Trend Micro
2009-04-15 23:29:16 ----A---- C:\Boot.bak
2009-04-15 23:29:11 ----RASHD---- C:\cmdcons
2009-04-15 23:26:20 ----A---- C:\WINDOWS\zip.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\vFind.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\SWSC.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\SWREG.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\sed.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\NIRCMD.exe
2009-04-15 23:26:20 ----A---- C:\WINDOWS\grep.exe
2009-04-15 23:26:14 ----D---- C:\WINDOWS\ERDNT
2009-04-15 23:25:55 ----D---- C:\Qoobox
2009-04-15 23:25:40 ----A---- C:\log2.txt
2009-04-15 23:25:40 ----A---- C:\log1.txt
2009-04-15 23:16:46 ----D---- C:\Documents and Settings\Admin\Application Data\True Sword
2009-04-15 23:13:31 ----D---- C:\Program Files\True Sword 5
2009-04-11 00:58:50 ----D---- C:\fixwareout
2009-04-10 17:33:19 ----D---- C:\Program Files\xerox
2009-04-10 17:33:18 ----D---- C:\WINDOWS\system32\xircom
2009-04-10 17:33:17 ----D---- C:\Program Files\microsoft frontpage
2009-04-10 17:33:10 ----D---- C:\WINDOWS\Prefetch
2009-04-10 16:55:43 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-04-10 16:55:24 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-04-10 16:55:01 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-04-10 16:54:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-04-10 16:54:23 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-04-10 16:54:07 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-04-10 16:53:39 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-04-10 16:53:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-04-10 16:52:52 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-04-10 16:51:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-04-10 16:49:35 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-04-10 16:46:56 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-04-10 16:46:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-04-10 16:46:18 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-04-10 16:45:46 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-04-10 16:44:34 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-04-10 16:42:48 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-04-10 16:41:54 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-04-10 16:40:51 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-04-10 16:18:08 ----D---- C:\WINDOWS\system32\scripting
2009-04-10 16:18:04 ----D---- C:\WINDOWS\l2schemas
2009-04-10 16:18:03 ----D---- C:\WINDOWS\system32\bits
2009-04-10 16:10:49 ----D---- C:\WINDOWS\ServicePackFiles
2009-04-10 15:58:09 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-04-07 20:26:52 ----D---- C:\Program Files\DIFX
2009-04-07 20:25:36 ----A---- C:\WINDOWS\system32\libusb0.dll
2009-04-06 14:09:12 ----A---- C:\WINDOWS\WORDPAD.INI
2009-04-04 08:02:32 ----D---- C:\Program Files\Winnydows
2009-04-01 23:06:34 ----D---- C:\mspformat
2009-04-01 23:06:31 ----D---- C:\msinst
2009-04-01 20:44:17 ----A---- C:\WINDOWS\system32\zlib1.dll
2009-04-01 20:36:27 ----D---- C:\Program Files\Delta
2009-04-01 17:06:17 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-01 17:06:17 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-01 17:06:17 ----A---- C:\WINDOWS\system32\java.exe
2009-03-14 11:44:56 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-11 01:38:49 ----D---- C:\Program Files\Common Files\Macrovision Shared
2009-03-09 19:51:49 ----D---- C:\WINDOWS\system32\appmgmt
2009-03-09 19:48:31 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-03-07 18:52:13 ----D---- C:\Documents and Settings\Admin\Application Data\DMCache
2009-03-04 17:22:23 ----RSD---- C:\WINDOWS\assembly
2009-03-04 17:21:40 ----D---- C:\Program Files\Internet Explorer
2009-03-04 17:21:32 ----D---- C:\WINDOWS\Microsoft.NET
2009-03-04 17:15:32 ----HDC---- C:\WINDOWS\$NtUninstallKB942288-v3$
2009-02-14 01:11:19 ----A---- C:\WINDOWS\GunzLauncher.INI
2009-02-08 02:26:41 ----D---- C:\Documents and Settings\All Users\Application Data\SwiftKit
2009-02-08 02:26:38 ----D---- C:\Program Files\SwiftKit

