infected with trojan proxy agent nci


This topic is locked
52 replies to this topic

#1 gclubo
  • Members
  • 57 posts

Posted 19 April 2009 - 11:49 AM

Hi guys, I have been redirected here by the guys at the spyware removal forum, where they were having problems removing a virus. They tried everything they could and then told me to post these logs here. Everything they told me to do is in this topic:
http://www.bleepingcomputer.com/forums/t/218125/think-i-may-be-infected/

Here is the log they asked me to post:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 15:59:47.34 on 19/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.2162 [GMT 1:00]

AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\BACS\BPowMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Eset\nod32kui.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 85.255.112.111,85.255.112.200
TCP: {BD77DADD-6D0C-47D4-9946-C7137DDE8243} = 85.255.112.111,85.255.112.200
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: KvbDEo - {4C434CC7-E6E9-E66D-D168-893E6FB7A935} -
LSA: Notification Packages = :\windows\syste scecli scecli

============= SERVICES / DRIVERS ===============

R2 BPowMon;Broadcom Power monitoring service;c:\program files\broadcom\bacs\BPowMon.exe [2005-4-13 65536]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-3-8 507904]
S0 cfyr;cfyr;c:\windows\system32\drivers\noxlg.sys --> c:\windows\system32\drivers\noxlg.sys [?]
S0 guiw;guiw;c:\windows\system32\drivers\nfpwyx.sys --> c:\windows\system32\drivers\nfpwyx.sys [?]
S2 amd64si;amd64si;\??\c:\windows\system32\drivers\amd64si.sys --> c:\windows\system32\drivers\amd64si.sys [?]
S2 ati64si;ati64si;\??\c:\windows\system32\drivers\ati64si.sys --> c:\windows\system32\drivers\ati64si.sys [?]
S2 VMwareService;VMwareService;"c:\windows\system\vmwareservice.exe" --> c:\windows\system\VMwareService.exe [?]

=============== Created Last 30 ================

2009-04-18 09:59 --d----- c:\program files\JavaFX
2009-04-18 09:58 --d----- c:\program files\Sun
2009-04-18 09:58 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-18 09:58 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-13 14:56 477 a------- C:\Shortcut to Shared Documents.lnk
2009-04-12 15:43 --d----- c:\documents and settings\owner\DoctorWeb
2009-04-11 23:57 --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-04-11 19:03 --d----- c:\program files\CCleaner
2009-04-10 18:35 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-04-07 09:52 28,725 a------- c:\windows\hpoins03.dat
2009-04-07 09:52 34,480 -------- c:\windows\hpomdl03.dat
2009-04-07 09:41 278,528 a------- c:\windows\system32\hpdjaio
2009-04-07 09:27 --d----- c:\program files\SonicWallES
2009-04-06 10:15 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-04-06 10:08 713,216 -c------ c:\windows\system32\dllcache\sxs.dll
2009-04-06 10:08 --d----- c:\program files\Zone Labs
2009-04-06 10:08 --d----- c:\windows\Internet Logs
2009-03-29 17:20 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2009-03-29 17:20 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-03-26 22:24 --d----- c:\program files\SpywareBlaster
2009-03-23 21:40 151 a------- c:\windows\PhotoSnapViewer.INI
2009-03-23 21:28 34,480 -------- c:\windows\hpomdl03.dat.temp
2009-03-23 21:28 28,726 -------- c:\windows\hpoins03.dat.temp
2009-03-22 22:05 225,664 -c------ c:\windows\system32\dllcache\tcpip6.sys
2009-03-22 22:05 100,352 -c------ c:\windows\system32\dllcache\6to4svc.dll
2009-03-22 22:05 8,453,632 -c------ c:\windows\system32\dllcache\shell32.dll
2009-03-22 22:05 617,472 -c------ c:\windows\system32\dllcache\comctl32.dll
2009-03-22 22:05 359,808 -c------ c:\windows\system32\dllcache\tcpip.sys
2009-03-22 22:05 453,120 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-22 22:05 174,592 -c------ c:\windows\system32\dllcache\rdbss.sys
2009-03-22 22:05 332,928 -c------ c:\windows\system32\dllcache\srv.sys
2009-03-22 22:05 1,494,016 -c------ c:\windows\system32\dllcache\shdocvw.dll
2009-03-22 22:05 111,616 -c------ c:\windows\system32\dllcache\dhcpcsvc.dll
2009-03-22 22:05 94,720 -c------ c:\windows\system32\dllcache\iphlpapi.dll
2009-03-22 22:04 332,288 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-03-22 22:04 148,480 -c------ c:\windows\system32\dllcache\dnsapi.dll
2009-03-22 22:04 8,192 -c------ c:\windows\system32\dllcache\rasadhlp.dll
2009-03-22 22:04 181,248 -c------ c:\windows\system32\dllcache\rasmans.dll
2009-03-22 22:04 1,435,648 -c------ c:\windows\system32\dllcache\query.dll
2009-03-22 22:04 69,120 -c------ c:\windows\system32\dllcache\ciodm.dll
2009-03-22 22:04 984,064 -c------ c:\windows\system32\dllcache\kernel32.dll
2009-03-22 22:04 546,304 -c------ c:\windows\system32\dllcache\hhctrl.ocx
2009-03-22 20:33 --d----- c:\docume~1\owner\applic~1\GrabIt
2009-03-22 20:32 --d----- c:\program files\GrabIt
2009-03-22 20:15 39,936 a------- c:\windows\system32\drivers\gaopdxbrxowbitudotpogkoltmxvnklyapqqji.sys
2009-03-22 20:15 4 a------- c:\windows\system32\gaopdxcounter
2009-03-22 17:51 69 a------- c:\windows\NeroDigital.ini
2009-03-22 17:46 0 a------t c:\windows\001008_.tmp
2009-03-22 16:56 526,848 a------- c:\windows\system32\p2psvc.dll
2009-03-22 16:56 49,152 a------- c:\windows\system32\powercfg.exe
2009-03-22 16:56 48,640 a------- c:\windows\system32\pnrpnsp.dll
2009-03-22 16:53 0 a------t c:\windows\003325_.tmp
2009-03-22 16:42 152,848 a------- c:\windows\system32\comdlg32.OCX
2009-03-22 16:42 124,688 a------- c:\windows\system32\mswinsck.ocx
2009-03-22 16:42 --d----- c:\program files\Bit Che
2009-03-22 16:42 --d----- c:\docume~1\owner\applic~1\Convivea
2009-03-22 16:08 12,288 a------- c:\windows\system32\ksolay.ax
2009-03-22 16:08 80,896 a------- c:\windows\system32\dxdllreg.exe
2009-03-22 15:52 46,352 a------- c:\windows\setdebug.exe
2009-03-22 15:52 139,536 a------- c:\windows\system32\javaee.dll
2009-03-21 20:04 --d----- c:\docume~1\owner\applic~1\Uniblue
2009-03-21 19:27 --d----- c:\program files\Nero
2009-03-21 17:55 11,886 a------- c:\windows\system32\drivers\kbfilter.sys
2009-03-20 21:14 --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-03-20 20:43 3,495,784 a------- c:\windows\system32\d3dx9_33.dll
2009-03-20 20:41 --d-h--- c:\windows\msdownld.tmp

==================== Find3M ====================

2009-04-17 09:33 300 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2009-04-12 16:21 506,368 a------- c:\windows\system32\winlogon.exe
2009-04-12 16:21 17,408 a------- c:\windows\system32\svchost.exe
2009-04-12 16:21 110,592 a------- c:\windows\system32\services.exe
2009-04-12 15:45 1,034,752 a------- c:\windows\explorer.exe
2009-04-11 11:58 563 a------- c:\program files\Shortcut to Malwarebytes' Anti-Malware.lnk
2009-03-29 17:20 87,608 a------- c:\docume~1\owner\applic~1\inst.exe
2009-03-29 17:20 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-29 17:20 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys
2009-03-22 17:57 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-22 15:52 2,678 a------- c:\windows\java\packages\data\tbdbj5r3.dat
2009-03-22 15:52 2,678 a------- c:\windows\java\packages\data\zfdb7h79.dat
2009-03-22 15:52 2,678 a------- c:\windows\java\packages\data\xjjnv1fd.dat
2009-03-22 15:52 2,678 a------- c:\windows\java\packages\data\gz9rlvd7.dat
2009-03-22 15:52 2,678 a------- c:\windows\java\packages\data\bpzvlflf.dat
2009-03-09 21:41 23,388 a------- c:\windows\system32\emptyregdb.dat
2009-03-08 16:30 274,432 a------- c:\windows\system32\imon.dll
2009-03-08 16:30 502,368 a------- c:\windows\system32\drivers\amon.sys
2009-03-07 20:30 17,801 a------- c:\windows\system32\drivers\AegisP.sys
2009-03-07 14:18 30,144 a------- c:\windows\system32\drivers\psadd.sys
2009-03-07 05:40 558,142 a------- c:\windows\java\packages\8db9jvpz.zip
2009-03-07 05:40 155,995 a------- c:\windows\java\packages\lv1fdz33.zip
2009-03-06 00:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-06 00:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2007-02-12 20:10 2,682,880 -------- c:\documents and settings\all users\VCREDI~3.EXE
2001-06-20 17:21 22,507 a------- c:\program files\bmgr.exe
2001-06-20 17:21 1,536 a------- c:\program files\boot.bin
2001-06-20 17:21 168 a------- c:\program files\bmgr.scr
1998-05-11 21:01 222,390 a------- c:\program files\io.sys
1998-05-11 21:01 93,880 a------- c:\program files\command.com
1998-05-11 21:01 18,967 a------- c:\program files\SYS.COM
1998-05-11 21:01 7 a------- c:\program files\MSDOS.SYS

============= FINISH: 16:00:06.67 ===============

Edited by Orange Blossom, 19 April 2009 - 01:25 PM.
Fix link. ~ OB



#2 thewall
  • Malware Response Team
  • 6,425 posts
  • Location: Florida

Posted 29 April 2009 - 02:06 PM

Hello gclubo :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please perform the following:

Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

When completed please post both logs from RSIT as well as the one from Kaspersky.





Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 gclubo
  • Topic Starter
  • Members
  • 57 posts

Posted 29 April 2009 - 05:08 PM

Hi thewall, thank you for helping me with this problem. I followed your instructions as above, but the Kaspersky database won't update and I get the message "update has failed, failed to connect to update source". This is what's been happening: it won't let me download or run any antispyware at all. The only one that will run is NOD32, which is already installed on the PC. I have tried MBAM, SUPERAntiSpyware, Spybot, Ad-Aware and Avast, but they either won't let me download or even go to their webpage, or they will download but not run, and a "failed to connect to database" message appears. Hope this can assist you.

#4 thewall
  • Malware Response Team
  • 6,425 posts
  • Location: Florida

Posted 29 April 2009 - 06:13 PM

You're welcome. :thumbup2:


What about RSIT, did you try to run it?

#5 gclubo
  • Topic Starter
  • Members
  • 57 posts

Posted 30 April 2009 - 01:43 PM

Managed to run RSIT, here are the logs:

info.txt logfile of random's system information tool 1.06 2009-04-30 19:38:16

======Uninstall list======

-->C:\PROGRA~1\BLUEYO~1\Uninstall.exe blueyonder
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Bit Che-->"C:\Program Files\Bit Che\unins000.exe"
blueyonder Instant Support Tool-->C:\WINDOWS\Motive\blueyonder\MCCUninst.exe
Broadcom 440x 10/100 Integrated Controller-->MsiExec.exe /X{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}
Broadcom Gigabit Integrated Controller-->MsiExec.exe /X{7E369B27-13E2-41A5-9879-358EE1C8B5AD}
Broadcom Management Programs-->MsiExec.exe /X{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
ConvertXtoDVD 3.5.2.137-->"C:\Program Files\VSO\ConvertX\3\unins000.exe"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_BDA1448D3D255554.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
GrabIt 1.7.2 Beta 3 (build 996)-->"C:\Program Files\GrabIt\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB943232)-->"C:\WINDOWS\$NtUninstallKB943232$\spuninst\spuninst.exe"
HP Photo & Imaging 3.1-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.0-->"C:\Program Files\HP\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update-->MsiExec.exe /X{CC0A24CB-87C9-4F1C-A1F2-F87D8D4DDCAF}
Java DB 10.4.1.3-->MsiExec.exe /X{998D6972-F58E-479D-9248-8F179E55AE38}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Java™ SE Development Kit 6 Update 13-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160130}
JavaFX™ 1.1 SDK-->MsiExec.exe /X{7396F7C8-EDD8-4473-BF6A-2CE4996716E1}
Lenovo System Toolbox-->C:\Program Files\PCDR5\uninst.exe
Memories Disc Creator 2.0-->MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Message Center Plus-->MsiExec.exe /X{3CE38F12-0D0E-43E1-867A-E1C0B78D089E}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft AutoRoute 2005-->MsiExec.exe /I{67E4EE98-59F4-4220-89A6-A20AF5BEC689}
Microsoft Encarta Encyclopedia Standard 2005-->MsiExec.exe /I{055A0044-64A6-4248-A026-9745C1E9E159}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Photo Premium 10-->"C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=PREM
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Word 2002-->MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2005 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2005\Setup\Launcher.exe /ARP D:\
Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{CB54ABA8-D67F-47AD-A76C-2631BADA9FE5}
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Premium-->MsiExec.exe /X{CF097717-F174-4144-954A-FBC4BF301033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NETGEAR WG111T 108Mbps Wireless USB2.0 Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51123D42-6B9C-4B93-900C-29F9EC5963C9}\Setup.exe"
NOD32 antivirus system-->C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1-->"C:\Program Files\Eset\unins001.exe"
NVIDIA Drivers-->C:\WINDOWS\System32\nvuninst.exe UninstallGUI
Security Update for Microsoft .NET Framework 2.0 (KB917283)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {967B098A-042D-4367-BAC9-8BC11684174F} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Microsoft .NET Framework 2.0 (KB922770)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {0E92DD42-76F5-4EF2-B381-F9C1D72BE23D} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
System Update-->MsiExec.exe /X{8675339C-128C-44DD-83BF-0A5D6ABD8297}
VC 9.0 Runtime-->MsiExec.exe /I{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
WinAVIVideoConverter-->"C:\Program Files\WinAVIVideoConverter\unins000.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
XviD MPEG-4 Video Codec-->"C:\Program Files\XviD\unins001.exe"

======Security center information======

AV: Eset NOD32 antivirus system 2.51

======System event log======

Computer Name: GERARDE123
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 3598
Source Name: Service Control Manager
Time Written: 20090407094421.000000+060
Event Type: error
User:

Computer Name: GERARDE123
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 3595
Source Name: Service Control Manager
Time Written: 20090407094421.000000+060
Event Type: error
User:

Computer Name: GERARDE123
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 3592
Source Name: Service Control Manager
Time Written: 20090407094420.000000+060
Event Type: error
User:

Computer Name: GERARDE123
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 3588
Source Name: Service Control Manager
Time Written: 20090407094420.000000+060
Event Type: error
User:

Computer Name: GERARDE123
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 3585
Source Name: Service Control Manager
Time Written: 20090407094420.000000+060
Event Type: error
User:

=====Application event log=====

Computer Name: GERARDE123
Event Code: 1000
Message:
Record Number: 1809
Source Name: Windows Live Messenger
Time Written: 20090318214210.000000+000
Event Type: error
User:

Computer Name: GERARDE123
Event Code: 1000
Message: Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2180, fault address 0x0012bd68.

Record Number: 1770
Source Name: Application Error
Time Written: 20090318200401.000000+000
Event Type: error
User:

Computer Name: GERARDE123
Event Code: 1000
Message:
Record Number: 1760
Source Name: Windows Live Messenger
Time Written: 20090318190518.000000+000
Event Type: error
User:

Computer Name: GERARDE123
Event Code: 1000
Message:
Record Number: 1721
Source Name: Windows Live Messenger
Time Written: 20090318172417.000000+000
Event Type: error
User:

Computer Name: GERARDE123
Event Code: 12001
Message:
Record Number: 1715
Source Name: usnjsvc
Time Written: 20090318172406.000000+000
Event Type:
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\JavaFX\javafx-sdk1.1\bin;C:\Program Files\JavaFX\javafx-sdk1.1\emulator\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;C:\Program Files\Common Files\Lenovo;C:\Program Files\Common Files\DivX Shared\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=0401
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"TVT"=C:\Program Files\Lenovo
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-04-30 19:37:57
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 102 GB (68%) free of 149 GB
Total RAM: 2558 MB (82% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:38:11, on 30/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Broadcom\BACS\BPowMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD77DADD-6D0C-47D4-9946-C7137DDE8243}: NameServer = 85.255.112.111,85.255.112.200
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.111,85.255.112.200
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.111,85.255.112.200
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.111,85.255.112.200
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.111,85.255.112.200
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O21 - SSODL: KvbDEo - {4C434CC7-E6E9-E66D-D168-893E6FB7A935} - (no file)
O23 - Service: Broadcom Power monitoring service (BPowMon) - Broadcom Corp. - C:\Program Files\Broadcom\BACS\BPowMon.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: VMwareService - Unknown owner - C:\WINDOWS\system\VMwareService.exe (file missing)

--
End of file - 5596 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-17 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-10-06 110652]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-04-29 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-04-15 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-04-29 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-18 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-18 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-04-29 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2009-03-08 921600]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-07-26 13570048]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-03-07 39408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-10-06 122940]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd.exe [2003-06-25 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InetChk]
C:\DOCUME~1\Owner\LOCALS~1\Temp\ms1238343003.exe work []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2008-07-26 13570048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\System32\NvMcTray.dll [2008-07-26 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Owner]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-18 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-03-07 39408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [2008-08-21 487424]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2003-07-07 233472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
KvbDEo - {4C434CC7-E6E9-E66D-D168-893E6FB7A935}
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
:\WINDOWS\syste
scecli
scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\BitLord\BitLord.exe"="C:\Program Files\BitLord\BitLord.exe:*:Disabled:BitLord"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ENABLE"
"C:\WINDOWS\system32\userinit.exe"="C:\WINDOWS\system32\userinit.exe:*:Enabled:ENABLE"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d76db29-0a8b-11de-8563-806d6172696f}]
shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5ef8d02-268c-11de-abf4-000d60dd7435}]
shell\AutoRun\command - E:\setupSNK.exe


======List of files/folders created in the last 1 months======

2009-04-30 19:37:57 ----D---- C:\rsit
2009-04-30 19:37:57 ----D---- C:\Program Files\trend micro
2009-04-20 20:29:40 ----A---- C:\WINDOWS\imsins.BAK
2009-04-20 19:17:56 ----D---- C:\Documents and Settings\Owner\Application Data\DivX
2009-04-19 20:27:56 ----D---- C:\Program Files\microsoft money 2005
2009-04-19 20:09:18 ----D---- C:\Program Files\WinAVIVideoConverter
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxinsi64.exe
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxinsa64.exe
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxhpinst.exe
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxcpyi64.exe
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxcpya64.exe
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxafs.dll
2009-04-19 20:04:33 ----D---- C:\Program Files\Common Files\DivX Shared
2009-04-18 09:59:07 ----D---- C:\Program Files\JavaFX
2009-04-18 09:58:23 ----D---- C:\Program Files\Sun
2009-04-18 09:58:11 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-18 09:58:11 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-18 09:58:11 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-04-18 09:58:10 ----A---- C:\WINDOWS\system32\java.exe
2009-04-18 09:55:44 ----D---- C:\Documents and Settings\Owner\Application Data\Sun
2009-04-15 21:24:40 ----A---- C:\WINDOWS\system32\dpl100.dll
2009-04-15 21:24:38 ----A---- C:\WINDOWS\system32\divx_xx11.dll
2009-04-15 21:24:38 ----A---- C:\WINDOWS\system32\divx_xx0c.dll
2009-04-15 21:24:38 ----A---- C:\WINDOWS\system32\divx_xx0a.dll
2009-04-15 21:24:38 ----A---- C:\WINDOWS\system32\divx_xx07.dll
2009-04-15 21:24:38 ----A---- C:\WINDOWS\system32\DivX.dll
2009-04-12 15:41:43 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-12 14:59:54 ----D---- C:\Avenger
2009-04-11 23:57:30 ----D---- C:\Documents and Settings\All Users\Application Data\vsosdk
2009-04-11 19:03:15 ----D---- C:\Program Files\CCleaner
2009-04-11 12:23:41 ----A---- C:\avenger.txt
2009-04-10 18:35:22 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-04-08 09:38:05 ----D---- C:\Program Files\Registry Mechanic
2009-04-07 09:27:42 ----D---- C:\Program Files\SonicWallES
2009-04-06 10:09:06 ----HDC---- C:\WINDOWS\$NtUninstallKB943232$
2009-04-06 10:08:49 ----D---- C:\Program Files\Zone Labs
2009-04-06 10:08:32 ----D---- C:\WINDOWS\Internet Logs
2009-04-06 09:58:43 ----D---- C:\Documents and Settings\Owner\Application Data\Mozilla

======List of files/folders modified in the last 1 months======

2009-04-30 19:38:03 ----D---- C:\WINDOWS\Prefetch
2009-04-30 19:37:57 ----RD---- C:\Program Files
2009-04-30 19:37:54 ----D---- C:\WINDOWS\Temp
2009-04-30 19:36:16 ----D---- C:\Program Files\Mozilla Firefox
2009-04-30 17:38:58 ----D---- C:\WINDOWS
2009-04-30 00:02:10 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-29 23:09:21 ----SHD---- C:\WINDOWS\Installer
2009-04-29 22:24:22 ----A---- C:\WINDOWS\NeroDigital.ini
2009-04-29 22:19:57 ----HD---- C:\WINDOWS\inf
2009-04-29 22:17:17 ----D---- C:\WINDOWS\system32\CatRoot
2009-04-29 22:17:11 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-29 21:59:57 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-04-28 21:05:46 ----RASH---- C:\boot.ini
2009-04-28 21:05:46 ----A---- C:\WINDOWS\win.ini
2009-04-28 21:05:46 ----A---- C:\WINDOWS\system.ini
2009-04-28 20:46:10 ----D---- C:\WINDOWS\system32\drivers
2009-04-20 21:19:36 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2009-04-20 21:10:48 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-20 21:10:44 ----D---- C:\WINDOWS\system32
2009-04-20 21:10:44 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-20 21:10:42 ----D---- C:\WINDOWS\security
2009-04-20 19:45:51 ----D---- C:\Documents and Settings
2009-04-19 20:05:26 ----D---- C:\Program Files\DivX
2009-04-19 20:04:33 ----D---- C:\Program Files\Common Files
2009-04-19 19:52:40 ----D---- C:\Program Files\Xvid
2009-04-18 12:33:02 ----RSD---- C:\WINDOWS\Fonts
2009-04-18 09:56:26 ----D---- C:\Program Files\Java
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\VXBLOCK.dll
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\PxWave.dll
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\PxSFS.DLL
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\PxMas.dll
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\pxdrv.dll
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\Px.dll
2009-04-12 16:21:32 ----A---- C:\WINDOWS\system32\winlogon.exe
2009-04-12 16:21:26 ----A---- C:\WINDOWS\system32\svchost.exe
2009-04-12 16:21:24 ----A---- C:\WINDOWS\system32\services.exe
2009-04-12 15:45:20 ----A---- C:\WINDOWS\explorer.exe
2009-04-11 22:56:29 ----D---- C:\Program Files\Essentials Codec Pack
2009-04-11 22:52:06 ----D---- C:\2c2594450c9c67bac7dc565487
2009-04-11 22:26:27 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-04-11 21:45:26 ----D---- C:\Documents and Settings\All Users\Application Data\PCDr
2009-04-11 19:08:38 ----SHD---- C:\RECYCLER
2009-04-11 19:04:49 ----D---- C:\WINDOWS\Debug
2009-04-08 22:00:00 ----D---- C:\WINDOWS\system32\config
2009-04-07 10:11:53 ----D---- C:\WINDOWS\pss
2009-04-07 10:03:10 ----RSD---- C:\WINDOWS\assembly
2009-04-07 09:55:16 ----D---- C:\WINDOWS\twain_32
2009-04-07 09:42:48 ----D---- C:\WINDOWS\system32\NtmsData
2009-04-06 10:08:36 ----D---- C:\WINDOWS\WinSxS
2009-04-02 20:48:04 ----D---- C:\Program Files\SpywareBlaster
2009-04-02 20:47:42 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-04-02 20:47:31 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-03-31 21:31:09 ----D---- C:\Documents and Settings\Owner\Application Data\Vso

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-08 35840]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\System32\DRIVERS\AegisP.sys [2009-03-07 17801]
R2 AMON;AMON; \??\C:\WINDOWS\system32\drivers\amon.sys []
R2 BASFND;BASFND; \??\C:\Program Files\Broadcom\BACS\BASFND.sys []
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-10-06 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-10-06 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-10-06 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-10-06 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-10-06 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-10-06 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-10-06 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2006-05-11 156160]
R3 cmpci;TerraTec Aureon 5.1 (WDM); C:\WINDOWS\system32\drivers\cmaudio.sys [2002-07-16 379726]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2002-08-29 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2002-08-29 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2008-07-26 6097536]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2009-03-29 47360]
R3 portio;TPM Service; C:\WINDOWS\System32\DRIVERS\NscTpmDD.sys [2004-05-19 13757]
R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\System32\DRIVERS\psadd.sys [2009-03-07 30144]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-03-28 220992]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
S2 amd64si;amd64si; \??\C:\WINDOWS\system32\drivers\amd64si.sys []
S2 ati64si;ati64si; \??\C:\WINDOWS\system32\drivers\ati64si.sys []
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2003-10-23 100384]
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2004-08-03 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2004-08-03 71552]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-08-11 51056]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-08-11 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-08-11 21488]
S3 TSP;TSP; \??\C:\WINDOWS\system32\drivers\klif.sys []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 BPowMon;Broadcom Power monitoring service; C:\Program Files\Broadcom\BACS\BPowMon.exe [2005-04-13 65536]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-18 152984]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2009-03-08 507904]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2008-07-26 159812]
R2 SUService;System Update; C:\Program Files\Lenovo\System Update\SUService.exe [2008-10-20 28672]
R2 ThinkVantage Registry Monitor Service;ThinkVantage Registry Monitor Service; C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe [2007-09-26 644408]
R2 TVT Scheduler;TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [2008-08-21 1155072]
S2 VMwareService;VMwareService; C:\WINDOWS\system\VMwareService.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-29 182768]
S3 LPDSVC;TCP/IP Print Server; C:\WINDOWS\System32\tcpsvcs.exe [2002-08-29 19456]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-06-29 800040]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-08-11 65795]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2009-04-12 17408]

-----------------EOF-----------------

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 30 April 2009 - 03:31 PM

OK, I will go over all of the info you gave me. The way it works, since I am a Senior Trainee, is that I put together a fix for what I see and it then has to be approved by one of our coaches. This is both to protect the poster and to aid our training. Since we are really busy it may take a day or so. Don't think I have abandoned you, though; I will get back to you just as soon as possible.
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 01 May 2009 - 07:38 AM

OK, let's do the following:


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.


#8 gclubo

gclubo
  • Topic Starter

  • Members
  • 57 posts

Posted 01 May 2009 - 01:26 PM

Hope this is what you are looking for.

ComboFix 09-05-01.1 - Owner 01/05/2009 19:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.2086 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\combo-fix.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\inst.exe
c:\windows\system32\drivers\gaopdxbrxowbitudotpogkoltmxvnklyapqqji.sys
c:\windows\system32\gaopdxcounter

.
((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-30 18:37 . 2009-04-30 18:38 -------- d-----w c:\program files\trend micro
2009-04-30 18:37 . 2009-04-30 18:38 -------- d-----w C:\rsit
2009-04-29 21:00 . 2009-04-29 21:00 59056 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 19:46 . 2009-04-28 19:45 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-28 19:44 . 2009-04-28 19:46 -------- d-----w c:\documents and settings\Owner\.housecall6.6
2009-04-20 18:17 . 2009-04-20 18:17 -------- d-----w c:\documents and settings\Owner\Application Data\DivX
2009-04-19 19:27 . 2009-04-19 19:27 -------- d-----w c:\program files\microsoft money 2005
2009-04-19 19:09 . 2009-04-19 19:09 -------- d-----w c:\program files\WinAVIVideoConverter
2009-04-19 19:05 . 2009-04-15 20:25 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-04-19 19:05 . 2009-04-15 20:25 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-04-19 19:05 . 2009-04-15 20:25 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-04-19 19:05 . 2009-04-15 20:25 118520 ------w c:\windows\system32\pxinsi64.exe
2009-04-19 19:05 . 2009-04-15 20:25 129784 ------w c:\windows\system32\pxafs.dll
2009-04-19 19:04 . 2009-04-19 19:04 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-18 08:59 . 2009-04-18 08:59 -------- d-----w c:\program files\JavaFX
2009-04-18 08:58 . 2009-04-18 08:58 -------- d-----w c:\program files\Sun
2009-04-18 08:58 . 2009-04-18 08:57 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w c:\windows\system32\DivX.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-04-12 14:43 . 2009-04-12 14:43 -------- d-----w c:\documents and settings\Owner\DoctorWeb
2009-04-11 22:57 . 2009-04-11 22:57 -------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-04-11 18:03 . 2009-04-11 18:03 -------- d-----w c:\program files\CCleaner
2009-04-10 17:35 . 2009-04-10 17:35 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-04-07 08:52 . 2009-04-07 09:04 28725 ------w c:\windows\hpoins03.dat
2009-04-07 08:52 . 2003-08-11 10:44 34480 ------w c:\windows\hpomdl03.dat
2009-04-07 08:27 . 2009-04-07 08:27 -------- d-----w c:\program files\SonicWallES
2009-04-06 09:15 . 2009-04-06 09:21 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-06 09:08 . 2008-01-17 17:59 713216 -c----w c:\windows\system32\dllcache\sxs.dll
2009-04-06 09:08 . 2009-04-06 09:08 -------- d-----w c:\program files\Zone Labs
2009-04-06 09:08 . 2009-04-11 21:32 -------- d-----w c:\windows\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 19:40 . 2009-03-07 07:45 1136 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-04-19 19:05 . 2008-01-27 19:22 -------- d-----w c:\program files\DivX
2009-04-19 18:52 . 2009-01-20 21:48 -------- d-----w c:\program files\Xvid
2009-04-18 08:56 . 2008-06-23 20:50 -------- d-----w c:\program files\Java
2009-04-15 20:25 . 2005-04-25 10:03 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-04-12 15:21 . 2002-08-29 12:00 506368 ----a-w c:\windows\system32\winlogon.exe
2009-04-12 15:21 . 2002-08-29 12:00 17408 ----a-w c:\windows\system32\svchost.exe
2009-04-12 15:21 . 2002-08-29 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-04-12 14:45 . 2002-08-29 12:00 1034752 ----a-w c:\windows\explorer.exe
2009-04-11 22:55 . 2009-03-10 12:49 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-11 21:56 . 2008-01-25 13:01 -------- d-----w c:\program files\Essentials Codec Pack
2009-04-11 10:58 . 2009-04-11 10:58 563 ----a-w c:\program files\Shortcut to Malwarebytes' Anti-Malware.lnk
2009-04-02 19:48 . 2009-03-26 21:24 -------- d-----w c:\program files\SpywareBlaster
2009-03-29 16:20 . 2009-03-11 22:32 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-29 16:20 . 2009-03-11 22:32 47360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2009-03-29 16:20 . 2008-01-26 17:58 -------- d-----w c:\program files\VSO
2009-03-24 21:13 . 2008-01-24 22:29 -------- d-----w c:\program files\PCDR5
2009-03-22 19:32 . 2009-03-22 19:32 -------- d-----w c:\program files\GrabIt
2009-03-22 16:57 . 2009-03-07 04:39 76487 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-03-22 16:46 . 2009-03-22 16:46 0 ----atw c:\windows\001008_.tmp
2009-03-22 15:53 . 2009-03-22 15:53 0 ----atw c:\windows\003325_.tmp
2009-03-22 15:42 . 2009-03-22 15:42 -------- d-----w c:\program files\Bit Che
2009-03-22 15:20 . 2009-03-07 08:05 59056 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-22 15:18 . 2009-03-22 15:16 -------- d-----w c:\program files\Common Files\Ahead
2009-03-22 15:16 . 2009-03-21 18:27 -------- d-----w c:\program files\Nero
2009-03-22 14:52 . 2009-03-22 15:55 2678 ----a-w c:\windows\java\Packages\Data\tbdbj5r3.dat
2009-03-22 14:52 . 2009-03-22 15:55 2678 ----a-w c:\windows\java\Packages\Data\zfdb7h79.dat
2009-03-22 14:52 . 2009-03-22 15:55 2678 ----a-w c:\windows\java\Packages\Data\xjjnv1fd.dat
2009-03-22 14:52 . 2009-03-22 15:55 2678 ----a-w c:\windows\java\Packages\Data\gz9rlvd7.dat
2009-03-22 14:52 . 2009-03-22 15:55 2678 ----a-w c:\windows\java\Packages\Data\bpzvlflf.dat
2009-03-18 23:07 . 2008-02-17 16:25 -------- d-----w c:\program files\QuickTime
2009-03-18 23:05 . 2009-02-22 17:47 -------- d-----w c:\program files\Apple Software Update
2009-03-18 13:08 . 2009-03-18 13:08 -------- d-----w c:\program files\PowerISO
2009-03-12 21:50 . 2009-03-12 21:50 -------- d-----w c:\program files\Adobe Type Manager
2009-03-12 21:49 . 2009-03-12 21:48 -------- d-----w c:\program files\PhotoDeluxe 2.0
2009-03-12 20:37 . 2008-06-29 18:24 -------- d-----w c:\program files\Common Files\Nero
2009-03-11 21:27 . 2008-02-14 20:20 -------- d-----w c:\program files\DVD Shrink
2009-03-11 21:06 . 2009-03-11 21:06 0 ----a-w c:\windows\nsreg.dat
2009-03-11 19:18 . 2009-03-11 19:18 -------- d-----w c:\program files\MSN Messenger
2009-03-10 21:50 . 2009-03-10 21:50 128 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2009-03-10 21:28 . 2008-01-08 20:35 -------- d-----w c:\program files\Microsoft AutoRoute
2009-03-10 21:22 . 2008-01-08 20:28 -------- d-----w c:\program files\Picture It! Premium 10
2009-03-10 21:17 . 2008-01-08 20:22 -------- d-----w c:\program files\Microsoft Works
2009-03-10 21:04 . 2008-01-21 20:27 -------- d-----w c:\program files\Eset
2009-03-09 22:01 . 2009-03-09 22:01 -------- d-----w c:\program files\NETGEAR
2009-03-09 22:01 . 2008-01-17 21:26 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-09 20:42 . 2002-08-29 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-09 20:41 . 2009-03-07 04:37 23388 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-08 15:30 . 2009-03-08 15:31 274432 ----a-w c:\windows\system32\imon.dll
2009-03-08 15:30 . 2009-03-08 15:31 502368 ----a-w c:\windows\system32\drivers\amon.sys
2009-03-07 20:05 . 2009-03-07 19:39 -------- d-----w c:\program files\Broadcom
2009-03-07 19:48 . 2008-01-10 20:44 -------- d-----w c:\program files\blueyonder IST
2009-03-07 19:30 . 2009-03-07 19:30 17801 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-03-07 16:11 . 2008-01-22 21:26 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-07 13:52 . 2009-03-07 13:46 -------- d-----w c:\program files\Analog Devices
2009-03-07 13:46 . 2008-01-17 21:26 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-07 13:31 . 2008-01-24 22:32 -------- d-----w c:\program files\Common Files\SureThing Shared
2009-03-07 13:18 . 2008-01-24 21:18 -------- d-----w c:\program files\Common Files\Lenovo
2009-03-07 13:18 . 2008-01-24 21:18 -------- d-----w c:\program files\Lenovo
2009-03-07 13:18 . 2009-03-07 13:18 30144 ----a-w c:\windows\system32\drivers\psadd.sys
2009-03-07 12:35 . 2008-01-25 13:06 -------- d-----w c:\program files\Google
2009-03-07 06:53 . 2008-01-31 10:43 -------- d-----w c:\program files\Common Files\Adobe
2009-03-07 04:50 . 2008-01-22 00:01 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-07 04:40 . 2009-03-22 15:55 558142 ----a-w c:\windows\java\Packages\8db9jvpz.zip
2009-03-07 04:40 . 2009-03-22 15:55 155995 ----a-w c:\windows\java\Packages\lv1fdz33.zip
2009-03-05 23:59 . 2009-03-18 23:05 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 23:59 . 2009-03-18 23:05 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2001-06-20 16:21 . 2008-01-13 13:09 1536 ----a-w c:\program files\boot.bin
2001-06-20 16:21 . 2008-01-13 13:08 22507 ----a-w c:\program files\bmgr.exe
2001-06-20 16:21 . 2008-01-13 13:09 168 ----a-w c:\program files\bmgr.scr
1998-05-11 20:01 . 2008-01-13 13:10 18967 ----a-w c:\program files\SYS.COM
1998-05-11 20:01 . 2008-01-13 13:10 7 ----a-w c:\program files\MSDOS.SYS
1998-05-11 20:01 . 2008-01-13 13:09 93880 ----a-w c:\program files\command.com
1998-05-11 20:01 . 2008-01-13 13:09 222390 ----a-w c:\program files\io.sys
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2004-08-04 00:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2009-04-12 15:21 17408 F9304809C3CA8F45153674A253DC670C c:\windows\system32\svchost.exe

[-] 2004-08-04 00:56 502272 50DF290E01181F57562BCFC2E93E79BE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2004-08-04 00:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2009-04-12 15:21 506368 1386A976BE507C9CBAFFA6D3F39CBF1E c:\windows\system32\winlogon.exe

[7] 2004-08-03 23:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2004-08-03 23:00 29056 ACA96CF6F78D2CAAAAF847F2EE0BEB14 c:\windows\system32\drivers\ip6fw.sys

[-] 2009-04-12 14:45 1034752 E52221CA17B56885CD8BBF32BE7DF49E c:\windows\explorer.exe
[7] 2004-08-04 00:56 1032192 A0732187050030AE399B241436565E64 c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2004-08-04 00:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\ServicePackFiles\i386\services.exe
[-] 2009-04-12 15:21 110592 3A7225391E3029AE511362F899B32223 c:\windows\system32\services.exe

[7] 2004-08-04 00:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2004-08-04 00:56 14336 110FB3121C028E5AAEDF3307223787CD c:\windows\system32\lsass.exe

[7] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[7] 2004-08-04 00:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 23:53 58368 3513A57EC257DF60F641D20031ACB383 c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-07 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-03-08 921600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Owner

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 cfyr;cfyr; [x]
R0 guiw;guiw; [x]
R2 amd64si;amd64si; [x]
R2 ati64si;ati64si; [x]
R2 VMwareService;VMwareService; [x]
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BACS\BPowMon.exe [2005-04-13 65536]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5ef8d02-268c-11de-abf4-000d60dd7435}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
- - - - ORPHANS REMOVED - - - -

SSODL-KvbDEo-{4C434CC7-E6E9-E66D-D168-893E6FB7A935} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1x1e23du.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 19:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(3448)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\imon.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\System Update\SUService.exe
.
**************************************************************************
.
Completion time: 2009-05-01 19:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 18:18

Pre-Run: 109,763,674,112 bytes free
Post-Run: 112,735,670,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
242 --- E O F --- 2009-03-22 22:05


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:24:21, on 01/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\BACS\BPowMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.111,85.255.112.200
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Broadcom Power monitoring service (BPowMon) - Broadcom Corp. - C:\Program Files\Broadcom\BACS\BPowMon.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: VMwareService - Unknown owner - C:\WINDOWS\system\VMwareService.exe (file missing)

--
End of file - 5386 bytes
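As an added triage example (not part of the original post, and not code from ComboFix or HijackThis), the script below parses the Sigcheck block and the O17 line from the logs above: it pairs each live system binary with its ServicePackFiles reference copy and reports size or hash differences, and it reports NameServer entries outside a caller-supplied allowlist. The function names, the verdict labels and the allowlist passed in by the caller are assumptions; the sample lines are copied from the logs above.

```python
"""Added triage helper for two sections of the logs above: the ComboFix Sigcheck
block and the HijackThis O17 line. Samples are copied from the logs above."""
import ipaddress
import re

# One Sigcheck line: [tag] date time size MD5 path
SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>.)\]\s+(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)
# One HijackThis O17 line: O17 - <registry key>: NameServer = ip[,ip...]
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")
REFERENCE_DIR = "\\servicepackfiles\\"  # ComboFix's pristine service-pack copies

# Constructed sample: a subset of the Sigcheck block from the first log above.
SIGCHECK_SAMPLE = r"""
[7] 2004-08-04 00:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2009-04-12 15:21 17408 F9304809C3CA8F45153674A253DC670C c:\windows\system32\svchost.exe

[7] 2004-08-03 23:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2004-08-03 23:00 29056 ACA96CF6F78D2CAAAAF847F2EE0BEB14 c:\windows\system32\drivers\ip6fw.sys

[-] 2009-04-12 14:45 1034752 E52221CA17B56885CD8BBF32BE7DF49E c:\windows\explorer.exe
[7] 2004-08-04 00:56 1032192 A0732187050030AE399B241436565E64 c:\windows\ServicePackFiles\i386\explorer.exe
"""
# Constructed sample: the O17 line from the HijackThis log above.
HJT_SAMPLE = r"""
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.111,85.255.112.200
"""


def is_live_copy(path):
    """True for the copy Windows loads (system32 or the Windows root); staged or
    backup copies (SoftwareDistribution, $NtServicePackUninstall$) drop out."""
    p = path.lower()
    in_root = p.startswith("c:\\windows\\") and p.count("\\") == 2
    return p.startswith("c:\\windows\\system32\\") or in_root


def parse_sigcheck(text):
    """Return one dict per parsable Sigcheck line (size as int, MD5 upper-case)."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
            entries.append(e)
    return entries


def compare_sigcheck(text):
    """Pair each live system binary with its service-pack reference copy.
    A size change (svchost.exe 17408 vs 14336 above) is the pattern of a binary
    patched in place; a hash-only change with equal size (ip6fw.sys) should be
    checked against the update history before it is called bad."""
    slots = {}
    for e in parse_sigcheck(text):
        slot = slots.setdefault(e["name"], {"live": None, "ref": None})
        if REFERENCE_DIR in e["path"].lower():
            slot["ref"] = e
        elif is_live_copy(e["path"]):
            slot["live"] = e
    findings = {}
    for name, slot in slots.items():
        live, ref = slot["live"], slot["ref"]
        if live is None or ref is None:
            verdict = "no-pair"
        elif live["size"] != ref["size"]:
            verdict = "size-mismatch"
        elif live["md5"] != ref["md5"]:
            verdict = "hash-mismatch"
        else:
            verdict = "match"
        findings[name] = {"verdict": verdict, "live": live, "ref": ref}
    return findings


def unexpected_nameservers(text, allowed):
    """Return (registry key, [servers]) for each O17 entry whose resolvers fall
    outside `allowed` (IPs or CIDR networks expected on this machine)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    findings = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        bad = []
        for raw in (s.strip() for s in m.group("servers").split(",")):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                bad.append(raw)  # unparsable value: report it rather than drop it
                continue
            if not any(ip in net for net in nets):
                bad.append(raw)
        if bad:
            findings.append((m.group("key"), bad))
    return findings
```

Run `compare_sigcheck` over the whole Sigcheck block of a ComboFix log and `unexpected_nameservers` over the HijackThis log with the resolver your router or ISP actually hands out; anything reported is a candidate for the helper to look at, not a verdict on its own.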

#9 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 04 May 2009 - 02:47 PM

Sorry about the delay.

The Recovery Console was not installed with ComboFix and we really need to get it up and running. If you have another computer you can use, we would like you to do the following. If not, let me know, but do not delete the copy you have now.

If you do have use of another computer, delete the current ComboFix you have on your machine and complete the instructions below to download a new copy with the Recovery Console installed, and run it.

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

ESET NOD32 ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for the sign shown in the [image].
  • click it -> click on the button shown in the [image].
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the NOD32 Guard.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#10 gclubo

  • Topic Starter
  • Members
  • 57 posts

Posted 05 May 2009 - 02:16 PM

Hi again. Right, I did everything you asked from a laptop, then moved to the infected desktop. Everything was going to plan until the Recovery Console tried to install; I got a popup saying the application failed to initialize (0xc0000096), so it did not install. Here is the log ComboFix created:

ComboFix 09-05-04.A3 - Owner 05/05/2009 20:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.2182 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-04-30 18:37 . 2009-05-01 18:24 -------- d-----w c:\program files\trend micro
2009-04-30 18:37 . 2009-04-30 18:38 -------- d-----w C:\rsit
2009-04-29 21:00 . 2009-04-29 21:00 59056 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 19:46 . 2009-04-28 19:45 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-28 19:44 . 2009-04-28 19:46 -------- d-----w c:\documents and settings\Owner\.housecall6.6
2009-04-20 18:17 . 2009-04-20 18:17 -------- d-----w c:\documents and settings\Owner\Application Data\DivX
2009-04-19 19:27 . 2009-04-19 19:27 -------- d-----w c:\program files\microsoft money 2005
2009-04-19 19:09 . 2009-04-19 19:09 -------- d-----w c:\program files\WinAVIVideoConverter
2009-04-19 19:05 . 2009-04-15 20:25 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-04-19 19:05 . 2009-04-15 20:25 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-04-19 19:05 . 2009-04-15 20:25 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-04-19 19:05 . 2009-04-15 20:25 118520 ------w c:\windows\system32\pxinsi64.exe
2009-04-19 19:05 . 2009-04-15 20:25 129784 ------w c:\windows\system32\pxafs.dll
2009-04-19 19:04 . 2009-04-19 19:04 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-18 08:59 . 2009-04-18 08:59 -------- d-----w c:\program files\JavaFX
2009-04-18 08:58 . 2009-04-18 08:58 -------- d-----w c:\program files\Sun
2009-04-18 08:58 . 2009-04-18 08:57 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w c:\windows\system32\DivX.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-04-12 14:43 . 2009-04-12 14:43 -------- d-----w c:\documents and settings\Owner\DoctorWeb
2009-04-11 22:57 . 2009-04-11 22:57 -------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-04-11 18:03 . 2009-04-11 18:03 -------- d-----w c:\program files\CCleaner
2009-04-10 17:35 . 2009-04-10 17:35 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-04-07 08:52 . 2009-04-07 09:04 28725 ------w c:\windows\hpoins03.dat
2009-04-07 08:52 . 2003-08-11 10:44 34480 ------w c:\windows\hpomdl03.dat
2009-04-07 08:27 . 2009-04-07 08:27 -------- d-----w c:\program files\SonicWallES
2009-04-06 09:15 . 2009-04-06 09:21 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-06 09:08 . 2008-01-17 17:59 713216 -c----w c:\windows\system32\dllcache\sxs.dll
2009-04-06 09:08 . 2009-04-06 09:08 -------- d-----w c:\program files\Zone Labs
2009-04-06 09:08 . 2009-04-11 21:32 -------- d-----w c:\windows\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 19:57 . 2008-01-22 00:01 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-04 16:10 . 2009-03-10 12:49 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-02 14:15 . 2009-03-07 07:45 1136 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-04-19 19:05 . 2008-01-27 19:22 -------- d-----w c:\program files\DivX
2009-04-19 18:52 . 2009-01-20 21:48 -------- d-----w c:\program files\Xvid
2009-04-18 08:56 . 2008-06-23 20:50 -------- d-----w c:\program files\Java
2009-04-15 20:25 . 2005-04-25 10:03 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-04-12 15:21 . 2002-08-29 12:00 506368 ----a-w c:\windows\system32\winlogon.exe
2009-04-12 15:21 . 2002-08-29 12:00 17408 ----a-w c:\windows\system32\svchost.exe
2009-04-12 15:21 . 2002-08-29 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-04-12 14:45 . 2002-08-29 12:00 1034752 ----a-w c:\windows\explorer.exe
2009-04-11 21:56 . 2008-01-25 13:01 -------- d-----w c:\program files\Essentials Codec Pack
2009-04-11 10:58 . 2009-04-11 10:58 563 ----a-w c:\program files\Shortcut to Malwarebytes' Anti-Malware.lnk
2009-04-02 19:48 . 2009-03-26 21:24 -------- d-----w c:\program files\SpywareBlaster
2009-03-29 16:20 . 2009-03-11 22:32 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-29 16:20 . 2009-03-11 22:32 47360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2009-03-29 16:20 . 2008-01-26 17:58 -------- d-----w c:\program files\VSO
2009-03-24 21:13 . 2008-01-24 22:29 -------- d-----w c:\program files\PCDR5
2009-03-22 19:32 . 2009-03-22 19:32 -------- d-----w c:\program files\GrabIt
2009-03-22 16:57 . 2009-03-07 04:39 76487 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-03-22 16:46 . 2009-03-22 16:46 0 ----atw c:\windows\001008_.tmp
2009-03-22 15:53 . 2009-03-22 15:53 0 ----atw c:\windows\003325_.tmp
2009-03-22 15:42 . 2009-03-22 15:42 -------- d-----w c:\program files\Bit Che
2009-03-22 15:20 . 2009-03-07 08:05 59056 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-22 15:18 . 2009-03-22 15:16 -------- d-----w c:\program files\Common Files\Ahead
2009-03-22 15:16 . 2009-03-21 18:27 -------- d-----w c:\program files\Nero
2009-03-22 14:52 . 2009-03-22 15:55 2678 ----a-w c:\windows\java\Packages\Data\tbdbj5r3.dat
2009-03-22 14:52 . 2009-03-22 15:55 2678 ----a-w c:\windows\java\Packages\Data\zfdb7h79.dat
2009-03-22 14:52 . 2009-03-22 15:55 2678 ----a-w c:\windows\java\Packages\Data\xjjnv1fd.dat
2009-03-22 14:52 . 2009-03-22 15:55 2678 ----a-w c:\windows\java\Packages\Data\gz9rlvd7.dat
2009-03-22 14:52 . 2009-03-22 15:55 2678 ----a-w c:\windows\java\Packages\Data\bpzvlflf.dat
2009-03-18 23:07 . 2008-02-17 16:25 -------- d-----w c:\program files\QuickTime
2009-03-18 23:05 . 2009-02-22 17:47 -------- d-----w c:\program files\Apple Software Update
2009-03-18 13:08 . 2009-03-18 13:08 -------- d-----w c:\program files\PowerISO
2009-03-12 21:50 . 2009-03-12 21:50 -------- d-----w c:\program files\Adobe Type Manager
2009-03-12 21:49 . 2009-03-12 21:48 -------- d-----w c:\program files\PhotoDeluxe 2.0
2009-03-12 20:37 . 2008-06-29 18:24 -------- d-----w c:\program files\Common Files\Nero
2009-03-11 21:27 . 2008-02-14 20:20 -------- d-----w c:\program files\DVD Shrink
2009-03-11 21:06 . 2009-03-11 21:06 0 ----a-w c:\windows\nsreg.dat
2009-03-11 19:18 . 2009-03-11 19:18 -------- d-----w c:\program files\MSN Messenger
2009-03-10 21:50 . 2009-03-10 21:50 128 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2009-03-10 21:28 . 2008-01-08 20:35 -------- d-----w c:\program files\Microsoft AutoRoute
2009-03-10 21:22 . 2008-01-08 20:28 -------- d-----w c:\program files\Picture It! Premium 10
2009-03-10 21:17 . 2008-01-08 20:22 -------- d-----w c:\program files\Microsoft Works
2009-03-10 21:04 . 2008-01-21 20:27 -------- d-----w c:\program files\Eset
2009-03-09 22:01 . 2009-03-09 22:01 -------- d-----w c:\program files\NETGEAR
2009-03-09 22:01 . 2008-01-17 21:26 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-09 20:42 . 2002-08-29 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-09 20:41 . 2009-03-07 04:37 23388 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-08 15:30 . 2009-03-08 15:31 274432 ----a-w c:\windows\system32\imon.dll
2009-03-08 15:30 . 2009-03-08 15:31 502368 ----a-w c:\windows\system32\drivers\amon.sys
2009-03-07 20:05 . 2009-03-07 19:39 -------- d-----w c:\program files\Broadcom
2009-03-07 19:48 . 2008-01-10 20:44 -------- d-----w c:\program files\blueyonder IST
2009-03-07 19:30 . 2009-03-07 19:30 17801 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-03-07 16:11 . 2008-01-22 21:26 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-07 13:52 . 2009-03-07 13:46 -------- d-----w c:\program files\Analog Devices
2009-03-07 13:46 . 2008-01-17 21:26 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-07 13:31 . 2008-01-24 22:32 -------- d-----w c:\program files\Common Files\SureThing Shared
2009-03-07 13:18 . 2008-01-24 21:18 -------- d-----w c:\program files\Common Files\Lenovo
2009-03-07 13:18 . 2008-01-24 21:18 -------- d-----w c:\program files\Lenovo
2009-03-07 13:18 . 2009-03-07 13:18 30144 ----a-w c:\windows\system32\drivers\psadd.sys
2009-03-07 12:35 . 2008-01-25 13:06 -------- d-----w c:\program files\Google
2009-03-07 06:53 . 2008-01-31 10:43 -------- d-----w c:\program files\Common Files\Adobe
2009-03-07 04:40 . 2009-03-22 15:55 558142 ----a-w c:\windows\java\Packages\8db9jvpz.zip
2009-03-07 04:40 . 2009-03-22 15:55 155995 ----a-w c:\windows\java\Packages\lv1fdz33.zip
2009-03-05 23:59 . 2009-03-18 23:05 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 23:59 . 2009-03-18 23:05 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2001-06-20 16:21 . 2008-01-13 13:09 1536 ----a-w c:\program files\boot.bin
2001-06-20 16:21 . 2008-01-13 13:08 22507 ----a-w c:\program files\bmgr.exe
2001-06-20 16:21 . 2008-01-13 13:09 168 ----a-w c:\program files\bmgr.scr
1998-05-11 20:01 . 2008-01-13 13:10 18967 ----a-w c:\program files\SYS.COM
1998-05-11 20:01 . 2008-01-13 13:10 7 ----a-w c:\program files\MSDOS.SYS
1998-05-11 20:01 . 2008-01-13 13:09 93880 ----a-w c:\program files\command.com
1998-05-11 20:01 . 2008-01-13 13:09 222390 ----a-w c:\program files\io.sys
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2004-08-04 00:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2009-04-12 15:21 17408 F9304809C3CA8F45153674A253DC670C c:\windows\system32\svchost.exe

[-] 2004-08-04 00:56 502272 50DF290E01181F57562BCFC2E93E79BE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2004-08-04 00:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2009-04-12 15:21 506368 1386A976BE507C9CBAFFA6D3F39CBF1E c:\windows\system32\winlogon.exe

[7] 2004-08-03 23:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ip6fw.sys
[-] 2004-08-03 23:00 29056 ACA96CF6F78D2CAAAAF847F2EE0BEB14 c:\windows\system32\drivers\ip6fw.sys

[-] 2009-04-12 14:45 1034752 E52221CA17B56885CD8BBF32BE7DF49E c:\windows\explorer.exe
[7] 2004-08-04 00:56 1032192 A0732187050030AE399B241436565E64 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe

[7] 2004-08-04 00:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\ServicePackFiles\i386\services.exe
[-] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[-] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\services.exe
[-] 2009-04-12 15:21 110592 3A7225391E3029AE511362F899B32223 c:\windows\system32\services.exe

[7] 2004-08-04 00:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\lsass.exe
[-] 2004-08-04 00:56 14336 110FB3121C028E5AAEDF3307223787CD c:\windows\system32\lsass.exe

[7] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[7] 2004-08-04 00:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2005-06-10 23:53 58368 3513A57EC257DF60F641D20031ACB383 c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-05-01_18.14.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-01 23:08 . 2006-12-01 23:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
- 2006-12-02 00:08 . 2006-12-02 00:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2009-05-05 18:51 . 2009-05-05 18:51 16384 c:\windows\Temp\Perflib_Perfdata_73c.dat
+ 2009-03-08 15:03 . 2004-08-04 00:56 67584 c:\windows\system32\dllcache\srclient.dll
+ 2009-03-07 14:51 . 2004-08-03 23:06 73472 c:\windows\system32\dllcache\sr.sys
+ 2009-05-04 19:58 . 2009-05-04 19:58 11264 c:\windows\Installer\{98613C99-1399-416C-A07C-1EE1C585D872}\Icon98613C992.exe
- 2009-03-07 07:19 . 2009-04-30 19:40 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2009-03-07 07:19 . 2009-05-02 14:15 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2009-03-10 21:16 . 2009-04-30 19:40 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2009-03-10 21:16 . 2009-05-02 14:15 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2009-03-10 21:16 . 2009-05-02 14:15 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2009-03-10 21:16 . 2009-04-30 19:40 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2009-03-10 21:16 . 2009-04-30 19:40 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2009-03-10 21:16 . 2009-05-02 14:15 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2009-03-07 07:19 . 2009-04-30 19:40 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2009-03-07 07:19 . 2009-05-02 14:15 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2009-03-10 21:16 . 2009-04-30 19:40 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2009-03-10 21:16 . 2009-05-02 14:15 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2009-03-07 07:19 . 2009-04-30 19:40 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2009-03-07 07:19 . 2009-05-02 14:15 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2009-03-08 15:03 . 2004-08-04 00:56 170496 c:\windows\system32\dllcache\srsvc.dll
+ 2009-03-08 15:03 . 2004-08-04 00:56 239104 c:\windows\system32\dllcache\srrstr.dll
+ 2009-03-08 15:03 . 2004-08-04 00:56 380416 c:\windows\system32\dllcache\rstrui.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-07 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-03-08 921600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-08-21 487424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-18 148888]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-07-26 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-07-26 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BACS\BPowMon.exe [13/04/2005 01:52 65536]
S0 cfyr;cfyr;c:\windows\system32\drivers\noxlg.sys --> c:\windows\system32\drivers\noxlg.sys [?]
S0 guiw;guiw;c:\windows\system32\drivers\nfpwyx.sys --> c:\windows\system32\drivers\nfpwyx.sys [?]
S2 amd64si;amd64si;\??\c:\windows\system32\drivers\amd64si.sys --> c:\windows\system32\drivers\amd64si.sys [?]
S2 ati64si;ati64si;\??\c:\windows\system32\drivers\ati64si.sys --> c:\windows\system32\drivers\ati64si.sys [?]
S2 VMwareService;VMwareService;"c:\windows\system\VMwareService.exe" --> c:\windows\system\VMwareService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1x1e23du.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 20:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(712)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(1468)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\imon.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-05 20:09
ComboFix-quarantined-files.txt 2009-05-05 19:09
ComboFix2.txt 2009-05-01 18:18

Pre-Run: 117,929,697,280 bytes free
Post-Run: 117,930,242,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
266 --- E O F --- 2009-03-22 22:05
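
The service lines in the ComboFix log above (the `S0`/`S2` entries that end in `[?]` instead of a date and size, such as cfyr, guiw, amd64si, ati64si and VMwareService) and the RSIT driver list later in this thread (entries ending in `[]`, such as gaopdxserv.sys) use two slightly different line formats. The Python script below is an added example for this thread, not code from ComboFix, RSIT or any of the posters. It parses both formats and ranks the entries a helper would look at first: entries for which the tool recorded no date or size for the binary, whose display name merely repeats the service name, and which load at boot or system start, before any user-mode scanner. The sample lines are copied from the logs in this thread; the scoring weights and the threshold are this example's own assumption, and a hit is a lead to verify by hand, not a verdict.

```python
"""Triage of service/driver lines from ComboFix and RSIT logs.

Added example for this thread; not part of ComboFix, RSIT or the original posts.
Parses both line formats and ranks entries a helper would check first.
Scoring weights are an assumption of this example; a hit is a lead, not a verdict.
"""
import re
from dataclasses import dataclass

# ComboFix: S0 cfyr;cfyr;c:\...\noxlg.sys --> c:\...\noxlg.sys [?]
# RSIT:     S1 gaopdxserv.sys;gaopdxserv.sys; C:\...\gaopdx...sys []
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);\s*(?P<rest>.+)$"
)
INFO_RE = re.compile(r"\[(?P<info>[^\]]*)\]\s*$")  # trailing "[date size]", "[?]" or "[]"
START_TYPES = {0: "Boot", 1: "System", 2: "Auto", 3: "Demand", 4: "Disabled"}


@dataclass
class Entry:
    running: bool
    start: int
    name: str
    display: str
    path: str
    file_info: str  # "2005-04-13 65536" when the tool could stat the file; "?" or "" when it could not


def parse_line(line):
    """Return an Entry for a ComboFix/RSIT service line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    info = INFO_RE.search(rest)
    file_info = info.group("info").strip() if info else ""
    path = rest[: info.start()].strip() if info else rest.strip()
    if " --> " in path:                      # ComboFix repeats the path for missing files
        path = path.split(" --> ", 1)[0].strip()
    if path.startswith("\\??\\"):            # NT object-manager prefix written by both tools
        path = path[4:]
    return Entry(m.group("state") == "R", int(m.group("start")),
                 m.group("name").strip(), m.group("display").strip(),
                 path.strip('"'), file_info)


def score(e):
    """Points and reasons for one entry. Weights (3/1/1) are this example's assumption."""
    points, reasons = 0, []
    if e.file_info in ("", "?"):
        points += 3
        reasons.append("tool recorded no date/size for the binary (missing or unreadable)")
    if e.display.lower() == e.name.lower():
        points += 1
        reasons.append("display name is just the service name")
    if e.start <= 1:
        points += 1
        reasons.append(f"{START_TYPES[e.start]}-start driver, loads before user-mode scanners")
    return points, reasons


def triage(lines, min_points=3):
    """Entries worth checking first, highest score first, then by name."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        points, reasons = score(e)
        if points >= min_points:
            hits.append((e.name, points, e.path, reasons))
    hits.sort(key=lambda h: (-h[1], h[0].lower()))
    return hits


# Lines copied from the ComboFix and RSIT logs in this thread (not constructed).
SAMPLE_LINES = [
    r"R2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BACS\BPowMon.exe [13/04/2005 01:52 65536]",
    r"S0 cfyr;cfyr;c:\windows\system32\drivers\noxlg.sys --> c:\windows\system32\drivers\noxlg.sys [?]",
    r"S0 guiw;guiw;c:\windows\system32\drivers\nfpwyx.sys --> c:\windows\system32\drivers\nfpwyx.sys [?]",
    r"S2 amd64si;amd64si;\??\c:\windows\system32\drivers\amd64si.sys --> c:\windows\system32\drivers\amd64si.sys [?]",
    r"S2 ati64si;ati64si;\??\c:\windows\system32\drivers\ati64si.sys --> c:\windows\system32\drivers\ati64si.sys [?]",
    r'S2 VMwareService;VMwareService;"c:\windows\system\VMwareService.exe" --> c:\windows\system\VMwareService.exe [?]',
    r"R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-08 35840]",
    r"R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]",
    r"R2 AMON;AMON; \??\C:\WINDOWS\system32\drivers\amon.sys []",
    r"R3 portio;TPM Service; C:\WINDOWS\System32\DRIVERS\NscTpmDD.sys [2004-05-19 13757]",
    r"S1 gaopdxserv.sys;gaopdxserv.sys; C:\WINDOWS\system32\drivers\gaopdxbrxowbitudotpogkoltmxvnklyapqqji.sys []",
    r"S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]",
    r"S3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []",
    r"S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []",
]

if __name__ == "__main__":
    for name, points, path, reasons in triage(SAMPLE_LINES):
        print(f"{points}  {name:16} {path}")
        for r in reasons:
            print(f"      - {r}")
```

Run against the lines above, the three boot/system-start entries with no recorded binary (cfyr, guiw, gaopdxserv.sys) sort to the top, the auto-start ones without a binary (amd64si, ati64si, VMwareService, AMON) come next, and ordinary entries such as BPowMon, kbdhid and portio are not listed. AMON is NOD32's own driver, which is exactly why the output is a checklist and not a verdict: each hit still has to be matched against a known vendor before anything is removed.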

#11 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 05 May 2009 - 02:49 PM

A question for you here: ComboFix is showing (as I posted below) your antivirus as being enabled during the scan. Did you have trouble disabling it, or did you follow the instructions and it failed to disable? This is important to the running of ComboFix, and we need to try and figure out why so we can correct it if possible.


AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
* Resident AV is active
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#12 gclubo

  • Topic Starter
  • Members
  • 57 posts

Posted 05 May 2009 - 03:05 PM

I did as you said: right-click on the system tray icon and click Quit. It says "Quitting will disable virus warning. Do you really want to quit?", I click Yes, and the icon disappears from the tray.

#13 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 05 May 2009 - 08:20 PM

There was nothing wrong with what you did; I just had to check to make sure whether it was the malware causing the problem with the antivirus. It's a process-of-elimination thing.


We need for you to have some files checked.

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe

Click Submit.
Please post the results of this scan to this thread.

Do the same for c:\windows\system32\spoolsv.exe

Alternate site if Jotti's doesn't work or is too busy

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe

Click Send.
Do the same for c:\windows\system32\spoolsv.exe

Please post the results of this scan to this thread.

I also need for you to run RSIT again and post the log from it. There will be only one log produced this time.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
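
The hash table near the end of the ComboFix log above (services.exe, lsass.exe and spoolsv.exe in system32 beside the copies Windows keeps under ServicePackFiles\i386, $hf_mig$ and SoftwareDistribution\Download) is the check the helper is following up on here. The Python script below is an added example for this thread, not code from ComboFix, RSIT, Jotti or VirusTotal. It does the local half of that check: hash a live binary and its on-disk reference copies, report which reference it is byte-identical to, and print the MD5 (what ComboFix shows) and SHA-256 (what the online scanners index) for a hash lookup. It runs offline on constructed stand-in files; no Windows binaries are embedded, and the directory names are only modelled on the ones in the log. The caveat is visible in the log itself: the reference copies differ from one another (SP2 original, the KB896423 hotfix, a 2008 update), so a live file that matches none of them is a file to submit, not a confirmed infection. The "tampered" case also shows why the size column alone is not enough: a byte-for-byte patch leaves the size unchanged and only the hash moves.

```python
"""Hash a live system binary against the reference copies Windows keeps on disk.

Added example for this thread; not code from ComboFix, RSIT, Jotti or VirusTotal.
The table near the end of the ComboFix log does this for services.exe, lsass.exe
and spoolsv.exe. This script reproduces the local half of that check on
constructed stand-in files and prints the hashes to look up online.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins: no real Windows binaries are embedded.  The two
# "builds" differ, as a hotfix build differs from the RTM copy in the log.
RTM_BUILD = b"MZ\x90\x00" + b"spoolsv RTM build  " * 64
HOTFIX_BUILD = b"MZ\x90\x00" + b"spoolsv KB896423 " * 64


def tamper(data, offset=-16):
    """Constructed in-place patch: same size, two bytes changed."""
    b = bytearray(data)
    b[offset] ^= 0xFF
    b[offset + 1] ^= 0xFF
    return bytes(b)


def digests(path, chunk=1 << 16):
    """MD5 (what ComboFix prints) and SHA-256 (what online scanners index) of one file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"size": Path(path).stat().st_size,
            "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def compare(target, references):
    """Which reference copies are byte-identical to the live file, and which are absent."""
    live = digests(target)
    matching, missing = [], []
    for ref in references:
        ref = Path(ref)
        if not ref.is_file():
            missing.append(str(ref))
        elif digests(ref)["sha256"] == live["sha256"]:
            matching.append(str(ref))
    return {"target": str(target), **live,
            "matching_references": matching, "missing_references": missing}


def summarize(report):
    """One-line verdict: accounted for by an on-disk copy, or a file to submit."""
    if report["matching_references"]:
        return "matches on-disk reference " + report["matching_references"][0]
    return ("no on-disk reference matches: submit the file, or look up sha256 "
            + report["sha256"] + " before trusting it")


def run_demo():
    """Build the stand-in tree, check a legitimate hotfix build, then a tampered copy."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        refs = {
            root / "ServicePackFiles" / "i386" / "spoolsv.exe": RTM_BUILD,
            root / "$hf_mig$" / "KB896423" / "SP2QFE" / "spoolsv.exe": HOTFIX_BUILD,
        }
        for p, data in refs.items():
            p.parent.mkdir(parents=True)
            p.write_bytes(data)
        # a reference path of the kind the log lists, deliberately absent from this tree
        ref_list = list(refs) + [root / "SoftwareDistribution" / "Download" / "x" / "spoolsv.exe"]
        live = root / "system32" / "spoolsv.exe"
        live.parent.mkdir()
        live.write_bytes(HOTFIX_BUILD)          # case 1: live file is the hotfix build
        results["hotfix_build"] = compare(live, ref_list)
        live.write_bytes(tamper(HOTFIX_BUILD))  # case 2: two bytes changed, same size
        results["tampered"] = compare(live, ref_list)
    return results


if __name__ == "__main__":
    for case, rep in run_demo().items():
        print(f"{case}: size={rep['size']} md5={rep['md5']}")
        print(f"  sha256={rep['sha256']}")
        print(f"  -> {summarize(rep)}")
```

On a real machine, point `compare` at the system32 file and at every copy ComboFix listed for it; the SHA-256 it prints can be looked up on VirusTotal without uploading the file, and only a file that matches no on-disk copy and no known hash needs to go to Jotti.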

#14 gclubo

  • Topic Starter
  • Members
  • 57 posts

Posted 06 May 2009 - 01:45 PM

Scan taken on 06 May 2009 18:37:11 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Quick Heal: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Scan taken on 06 May 2009 18:40:25 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Quick Heal: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-05-06 19:43:17
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 112 GB (76%) free of 149 GB
Total RAM: 2558 MB (81% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:22, on 06/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\BACS\BPowMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.111,85.255.112.200
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Broadcom Power monitoring service (BPowMon) - Broadcom Corp. - C:\Program Files\Broadcom\BACS\BPowMon.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: VMwareService - Unknown owner - C:\WINDOWS\system\VMwareService.exe (file missing)

--
End of file - 6526 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-17 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-10-06 110652]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-04-29 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-04-15 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-04-29 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-18 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-18 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-04-29 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2009-03-08 921600]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-07-26 13570048]
"TVT Scheduler Proxy"=C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [2008-08-21 487424]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-18 148888]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\System32\NvMcTray.dll [2008-07-26 86016]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd.exe [2003-06-25 49152]
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-10-06 122940]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-03-07 39408]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2003-07-07 233472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\BitLord\BitLord.exe"="C:\Program Files\BitLord\BitLord.exe:*:Disabled:BitLord"
"C:\WINDOWS\system32\userinit.exe"="C:\WINDOWS\system32\userinit.exe:*:Enabled:ENABLE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-05-05 20:09:03 ----A---- C:\ComboFix.txt
2009-05-01 19:07:31 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-01 19:07:29 ----A---- C:\WINDOWS\zip.exe
2009-05-01 19:07:29 ----A---- C:\WINDOWS\vFind.exe
2009-05-01 19:07:29 ----A---- C:\WINDOWS\SWREG.exe
2009-05-01 19:07:29 ----A---- C:\WINDOWS\sed.exe
2009-05-01 19:07:29 ----A---- C:\WINDOWS\grep.exe
2009-05-01 19:07:28 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-01 19:07:28 ----A---- C:\WINDOWS\SWSC.exe
2009-05-01 19:07:19 ----D---- C:\WINDOWS\ERDNT
2009-05-01 19:06:32 ----D---- C:\Qoobox
2009-04-30 19:37:57 ----D---- C:\rsit
2009-04-30 19:37:57 ----D---- C:\Program Files\trend micro
2009-04-20 20:29:40 ----A---- C:\WINDOWS\imsins.BAK
2009-04-20 19:17:56 ----D---- C:\Documents and Settings\Owner\Application Data\DivX
2009-04-19 20:27:56 ----D---- C:\Program Files\microsoft money 2005
2009-04-19 20:09:18 ----D---- C:\Program Files\WinAVIVideoConverter
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxinsi64.exe
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxinsa64.exe
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxhpinst.exe
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxcpyi64.exe
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxcpya64.exe
2009-04-19 20:05:15 ----N---- C:\WINDOWS\system32\pxafs.dll
2009-04-19 20:04:33 ----D---- C:\Program Files\Common Files\DivX Shared
2009-04-18 09:59:07 ----D---- C:\Program Files\JavaFX
2009-04-18 09:58:23 ----D---- C:\Program Files\Sun
2009-04-18 09:58:11 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-18 09:58:11 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-18 09:58:11 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-04-18 09:58:10 ----A---- C:\WINDOWS\system32\java.exe
2009-04-18 09:55:44 ----D---- C:\Documents and Settings\Owner\Application Data\Sun
2009-04-15 21:24:40 ----A---- C:\WINDOWS\system32\dpl100.dll
2009-04-15 21:24:38 ----A---- C:\WINDOWS\system32\divx_xx11.dll
2009-04-15 21:24:38 ----A---- C:\WINDOWS\system32\divx_xx0c.dll
2009-04-15 21:24:38 ----A---- C:\WINDOWS\system32\divx_xx0a.dll
2009-04-15 21:24:38 ----A---- C:\WINDOWS\system32\divx_xx07.dll
2009-04-15 21:24:38 ----A---- C:\WINDOWS\system32\DivX.dll
2009-04-12 15:41:43 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-11 23:57:30 ----D---- C:\Documents and Settings\All Users\Application Data\vsosdk
2009-04-11 19:03:15 ----D---- C:\Program Files\CCleaner
2009-04-11 12:23:41 ----A---- C:\avenger.txt
2009-04-10 18:35:22 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-04-08 09:38:05 ----D---- C:\Program Files\Registry Mechanic
2009-04-07 09:27:42 ----D---- C:\Program Files\SonicWallES

======List of files/folders modified in the last 1 months======

2009-05-06 19:43:22 ----D---- C:\WINDOWS\Prefetch
2009-05-06 19:38:21 ----D---- C:\Program Files\Mozilla Firefox
2009-05-06 19:27:04 ----D---- C:\WINDOWS\Temp
2009-05-05 21:43:05 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-05 21:37:34 ----A---- C:\WINDOWS\NeroDigital.ini
2009-05-05 20:09:05 ----D---- C:\WINDOWS\system32
2009-05-05 20:09:04 ----D---- C:\WINDOWS
2009-05-05 20:07:23 ----A---- C:\WINDOWS\system.ini
2009-05-05 20:06:36 ----D---- C:\WINDOWS\system32\drivers
2009-05-05 20:06:36 ----D---- C:\WINDOWS\AppPatch
2009-05-05 20:06:26 ----D---- C:\Program Files\Common Files
2009-05-05 20:05:27 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-04 21:49:22 ----D---- C:\WINDOWS\SoftwareDistribution
2009-05-04 21:46:32 ----SHD---- C:\System Volume Information
2009-05-04 21:46:32 ----D---- C:\WINDOWS\system32\Restore
2009-05-04 21:43:52 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-04 21:42:01 ----D---- C:\WINDOWS\security
2009-05-04 21:10:15 ----RASH---- C:\boot.ini
2009-05-04 21:10:15 ----A---- C:\WINDOWS\win.ini
2009-05-04 20:58:04 ----SHD---- C:\WINDOWS\Installer
2009-05-04 20:57:09 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-05-01 19:40:08 ----HD---- C:\WINDOWS\inf
2009-05-01 19:39:58 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-01 19:39:33 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-05-01 19:23:37 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-01 19:11:58 ----D---- C:\WINDOWS\system32\config
2009-05-01 15:31:07 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2009-04-30 19:37:57 ----RD---- C:\Program Files
2009-04-29 21:59:57 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-04-20 21:10:44 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-20 19:45:51 ----D---- C:\Documents and Settings
2009-04-19 20:05:26 ----D---- C:\Program Files\DivX
2009-04-19 19:52:40 ----D---- C:\Program Files\Xvid
2009-04-18 12:33:02 ----RSD---- C:\WINDOWS\Fonts
2009-04-18 09:56:26 ----D---- C:\Program Files\Java
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\VXBLOCK.dll
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\PxWave.dll
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\PxSFS.DLL
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\PxMas.dll
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\pxdrv.dll
2009-04-15 21:25:42 ----N---- C:\WINDOWS\system32\Px.dll
2009-04-12 16:21:32 ----A---- C:\WINDOWS\system32\winlogon.exe
2009-04-12 16:21:26 ----A---- C:\WINDOWS\system32\svchost.exe
2009-04-12 16:21:24 ----A---- C:\WINDOWS\system32\services.exe
2009-04-12 15:45:20 ----A---- C:\WINDOWS\explorer.exe
2009-04-11 22:56:29 ----D---- C:\Program Files\Essentials Codec Pack
2009-04-11 22:52:06 ----D---- C:\2c2594450c9c67bac7dc565487
2009-04-11 22:32:41 ----D---- C:\WINDOWS\Internet Logs
2009-04-11 22:26:27 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-04-11 21:45:26 ----D---- C:\Documents and Settings\All Users\Application Data\PCDr
2009-04-11 19:04:49 ----D---- C:\WINDOWS\Debug
2009-04-07 10:11:53 ----D---- C:\WINDOWS\pss
2009-04-07 10:03:10 ----RSD---- C:\WINDOWS\assembly
2009-04-07 09:55:16 ----D---- C:\WINDOWS\twain_32
2009-04-07 09:42:48 ----D---- C:\WINDOWS\system32\NtmsData

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-08 35840]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\System32\DRIVERS\AegisP.sys [2009-03-07 17801]
R2 AMON;AMON; \??\C:\WINDOWS\system32\drivers\amon.sys []
R2 BASFND;BASFND; \??\C:\Program Files\Broadcom\BACS\BASFND.sys []
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-10-06 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-10-06 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-10-06 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-10-06 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-10-06 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-10-06 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-10-06 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2006-05-11 156160]
R3 cmpci;TerraTec Aureon 5.1 (WDM); C:\WINDOWS\system32\drivers\cmaudio.sys [2002-07-16 379726]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2002-08-29 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2002-08-29 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2008-07-26 6097536]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2009-03-29 47360]
R3 portio;TPM Service; C:\WINDOWS\System32\DRIVERS\NscTpmDD.sys [2004-05-19 13757]
R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\System32\DRIVERS\psadd.sys [2009-03-07 30144]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-03-28 220992]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 gaopdxserv.sys;gaopdxserv.sys; C:\WINDOWS\system32\drivers\gaopdxbrxowbitudotpogkoltmxvnklyapqqji.sys []
S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
S2 amd64si;amd64si; \??\C:\WINDOWS\system32\drivers\amd64si.sys []
S2 ati64si;ati64si; \??\C:\WINDOWS\system32\drivers\ati64si.sys []
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2003-10-23 100384]
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2004-08-03 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2004-08-03 71552]
S3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-08-11 51056]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-08-11 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-08-11 21488]
S3 TSP;TSP; \??\C:\WINDOWS\system32\drivers\klif.sys []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 BPowMon;Broadcom Power monitoring service; C:\Program Files\Broadcom\BACS\BPowMon.exe [2005-04-13 65536]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-18 152984]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2009-03-08 507904]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2008-07-26 159812]
R2 SUService;System Update; C:\Program Files\Lenovo\System Update\SUService.exe [2008-10-20 28672]
R2 ThinkVantage Registry Monitor Service;ThinkVantage Registry Monitor Service; C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe [2007-09-26 644408]
R2 TVT Scheduler;TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [2008-08-21 1155072]
S2 VMwareService;VMwareService; C:\WINDOWS\system\VMwareService.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-29 182768]
S3 LPDSVC;TCP/IP Print Server; C:\WINDOWS\System32\tcpsvcs.exe [2002-08-29 19456]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-06-29 800040]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-08-11 65795]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2009-04-12 17408]

-----------------EOF-----------------
Hope these are the three logs you are looking for.
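The list above is a lot to read by eye, and the entries that matter most are the ones where DDS could not even stat the file (the empty `[]`) and the one with a long randomly generated filename. As an added example, not code from the thread, from DDS or from BleepingComputer, here is a small Python triage script that parses the DDS driver/service line format and flags those patterns. The sample lines are copied from the log above; the entropy and length thresholds are assumptions chosen for this example, and every flag is a reason to look closer, not a verdict.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: lines copied from the DDS driver/service list above.
# The gaopdx* entry is the randomly named driver; the others are for contrast.
SAMPLE_LOG = r"""
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2002-08-29 9600]
S1 gaopdxserv.sys;gaopdxserv.sys; C:\WINDOWS\system32\drivers\gaopdxbrxowbitudotpogkoltmxvnklyapqqji.sys []
S2 amd64si;amd64si; \??\C:\WINDOWS\system32\drivers\amd64si.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2009-03-08 507904]
"""

# One DDS entry: "<R|S><start type> <name>;<display name>; <path> [<date> <size>]"
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.+?)\s*\[(?P<info>[^\]]*)\]$"
)


def shannon_entropy(text: str) -> float:
    """Bits per character of the given string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_entries(log: str) -> List[Dict[str, str]]:
    """Parse every well-formed DDS driver/service line; ignore other lines."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entry: Dict[str, str]) -> List[str]:
    """Return the review reasons for one entry (empty list = nothing noted)."""
    reasons = []
    path = entry["path"]
    filename = path.replace("\\", "/").rsplit("/", 1)[-1]
    stem = filename.rsplit(".", 1)[0].lower()

    # DDS prints [] when it could not stat the file: hidden by a rootkit,
    # or a stale registration whose file is gone. Either way worth a look.
    if not entry["info"].strip():
        reasons.append("no file date/size (file missing or hidden)")

    # Long, high-entropy all-letter stems are typical of generated names.
    # Thresholds (16 chars, 3.5 bits/char) are assumptions for this example.
    if len(stem) >= 16 and stem.isalpha() and shannon_entropy(stem) >= 3.5:
        reasons.append("random-looking filename")

    # Kernel drivers registered from a user temp directory are unusual.
    if "\\temp\\" in path.lower():
        reasons.append("loads from a temp directory")

    return reasons


def triage_log(log: str) -> Dict[str, List[str]]:
    """Map service name -> reasons for every entry that has at least one."""
    findings = {}
    for entry in parse_entries(log):
        reasons = triage(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against the sample, the script flags `gaopdxserv.sys` on two counts (no file metadata and a random-looking name), `amd64si` for the missing metadata only, and `catchme` for missing metadata plus its temp-directory path. That last one shows why the flags need a human: a leftover driver registration from a removal tool looks the same to the parser as a hidden file, and only knowledge of what was run on the machine separates the two.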

#15 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:12:35 PM

Posted 07 May 2009 - 07:45 AM

Yes, those were the right logs. Sorry it's going so slow but due to not being able to install the Recovery Console and the antivirus remaining active we are having to take a different approach as we proceed. Hang in here with us though because we are trying to get you cleaned up.


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you