======List of files/folders modified in the last 3 months======

2009-05-07 06:57:14 ----D---- C:\WINDOWS\Temp
2009-05-07 02:49:03 ----A---- C:\WINDOWS\NeroDigital.ini
2009-05-06 22:26:00 ----D---- C:\Program Files\Mozilla Firefox
2009-05-06 22:13:47 ----RD---- C:\Program Files
2009-05-06 22:13:45 ----D---- C:\Documents and Settings\Admin\Application Data\Lavasoft
2009-05-06 22:07:45 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-06 22:00:38 ----D---- C:\WINDOWS
2009-05-06 22:00:30 ----D---- C:\WINDOWS\system32
2009-05-06 21:53:52 ----SD---- C:\WINDOWS\Tasks
2009-05-06 21:50:02 ----D---- C:\WINDOWS\system32\dllcache
2009-05-06 21:50:00 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-06 21:48:47 ----HD---- C:\WINDOWS\inf
2009-05-06 21:48:31 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-06 21:44:01 ----SHD---- C:\WINDOWS\Installer
2009-05-06 21:40:32 ----D---- C:\Program Files\Eset
2009-05-06 21:37:28 ----D---- C:\WINDOWS\system32\drivers
2009-05-06 21:31:46 ----D---- C:\Program Files\Common Files\InstallShield
2009-05-06 15:55:44 ----A---- C:\WINDOWS\system.ini
2009-05-06 15:54:36 ----D---- C:\WINDOWS\AppPatch
2009-05-06 15:54:31 ----D---- C:\Program Files\Common Files
2009-05-06 06:52:47 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-05-06 03:29:43 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-06 03:23:23 ----D---- C:\WINDOWS\system32\wbem
2009-05-06 03:07:13 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-06 03:07:11 ----A---- C:\WINDOWS\imsins.BAK
2009-05-06 03:02:46 ----D---- C:\WINDOWS\WinSxS
2009-05-06 02:09:49 ----D---- C:\Documents and Settings\Admin\Application Data\Azureus
2009-05-05 23:05:14 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-05-05 23:03:30 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-05-05 16:09:10 ----D---- C:\WINDOWS\system32\config
2009-05-05 15:58:00 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-04-27 15:40:58 ----D---- C:\Program Files\Registry Mechanic
2009-04-15 23:29:16 ----RASH---- C:\boot.ini
2009-04-14 19:38:26 ----D---- C:\WINDOWS\system32\oodag
2009-04-13 17:10:30 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-12 20:54:52 ----D---- C:\Program Files\StepMania
2009-04-12 19:11:44 ----D---- C:\Program Files\Opera
2009-04-10 18:31:12 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-10 17:44:06 ----A---- C:\WINDOWS\OEWABLog.txt
2009-04-10 17:33:19 ----D---- C:\WINDOWS\ime
2009-04-10 17:33:16 ----A---- C:\WINDOWS\setuplog.txt
2009-04-10 17:32:40 ----RSD---- C:\WINDOWS\Fonts
2009-04-10 17:32:40 ----D---- C:\WINDOWS\system32\Setup
2009-04-10 17:31:35 ----D---- C:\WINDOWS\security
2009-04-10 16:42:00 ----D---- C:\Program Files\Messenger
2009-04-10 16:19:23 ----D---- C:\WINDOWS\system32\inetsrv
2009-04-10 16:19:21 ----D---- C:\WINDOWS\Network Diagnostic
2009-04-10 16:19:16 ----D---- C:\WINDOWS\Help
2009-04-10 16:18:11 ----D---- C:\WINDOWS\system32\usmt
2009-04-10 16:18:11 ----D---- C:\WINDOWS\system32\en-us
2009-04-10 16:18:03 ----D---- C:\WINDOWS\PeerNet
2009-04-10 16:18:02 ----D---- C:\Program Files\Movie Maker
2009-04-10 16:10:32 ----D---- C:\WINDOWS\system32\Restore
2009-04-10 16:10:32 ----D---- C:\WINDOWS\system32\npp
2009-04-10 16:10:31 ----D---- C:\WINDOWS\mui
2009-04-10 16:10:30 ----D---- C:\WINDOWS\msagent
2009-04-10 16:10:29 ----D---- C:\WINDOWS\srchasst
2009-04-10 16:10:28 ----D---- C:\Program Files\NetMeeting
2009-04-10 16:10:26 ----D---- C:\WINDOWS\system32\Com
2009-04-10 16:10:24 ----D---- C:\Program Files\Windows Media Player
2009-04-10 16:10:23 ----D---- C:\Program Files\Windows NT
2009-04-10 16:10:23 ----D---- C:\Program Files\Outlook Express
2009-04-10 16:10:19 ----D---- C:\Program Files\Common Files\System
2009-04-10 16:10:04 ----D---- C:\WINDOWS\system32\oobe
2009-04-10 16:10:03 ----D---- C:\WINDOWS\system
2009-04-10 15:58:04 ----D---- C:\WINDOWS\ehome
2009-04-10 15:31:10 ----SHD---- C:\System Volume Information
2009-04-04 09:35:52 ----SD---- C:\Documents and Settings\Admin\Application Data\Microsoft
2009-04-01 17:06:12 ----D---- C:\Program Files\Java
2009-03-23 19:17:06 ----A---- C:\WINDOWS\PhotoSnapViewer.INI
2009-03-21 07:06:58 ----A---- C:\WINDOWS\system32\kernel32.dll
2009-03-14 22:02:04 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-12 18:13:49 ----D---- C:\Documents and Settings\Admin\Application Data\Adobe
2009-03-11 03:30:16 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-11 02:47:47 ----D---- C:\Program Files\Adobe
2009-03-11 02:05:52 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-03-11 01:54:03 ----D---- C:\Program Files\Common Files\Adobe
2009-03-10 22:18:20 ----N---- C:\WINDOWS\system32\LegitCheckControl.dll
2009-03-10 22:18:14 ----N---- C:\WINDOWS\system32\WgaTray.exe
2009-03-10 22:18:00 ----A---- C:\WINDOWS\system32\WgaLogon.dll
2009-03-09 19:56:49 ----D---- C:\Program Files\Counter-Strike 1.6
2009-03-09 19:52:36 ----D---- C:\Program Files\Warcraft III
2009-03-09 15:28:10 ----D---- C:\Documents and Settings
2009-03-06 07:22:18 ----A---- C:\WINDOWS\system32\pdh.dll
2009-02-09 05:10:49 ----A---- C:\WINDOWS\system32\lsasrv.dll
2009-02-09 05:10:48 ----A---- C:\WINDOWS\system32\rpcss.dll
2009-02-09 05:10:48 ----A---- C:\WINDOWS\system32\ntdll.dll
2009-02-09 05:10:48 ----A---- C:\WINDOWS\system32\advapi32.dll
2009-02-08 02:29:25 ----D---- C:\WINDOWS\java

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2006-11-06 30988]
R1 SiSkp;SiSkp; C:\WINDOWS\system32\DRIVERS\srvkp.sys [2006-08-15 11264]
R2 pnarp;Pure Networks Device Discovery Driver; C:\WINDOWS\system32\DRIVERS\pnarp.sys [2008-12-12 23984]
R2 purendis;Pure Networks Wireless Driver; C:\WINDOWS\system32\DRIVERS\purendis.sys [2008-12-12 25264]
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2006-12-27 62336]
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2005-04-18 805440]
R3 ezplay;VSO Software ezplay; C:\WINDOWS\System32\Drivers\ezplay.sys [2008-10-04 94080]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-10-04 47360]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2006-08-15 432384]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51; C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-02-14 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 WscNetDr;WSC Filter Miniport; C:\WINDOWS\system32\DRIVERS\WscNetDr.sys [2004-04-18 76640]
S2 npkcrypt;npkcrypt; \??\C:\Program Files\maplestory\npkcrypt.sys []
S3 a9z9pvom;a9z9pvom; C:\WINDOWS\system32\drivers\a9z9pvom.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys []
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-12-10 25280]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120; C:\WINDOWS\system32\DRIVERS\libusb0.sys [2006-05-30 29184]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2006-12-27 12160]
S3 PsSdk41;PsSdk41; \??\C:\WINDOWS\system32\Drivers\pssdk41.sys []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter; C:\WINDOWS\system32\DRIVERS\WUSB54GCv3.sys [2008-12-04 627072]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-03 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 Diskeeper;Diskeeper; C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe [2006-10-04 892928]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 nmservice;Pure Networks Platform Service; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [2008-12-12 642856]
R2 O&O Defrag;O&O Defrag; C:\WINDOWS\system32\oodag.exe [2006-06-02 339456]
R2 WSCNetManager;Linksys Wireless Guard Network Manager Service; C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe [2004-04-18 663635]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-11 654848]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-09 138168]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-11-10 774144]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

Combofix


ComboFix 09-05-06.02 - Admin 05/06/2009 15:53.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.543 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFscript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)
* Resident AV is active


FILE ::
c:\windows\system32\drivers\aaetsspz.sys
.

((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-06 10:07 . 2009-03-11 05:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-05-06 10:07 . 2009-03-11 05:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-06 10:07 . 2009-05-06 10:07 -------- d-----w c:\windows\system32\KB905474
2009-05-06 06:05 . 2009-05-06 06:05 -------- d-----w c:\program files\Linksys
2009-05-06 06:05 . 2008-12-13 01:05 23984 ----a-w c:\windows\system32\drivers\pnarp.sys
2009-05-06 06:05 . 2008-12-13 01:05 25264 ----a-w c:\windows\system32\drivers\purendis.sys
2009-05-06 06:04 . 2009-05-06 06:04 -------- d-----w c:\program files\Common Files\Pure Networks Shared
2009-05-06 06:03 . 2009-05-06 06:05 -------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2009-05-06 06:03 . 2008-12-04 13:17 15312 ----a-r c:\windows\system32\RaCoInst.dat
2009-05-06 06:03 . 2008-12-04 13:17 221184 ----a-w c:\windows\system32\RaCoInst.dll
2009-05-06 06:03 . 2008-12-04 13:17 627072 ----a-r c:\windows\system32\drivers\WUSB54GCv3.sys
2009-05-05 23:27 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-05-05 23:27 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-05-05 23:25 . 2008-12-16 12:30 354304 ------w c:\windows\system32\dllcache\winhttp.dll
2009-05-05 23:24 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-05 23:24 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-05-05 23:24 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-05 23:24 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-05 23:24 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-05 23:24 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-05 23:24 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-05 23:24 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-05 23:24 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-05 23:24 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-05 23:22 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-05 23:22 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-05 04:32 . 2009-05-05 04:33 -------- d-----w C:\rsit
2009-04-29 05:23 . 2009-04-29 05:49 -------- d-----w C:\!KillBox
2009-04-16 06:44 . 2009-04-16 06:44 -------- d-----w c:\program files\Trend Micro
2009-04-16 06:16 . 2009-04-16 06:16 -------- d-----w c:\documents and settings\Admin\Application Data\True Sword
2009-04-16 06:13 . 2005-10-11 21:40 356352 ----a-w c:\windows\eSellerateEngine.dll
2009-04-16 06:13 . 2003-06-06 18:21 81920 ----a-w c:\windows\eSellerateControl350.dll
2009-04-16 06:13 . 2009-04-16 06:16 -------- d-----w c:\program files\True Sword 5
2009-04-11 07:58 . 2009-04-11 20:50 -------- d-----w C:\fixwareout
2009-04-11 00:33 . 2009-04-11 00:33 -------- d-----w c:\windows\system32\xircom
2009-04-11 00:33 . 2009-04-11 00:33 -------- d-----w c:\program files\microsoft frontpage
2009-04-10 23:18 . 2009-04-10 23:18 -------- d-----w c:\windows\system32\scripting
2009-04-10 23:18 . 2009-04-10 23:18 -------- d-----w c:\windows\l2schemas
2009-04-10 23:18 . 2009-04-10 23:18 -------- d-----w c:\windows\system32\bits
2009-04-10 23:10 . 2009-04-10 23:10 -------- d-----w c:\windows\ServicePackFiles
2009-04-08 03:26 . 2009-04-08 03:26 -------- d-----w c:\program files\DIFX
2009-04-08 03:25 . 2006-05-30 14:53 42496 ----a-w c:\windows\system32\libusb0.dll
2009-04-08 03:25 . 2006-05-30 14:53 29184 ----a-w c:\windows\system32\drivers\libusb0.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 06:55 . 2008-10-05 15:06 77208 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 03:54 . 2009-01-09 02:30 -------- d-----w c:\program files\StepMania
2009-04-13 02:11 . 2008-10-05 02:30 -------- d-----w c:\program files\Opera
2009-04-11 01:31 . 2009-01-04 02:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-10 23:33 . 2008-10-05 01:15 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-04 15:02 . 2009-04-04 15:02 -------- d-----w c:\program files\Winnydows
2009-04-02 03:36 . 2009-04-02 03:36 -------- d-----w c:\program files\Delta
2009-04-02 00:06 . 2008-10-10 02:58 -------- d-----w c:\program files\Java
2009-03-11 08:54 . 2008-10-05 02:14 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 08:38 . 2009-03-11 08:38 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-03-10 02:56 . 2008-12-25 06:14 -------- d-----w c:\program files\Counter-Strike 1.6
2009-03-10 02:52 . 2008-10-09 06:37 -------- d-----w c:\program files\Warcraft III
2009-03-09 12:19 . 2009-03-14 18:44 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-15 21:05 . 2009-02-01 06:58 736 ----a-w c:\windows\eReg.dat
2009-02-09 12:10 . 2006-12-28 05:48 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-12-28 05:49 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-04 04:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 04:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2006-12-28 05:50 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2006-10-12 03:45 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 04:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2006-12-28 05:49 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 04:00 35328 ----a-w c:\windows\system32\sc.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_06.39.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-06 22:30 . 2009-05-06 22:30 16384 c:\windows\Temp\Perflib_Perfdata_208.dat
+ 2009-05-06 22:30 . 2009-05-06 22:30 16384 c:\windows\Temp\Perflib_Perfdata_184.dat
- 2006-12-28 05:50 . 2008-04-14 00:12 90112 c:\windows\system32\wshext.dll
+ 2006-12-28 05:50 . 2008-05-09 10:53 90112 c:\windows\system32\wshext.dll
- 2008-10-05 02:31 . 2007-08-11 03:46 26488 c:\windows\system32\spupdsvc.exe
+ 2008-10-05 02:31 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
+ 2008-10-18 05:55 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2008-10-18 05:55 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
+ 2004-08-04 04:00 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll
+ 2009-05-06 06:03 . 2008-12-04 13:17 15312 c:\windows\system32\ReinstallBackups\0002\DriverFiles\RaCoInst.dat
+ 2004-08-04 04:00 . 2009-05-06 10:29 59440 c:\windows\system32\perfc009.dat
- 2004-08-04 04:00 . 2009-04-11 00:35 59440 c:\windows\system32\perfc009.dat
- 2008-10-05 01:09 . 2008-04-14 00:12 91648 c:\windows\system32\mtxoci.dll
+ 2008-10-05 01:09 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
+ 2006-12-28 05:49 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
- 2006-12-28 05:49 . 2008-04-14 00:12 66560 c:\windows\system32\mtxclu.dll
- 2008-10-05 01:09 . 2008-04-14 00:11 58880 c:\windows\system32\msdtclog.dll
+ 2008-10-05 01:09 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
+ 2008-10-05 01:09 . 2004-08-04 04:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2009-05-06 06:02 . 2008-12-04 13:17 15312 c:\windows\system32\DRVSTORE\rt2870_5954B493B0C8D1AABA9F1868B686DAD0107D2009\RaCoInst.dat
+ 2009-05-06 06:05 . 2008-12-13 01:05 25264 c:\windows\system32\DRVSTORE\purendis_2BB5C0100CC7696D211EF8B1803C647F3FC3AE04\purendis.sys
+ 2009-05-06 06:05 . 2008-12-13 01:05 23984 c:\windows\system32\DRVSTORE\pnarp_A922F7B3F866D334887D355D2A481D18B7F7B54E\pnarp.sys
+ 2009-05-05 23:26 . 2008-05-09 10:53 90112 c:\windows\system32\dllcache\wshext.dll
+ 2009-05-05 23:26 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2009-05-05 23:26 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2009-05-05 23:26 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
- 2008-10-05 02:25 . 2008-12-13 20:32 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-10-05 02:25 . 2009-05-06 13:52 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-10-05 02:25 . 2009-05-06 13:52 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-10-05 02:25 . 2008-12-13 20:32 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-10-05 02:25 . 2009-05-06 13:52 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-10-05 02:25 . 2008-12-13 20:32 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-10-10 10:47 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat
+ 2008-10-10 10:47 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat
+ 2008-07-29 15:05 . 2008-07-29 15:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
- 2006-12-28 05:50 . 2008-04-14 00:12 155648 c:\windows\system32\wscript.exe
+ 2006-12-28 05:50 . 2008-05-08 11:24 155648 c:\windows\system32\wscript.exe
+ 2004-08-04 04:00 . 2008-12-16 12:30 354304 c:\windows\system32\winhttp.dll
- 2004-08-04 04:00 . 2008-04-14 00:12 354304 c:\windows\system32\winhttp.dll
+ 2008-10-05 01:09 . 2009-02-06 10:10 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2008-10-05 01:09 . 2009-02-09 12:10 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2008-10-05 01:09 . 2009-02-09 12:10 473600 c:\windows\system32\wbem\fastprox.dll
+ 2006-12-28 05:50 . 2008-05-09 10:53 430080 c:\windows\system32\vbscript.dll
- 2006-12-28 05:49 . 2008-04-14 00:12 172032 c:\windows\system32\scrrun.dll
+ 2006-12-28 05:49 . 2008-05-09 10:53 172032 c:\windows\system32\scrrun.dll
+ 2006-12-28 05:49 . 2008-05-09 10:53 180224 c:\windows\system32\scrobj.dll
- 2006-12-28 05:49 . 2008-04-14 00:12 180224 c:\windows\system32\scrobj.dll
+ 2004-08-04 04:00 . 2008-12-05 06:54 144896 c:\windows\system32\schannel.dll
+ 2009-05-06 06:03 . 2008-12-04 13:17 627072 c:\windows\system32\ReinstallBackups\0002\DriverFiles\rt2870.sys
+ 2009-05-06 06:03 . 2008-12-04 13:17 221184 c:\windows\system32\ReinstallBackups\0002\DriverFiles\RaCoInst.dll
- 2004-08-04 04:00 . 2009-04-11 00:35 395200 c:\windows\system32\perfh009.dat
+ 2004-08-04 04:00 . 2009-05-06 10:29 395200 c:\windows\system32\perfh009.dat
+ 2008-10-05 01:09 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
- 2008-10-05 01:09 . 2008-04-14 00:11 161792 c:\windows\system32\msdtcuiu.dll
- 2008-10-05 01:09 . 2008-04-14 00:11 956928 c:\windows\system32\msdtctm.dll
+ 2008-10-05 01:09 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
+ 2008-10-05 01:09 . 2008-06-13 02:53 428032 c:\windows\system32\msdtcprx.dll
- 2006-12-28 05:48 . 2008-04-14 00:11 989696 c:\windows\system32\kernel32.dll
+ 2006-12-28 05:48 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
+ 2006-12-28 05:48 . 2008-05-09 10:53 512000 c:\windows\system32\jscript.dll
- 2006-12-28 05:48 . 2008-04-14 00:11 512000 c:\windows\system32\jscript.dll
+ 2009-05-06 06:02 . 2008-12-04 13:17 627072 c:\windows\system32\DRVSTORE\rt2870_5954B493B0C8D1AABA9F1868B686DAD0107D2009\rt2870.sys
+ 2009-05-06 06:02 . 2008-12-04 13:17 221184 c:\windows\system32\DRVSTORE\rt2870_5954B493B0C8D1AABA9F1868B686DAD0107D2009\RaCoInst.dll
+ 2006-12-28 05:50 . 2008-12-11 10:57 333952 c:\windows\system32\drivers\srv.sys
+ 2009-05-05 23:26 . 2008-05-08 11:24 155648 c:\windows\system32\dllcache\wscript.exe
+ 2009-05-05 23:26 . 2008-05-09 10:53 430080 c:\windows\system32\dllcache\vbscript.dll
+ 2008-10-14 23:02 . 2008-12-11 10:57 333952 c:\windows\system32\dllcache\srv.sys
+ 2009-05-05 23:26 . 2008-05-09 10:53 172032 c:\windows\system32\dllcache\scrrun.dll
+ 2009-05-05 23:26 . 2008-05-09 10:53 180224 c:\windows\system32\dllcache\scrobj.dll
+ 2009-05-05 23:26 . 2008-12-05 06:54 144896 c:\windows\system32\dllcache\schannel.dll
+ 2009-05-05 23:26 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2009-05-05 23:26 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-13 02:53 . 2008-06-13 02:53 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2009-05-05 23:26 . 2008-05-09 10:53 512000 c:\windows\system32\dllcache\jscript.dll
+ 2009-05-05 23:26 . 2008-05-09 08:45 135168 c:\windows\system32\dllcache\cscript.exe
+ 2006-12-28 05:48 . 2008-05-09 08:45 135168 c:\windows\system32\cscript.exe
- 2008-10-05 02:25 . 2008-12-13 20:32 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-10-05 02:25 . 2009-05-06 13:52 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-10-05 02:25 . 2009-05-06 13:52 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-10-05 02:25 . 2008-12-13 20:32 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-10-05 02:25 . 2009-05-06 13:52 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-10-05 02:25 . 2008-12-13 20:32 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-10-05 02:25 . 2009-05-06 13:52 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-10-05 02:25 . 2008-12-13 20:32 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-10-05 02:25 . 2008-12-13 20:32 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-10-05 02:25 . 2009-05-06 13:52 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-10-05 02:25 . 2009-05-06 13:52 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-10-05 02:25 . 2008-12-13 20:32 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-10-05 02:25 . 2009-05-06 13:52 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-10-05 02:25 . 2008-12-13 20:32 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-05-05 23:24 . 2008-04-15 17:47 1724416 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
+ 2006-12-28 05:50 . 2008-06-17 19:02 8461312 c:\windows\system32\shell32.dll
- 2006-12-28 05:50 . 2008-04-14 00:12 8461312 c:\windows\system32\shell32.dll
- 2006-12-28 05:49 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
+ 2006-12-28 05:49 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
+ 2008-08-30 04:06 . 2008-09-10 01:14 1307648 c:\windows\system32\msxml6.dll
- 2008-10-04 17:54 . 2009-04-11 00:34 1572304 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-04 17:54 . 2009-05-06 10:24 1572304 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-14 23:02 . 2009-02-09 11:13 1846784 c:\windows\system32\dllcache\win32k.sys
+ 2009-05-05 23:26 . 2008-06-17 19:02 8461312 c:\windows\system32\dllcache\shell32.dll
- 2008-10-09 17:05 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-10-09 17:05 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-10-14 23:02 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-14 23:02 . 2008-08-14 09:33 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-14 23:02 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-14 23:02 . 2009-02-08 02:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-14 23:02 . 2008-08-14 09:33 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-14 23:02 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-10-14 23:02 . 2008-08-14 10:09 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-10-10 10:46 . 2008-09-10 01:14 1307648 c:\windows\system32\dllcache\msxml6.dll
+ 2008-10-05 02:25 . 2009-05-06 13:52 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-10-05 02:25 . 2008-12-13 20:32 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-10-05 02:25 . 2009-05-06 13:52 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-10-05 02:25 . 2008-12-13 20:32 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-10-14 23:02 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-14 23:02 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-14 23:02 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-14 23:02 . 2009-02-08 02:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-14 23:02 . 2008-08-14 09:33 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-14 23:02 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-14 23:02 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2004-08-04 04:00 . 2008-11-12 01:34 10838016 c:\windows\system32\wmp.dll
+ 2009-05-06 10:03 . 2009-04-06 14:57 24921544 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-19 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 163840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-10-05 950664]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2006-10-30 2287152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-12-08 1253376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-10-16 124928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-07 04:16 176128 ----a-w c:\program files\Stardock\Object Desktop\Windowblinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\betsbreezy\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\usnsvc.exe"=
"c:\\Program Files\\Eset\\nod32krn.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [10/4/2008 7:27 PM 15424]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [4/7/2009 8:25 PM 29184]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [5/5/2009 11:03 PM 627072]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Windows Sidebar]
c:\windows\system32\hidec /W c:\vaio\Tools\REGTLIB.EXE "c:\program files\Windows Sidebar\sidebar.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"c:\program files\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"c:\program files\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s c:\vaio\.\vshellext.dll
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1202660629-1060284298-1003.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 23:10]

2009-05-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 05:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm
LSP: c:\windows\system32\imon.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\8dl4wzc5.default\
FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 15:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0d809737-fa53-423f-a890-0df43ba35b23}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005f
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{33f4e7e7-9619-40ac-ac00-4cdb4b7198a7}]
@Denied: (Full) (Everyone)
"Model"=dword:00000079
"Therad"=dword:00000001
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,98,07,ff,fc,5d,
df,1c,2f,3b,8a,0a,32,11,89,01,b5,36,e1,59,98,7b,44,bd,5b,b1,03,98,8a,fc,3c,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ce,5a,45,40,a6,49,2a,3f,d9,49,df,c2,6d,17,6c,4b,46,28,ec,18,f1,
fe,45,df,d4,f3,97,c5,26,26,50,34,87,ba,37,2b,3e,ac,43,f4,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):62,6d,4d,11,a7,a2,01,a6,b4,59,74,e0,a5,54,ac,33,22,61,3b,ca,90,
06,86,a9,ec,53,b9,17,40,b8,2c,1d,f0,b5,17,80,03,e0,5e,d1,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\program files\Stardock\Object Desktop\Windowblinds\wbsrv.dll

- - - - - - - > 'lsass.exe'(624)
c:\windows\system32\imon.dll
.
Completion time: 2009-05-06 15:58
ComboFix-quarantined-files.txt 2009-05-06 22:57
ComboFix2.txt 2009-05-05 23:22
ComboFix3.txt 2009-04-28 22:50
ComboFix4.txt 2009-04-28 06:15
ComboFix5.txt 2009-05-06 22:51

Pre-Run: 4,439,838,720 bytes free
Post-Run: 4,427,091,968 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
353 --- E O F --- 2009-05-06 13:52

#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:07:47 PM

Posted 07 May 2009 - 01:33 PM

Hi bets777,

Use Windows Explorer to find and delete this file:

C:\WINDOWS\system32\32123.,151

C:\Program Files\Angry IP Scanner\Angry IP Scanner 2.21.exe ---> This file may be a false positive by Kas. You may keep or delete it as you wish.

The Kas online scan detected 3 files in the Qoobox quarantine folder and 2 files in System Volume Information, which will be addressed by uninstalling it in the following steps:

Other than that, you are all clean now. Do you have any remaining issues on your pc? If not, let's do some tidying up.

Step1

Click START then RUN
Now copy/paste Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step2
  • Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Remember to delete tools and all the logs we have used.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Update your Adobe Acrobat Reader

    Old versions may contain vulnerabilities that malware can use to infect your system. Please download Adobe Reader 9 to your desktop.
    Uninstall the old Adobe Reader from Start > Control Panel > Add/Remove Programs. Install the new one.

  • Install a-squared Free - a-squared Free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer, which provides some real time protection against premium rate dialers.

    A tutorial on installing & using this product can be found here:

    Clean your PC with a-squared Free

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information here on how to prevent malware.


Glad to be of help. Safe surfing!!

#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:07:47 PM

Posted 08 May 2009 - 07:42 AM

Hi bets777,

Message Received.

Please detail the problem you're experiencing. Thanks.

Edited by sundavis, 08 May 2009 - 10:03 PM.


#12 bets777

bets777
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Local time:05:47 PM

Posted 09 May 2009 - 10:52 AM

Every time I start up my computer it takes about 5 minutes until my desktop shows up. The computer lags and sometimes changes the theme to classic.

Edited by bets777, 09 May 2009 - 10:53 AM.


#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:07:47 PM

Posted 09 May 2009 - 12:34 PM

Hi bets777,

Please download the attached file (restorethemes.reg) to your desktop. Double-click the reg file and an information box will pop up asking if you want to merge the information in the file into the registry; click Yes. After that, restart your pc and reset the theme.

Your system has both Diskeeper 2007 Pro Premier and O&O Defrag Professional Edition installed and running simultaneously. This will slow down your startup and compromise your pc's performance.

You are well advised to uninstall one of them, and to fix the following entries. Those programs do not need to be running at startup; you can use them when needed.


Step1

1. Start HJT and click the Scan button to perform "Do a system scan only". Place checks next to the following entries (if present):

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

Close all browsers and windows except HijackThis, and click "Fix checked". Reboot your pc.



Step2
  • Download FixPolicies.exe, a self-extracting ZIP archive, to your Desktop from here:
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.

Step3

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

In your next reply, please post back:

1. BitDefender online report
2. New HJT log

Tell me how it goes.

Attached Files



#14 bets777

bets777
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Local time:05:47 PM

Posted 10 May 2009 - 03:19 PM

I couldn't find the online scan, but I have a HJT log. The Online Shield detected something called PCHealth and I blocked it, but I can't seem to get rid of it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:56 PM, on 5/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys Wireless Guard\WscGuard.exe
C:\Program Files\TechTracker\VersionTracker Pro\VersionTrackerPro.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Linksys Wireless Guard.lnk = C:\Program Files\Linksys Wireless Guard\WscGuard.exe
O4 - Global Startup: VersionTrackerPro.lnk = ?
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Linksys Wireless Guard Network Manager Service (WSCNetManager) - Wireless Security Corporation - C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe

--
End of file - 8848 bytes

Edited by bets777, 10 May 2009 - 03:20 PM.


#15 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:07:47 PM

Posted 10 May 2009 - 05:10 PM

Hi bets777,

"I couldn't find the online scan"

What do you mean by that?

Diskeeper and O&O Defrag seem to be still on board. Which one did you uninstall? Online Armor may block something else which needs your decision to allow it or block it, as some programs need the approved right to access the internet. Then, make it a rule to regulate all items while connecting to the internet. That is normal. While performing the online scan, you should disable it temporarily.


Step1.

Please go to Jotti's Scan or Virus Total for scanning one suspicious file.
Copy/paste the below file path into the text box next to the Browse button at the top of the page:

C:\WINDOWS\system32\drivers\a9z9pvom.sys

Click the Submit or Send File button and copy "Scanner results", and paste the contents into your next reply.


Step2

Let's try the following instead.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.

I will give you another one, just in case. :)


Please go to F-Secure Online Scanner Next Generation
  • Click on the link "Start your scan".
  • You may receive an alert on the address bar at this point to install the ActiveX control.
  • Read the license agreement and click "Accept".
  • Click "Full System Scan" to download the scanning components and begin scan and cleaning.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • When done click "Show report" and copy/paste its contents into your next reply.

In your next reply, please post back:

1. Virus Total report
2. ESET online scan report

Tell me how your pc is running now.
