
Hangover after Troj/rustok-N virus


  • This topic is locked
42 replies to this topic

#1 GLE3


  • Members
  • 25 posts

Posted 21 May 2009 - 03:04 PM

Noticed my PC was running really slow after I downloaded a couple of drivers off the web. I didn't specifically know that I had this until I tried to view some streaming video and the site wouldn't let me, saying I had the virus! The same site suggested I download Winbluesoft to correct the problem. So, like a moron, I did. After I figured out I didn't want it, I removed it from Windows using the Add/Remove Programs utility. Anyway, I looked into fixing things and this is what I have done so far.

Stuff I did before I found this site: Downloaded HijackThis and ran a scan. Checked and fixed all entries starting with O17 – HKLM. Ran it again and they were gone. Next downloaded Avenger. Once unzipped, I left the script box empty and checked both Scan for Rootkit & Disable Rootkits. Clicked Execute and the computer rebooted and displayed a log that mentioned something about finding and removing a hidden driver (it was a .sys file). I don't remember anything more specific (sorry!). After that, performance started improving, but I am still getting infiltration alerts from Winbluesoft, spyware alerts from the Windows message center, and low memory warnings.

Could someone help me get rid of these spyware alerts and the like, please?

Here is my DDS:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Jerry at 21:27:44.03 on Wed 05/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.224 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\setup2.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jerry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [setup2.exe] c:\windows\system32\setup2.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinBlueSoft] c:\program files\winbluesoft software\winbluesoft\WinBlueSoft.exe -min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://www.gamehouse.com/games/NightshiftJaguarsEye.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.gamehouse.com/games/gamehouse/ghplayer.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://zone.msn.com/bingame/burg/default/GoBitGamesPlayer_v6.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://gamefilez.mofunzone.com/gamefilez/diner_dash_flo_on_the_go/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://www.gamehouse.com/games/zylom/zylomplayer.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.gamehouse.com/games/zuma/popcaploader.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;c:\windows\system32\drivers\wf88vcap.sys [2009-3-7 193792]
R2 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;c:\windows\system32\drivers\WF88XBAR.sys [2009-5-19 9600]
R2 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;c:\windows\system32\drivers\wf88tune.sys [2009-5-19 33536]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2009-5-18 19456]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2009-5-18 9600]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-3-9 33752]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\drivers\maxidemo.sys --> c:\windows\system32\drivers\maxidemo.sys [?]

=============== Created Last 30 ================

2009-05-20 18:35 <DIR> --d----- c:\program files\Trend Micro
2009-05-20 18:11 0 a------- c:\windows\system32\commonpriv.log.lock
2009-05-20 18:10 <DIR> --d----- c:\docume~1\jerry\applic~1\AVGTOOLBAR
2009-05-20 18:10 <DIR> --d----- c:\program files\AVG
2009-05-20 18:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-20 03:08 37,888 a------- c:\windows\system32\drivers\gxvxcykmovmpxeuhyigiifubxvmofahowxrer.sys
2009-05-20 03:08 26,625 a------- c:\windows\system32\gxvxctdkbweyabwwxidveemqpqsagqsnvpnxe.dll
2009-05-20 03:08 4 a------- c:\windows\system32\gxvxccounter
2009-05-20 03:07 345 ---shr-- C:\autorun.inf
2009-05-19 20:09 <DIR> --d----- c:\program files\Virtual VCR
2009-05-19 19:54 33,536 a------- c:\windows\system32\drivers\wf88tune.sys
2009-05-19 19:53 9,600 a------- c:\windows\system32\drivers\WF88XBAR.sys
2009-05-19 00:19 8,999 a------- c:\windows\32z30s5y15c9.cpl
2009-05-18 23:45 8,422 a------- c:\windows\system32\295z9spa5bot2ab.exe
2009-05-18 21:53 2 a------- c:\windows\system32\Dvbpws.dll
2009-05-18 21:44 162,944 a------- c:\windows\system32\drivers\cx88vid.sys
2009-05-18 21:44 50,816 a------- c:\windows\system32\drivers\cx88tune.sys
2009-05-18 21:44 9,728 a------- c:\windows\system32\drivers\cxavxbar.sys
2009-05-18 21:14 19,456 a------- c:\windows\system32\drivers\wf2ktunr.sys
2009-05-18 21:14 9,600 a------- c:\windows\system32\drivers\wf2kXbar.sys
2009-05-18 18:59 <DIR> --d----- c:\program files\Leadtek Research Inc
2009-05-18 18:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-05-18 18:40 <DIR> --d----- c:\program files\common files\Ulead Systems
2009-05-18 05:44 15,773 a------- c:\windows\z9584v9ru5276.dll
2009-05-15 17:12 <DIR> --d----- c:\windows\system32\Adobe
2009-05-15 13:26 15,140 a------- c:\windows\system32\194fsp9rs53z70.bin
2009-05-15 09:43 3,122 a------- c:\windows\system32\4a755ownl9adez917.cpl
2009-05-15 06:29 16,403 a------- c:\windows\2559zte5l2541.ocx
2009-05-13 18:43 7,002 a------- c:\windows\system32\25456hacktzo9119.dll
2009-05-13 02:37 6,713 a------- c:\windows\system32\10732h9cktzo5768.exe
2009-05-12 09:53 15,901 a------- c:\windows\997baddw5re13z8.dll
2009-05-11 19:04 15,625 a------- c:\windows\45cd9dd5arz709.cpl
2009-05-10 17:28 8,646 a------- c:\windows\798bthr5zt299239.exe
2009-05-10 13:16 12,200 a------- c:\windows\11705sz93a2.exe
2009-05-09 20:11 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-05-09 20:09 87 a------- c:\windows\usrwiz.ini
2009-05-09 20:09 <DIR> --d----- C:\Temp
2009-05-07 16:24 11,620 a------- c:\windows\669zdownloader2565.ocx
2009-05-07 01:04 3,708 a------- c:\windows\system32\11198wozm50a.cpl
2009-05-06 10:56 13,355 a------- c:\windows\system32\369b5hiez2605.cpl
2009-05-06 10:27 9,177 a------- c:\windows\9099s5ycz.exe
2009-05-05 20:32 11,119 a------- c:\windows\a525ack9oorz285.ocx
2009-05-05 17:53 4,940 a------- c:\windows\6175addwar91z55.exe
2009-05-04 06:36 10,515 a------- c:\windows\system32\9132addwaze541.bin
2009-05-02 10:17 <DIR> --d----- c:\program files\KingsIsle Entertainment
2009-05-02 00:46 17,914 a------- c:\windows\system32\14577ha9kzool5c7.cpl
2009-05-01 23:59 16,650 a------- c:\windows\52z21hacktool629.bin
2009-05-01 20:50 12,740 a------- c:\windows\system32\89zth9ef5636.exe
2009-04-29 00:59 <DIR> --d----- c:\program files\REALmagic
2009-04-28 05:47 499,712 a------- c:\windows\system32\msvcp71.dll
2009-04-28 05:47 348,160 a------- c:\windows\system32\msvcr71.dll
2009-04-27 19:43 13,479 a------- c:\windows\1929spamzo9725.exe
2009-04-26 20:22 5,734 a------- c:\windows\system32\2z52s5ar9e1557.bin
2009-04-24 23:03 10,036 a------- c:\windows\system32\5c78do5nzoa9er3265.cpl
2009-04-24 16:18 5,453 a------- c:\windows\system32\z125sp9ware2058.bin
2009-04-22 23:49 4,652 a------- c:\windows\25495hacktool2ze9.exe
2009-04-22 04:06 13,315 a------- c:\windows\3995downloaderz905.exe

==================== Find3M ====================

2009-05-20 17:54 1,097,728 a------- c:\windows\system32\setup2.exe
2009-05-19 20:02 193,792 a------- c:\windows\system32\drivers\wf88vcap.sys
2009-04-18 22:28 13,618 a------- c:\windows\5eeeaddwarez958.dll
2009-04-16 08:20 18,067 a------- c:\windows\system32\4815threa53449z.exe
2009-04-12 03:05 7,459 a------- c:\windows\system32\zf45dow9loader2436.dll
2009-04-09 13:21 3,616 a------- c:\windows\19z2backd5or583.bin
2009-04-09 04:53 7,261 a------- c:\windows\system32\386adownl5ader9z2.dll
2009-04-08 13:33 13,112 a------- c:\windows\19zabackd5or2721.exe
2009-04-05 01:00 12,633 a------- c:\windows\system32\424z5ir2079.exe
2009-04-04 16:59 3,594 a------- c:\windows\system32\z5a3th5ea91206.bin
2009-04-02 12:46 11,595 a------- c:\windows\system32\263185pazbot9d5.dll
2009-03-28 14:54 17,327 a------- c:\windows\system32\91382zor558f.dll
2009-03-27 19:25 9,186 a------- c:\windows\119z6spy357.dll
2009-03-25 22:05 11,372 a------- c:\windows\system32\376dspyw95e29z9.exe
2009-03-23 13:14 11,126 a------- c:\windows\system32\6732downlo5d9r476z.exe
2009-03-23 04:37 9,238 a------- c:\windows\541zbac9door6795.exe
2009-03-22 09:02 6,253 a------- c:\windows\system32\9z4325ot-a-virus4a8.exe
2009-03-22 08:40 17,815 a------- c:\windows\7z54hackt5o93e0.bin
2009-03-20 21:06 13,736 a------- c:\windows\2551zir2894.dll
2009-03-20 01:18 17,598 a------- c:\windows\system32\2092sparse5z93.dll
2009-03-19 00:41 14,492 a------- c:\windows\system32\30e9sparze155.exe
2009-03-17 10:42 14,721 a------- c:\windows\system32\z755worm5995.bin
2009-03-14 17:47 5,170 a------- c:\windows\z952back9oor1469.dll
2009-03-13 14:04 8,861 a------- c:\windows\z10059oj279.bin
2009-03-13 02:21 4,920 a------- c:\windows\system32\7z10not-5-vi9us470.bin
2009-03-12 15:12 3,374 a------- c:\windows\6109z5ambot50d.exe
2009-03-09 10:34 16,594 a------- c:\windows\system32\3839s5yze.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-07 13:23 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-07 08:08 2,694 a------- c:\windows\system32\94421vzrus752.bin
2009-03-07 00:54 7,087 a------- c:\windows\system32\498ct5rezt22469.exe
2009-03-06 23:09 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-01 09:03 8,952 a------- c:\windows\1339trzj558.dll
2009-02-28 12:36 6,130 a------- c:\windows\system32\9153not-a-vizus5c9.dll
2009-02-28 10:09 3,490 a------- c:\windows\7965pyzb6.exe
2009-02-27 01:09 13,690 a------- c:\windows\system32\81095orm7z59.exe
2009-02-26 09:10 17,634 a------- c:\windows\277fviz28985.dll
2009-02-22 15:02 16,167 a------- c:\windows\274169a5ktoolze7.exe
2009-02-22 07:45 6,233 a------- c:\windows\system32\z744spy9015.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll

============= FINISH: 21:28:00.40 ===============

Here is my latest HiJackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:15 PM, on 5/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} (CPlayFirstNightshiftControl Object) - http://www.gamehouse.com/games/NightshiftJaguarsEye.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://zone.msn.com/bingame/burg/default/G...esPlayer_v6.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://gamefilez.mofunzone.com/gamefilez/d...tg.1.0.0.33.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/zylom/zylomplayer.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.gamehouse.com/games/zuma/popcaploader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5537 bytes
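The "Created Last 30" and "Find3M" sections of the DDS log above are where a responder looks first. The following triage helper is an added example for this thread, not a BleepingComputer, DDS or HijackThis tool: it parses DDS entry lines and flags the patterns visible in this particular log (hidden+system autorun.inf in the drive root, the very long all-letter gxvxc* names, digit/letter soup names dropped directly in c:\windows or system32, PE files too small to be real, extension-less files in system32). The sample lines are copied from the posted log with two benign system DLLs added for contrast; the size and name-length thresholds are assumptions, noted in the code.

```python
import re
from typing import List, Tuple

# Lines copied from the DDS log posted above, plus two benign system DLLs for contrast.
SAMPLE_DDS_LINES = r"""
2009-05-20 18:35 <DIR> --d----- c:\program files\Trend Micro
2009-05-20 03:08 37,888 a------- c:\windows\system32\drivers\gxvxcykmovmpxeuhyigiifubxvmofahowxrer.sys
2009-05-20 03:08 4 a------- c:\windows\system32\gxvxccounter
2009-05-20 03:07 345 ---shr-- C:\autorun.inf
2009-05-19 19:54 33,536 a------- c:\windows\system32\drivers\wf88tune.sys
2009-05-19 00:19 8,999 a------- c:\windows\32z30s5y15c9.cpl
2009-05-18 21:53 2 a------- c:\windows\system32\Dvbpws.dll
2009-05-13 18:43 7,002 a------- c:\windows\system32\25456hacktzo9119.dll
2009-04-28 05:47 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
"""

# One "Created Last 30" / "Find3M" entry: timestamp, size or <DIR>, 8-char attribute field, path.
ENTRY_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attr>[a-z-]{8})\s+"
    r"(?P<path>\S.*?)\s*$"
)

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr"}
WINDOWS_ROOTS = {"c:\\windows", "c:\\windows\\system32"}
MIN_PE_SIZE = 512      # assumption: below this a file cannot hold a DOS stub, PE headers and code
LONG_ALPHA_STEM = 24   # assumption: stock Windows files never have 24+ letter names with no digits


def _transitions(stem: str) -> int:
    """Number of switches between letter runs and digit runs ('25456hacktzo9119' -> 2)."""
    kinds = [c.isdigit() for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def _longest_digit_run(stem: str) -> int:
    return max((len(run) for run in re.findall(r"\d+", stem)), default=0)


def looks_random(stem: str) -> bool:
    """Heuristic for the interleaved digit/letter names in this log ('32z30s5y15c9',
    '4a755ownl9adez917'); tuned so 'msvcp71', 'd3d9' or 'ws2_32' do not match."""
    t = _transitions(stem)
    return t >= 4 or (t >= 2 and _longest_digit_run(stem) >= 3)


def split_name(path: str):
    """Return (parent dir, file name, stem, extension incl. dot) for a lower-cased path."""
    parent, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return parent, name, name, ""
    return parent, name, stem, "." + ext


def triage_dds(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every file entry that trips one of the triage rules."""
    findings = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        path, attr = m["path"], m["attr"]
        if m["size"] == "<DIR>":
            continue
        size = int(m["size"].replace(",", ""))
        lower = path.lower()
        parent, name, stem, ext = split_name(lower)
        # Rule 1: autorun.inf in a drive root with system+hidden attributes (autorun worm marker).
        if name == "autorun.inf" and re.fullmatch(r"[a-z]:", parent) and "s" in attr and "h" in attr:
            findings.append((path, "hidden+system autorun.inf in drive root"))
        # Rule 2: very long all-letter names under c:\windows (the gxvxc* driver and DLL here).
        if lower.startswith("c:\\windows\\") and len(stem) >= LONG_ALPHA_STEM and stem.isalpha():
            findings.append((path, "very long all-letter file name under c:\\windows"))
        # Rule 3: digit/letter soup names dropped straight into c:\windows or system32.
        if parent in WINDOWS_ROOTS and looks_random(stem):
            findings.append((path, "random digit/letter name directly in a Windows root"))
        # Rule 4: executable extension but far too small to be a valid PE image.
        if ext in PE_EXTENSIONS and size < MIN_PE_SIZE:
            findings.append((path, f"{ext} file of {size} bytes is too small to be a real PE"))
        # Rule 5: extension-less file sitting in the system32 root (the 4-byte gxvxccounter).
        if parent == "c:\\windows\\system32" and ext == "":
            findings.append((path, "extension-less file in system32 root"))
    return findings


if __name__ == "__main__":
    for path, reason in triage_dds(SAMPLE_DDS_LINES):
        print(f"{reason:55} {path}")
```

Running it over the full "Created Last 30" and "Find3M" sections above flags every one of the digit/letter soup files, which is the quickest way to see how many droppers this rogue left behind.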


#2 etavares


    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 21 May 2009 - 06:18 PM

Hi!

Welcome to Bleeping Computer. My name is etavares and I will be helping you with your log.

Please give me a little time to go through your log. I'd also like to let you know that I am in training here at BC. At each stage of the process, my work will be checked by an expert coach. That means there may be a slight delay between my responses as they check it. Don't worry, we won't leave you.


Here's a few things to get started:
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you. If not sure how to subscribe, let me know and I can help you with that.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.



The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic. I'll respond quickly as well.

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 GLE3

  • Topic Starter

  • Members
  • 25 posts

Posted 21 May 2009 - 08:07 PM



Thanks for the quick reply! I've noticed some aren't as lucky. If you can give me a little more detail on how to subscribe to the topic, that would be great. Thanks!

Edited by GLE3, 21 May 2009 - 08:08 PM.


#4 etavares


    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 22 May 2009 - 05:42 PM

Hi GLE3-

You are right...there's a LOT of logs out there. That's why BC has created a training program to try and grow the capability to help others as fast as we can. That's where I come in. If I was a full BC staff member, I'd be working these in order. Fortunately for you, trainees need to find certain types of logs with certain types of infections, so we end up a little out of order sometimes. Your log fit a training need I have before I can take on more logs and help even more folks.

To subscribe to the log...
  • Go to the top to your first post. In the blue bar with "Hangover after Troj/rustok-N virus", click on Options on the right side of that bar.
  • Click on 'track this topic'.
  • Choose the notification you want. I would suggest 'immediate' if you want to get an email when I reply. If you don't want an email, choose "No email notification".
  • Click 'proceed' and you should be good to go.
For easy access to the topic, you can either click the link in the email if you choose "Immediate Email notification" or click on "My topics" at the top of any BC screen to have access if you selected "no email notification" or you don't have the link handy.

I'm still looking through your log and waiting for my coach to approve before I reply. I should be posting some instructions in the next couple of days.

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 etavares


    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 23 May 2009 - 02:13 PM

Hi GLE3-

You are right, you are still infected with a rogue antivirus program. Since Avenger found something, let's run Blacklight first to ensure that there is nothing hidden from DDS or HijackThis. Then, we'll run a great antimalware program to try and clean up the rogue antivirus program the 'easy' way.

Step 1 - Scan with Blacklight

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.
If Blacklight does not work, please rename fsbl.exe to zsbl.exe and try running it again.


Step 2 - Scan with MBAM
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Step 3
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.

Step 4
Please reply to this and include the following in your reply:
  • The Blacklight log from Step 1.
  • The MBAM log from step 2.
  • Log.txt and info.txt from Step 3.
Thanks!
-etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#6 GLE3

  • Topic Starter

  • Members
  • 25 posts

Posted 25 May 2009 - 09:27 PM



Here are the results from step one.

05/25/09 22:21:07 [Info]: BlackLight Engine 2.2.1092 initialized
05/25/09 22:21:07 [Info]: OS: 5.1 build 2600 (Service Pack 3)
05/25/09 22:21:21 [Note]: 4020 3297 65536
05/25/09 22:21:21 [Note]: 4018 3297 65536
05/25/09 22:21:21 [Note]: 4014 10895
05/25/09 22:21:21 [Note]: 4020 3297 65536
05/25/09 22:21:21 [Note]: 4018 3297 65536
05/25/09 22:21:21 [Note]: 4014 50965
05/25/09 22:21:21 [Note]: 4020 3297 65536
05/25/09 22:21:21 [Note]: 4018 3297 65536
05/25/09 22:21:21 [Note]: 4014 3298
05/25/09 22:21:21 [Note]: 4020 3297 65536
05/25/09 22:21:21 [Note]: 4018 3297 65536
05/25/09 22:21:21 [Note]: 4014 3298
05/25/09 22:21:21 [Note]: 4020 3297 65536
05/25/09 22:21:21 [Note]: 4018 3297 65536
05/25/09 22:21:21 [Note]: 4014 13319
05/25/09 22:21:21 [Note]: 4020 3297 65536
05/25/09 22:21:21 [Note]: 4018 3297 65536
05/25/09 22:21:21 [Note]: 4014 15523
05/25/09 22:21:21 [Note]: 4020 3297 65536
05/25/09 22:21:21 [Note]: 4018 3297 65536
05/25/09 22:21:21 [Note]: 4014 45208
05/25/09 22:21:21 [Note]: 4020 3297 65536
05/25/09 22:21:21 [Note]: 4018 3297 65536
05/25/09 22:21:21 [Note]: 4014 45208
05/25/09 22:21:21 [Note]: 4020 3297 65536
05/25/09 22:21:21 [Note]: 4018 3297 65536
05/25/09 22:21:21 [Note]: 4014 10318
05/25/09 22:21:21 [Note]: 4020 3297 65536
05/25/09 22:21:21 [Note]: 4018 3297 65536
05/25/09 22:21:21 [Note]: 4014 3217
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 3297
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 3404
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 3414
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 3414
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 5540
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 3413
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 3413
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 3405
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 3405
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 3412
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 3412
05/25/09 22:21:21 [Note]: 4020 3217 65536
05/25/09 22:21:21 [Note]: 4018 3217 65536
05/25/09 22:21:21 [Note]: 4014 3215
05/25/09 22:21:21 [Note]: 4020 3215 65536
05/25/09 22:21:21 [Note]: 4018 3215 65536
05/25/09 22:21:21 [Note]: 4014 3217
05/25/09 22:21:21 [Note]: 4020 3215 65536
05/25/09 22:21:21 [Note]: 4018 3215 65536
05/25/09 22:21:21 [Note]: 4014 3216
05/25/09 22:21:21 [Note]: 4020 3215 65536
05/25/09 22:21:21 [Note]: 4018 3215 65536
05/25/09 22:21:21 [Note]: 4014 3216
05/25/09 22:21:21 [Note]: 4020 3215 65536
05/25/09 22:21:21 [Note]: 4018 3215 65536
05/25/09 22:21:21 [Note]: 4014 9464
05/25/09 22:21:21 [Note]: 4020 3215 65536
05/25/09 22:21:21 [Note]: 4018 3215 65536
05/25/09 22:21:21 [Note]: 4014 9488
05/25/09 22:21:21 [Note]: 4020 3215 65536
05/25/09 22:21:21 [Note]: 4018 3215 65536
05/25/09 22:21:21 [Note]: 4014 9488
05/25/09 22:21:21 [Note]: 4020 3215 65536
05/25/09 22:21:21 [Note]: 4018 3215 65536
05/25/09 22:21:21 [Note]: 4014 3194
05/25/09 22:21:21 [Note]: 4020 3215 65536
05/25/09 22:21:21 [Note]: 4018 3215 65536
05/25/09 22:21:21 [Note]: 4014 3194
05/25/09 22:21:21 [Note]: 4020 3215 65536
05/25/09 22:21:21 [Note]: 4018 3215 65536
05/25/09 22:21:21 [Note]: 4014 5
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 3215
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 9890
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 61387
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 61387
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 61373
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 7013
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 7014
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 25108
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 25108
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 3179
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 3175
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 11070
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 20619
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 20619
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 3685
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 3685
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 19332
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 3213
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 3213
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 53966
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 28
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 40782
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:21:21 [Note]: 4014 40782
05/25/09 22:21:21 [Note]: 4020 5 327680
05/25/09 22:21:21 [Note]: 4018 5 327680
05/25/09 22:23:02 [Note]: 7007 0

#7 GLE3
  • Topic Starter
  • Members
  • 25 posts

Posted 25 May 2009 - 10:30 PM

Step 2 - Scan with MBAM
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Step 2

Malwarebytes' Anti-Malware 1.36
Database version: 2179
Windows 5.1.2600 Service Pack 3

5/25/2009 11:26:27 PM
mbam-log-2009-05-25 (23-26-27).txt

Scan type: Quick Scan
Objects scanned: 90060
Time elapsed: 10 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-3-9-31-100028910-100001027-100006970-5117.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\97725teal2071z.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-1970640.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxctdkbweyabwwxidveemqpqsagqsnvpnxe.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxcemxfmldlwxwmkltpuxylqibapqbfaswv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxclfsfyxjbvdhmdyhkdyibhbktqskwkbpa.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxcykmovmpxeuhyigiifubxvmofahowxrer.sys (Trojan.Agent) -> Quarantined and deleted successfully.

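The MBAM log above is worth reading with a responder's eye rather than just counting detections: three of the nine files are kernel drivers under system32\drivers (which is why MBAM's own note says a normal reboot may be needed), one is a .com file sitting directly in C:\RECYCLER with a name shaped like a SID whose revision is 3 (Windows SIDs always have revision 1, so the OS never created that folder name), one is autorun.inf at the drive root, and two carry a DNSChanger family name. The following script is an added example for this thread, not part of the post and not Malwarebytes' code: it parses the posted log (copied in as MBAM_LOG) and applies those checks. The flag names, the random-name heuristic and the reboot rule are this example's own assumptions, not MBAM behaviour.

```python
"""Triage an MBAM 1.x log: parse detections, flag what needs follow-up.

Added example for this thread; not from the post and not Malwarebytes' code.
Flag names, looks_random() and the reboot rule are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# Copied from the log posted above (detection sections only).
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2179

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Files Infected:
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-3-9-31-100028910-100001027-100006970-5117.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\97725teal2071z.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-1970640.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxctdkbweyabwwxidveemqpqsagqsnvpnxe.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxcemxfmldlwxwmkltpuxylqibapqbfaswv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxclfsfyxjbvdhmdyhkdyibhbktqskwkbpa.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxcykmovmpxeuhyigiifubxvmofahowxrer.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# A Windows SID is S-<revision>-<authority>-<sub-authorities...>; the revision
# is always 1. RECYCLER holds one folder per user SID, never a loose .com file.
SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?:-\d+)+$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    item: str
    family: str
    action: str
    flags: list = field(default_factory=list)


def parse_mbam_log(text):
    """One Finding per '<item> (<family>) -> <action>' line, tagged with the
    'XXX Infected:' section it appears under. Summary lines are skipped."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        m = DETECT_RE.match(line)
        if m and section:
            findings.append(Finding(section, m["item"], m["family"], m["action"]))
    return findings


def sid_is_wellformed(name):
    m = SID_RE.match(name)
    return bool(m) and m["rev"] == "1"


def looks_random(stem):
    """Heuristic (this example's own): letters mixed with four or more digits
    (97725teal2071z) or an unbroken run of 24+ letters (the gxvxc* names)."""
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return (digits >= 4 and letters >= 3) or (stem.isalpha() and letters >= 24)


def flag(f):
    """Attach triage flags to a Finding and return it."""
    low = f.item.lower()
    if f.section == "Files Infected":
        stem = f.item.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if low.endswith(".sys") and "\\drivers\\" in low:
            f.flags.append("kernel-driver")   # ring-0 component: rootkit territory
        if re.fullmatch(r"[a-z]:\\autorun\.inf", low):
            f.flags.append("root-autorun")    # spreads via removable/mapped drives
        m = re.search(r"\\recycler\\([^\\]+)$", f.item, re.IGNORECASE)
        if m and ("." in m[1] or not sid_is_wellformed(m[1])):
            f.flags.append("recycler-fake-sid")
        if "\\windows\\" in low and looks_random(stem):
            f.flags.append("random-name")
    if "dnschanger" in f.family.lower():
        f.flags.append("dns-changer")         # re-check resolver settings after cleanup
    return f


def triage(text):
    return [flag(f) for f in parse_mbam_log(text)]


def summarize(findings):
    by_section, by_flag = {}, {}
    for f in findings:
        by_section[f.section] = by_section.get(f.section, 0) + 1
        for fl in f.flags:
            by_flag[fl] = by_flag.get(fl, 0) + 1
    return {
        "by_section": by_section,
        "by_flag": by_flag,
        # Assumption: a quarantined kernel driver is only fully unloaded after a
        # normal reboot, matching the reboot note in the MBAM instructions.
        "reboot_required": by_flag.get("kernel-driver", 0) > 0,
    }


if __name__ == "__main__":
    found = triage(MBAM_LOG)
    for f in found:
        if f.flags:
            print(f"{','.join(f.flags):36} {f.item}")
    print(summarize(found))
```

Run it as a script to see each flagged path with its flags, then the summary. On a log of your own, paste the text into MBAM_LOG or read it from the file MBAM saves under its Logs tab; the section/detection regexes match the 1.x log layout shown in the post.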
#8 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 28 May 2009 - 06:08 PM

Hi GLE3-

Thanks for starting the scans. I've started to look at these. Please do not forget to post an RSIT log (step 3), that information will complement the other scans to give us a complete picture. There is definitely malware on this machine. Once I get the RSIT log, I'll be able to reply with the right fixes.

Also, you do not have to quote the instructions. It is easier for me to work when they are not quoted. That way, I will not miss anything you say as I scroll down.

Thanks!
-etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#9 etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 31 May 2009 - 10:03 AM

Hi GLE3, can you let me know if you still require my help or if you have resolved your issues.

Please let me know so this topic can be closed.

Thanks!




#10 GLE3
  • Topic Starter
  • Members
  • 25 posts

Posted 31 May 2009 - 08:45 PM

Step 3 - Sorry to drag my feet. I am not noticing any performance problems currently...


Logfile of random's system information tool 1.06 (written by random/random)
Run by Jerry at 2009-05-31 21:42:40
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 78 GB (51%) free of 153 GB
Total RAM: 502 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:44 PM, on 5/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jerry\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Jerry.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinBlueSoft] C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe
O4 - HKCU\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} (CPlayFirstNightshiftControl Object) - http://www.gamehouse.com/games/NightshiftJaguarsEye.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://zone.msn.com/bingame/burg/default/G...esPlayer_v6.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://gamefilez.mofunzone.com/gamefilez/d...tg.1.0.0.33.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/zylom/zylomplayer.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.gamehouse.com/games/zuma/popcaploader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6254 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-04-05 94208]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2005-04-05 77824]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2005-04-05 114688]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"WinBlueSoft"=C:\Program Files\WinBlueSoft Software\WinBlueSoft\WinBlueSoft.exe -min []
"WinFastDTV"=C:\Program Files\WinFast\WFDTV\DTVSchdl.exe [2009-01-16 90112]
"ArcSoft Connection Service"=C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2009-04-29 188728]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2009-03-23 321344]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"setup2.exe"=C:\WINDOWS\system32\setup2.exe [2009-05-20 1097728]
"WinFast Schedule"=C:\Program Files\WinFast\WFDTV\WFWIZ.exe [2009-01-12 2908160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-04-05 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.vbs - edit -
.vbs - open -

======List of files/folders created in the last 1 months======

2009-12-28 16:02:12 ----A---- C:\WINDOWS\709bsteal954z.exe
2009-12-28 14:35:13 ----A---- C:\WINDOWS\9576vizu5337.dll
2009-12-26 07:41:31 ----A---- C:\WINDOWS\system32\10599w9rm50dz.dll
2009-12-13 10:56:08 ----A---- C:\WINDOWS\275375pzm9ot51c.dll
2009-12-11 06:53:08 ----A---- C:\WINDOWS\system32\9821do5nloadez1450.dll
2009-12-05 20:46:44 ----A---- C:\WINDOWS\297z5hac9tool405.dll
2009-12-05 07:38:30 ----A---- C:\WINDOWS\system32\zbec9ddw5re37.exe
2009-12-02 22:25:07 ----A---- C:\WINDOWS\system32\930915py5z3.exe
2009-11-21 00:16:44 ----A---- C:\WINDOWS\10772sp9mbotz445.exe
2009-11-20 03:46:45 ----A---- C:\WINDOWS\1z27spa9b5t4d0.dll
2009-11-15 00:31:09 ----A---- C:\WINDOWS\system32\1dc79teal5092z.exe
2009-11-08 16:54:26 ----A---- C:\WINDOWS\system32\469not-a-9iruz559.dll
2009-11-05 00:50:09 ----A---- C:\WINDOWS\15260hazkt9ol215.dll
2009-10-28 11:41:51 ----A---- C:\WINDOWS\3z9875py7cd.dll
2009-10-09 11:15:12 ----A---- C:\WINDOWS\98580spambzt737.exe
2009-10-09 10:02:18 ----A---- C:\WINDOWS\system32\z8479pambot5e3.dll
2009-10-09 03:40:56 ----A---- C:\WINDOWS\z66a9hief30735.exe
2009-10-06 04:40:26 ----A---- C:\WINDOWS\system32\1548zhief5659.dll
2009-10-03 02:11:02 ----A---- C:\WINDOWS\system32\3394not9a-virzs5a2.exe
2009-10-01 07:34:01 ----A---- C:\WINDOWS\system32\6e69hief5z67.dll
2009-09-21 11:00:17 ----A---- C:\WINDOWS\9f78z5r1591.dll
2009-09-19 16:28:28 ----A---- C:\WINDOWS\18816s95zbot2d5.dll
2009-09-16 12:17:22 ----A---- C:\WINDOWS\system32\1779steal935z.exe
2009-09-16 01:49:15 ----A---- C:\WINDOWS\system32\6336sz95bf.exe
2009-09-13 21:07:39 ----A---- C:\WINDOWS\system32\42dzspyw59e1851.dll
2009-09-11 22:50:07 ----A---- C:\WINDOWS\system32\5253zspy6a9.exe
2009-09-11 19:23:26 ----A---- C:\WINDOWS\system32\9288szarse5844.exe
2009-09-08 13:17:17 ----A---- C:\WINDOWS\system32\1aaspywaz55249.dll
2009-09-08 11:03:17 ----A---- C:\WINDOWS\system32\5590szy3b4.dll
2009-09-01 13:17:00 ----A---- C:\WINDOWS\265dspy9zre2958.dll
2009-08-28 03:14:18 ----A---- C:\WINDOWS\51d4steal995z5.dll
2009-08-25 23:27:27 ----A---- C:\WINDOWS\system32\508zaddware4925.dll
2009-08-22 03:59:51 ----A---- C:\WINDOWS\system32\7056zpar9e3057.exe
2009-08-17 03:36:52 ----A---- C:\WINDOWS\21153no9-a-virusz05.exe
2009-08-15 20:41:31 ----A---- C:\WINDOWS\566thizf569.exe
2009-08-13 10:52:10 ----A---- C:\WINDOWS\system32\791hacktool5z.exe
2009-08-08 16:47:11 ----A---- C:\WINDOWS\4z80threa925625.dll
2009-08-04 08:02:00 ----A---- C:\WINDOWS\452z9hief2597.exe
2009-07-26 15:43:48 ----A---- C:\WINDOWS\system32\35bespzware495.exe
2009-07-15 19:19:31 ----A---- C:\WINDOWS\586ztroj4e9.dll
2009-07-14 14:57:08 ----A---- C:\WINDOWS\system32\598zhacktool657.dll
2009-07-13 00:55:36 ----A---- C:\WINDOWS\25dbthi5914z6.dll
2009-07-11 07:47:21 ----A---- C:\WINDOWS\system32\53c7spyz9re537.dll
2009-07-08 16:13:15 ----A---- C:\WINDOWS\system32\244899oz-a5virus188.dll
2009-07-02 21:39:34 ----A---- C:\WINDOWS\6606zi5us9de.exe
2009-07-02 14:42:35 ----A---- C:\WINDOWS\4a15downlzader1978.exe
2009-06-28 06:22:33 ----A---- C:\WINDOWS\system32\7089dowzloader6845.exe
2009-06-26 08:41:15 ----A---- C:\WINDOWS\system32\49b5th9ezt3120.dll
2009-06-22 22:20:32 ----A---- C:\WINDOWS\system32\5ab9thiefz654.dll
2009-06-20 11:50:13 ----A---- C:\WINDOWS\4505backdzo91444.dll
2009-06-15 08:41:28 ----A---- C:\WINDOWS\system32\78efvi9z9925.exe
2009-06-14 18:34:37 ----A---- C:\WINDOWS\system32\6fa1addzare8995.exe
2009-06-10 21:06:28 ----A---- C:\WINDOWS\system32\29670zot-a-vi5us2eb.exe
2009-06-09 13:57:44 ----A---- C:\WINDOWS\46f4tzief9859.exe
2009-06-01 14:46:48 ----A---- C:\WINDOWS\7925spamzot1569.dll
2009-05-31 21:42:40 ----D---- C:\rsit
2009-05-28 07:17:34 ----A---- C:\WINDOWS\31795szy339.exe
2009-05-25 23:13:39 ----D---- C:\Documents and Settings\Jerry\Application Data\Malwarebytes
2009-05-25 23:13:34 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-25 23:13:34 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-25 22:18:13 ----A---- C:\fsbl.exe
2009-05-24 05:34:46 ----A---- C:\WINDOWS\system32\4542steaz32559.exe
2009-05-23 11:26:13 ----D---- C:\Program Files\Virtual VCR
2009-05-21 20:30:15 ----D---- C:\Program Files\Windows Sidebar
2009-05-20 18:35:09 ----D---- C:\Program Files\Trend Micro
2009-05-20 18:10:16 ----D---- C:\Documents and Settings\Jerry\Application Data\AVGTOOLBAR
2009-05-20 18:10:08 ----D---- C:\Program Files\AVG
2009-05-20 18:10:08 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-05-20 17:57:11 ----A---- C:\WINDOWS\system32\7394addwar52691z.exe
2009-05-20 17:57:11 ----A---- C:\WINDOWS\system32\3bf9addwaze7925.exe
2009-05-20 17:57:11 ----A---- C:\WINDOWS\system32\14299hazkt5ol7b9.exe
2009-05-20 17:57:11 ----A---- C:\WINDOWS\489cspars51z99.exe
2009-05-20 17:57:11 ----A---- C:\WINDOWS\3912steal9z825.exe
2009-05-20 17:57:11 ----A---- C:\WINDOWS\123z55a9ktool2e7.exe
2009-05-20 17:57:10 ----A---- C:\WINDOWS\system32\956z4virus71a.dll
2009-05-20 17:57:10 ----A---- C:\WINDOWS\system32\5e3fthreat58919z.dll
2009-05-20 17:57:10 ----A---- C:\WINDOWS\system32\23760spa9bozdc5.exe
2009-05-20 17:57:10 ----A---- C:\WINDOWS\system32\22845hzef9529.exe
2009-05-20 17:57:10 ----A---- C:\WINDOWS\833zviru9695.exe
2009-05-20 17:57:10 ----A---- C:\WINDOWS\15486zp9mbot20c.exe
2009-05-20 17:57:10 ----A---- C:\WINDOWS\1459zvirus36.dll
2009-05-20 17:57:09 ----A---- C:\WINDOWS\z0554trojc9.dll
2009-05-20 17:57:09 ----A---- C:\WINDOWS\system32\7dbcspywa9z2952.dll
2009-05-20 17:57:09 ----A---- C:\WINDOWS\system32\68469ot-a-viru54ez.exe
2009-05-20 17:57:09 ----A---- C:\WINDOWS\system32\326265r9z589.exe
2009-05-20 17:57:09 ----A---- C:\WINDOWS\7c8zadd5are359.exe
2009-05-20 17:57:08 ----A---- C:\WINDOWS\z5210sp9mbot15c.dll
2009-05-20 17:57:08 ----A---- C:\WINDOWS\system32\800zparse15839.dll
2009-05-20 17:57:08 ----A---- C:\WINDOWS\system32\638fvi9135z.dll
2009-05-20 17:57:08 ----A---- C:\WINDOWS\system32\1525995zmbot320.dll
2009-05-20 17:57:08 ----A---- C:\WINDOWS\system32\1241z9ir5s5d.dll
2009-05-20 17:57:08 ----A---- C:\WINDOWS\305daddwaz91576.exe
2009-05-20 17:57:08 ----A---- C:\WINDOWS\2ad5thiez15009.dll
2009-05-20 17:57:08 ----A---- C:\WINDOWS\208z9h5cktoo95d7.exe
2009-05-20 17:57:08 ----A---- C:\WINDOWS\18017vizu54129.dll
2009-05-20 17:57:07 ----A---- C:\WINDOWS\system32\zspambot59c.dll
2009-05-20 17:57:07 ----A---- C:\WINDOWS\system32\59699zck5oor1104.exe
2009-05-20 17:57:07 ----A---- C:\WINDOWS\system32\23022not-5-vzr9s5c9.exe
2009-05-20 17:57:07 ----A---- C:\WINDOWS\system32\1z296sp5mbot54b.dll
2009-05-20 17:57:07 ----A---- C:\WINDOWS\5955sparsz2385.dll
2009-05-20 17:57:07 ----A---- C:\WINDOWS\52z86hacktoo91a7.exe
2009-05-20 17:57:07 ----A---- C:\WINDOWS\4c77s5eal9z03.dll
2009-05-20 17:57:07 ----A---- C:\WINDOWS\27c0zir28519.exe
2009-05-20 17:57:06 ----A---- C:\WINDOWS\system32\99zcb5ckdoor1475.dll
2009-05-20 17:57:06 ----A---- C:\WINDOWS\system32\9557thzef836.exe
2009-05-20 17:57:06 ----A---- C:\WINDOWS\system32\43z2hac5to9l4c7.exe
2009-05-20 17:57:06 ----A---- C:\WINDOWS\system32\2z986wo5m969.exe
2009-05-20 17:57:06 ----A---- C:\WINDOWS\system32\24955hac9tzol70.dll
2009-05-20 17:57:06 ----A---- C:\WINDOWS\7z529teal1490.dll
2009-05-20 17:57:06 ----A---- C:\WINDOWS\1z3cspy9ar5135.exe
2009-05-20 17:57:05 ----A---- C:\WINDOWS\system32\setup2.exe
2009-05-18 23:45:11 ----A---- C:\WINDOWS\system32\295z9spa5bot2ab.exe
2009-05-18 21:53:27 ----A---- C:\WINDOWS\system32\Dvbpws.dll
2009-05-18 18:59:49 ----D---- C:\Program Files\Leadtek Research Inc
2009-05-18 18:40:59 ----D---- C:\Documents and Settings\Jerry\Application Data\ArcSoft
2009-05-18 18:40:38 ----D---- C:\Documents and Settings\All Users\Application Data\ArcSoft
2009-05-18 18:40:37 ----D---- C:\Program Files\Common Files\ArcSoft
2009-05-18 18:40:27 ----D---- C:\Program Files\Common Files\Ulead Systems
2009-05-18 18:23:51 ----D---- C:\Documents and Settings\Jerry\Application Data\InstallShield
2009-05-18 05:44:34 ----A---- C:\WINDOWS\z9584v9ru5276.dll
2009-05-15 17:17:59 ----D---- C:\Documents and Settings\Jerry\Application Data\Google
2009-05-15 17:13:09 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-05-15 17:13:03 ----D---- C:\Program Files\Google
2009-05-15 17:12:25 ----D---- C:\WINDOWS\system32\Adobe
2009-05-13 18:43:39 ----A---- C:\WINDOWS\system32\25456hacktzo9119.dll
2009-05-13 02:37:25 ----A---- C:\WINDOWS\system32\10732h9cktzo5768.exe
2009-05-12 09:53:55 ----A---- C:\WINDOWS\997baddw5re13z8.dll
2009-05-10 17:28:24 ----A---- C:\WINDOWS\798bthr5zt299239.exe
2009-05-10 13:16:03 ----A---- C:\WINDOWS\11705sz93a2.exe
2009-05-09 20:09:52 ----D---- C:\Temp
2009-05-09 20:09:52 ----A---- C:\WINDOWS\usrwiz.ini
2009-05-06 10:27:35 ----A---- C:\WINDOWS\9099s5ycz.exe
2009-05-05 17:53:17 ----A---- C:\WINDOWS\6175addwar91z55.exe
2009-05-02 10:17:25 ----D---- C:\Program Files\KingsIsle Entertainment
2009-05-01 20:50:03 ----A---- C:\WINDOWS\system32\89zth9ef5636.exe

======List of files/folders modified in the last 1 months======

2009-05-31 21:42:30 ----D---- C:\WINDOWS\Prefetch
2009-05-31 21:33:35 ----D---- C:\Documents and Settings\Jerry\Application Data\DNA
2009-05-31 15:31:02 ----D---- C:\WINDOWS\system32
2009-05-29 01:47:12 ----D---- C:\WINDOWS\Temp
2009-05-29 01:46:49 ----D---- C:\Program Files\DNA
2009-05-29 01:46:16 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-29 01:46:01 ----D---- C:\Documents and Settings\Jerry\Application Data\BitTorrent
2009-05-25 23:32:10 ----D---- C:\WINDOWS\system32\drivers
2009-05-25 23:32:10 ----D---- C:\WINDOWS
2009-05-25 23:13:34 ----RD---- C:\Program Files
2009-05-25 22:20:48 ----SHD---- C:\RECYCLER
2009-05-25 12:02:28 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-23 16:47:36 ----SD---- C:\Documents and Settings\Jerry\Application Data\Microsoft
2009-05-23 11:15:31 ----HD---- C:\WINDOWS\inf
2009-05-22 23:38:43 ----SHD---- C:\WINDOWS\Installer
2009-05-21 20:31:49 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-21 20:30:18 ----D---- C:\Program Files\WinFast
2009-05-21 18:48:09 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-20 14:27:56 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-05-20 01:10:52 ----D---- C:\Documents and Settings\Jerry\Application Data\Move Networks
2009-05-18 21:52:14 ----D---- C:\WinFast WorkArea
2009-05-18 18:59:50 ----D---- C:\WINDOWS\system32\WinFast
2009-05-18 18:40:37 ----D---- C:\Program Files\Common Files
2009-05-18 18:28:47 ----RSD---- C:\WINDOWS\Fonts
2009-05-15 17:13:11 ----D---- C:\Documents and Settings\Jerry\Application Data\Adobe
2009-05-07 03:16:29 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 CX23880;WinFast CX2388x WDM Video Capture.; C:\WINDOWS\system32\drivers\cx88vid.sys [2006-10-18 162944]
R2 CXAVXBAR;WinFast CX2388x WDM Crossbar.; C:\WINDOWS\system32\drivers\cxavxbar.sys [2006-10-18 9728]
R2 CXTUNE;WinFast CX2388x WDM TVTuner.; C:\WINDOWS\system32\drivers\CX88TUNE.sys [2006-10-18 50816]
R3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-04-05 830684]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2006-02-28 12160]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner; C:\WINDOWS\system32\drivers\wf2ktunr.sys [2006-04-20 19456]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar; C:\WINDOWS\system32\drivers\wf2kxbar.sys [2006-04-20 9600]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
S3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
S3 maxidemo;Maxi_Vista_Demo_Driver; C:\WINDOWS\system32\DRIVERS\maxidemo.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2009-02-06 109056]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2004-12-13 49152]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-15 182768]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-05-31 21:42:48

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Groove Playback Engine-->RunDll32 C:\WINDOWS\DOWNLO~1\GrooveAX.dll,_RemoveGroove@16
3DVIA player 4.1-->MsiExec.exe /X{4E868D3D-6EEB-4273-926C-2287236B5B79}
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Citrix Presentation Server Client-->MsiExec.exe /I{E89956F9-5B89-470E-818D-BD46102D0A01}
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
getPlus® for Adobe-->"C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_BDA1448D3D255554.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Connections Drivers-->Prounstl.exe
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MediaInfo 0.7.13-->C:\Program Files\MediaInfo\uninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Word 2000 SR-1-->MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Microsoft Works 2001 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2001\Setup\Launcher.exe D:\
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Virtual VCR-->"C:\Program Files\Virtual VCR\Uninstall.exe" "C:\Program Files\Virtual VCR\install.log"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinFast Codec-TS SDK-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28FB7853-A6ED-4F67-8635-9F0E863FC0AD}\Setup.exe" -l0x9
WinFast De-interlace SDK-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0E0340-C3D7-42D1-96D4-64179FD456AE}\Setup.exe" -l0x9
WinFast Entertainment Center(WDM Driver)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE4AA694-815A-4045-BD49-C94F2BED7458}\setup.exe"
WinFast Multimedia Driver Installation-->C:\Program Files\InstallShield Installation Information\{418EC9DD-25EE-4C3F-8827-B7AA9B26405B}\setup.exe -runfromtemp -l0x0009 -removeonly
WinFast PVR2-->C:\Program Files\InstallShield Installation Information\{C92C584E-C781-475E-A8E2-C67D993A6B95}\setup.exe -runfromtemp -l0x0009 -removeonly
WinFast TT-SB SDK-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AF9848E2-5F19-4E49-9E6E-044FBDC28404}\Setup.exe" -l0x9
Wizard101-->"C:\Program Files\InstallShield Installation Information\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\setup.exe" -runfromtemp -l0x0009 -removeonly

=====HijackThis Backups=====

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-05-20]
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-20]
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-05-20]
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-05-20]
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-05-20]
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-05-20]
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-05-20]
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-20]
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A49C340-CC98-47BD-A7C4-D0C9542C0FB5}: NameServer = 85.255.112.125,85.255.112.159 [2009-05-20]
O17 - HKLM\System\CS1\Services\Tcpip\..\{6A49C340-CC98-47BD-A7C4-D0C9542C0FB5}: NameServer = 85.255.112.125,85.255.112.159 [2009-05-20]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.125,85.255.112.159 [2009-05-20]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.125,85.255.112.159 [2009-05-20]
O17 - HKLM\System\CS1\Services\Tcpip\..\{6A49C340-CC98-47BD-A7C4-D0C9542C0FB5}: NameServer = 85.255.112.24,85.255.112.118 [2009-05-21]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118 [2009-05-21]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118 [2009-05-21]
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A49C340-CC98-47BD-A7C4-D0C9542C0FB5}: NameServer = 85.255.112.24,85.255.112.118 [2009-05-21]
O17 - HKLM\System\CS1\Services\Tcpip\..\{6A49C340-CC98-47BD-A7C4-D0C9542C0FB5}: NameServer = 85.255.112.95,85.255.112.171 [2009-05-25]
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A49C340-CC98-47BD-A7C4-D0C9542C0FB5}: NameServer = 85.255.112.95,85.255.112.171 [2009-05-25]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.95,85.255.112.171 [2009-05-25]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.95,85.255.112.171 [2009-05-25]
O17 - HKLM\System\CS1\Services\Tcpip\..\{6A49C340-CC98-47BD-A7C4-D0C9542C0FB5}: NameServer = 85.255.112.119,85.255.112.101 [2009-05-25]
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A49C340-CC98-47BD-A7C4-D0C9542C0FB5}: NameServer = 85.255.112.119,85.255.112.101 [2009-05-25]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.119,85.255.112.101 [2009-05-25]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.119,85.255.112.101 [2009-05-25]

======System event log======

Computer Name: JERRY-60A4C1B99
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 1234
Source Name: W32Time
Time Written: 20090324090011.000000-240
Event Type: warning
User:

Computer Name: JERRY-60A4C1B99
Event Code: 1002
Message: The IP address lease 192.168.1.64 for the Network Card with network address 001320D53AFF has been
denied by the DHCP server 192.168.123.254 (The DHCP Server sent a DHCPNACK message).

Record Number: 1206
Source Name: Dhcp
Time Written: 20090323141352.000000-240
Event Type: error
User:

Computer Name: JERRY-60A4C1B99
Event Code: 1002
Message: The IP address lease 192.168.123.101 for the Network Card with network address 001320D53AFF has been
denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

Record Number: 1204
Source Name: Dhcp
Time Written: 20090323141324.000000-240
Event Type: error
User:

Computer Name: JERRY-60A4C1B99
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 1160
Source Name: W32Time
Time Written: 20090322151802.000000-240
Event Type: warning
User:

Computer Name: JERRY-60A4C1B99
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 1159
Source Name: Tcpip
Time Written: 20090322030302.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: JERRY-60A4C1B99
Event Code: 1001
Message: Detection of product '{00170409-78E1-11D2-B60F-006097C998E7}', feature 'HTMLSourceEditing' failed during request for component '{9E0B2BE1-DEDA-11D1-A17E-00A0C90AB50F}'

Record Number: 166
Source Name: MsiInstaller
Time Written: 20090322185358.000000-240
Event Type: warning
User: JERRY-60A4C1B99\Jerry

Computer Name: JERRY-60A4C1B99
Event Code: 11706
Message: Product: Microsoft Word 2000 SR-1 -- Error 1706. No valid source could be found for product Microsoft Word 2000 SR-1. The Windows installer cannot continue.

Record Number: 164
Source Name: MsiInstaller
Time Written: 20090322185357.000000-240
Event Type: error
User: JERRY-60A4C1B99\Jerry

Computer Name: JERRY-60A4C1B99
Event Code: 1001
Message: Detection of product '{00170409-78E1-11D2-B60F-006097C998E7}', feature 'HTMLSourceEditing' failed during request for component '{9E0B2BE1-DEDA-11D1-A17E-00A0C90AB50F}'

Record Number: 163
Source Name: MsiInstaller
Time Written: 20090322185308.000000-240
Event Type: warning
User: JERRY-60A4C1B99\Jerry

Computer Name: JERRY-60A4C1B99
Event Code: 1001
Message: Detection of product '{00170409-78E1-11D2-B60F-006097C998E7}', feature 'HTMLSourceEditing' failed during request for component '{9E0B2BE1-DEDA-11D1-A17E-00A0C90AB50F}'

Record Number: 161
Source Name: MsiInstaller
Time Written: 20090322185304.000000-240
Event Type: warning
User: JERRY-60A4C1B99\Jerry

Computer Name: JERRY-60A4C1B99
Event Code: 1517
Message: Windows saved user JERRY-60A4C1B99\Jerry registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 158
Source Name: Userenv
Time Written: 20090322010822.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\Common Files\ArcSoft\Bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0409
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Edited by GLE3, 31 May 2009 - 08:46 PM.
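
Two things in the logs above deserve a programmatic check rather than eyeballing: the HijackThis O17 backups show the machine's DNS servers repointed to four different pairs of 85.255.112.x addresses between 20 and 25 May, and every file the RSIT "created" list attributes to the 17:57 drop on 20 May has a name built from digits, the letter z and a mangled malware-category word (addwar, hazkt5ol, sp9mbot, not-a-viru, ...). The following Python is an added triage example, not part of this thread and not code from RSIT or HijackThis. It parses lines of exactly the two shapes posted above, flags randomised file names by how much of a category word survives as a subsequence once digits and z are stripped, and flags NameServer entries that point outside RFC 1918 space. The keyword list, the 0.6 score threshold and the two-digit rule are my assumptions fitted to this log; the sample lines are copied from the post except the last O17 line, which is constructed as a benign contrast.

```python
"""Triage helpers for RSIT file-list lines and HijackThis O17 entries.

Added example, not part of the original thread or of the RSIT/HijackThis tools.
Assumptions: line formats exactly as posted above; keyword list and thresholds
fitted to the file names visible in that log.
"""
import ipaddress
import re

# Category words that appear, mangled, in the dropped-file names in the log
# (addwar/addwaze -> addware, hazkt5ol -> hacktool, sp9mbot -> spambot, ...).
KEYWORDS = ("addware", "hacktool", "spambot", "spyware", "backdoor", "downloader",
            "trojan", "thief", "steal", "virus", "worm", "threat", "parse", "notavirus")

# "2009-05-20 17:57:11 ----A---- C:\WINDOWS\system32\7394addwar52691z.exe"
RSIT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) -+([A-Z]*)-+ (.+)$")
# "O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118 [2009-05-21]"
O17_RE = re.compile(r"^O17 - (\S+): NameServer = ([\d.,]+)")

MIN_DIGITS = 2   # assumption: every dropped file above has at least two digits in its name
MIN_SCORE = 0.6  # assumption: share of a keyword's letters that must survive, in order


def lcs_len(a: str, b: str) -> int:
    """Length of the longest common subsequence of a and b (textbook DP)."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def mangled_keyword(filename: str):
    """Best (keyword, score) hidden in a randomised file name, or None.

    The dropped names keep most letters of a category word but replace some of
    them with digits or 'z', so we drop digits, punctuation and 'z' and ask how
    much of each keyword survives as a subsequence of what is left.
    """
    stem = filename.rsplit(".", 1)[0]
    if sum(ch.isdigit() for ch in stem) < MIN_DIGITS:
        return None
    residue = "".join(ch for ch in stem.lower() if ch.isalpha() and ch != "z")
    if len(residue) < 3:
        return None
    best = max(((kw, lcs_len(residue, kw) / len(kw)) for kw in KEYWORDS),
               key=lambda t: t[1])
    return best if best[1] >= MIN_SCORE else None


def suspicious_files(lines):
    """[(path, keyword, score)] for RSIT file entries (directories skipped)
    whose name looks like the randomised dropper names in the log."""
    hits = []
    for line in lines:
        m = RSIT_RE.match(line.strip())
        if not m or "D" in m.group(2):      # attribute field contains D for directories
            continue
        path = m.group(3)
        found = mangled_keyword(path.rsplit("\\", 1)[-1])
        if found:
            hits.append((path, found[0], round(found[1], 2)))
    return hits


def hijacked_nameservers(lines, allowlist=frozenset()):
    """[(registry key, [suspect IPs])] for O17 lines whose NameServer list holds
    an address that is neither RFC 1918 private nor on the caller's allowlist."""
    out = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        key, ips = m.group(1), m.group(2).split(",")
        bad = [ip for ip in ips
               if ip not in allowlist and not ipaddress.ip_address(ip).is_private]
        if bad:
            out.append((key, bad))
    return out


# Sample input: lines copied from the RSIT log and HijackThis backups above,
# plus one constructed benign O17 line (192.168.1.254) for contrast.
SAMPLE_RSIT = [
    r"2009-05-25 22:18:13 ----A---- C:\fsbl.exe",
    r"2009-05-24 05:34:46 ----A---- C:\WINDOWS\system32\4542steaz32559.exe",
    r"2009-05-20 18:10:08 ----D---- C:\Program Files\AVG",
    r"2009-05-20 17:57:11 ----A---- C:\WINDOWS\system32\7394addwar52691z.exe",
    r"2009-05-20 17:57:09 ----A---- C:\WINDOWS\system32\68469ot-a-viru54ez.exe",
    r"2009-05-20 17:57:08 ----A---- C:\WINDOWS\z5210sp9mbot15c.dll",
    r"2009-05-20 17:57:05 ----A---- C:\WINDOWS\system32\setup2.exe",
    r"2009-05-07 03:16:29 ----A---- C:\WINDOWS\system32\MRT.exe",
]
SAMPLE_O17 = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.24,85.255.112.118 [2009-05-21]",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{6A49C340-CC98-47BD-A7C4-D0C9542C0FB5}: NameServer = 85.255.112.119,85.255.112.101 [2009-05-25]",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.254 [2009-05-31]",  # constructed, benign
]

if __name__ == "__main__":
    for path, kw, score in suspicious_files(SAMPLE_RSIT):
        print(f"{score:.2f} {kw:<10} {path}")
    for key, ips in hijacked_nameservers(SAMPLE_O17):
        print("DNS hijack:", key, ips)
```

The subsequence score is deliberately loose so that "hazkt5ol" still reads as hacktool, and the two-digit rule is what keeps it from tripping on ordinary names such as setup2.exe or MRT.exe; on a real box you would feed it the whole RSIT list and then confirm each hit by hash before deleting anything. Note that setup2.exe in system32, created in the same second as the dropper files, is not caught by this heuristic at all, which is a reminder that name-based triage only narrows the list.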


#11 etavares

    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 06 June 2009 - 09:17 AM

Hi GLE3-

Sorry for the delay in responding. I'm very glad to hear your system's performance is still better. MBAM definitely made a dent. However, WinBlueSoft is still installed on your machine, along with a lot of trojans. I think it's a good idea to get rid of it before we call your system clean.

One other note, before we get into the remaining steps. I see you have a Peer-to-Peer program installed. These can be a security risk. You may not want to have it running on startup, but rather start and shut it down manually. When running, it can degrade system performance and consume vast amounts of storage. It also is a security risk as outsiders are granted access to internal files. They're also often bundled with adware and spyware. Please be aware of the risks of using them.

Now, let's try and eliminate the last rogue program and those trojans.


1. Backup Registry
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

* Please download erunt-setup.exe to your desktop.
* Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
* Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.

You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


2. We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code into the files-to-move box in the OTMoveIt3 window. Do not include the word "Code".


    :files
    C:\Program Files\WinBlueSoft Software\
    c:\windows\system32\commonpriv.log.lock
    c:\windows\system32\drivers\gxvxcykmovmpxeuhyigiifubxvmofahowxrer.sys
    c:\windows\system32\gxvxctdkbweyabwwxidveemqpqsagqsnvpnxe.dll
    c:\windows\system32\gxvxccounter
    c:\windows\32z30s5y15c9.cpl
    c:\windows\system32\Dvbpws.dll
    c:\windows\system32\194fsp9rs53z70.bin
    c:\windows\system32\4a755ownl9adez917.cpl
    c:\windows\2559zte5l2541.ocx
    c:\windows\45cd9dd5arz709.cpl
    c:\windows\669zdownloader2565.ocx
    c:\windows\system32\11198wozm50a.cpl
    c:\windows\system32\369b5hiez2605.cpl
    c:\windows\a525ack9oorz285.ocx
    c:\windows\system32\9132addwaze541.bin
    c:\windows\system32\14577ha9kzool5c7.cpl
    c:\windows\52z21hacktool629.bin
    c:\windows\1929spamzo9725.exe
    c:\windows\system32\2z52s5ar9e1557.bin
    c:\windows\system32\5c78do5nzoa9er3265.cpl
    c:\windows\system32\z125sp9ware2058.bin
    c:\windows\25495hacktool2ze9.exe
    c:\windows\3995downloaderz905.exe
    C:\WINDOWS\709bsteal954z.exe
    C:\WINDOWS\9576vizu5337.dll
    C:\WINDOWS\system32\10599w9rm50dz.dll
    C:\WINDOWS\275375pzm9ot51c.dll
    C:\WINDOWS\system32\9821do5nloadez1450.dll
    C:\WINDOWS\297z5hac9tool405.dll
    C:\WINDOWS\system32\zbec9ddw5re37.exe
    C:\WINDOWS\system32\930915py5z3.exe
    C:\WINDOWS\10772sp9mbotz445.exe
    C:\WINDOWS\1z27spa9b5t4d0.dll
    C:\WINDOWS\system32\1dc79teal5092z.exe
    C:\WINDOWS\system32\469not-a-9iruz559.dll
    C:\WINDOWS\15260hazkt9ol215.dll
    C:\WINDOWS\3z9875py7cd.dll
    C:\WINDOWS\98580spambzt737.exe
    C:\WINDOWS\system32\z8479pambot5e3.dll
    C:\WINDOWS\z66a9hief30735.exe
    C:\WINDOWS\system32\1548zhief5659.dll
    C:\WINDOWS\system32\3394not9a-virzs5a2.exe
    C:\WINDOWS\system32\6e69hief5z67.dll
    C:\WINDOWS\9f78z5r1591.dll
    C:\WINDOWS\18816s95zbot2d5.dll
    C:\WINDOWS\system32\1779steal935z.exe
    C:\WINDOWS\system32\6336sz95bf.exe
    C:\WINDOWS\system32\42dzspyw59e1851.dll
    C:\WINDOWS\system32\5253zspy6a9.exe
    C:\WINDOWS\system32\9288szarse5844.exe
    C:\WINDOWS\system32\1aaspywaz55249.dll
    C:\WINDOWS\system32\5590szy3b4.dll
    C:\WINDOWS\265dspy9zre2958.dll
    C:\WINDOWS\51d4steal995z5.dll
    C:\WINDOWS\system32\508zaddware4925.dll
    C:\WINDOWS\system32\7056zpar9e3057.exe
    C:\WINDOWS\21153no9-a-virusz05.exe
    C:\WINDOWS\566thizf569.exe
    C:\WINDOWS\system32\791hacktool5z.exe
    C:\WINDOWS\4z80threa925625.dll
    C:\WINDOWS\452z9hief2597.exe
    C:\WINDOWS\system32\35bespzware495.exe
    C:\WINDOWS\586ztroj4e9.dll
    C:\WINDOWS\system32\598zhacktool657.dll
    C:\WINDOWS\25dbthi5914z6.dll
    C:\WINDOWS\system32\53c7spyz9re537.dll
    C:\WINDOWS\system32\244899oz-a5virus188.dll
    C:\WINDOWS\6606zi5us9de.exe
    C:\WINDOWS\4a15downlzader1978.exe
    C:\WINDOWS\system32\7089dowzloader6845.exe
    C:\WINDOWS\system32\49b5th9ezt3120.dll
    C:\WINDOWS\system32\5ab9thiefz654.dll
    C:\WINDOWS\4505backdzo91444.dll
    C:\WINDOWS\system32\78efvi9z9925.exe
    C:\WINDOWS\system32\6fa1addzare8995.exe
    C:\WINDOWS\system32\29670zot-a-vi5us2eb.exe
    C:\WINDOWS\46f4tzief9859.exe
    C:\WINDOWS\7925spamzot1569.dll
    C:\WINDOWS\31795szy339.exe
    C:\WINDOWS\system32\4542steaz32559.exe
    C:\WINDOWS\system32\7394addwar52691z.exe
    C:\WINDOWS\system32\3bf9addwaze7925.exe
    C:\WINDOWS\system32\14299hazkt5ol7b9.exe
    C:\WINDOWS\489cspars51z99.exe
    C:\WINDOWS\3912steal9z825.exe
    C:\WINDOWS\123z55a9ktool2e7.exe
    C:\WINDOWS\system32\956z4virus71a.dll
    C:\WINDOWS\system32\5e3fthreat58919z.dll
    C:\WINDOWS\system32\23760spa9bozdc5.exe
    C:\WINDOWS\system32\22845hzef9529.exe
    C:\WINDOWS\833zviru9695.exe
    C:\WINDOWS\15486zp9mbot20c.exe
    C:\WINDOWS\1459zvirus36.dll
    C:\WINDOWS\z0554trojc9.dll
    C:\WINDOWS\system32\7dbcspywa9z2952.dll
    C:\WINDOWS\system32\68469ot-a-viru54ez.exe
    C:\WINDOWS\system32\326265r9z589.exe
    C:\WINDOWS\7c8zadd5are359.exe
    C:\WINDOWS\z5210sp9mbot15c.dll
    C:\WINDOWS\system32\800zparse15839.dll
    C:\WINDOWS\system32\638fvi9135z.dll
    C:\WINDOWS\system32\1525995zmbot320.dll
    C:\WINDOWS\system32\1241z9ir5s5d.dll
    C:\WINDOWS\305daddwaz91576.exe
    C:\WINDOWS\2ad5thiez15009.dll
    C:\WINDOWS\208z9h5cktoo95d7.exe
    C:\WINDOWS\18017vizu54129.dll
    C:\WINDOWS\system32\zspambot59c.dll
    C:\WINDOWS\system32\59699zck5oor1104.exe
    C:\WINDOWS\system32\23022not-5-vzr9s5c9.exe
    C:\WINDOWS\system32\1z296sp5mbot54b.dll
    C:\WINDOWS\5955sparsz2385.dll
    C:\WINDOWS\52z86hacktoo91a7.exe
    C:\WINDOWS\4c77s5eal9z03.dll
    C:\WINDOWS\27c0zir28519.exe
    C:\WINDOWS\system32\99zcb5ckdoor1475.dll
    C:\WINDOWS\system32\9557thzef836.exe
    C:\WINDOWS\system32\43z2hac5to9l4c7.exe
    C:\WINDOWS\system32\2z986wo5m969.exe
    C:\WINDOWS\system32\24955hac9tzol70.dll
    C:\WINDOWS\7z529teal1490.dll
    C:\WINDOWS\1z3cspy9ar5135.exe
    C:\WINDOWS\system32\setup2.exe
    C:\WINDOWS\system32\295z9spa5bot2ab.exe
    C:\WINDOWS\system32\Dvbpws.dll
    C:\WINDOWS\z9584v9ru5276.dll
    C:\WINDOWS\system32\25456hacktzo9119.dll
    C:\WINDOWS\system32\10732h9cktzo5768.exe
    C:\WINDOWS\997baddw5re13z8.dll
    C:\WINDOWS\798bthr5zt299239.exe
    C:\WINDOWS\11705sz93a2.exe
    C:\WINDOWS\9099s5ycz.exe
    C:\WINDOWS\6175addwar91z55.exe
    C:\WINDOWS\system32\89zth9ef5636.exe
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinBlueSoft"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "setup2.exe"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]
    :commands
    [EmptyTemp]
    [Reboot]

  • Push the large MoveIt button.
  • OTMoveIt3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents of the results window here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Please also post a fresh RSIT log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
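The OTM script above names its targets by section (:files, :reg, :commands), and the log OTM writes back reports one outcome line per item ("moved successfully", "not found", "LoadLibrary failed" followed by "NOT unregistered", "scheduled to be deleted on reboot", "deleted successfully" for registry entries). Before asking for the next log, a helper wants to know which requested items got no result line at all and which DLLs could not be unregistered because they would not load. The following Python script is an added example for that check; it is not part of this thread and not OTM's own code. The script and log embedded in it are constructed placeholders that copy the line formats shown in this thread, not the files from it.

```python
"""Reconcile an OTM (OldTimer's OTMoveIt) removal script against the log it writes.

Added example, not part of OTM. It answers the question a helper asks after a run:
did every file, folder and registry entry in the script get a result line, and
which of them were moved, missing, or silently skipped?
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample script in OTM's section syntax. Paths, names and the GUID are placeholders.
SAMPLE_SCRIPT = r"""
:files
C:\WINDOWS\system32\example_a.dll
C:\WINDOWS\example_b.exe
C:\WINDOWS\system32\example_c.ocx
C:\Program Files\ExampleSoft
C:\WINDOWS\system32\example_d.cpl
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleSoft"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"example_b.exe"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Example\Distribution Units\{00000000-0000-0000-0000-000000000000}]
:commands
[EmptyTemp]
[Reboot]
"""

# Constructed sample log in the line formats OTM prints (path case varies, as in real logs).
SAMPLE_LOG = r"""
========== FILES ==========
LoadLibrary failed for C:\WINDOWS\system32\example_a.dll
C:\WINDOWS\system32\example_a.dll NOT unregistered.
C:\WINDOWS\system32\example_a.dll moved successfully.
c:\windows\example_b.exe moved successfully.
File/Folder C:\WINDOWS\system32\example_c.ocx not found.
Folder C:\Program Files\ExampleSoft not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ExampleSoft deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Example\Distribution Units\{00000000-0000-0000-0000-000000000000}\\ deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
File delete failed. C:\Documents and Settings\User\Local Settings\Temp\example.tmp scheduled to be deleted on reboot.
"""

# One regex per outcome line OTM writes; the first match wins.
_LOG_PATTERNS = [
    ("moved", re.compile(r"^(?P<p>.+) moved successfully\.$")),
    ("not_found", re.compile(r"^(?:File/Folder|Folder|File) (?P<p>.+) not found[.!]$")),
    ("loadlibrary_failed", re.compile(r"^LoadLibrary failed for (?P<p>.+)$")),
    ("not_unregistered", re.compile(r"^(?P<p>.+) NOT unregistered\.$")),
    ("pending_reboot", re.compile(r"^File delete failed\. (?P<p>.+) scheduled to be deleted on reboot\.$")),
    ("reg_value", re.compile(r"^Registry value (?P<k>.+)\\\\(?P<n>[^\\]+) deleted successfully\.$")),
    ("reg_key", re.compile(r"^Registry key (?P<k>.+)\\\\ deleted successfully\.$")),
]


def _norm(path: str) -> str:
    """Windows paths are case-insensitive and OTM lower-cases some of them, so compare case-folded."""
    return path.strip().rstrip("\\").casefold()


def parse_script(text: str) -> Dict[str, list]:
    """Collect the items an OTM script asks for: files/folders, registry values, registry keys."""
    files: List[str] = []
    reg_values: List[Tuple[str, str]] = []   # (key, value name) pairs from '"name"=-' lines
    reg_keys: List[str] = []                 # keys deleted with the '[-KEY]' form
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):             # section header such as :files / :reg / :commands
            section, current_key = line.lower(), None
            continue
        if section == ":files":
            files.append(line)
        elif section == ":reg":
            if line.startswith("[-") and line.endswith("]"):
                reg_keys.append(line[2:-1])
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            else:
                m = re.match(r'^"([^"]+)"=-$', line)
                if m and current_key:
                    reg_values.append((current_key, m.group(1)))
        # :commands entries ([EmptyTemp], [Reboot]) produce no per-item result line to reconcile.
    return {"files": files, "reg_values": reg_values, "reg_keys": reg_keys}


def parse_log(text: str) -> Dict[str, Set]:
    """Index every result line OTM wrote, keyed by outcome name."""
    found: Dict[str, Set] = {name: set() for name, _ in _LOG_PATTERNS}
    for raw in text.splitlines():
        line = raw.strip()
        for name, pattern in _LOG_PATTERNS:
            m = pattern.match(line)
            if m is None:
                continue
            if name == "reg_value":
                found[name].add((_norm(m.group("k")), m.group("n").casefold()))
            elif name == "reg_key":
                found[name].add(_norm(m.group("k")))
            else:
                found[name].add(_norm(m.group("p")))
            break
    return found


def reconcile(script_text: str, log_text: str) -> Dict[str, List[str]]:
    """Map each script item to its log outcome; 'unaccounted' means OTM wrote no line for it."""
    script, log = parse_script(script_text), parse_log(log_text)
    report: Dict[str, List[str]] = {
        "moved": [], "not_found": [], "unaccounted": [], "unregister_failed": [],
        "reg_deleted": [], "reg_unaccounted": [], "pending_reboot": sorted(log["pending_reboot"]),
    }
    for path in script["files"]:
        n = _norm(path)
        if n in log["moved"]:
            report["moved"].append(path)
            if n in log["not_unregistered"]:      # DLL would not load, so it was moved but never unregistered
                report["unregister_failed"].append(path)
        elif n in log["not_found"]:
            report["not_found"].append(path)
        else:
            report["unaccounted"].append(path)
    for key, name in script["reg_values"]:
        label = f"{key}\\{name}"
        target = "reg_deleted" if (_norm(key), name.casefold()) in log["reg_value"] else "reg_unaccounted"
        report[target].append(label)
    for key in script["reg_keys"]:
        report["reg_deleted" if _norm(key) in log["reg_key"] else "reg_unaccounted"].append(key)
    return report


def sample_report() -> Dict[str, List[str]]:
    """Run the reconciliation on the constructed sample script and log."""
    return reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)


if __name__ == "__main__":
    for outcome, items in sample_report().items():
        print(f"{outcome}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run against a real pair, the "unaccounted" list is the one to act on: an item with no result line was never attempted (a typo in the script, or a path OTM could not parse), while "unregister_failed" entries are DLLs that Windows refused to load, which is the same condition behind the "Bad Image" dialog reported later in this thread.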
 


#12 GLE3

Posted 09 June 2009 - 06:16 PM

Hi, I'm getting 404 errors trying to click on OTMoveIt3. Can you help me?

#13 etavares

Malware Response Team

Posted 09 June 2009 - 06:25 PM

I just got the updated link...it changed a few hours after I posted. Talk about bad timing! Please download from here:

http://oldtimer.geekstogo.com/OTM.exe


 


#14 GLE3

Posted 09 June 2009 - 07:19 PM

Thanks! Now when I paste the script and click move it I get this popup:

OTM: OTM.exe - Bad Image

The application or DLL c:\windows\system32\Dvbpws.dll is not a valid windows image. Please check this against your installation diskette.


It gives me an option of clicking ok.

#15 GLE3

Posted 09 June 2009 - 08:08 PM

Ok, I ended up clicking OK on several of those OTM.exe warnings for several files. Here is the log.

========== FILES ==========
Folder C:\Program Files\WinBlueSoft Software not found.
c:\windows\system32\commonpriv.log.lock moved successfully.
File/Folder c:\windows\system32\drivers\gxvxcykmovmpxeuhyigiifubxvmofahowxrer.sys not found.
File/Folder c:\windows\system32\gxvxctdkbweyabwwxidveemqpqsagqsnvpnxe.dll not found.
File/Folder c:\windows\system32\gxvxccounter not found.
c:\windows\32z30s5y15c9.cpl moved successfully.
LoadLibrary failed for c:\windows\system32\Dvbpws.dll
c:\windows\system32\Dvbpws.dll NOT unregistered.
c:\windows\system32\Dvbpws.dll moved successfully.
c:\windows\system32\194fsp9rs53z70.bin moved successfully.
c:\windows\system32\4a755ownl9adez917.cpl moved successfully.
LoadLibrary failed for c:\windows\2559zte5l2541.ocx
c:\windows\2559zte5l2541.ocx NOT unregistered.
c:\windows\2559zte5l2541.ocx moved successfully.
c:\windows\45cd9dd5arz709.cpl moved successfully.
LoadLibrary failed for c:\windows\669zdownloader2565.ocx
c:\windows\669zdownloader2565.ocx NOT unregistered.
c:\windows\669zdownloader2565.ocx moved successfully.
c:\windows\system32\11198wozm50a.cpl moved successfully.
c:\windows\system32\369b5hiez2605.cpl moved successfully.
LoadLibrary failed for c:\windows\a525ack9oorz285.ocx
c:\windows\a525ack9oorz285.ocx NOT unregistered.
c:\windows\a525ack9oorz285.ocx moved successfully.
c:\windows\system32\9132addwaze541.bin moved successfully.
c:\windows\system32\14577ha9kzool5c7.cpl moved successfully.
c:\windows\52z21hacktool629.bin moved successfully.
c:\windows\1929spamzo9725.exe moved successfully.
c:\windows\system32\2z52s5ar9e1557.bin moved successfully.
c:\windows\system32\5c78do5nzoa9er3265.cpl moved successfully.
c:\windows\system32\z125sp9ware2058.bin moved successfully.
c:\windows\25495hacktool2ze9.exe moved successfully.
c:\windows\3995downloaderz905.exe moved successfully.
C:\WINDOWS\709bsteal954z.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\9576vizu5337.dll
C:\WINDOWS\9576vizu5337.dll NOT unregistered.
C:\WINDOWS\9576vizu5337.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\10599w9rm50dz.dll
C:\WINDOWS\system32\10599w9rm50dz.dll NOT unregistered.
C:\WINDOWS\system32\10599w9rm50dz.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\275375pzm9ot51c.dll
C:\WINDOWS\275375pzm9ot51c.dll NOT unregistered.
C:\WINDOWS\275375pzm9ot51c.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\9821do5nloadez1450.dll
C:\WINDOWS\system32\9821do5nloadez1450.dll NOT unregistered.
C:\WINDOWS\system32\9821do5nloadez1450.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\297z5hac9tool405.dll
C:\WINDOWS\297z5hac9tool405.dll NOT unregistered.
C:\WINDOWS\297z5hac9tool405.dll moved successfully.
C:\WINDOWS\system32\zbec9ddw5re37.exe moved successfully.
C:\WINDOWS\system32\930915py5z3.exe moved successfully.
C:\WINDOWS\10772sp9mbotz445.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\1z27spa9b5t4d0.dll
C:\WINDOWS\1z27spa9b5t4d0.dll NOT unregistered.
C:\WINDOWS\1z27spa9b5t4d0.dll moved successfully.
C:\WINDOWS\system32\1dc79teal5092z.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\469not-a-9iruz559.dll
C:\WINDOWS\system32\469not-a-9iruz559.dll NOT unregistered.
C:\WINDOWS\system32\469not-a-9iruz559.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\15260hazkt9ol215.dll
C:\WINDOWS\15260hazkt9ol215.dll NOT unregistered.
C:\WINDOWS\15260hazkt9ol215.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\3z9875py7cd.dll
C:\WINDOWS\3z9875py7cd.dll NOT unregistered.
C:\WINDOWS\3z9875py7cd.dll moved successfully.
C:\WINDOWS\98580spambzt737.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\z8479pambot5e3.dll
C:\WINDOWS\system32\z8479pambot5e3.dll NOT unregistered.
C:\WINDOWS\system32\z8479pambot5e3.dll moved successfully.
C:\WINDOWS\z66a9hief30735.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\1548zhief5659.dll
C:\WINDOWS\system32\1548zhief5659.dll NOT unregistered.
C:\WINDOWS\system32\1548zhief5659.dll moved successfully.
C:\WINDOWS\system32\3394not9a-virzs5a2.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\6e69hief5z67.dll
C:\WINDOWS\system32\6e69hief5z67.dll NOT unregistered.
C:\WINDOWS\system32\6e69hief5z67.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\9f78z5r1591.dll
C:\WINDOWS\9f78z5r1591.dll NOT unregistered.
C:\WINDOWS\9f78z5r1591.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\18816s95zbot2d5.dll
C:\WINDOWS\18816s95zbot2d5.dll NOT unregistered.
C:\WINDOWS\18816s95zbot2d5.dll moved successfully.
C:\WINDOWS\system32\1779steal935z.exe moved successfully.
C:\WINDOWS\system32\6336sz95bf.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\42dzspyw59e1851.dll
C:\WINDOWS\system32\42dzspyw59e1851.dll NOT unregistered.
C:\WINDOWS\system32\42dzspyw59e1851.dll moved successfully.
C:\WINDOWS\system32\5253zspy6a9.exe moved successfully.
C:\WINDOWS\system32\9288szarse5844.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\1aaspywaz55249.dll
C:\WINDOWS\system32\1aaspywaz55249.dll NOT unregistered.
C:\WINDOWS\system32\1aaspywaz55249.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\5590szy3b4.dll
C:\WINDOWS\system32\5590szy3b4.dll NOT unregistered.
C:\WINDOWS\system32\5590szy3b4.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\265dspy9zre2958.dll
C:\WINDOWS\265dspy9zre2958.dll NOT unregistered.
C:\WINDOWS\265dspy9zre2958.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\51d4steal995z5.dll
C:\WINDOWS\51d4steal995z5.dll NOT unregistered.
C:\WINDOWS\51d4steal995z5.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\508zaddware4925.dll
C:\WINDOWS\system32\508zaddware4925.dll NOT unregistered.
C:\WINDOWS\system32\508zaddware4925.dll moved successfully.
C:\WINDOWS\system32\7056zpar9e3057.exe moved successfully.
C:\WINDOWS\21153no9-a-virusz05.exe moved successfully.
C:\WINDOWS\566thizf569.exe moved successfully.
C:\WINDOWS\system32\791hacktool5z.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\4z80threa925625.dll
C:\WINDOWS\4z80threa925625.dll NOT unregistered.
C:\WINDOWS\4z80threa925625.dll moved successfully.
C:\WINDOWS\452z9hief2597.exe moved successfully.
C:\WINDOWS\system32\35bespzware495.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\586ztroj4e9.dll
C:\WINDOWS\586ztroj4e9.dll NOT unregistered.
C:\WINDOWS\586ztroj4e9.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\598zhacktool657.dll
C:\WINDOWS\system32\598zhacktool657.dll NOT unregistered.
C:\WINDOWS\system32\598zhacktool657.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\25dbthi5914z6.dll
C:\WINDOWS\25dbthi5914z6.dll NOT unregistered.
C:\WINDOWS\25dbthi5914z6.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\53c7spyz9re537.dll
C:\WINDOWS\system32\53c7spyz9re537.dll NOT unregistered.
C:\WINDOWS\system32\53c7spyz9re537.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\244899oz-a5virus188.dll
C:\WINDOWS\system32\244899oz-a5virus188.dll NOT unregistered.
C:\WINDOWS\system32\244899oz-a5virus188.dll moved successfully.
C:\WINDOWS\6606zi5us9de.exe moved successfully.
C:\WINDOWS\4a15downlzader1978.exe moved successfully.
C:\WINDOWS\system32\7089dowzloader6845.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\49b5th9ezt3120.dll
C:\WINDOWS\system32\49b5th9ezt3120.dll NOT unregistered.
C:\WINDOWS\system32\49b5th9ezt3120.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\5ab9thiefz654.dll
C:\WINDOWS\system32\5ab9thiefz654.dll NOT unregistered.
C:\WINDOWS\system32\5ab9thiefz654.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\4505backdzo91444.dll
C:\WINDOWS\4505backdzo91444.dll NOT unregistered.
C:\WINDOWS\4505backdzo91444.dll moved successfully.
C:\WINDOWS\system32\78efvi9z9925.exe moved successfully.
C:\WINDOWS\system32\6fa1addzare8995.exe moved successfully.
C:\WINDOWS\system32\29670zot-a-vi5us2eb.exe moved successfully.
C:\WINDOWS\46f4tzief9859.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\7925spamzot1569.dll
C:\WINDOWS\7925spamzot1569.dll NOT unregistered.
C:\WINDOWS\7925spamzot1569.dll moved successfully.
C:\WINDOWS\31795szy339.exe moved successfully.
C:\WINDOWS\system32\4542steaz32559.exe moved successfully.
C:\WINDOWS\system32\7394addwar52691z.exe moved successfully.
C:\WINDOWS\system32\3bf9addwaze7925.exe moved successfully.
C:\WINDOWS\system32\14299hazkt5ol7b9.exe moved successfully.
C:\WINDOWS\489cspars51z99.exe moved successfully.
C:\WINDOWS\3912steal9z825.exe moved successfully.
C:\WINDOWS\123z55a9ktool2e7.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\956z4virus71a.dll
C:\WINDOWS\system32\956z4virus71a.dll NOT unregistered.
C:\WINDOWS\system32\956z4virus71a.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\5e3fthreat58919z.dll
C:\WINDOWS\system32\5e3fthreat58919z.dll NOT unregistered.
C:\WINDOWS\system32\5e3fthreat58919z.dll moved successfully.
C:\WINDOWS\system32\23760spa9bozdc5.exe moved successfully.
C:\WINDOWS\system32\22845hzef9529.exe moved successfully.
C:\WINDOWS\833zviru9695.exe moved successfully.
C:\WINDOWS\15486zp9mbot20c.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\1459zvirus36.dll
C:\WINDOWS\1459zvirus36.dll NOT unregistered.
C:\WINDOWS\1459zvirus36.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\z0554trojc9.dll
C:\WINDOWS\z0554trojc9.dll NOT unregistered.
C:\WINDOWS\z0554trojc9.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\7dbcspywa9z2952.dll
C:\WINDOWS\system32\7dbcspywa9z2952.dll NOT unregistered.
C:\WINDOWS\system32\7dbcspywa9z2952.dll moved successfully.
C:\WINDOWS\system32\68469ot-a-viru54ez.exe moved successfully.
C:\WINDOWS\system32\326265r9z589.exe moved successfully.
C:\WINDOWS\7c8zadd5are359.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\z5210sp9mbot15c.dll
C:\WINDOWS\z5210sp9mbot15c.dll NOT unregistered.
C:\WINDOWS\z5210sp9mbot15c.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\800zparse15839.dll
C:\WINDOWS\system32\800zparse15839.dll NOT unregistered.
C:\WINDOWS\system32\800zparse15839.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\638fvi9135z.dll
C:\WINDOWS\system32\638fvi9135z.dll NOT unregistered.
C:\WINDOWS\system32\638fvi9135z.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\1525995zmbot320.dll
C:\WINDOWS\system32\1525995zmbot320.dll NOT unregistered.
C:\WINDOWS\system32\1525995zmbot320.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\1241z9ir5s5d.dll
C:\WINDOWS\system32\1241z9ir5s5d.dll NOT unregistered.
C:\WINDOWS\system32\1241z9ir5s5d.dll moved successfully.
C:\WINDOWS\305daddwaz91576.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\2ad5thiez15009.dll
C:\WINDOWS\2ad5thiez15009.dll NOT unregistered.
C:\WINDOWS\2ad5thiez15009.dll moved successfully.
C:\WINDOWS\208z9h5cktoo95d7.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\18017vizu54129.dll
C:\WINDOWS\18017vizu54129.dll NOT unregistered.
C:\WINDOWS\18017vizu54129.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\zspambot59c.dll
C:\WINDOWS\system32\zspambot59c.dll NOT unregistered.
C:\WINDOWS\system32\zspambot59c.dll moved successfully.
C:\WINDOWS\system32\59699zck5oor1104.exe moved successfully.
C:\WINDOWS\system32\23022not-5-vzr9s5c9.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\1z296sp5mbot54b.dll
C:\WINDOWS\system32\1z296sp5mbot54b.dll NOT unregistered.
C:\WINDOWS\system32\1z296sp5mbot54b.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\5955sparsz2385.dll
C:\WINDOWS\5955sparsz2385.dll NOT unregistered.
C:\WINDOWS\5955sparsz2385.dll moved successfully.
C:\WINDOWS\52z86hacktoo91a7.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\4c77s5eal9z03.dll
C:\WINDOWS\4c77s5eal9z03.dll NOT unregistered.
C:\WINDOWS\4c77s5eal9z03.dll moved successfully.
C:\WINDOWS\27c0zir28519.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\99zcb5ckdoor1475.dll
C:\WINDOWS\system32\99zcb5ckdoor1475.dll NOT unregistered.
C:\WINDOWS\system32\99zcb5ckdoor1475.dll moved successfully.
C:\WINDOWS\system32\9557thzef836.exe moved successfully.
C:\WINDOWS\system32\43z2hac5to9l4c7.exe moved successfully.
C:\WINDOWS\system32\2z986wo5m969.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\24955hac9tzol70.dll
C:\WINDOWS\system32\24955hac9tzol70.dll NOT unregistered.
C:\WINDOWS\system32\24955hac9tzol70.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\7z529teal1490.dll
C:\WINDOWS\7z529teal1490.dll NOT unregistered.
C:\WINDOWS\7z529teal1490.dll moved successfully.
C:\WINDOWS\1z3cspy9ar5135.exe moved successfully.
C:\WINDOWS\system32\setup2.exe moved successfully.
C:\WINDOWS\system32\295z9spa5bot2ab.exe moved successfully.
File/Folder C:\WINDOWS\system32\Dvbpws.dll not found.
LoadLibrary failed for C:\WINDOWS\z9584v9ru5276.dll
C:\WINDOWS\z9584v9ru5276.dll NOT unregistered.
C:\WINDOWS\z9584v9ru5276.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\25456hacktzo9119.dll
C:\WINDOWS\system32\25456hacktzo9119.dll NOT unregistered.
C:\WINDOWS\system32\25456hacktzo9119.dll moved successfully.
C:\WINDOWS\system32\10732h9cktzo5768.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\997baddw5re13z8.dll
C:\WINDOWS\997baddw5re13z8.dll NOT unregistered.
C:\WINDOWS\997baddw5re13z8.dll moved successfully.
C:\WINDOWS\798bthr5zt299239.exe moved successfully.
C:\WINDOWS\11705sz93a2.exe moved successfully.
C:\WINDOWS\9099s5ycz.exe moved successfully.
C:\WINDOWS\6175addwar91z55.exe moved successfully.
C:\WINDOWS\system32\89zth9ef5636.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WinBlueSoft deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\setup2.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\\ deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\OUFCZO5U\index[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\GH97BM8R\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1a4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTM by OldTimer - Version 2.1.0.1 log created on 06092009_201449

Files moved on Reboot...
C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\OUFCZO5U\index[1].htm moved successfully.
File C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\GH97BM8R\iframe[1].htm not found!
C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_1a4.dat not found!

Registry entries deleted on Reboot...
Fresh RSIT

Logfile of random's system information tool 1.06 (written by random/random)
Run by Jerry at 2009-06-09 21:07:47
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 83 GB (54%) free of 153 GB
Total RAM: 502 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:49 PM, on 6/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Jerry\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Jerry.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} (CPlayFirstNightshiftControl Object) - http://www.gamehouse.com/games/NightshiftJaguarsEye.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://zone.msn.com/bingame/burg/default/G...esPlayer_v6.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://gamefilez.mofunzone.com/gamefilez/d...tg.1.0.0.33.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.gamehouse.com/games/zylom/zylomplayer.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6078 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-04-05 94208]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2005-04-05 77824]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2005-04-05 114688]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"WinFastDTV"=C:\Program Files\WinFast\WFDTV\DTVSchdl.exe [2009-01-16 90112]
"ArcSoft Connection Service"=C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2009-04-29 188728]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2009-03-23 321344]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"WinFast Schedule"=C:\Program Files\WinFast\WFDTV\WFWIZ.exe [2009-01-12 2908160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

C:\Documents and Settings\Jerry\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-04-05 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47f786b4-50b1-11de-961a-001320d53aff}]
shell\AutoRun\command - E:\StormF1.exe


======File associations======

.vbs - edit -
.vbs - open -

======List of files/folders created in the last 1 months======

2009-06-09 20:14:49 ----D---- C:\_OTM
2009-06-09 18:34:46 ----D---- C:\WINDOWS\ERDNT
2009-06-09 18:28:32 ----D---- C:\Program Files\ERUNT
2009-05-31 21:42:40 ----D---- C:\rsit
2009-05-25 23:13:39 ----D---- C:\Documents and Settings\Jerry\Application Data\Malwarebytes
2009-05-25 23:13:34 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-25 23:13:34 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-25 22:18:13 ----A---- C:\fsbl.exe
2009-05-23 11:26:13 ----D---- C:\Program Files\Virtual VCR
2009-05-21 20:30:15 ----D---- C:\Program Files\Windows Sidebar
2009-05-20 18:35:09 ----D---- C:\Program Files\Trend Micro
2009-05-20 18:10:16 ----D---- C:\Documents and Settings\Jerry\Application Data\AVGTOOLBAR
2009-05-20 18:10:08 ----D---- C:\Program Files\AVG
2009-05-20 18:10:08 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-05-18 18:59:49 ----D---- C:\Program Files\Leadtek Research Inc
2009-05-18 18:40:59 ----D---- C:\Documents and Settings\Jerry\Application Data\ArcSoft
2009-05-18 18:40:38 ----D---- C:\Documents and Settings\All Users\Application Data\ArcSoft
2009-05-18 18:40:37 ----D---- C:\Program Files\Common Files\ArcSoft
2009-05-18 18:40:27 ----D---- C:\Program Files\Common Files\Ulead Systems
2009-05-18 18:23:51 ----D---- C:\Documents and Settings\Jerry\Application Data\InstallShield
2009-05-15 17:17:59 ----D---- C:\Documents and Settings\Jerry\Application Data\Google
2009-05-15 17:13:09 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-05-15 17:13:03 ----D---- C:\Program Files\Google
2009-05-15 17:12:25 ----D---- C:\WINDOWS\system32\Adobe

======List of files/folders modified in the last 1 months======

2009-06-09 21:07:14 ----D---- C:\WINDOWS\Prefetch
2009-06-09 21:02:07 ----D---- C:\WINDOWS\Temp
2009-06-09 21:02:04 ----D---- C:\Program Files\DNA
2009-06-09 21:02:04 ----D---- C:\Documents and Settings\Jerry\Application Data\DNA
2009-06-09 21:00:51 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-06-09 20:55:23 ----D---- C:\WINDOWS\system32
2009-06-09 20:55:23 ----D---- C:\WINDOWS
2009-06-09 18:28:32 ----RD---- C:\Program Files
2009-06-06 00:38:43 ----SD---- C:\Documents and Settings\Jerry\Application Data\Microsoft
2009-06-04 22:16:16 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-29 01:46:01 ----D---- C:\Documents and Settings\Jerry\Application Data\BitTorrent
2009-05-25 23:32:10 ----D---- C:\WINDOWS\system32\drivers
2009-05-25 22:20:48 ----SHD---- C:\RECYCLER
2009-05-23 11:15:31 ----HD---- C:\WINDOWS\inf
2009-05-22 23:38:43 ----SHD---- C:\WINDOWS\Installer
2009-05-21 20:31:49 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-21 20:30:18 ----D---- C:\Program Files\WinFast
2009-05-21 18:48:09 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-20 14:27:56 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-05-20 01:10:52 ----D---- C:\Documents and Settings\Jerry\Application Data\Move Networks
2009-05-18 21:52:14 ----D---- C:\WinFast WorkArea
2009-05-18 18:59:50 ----D---- C:\WINDOWS\system32\WinFast
2009-05-18 18:40:37 ----D---- C:\Program Files\Common Files
2009-05-18 18:28:47 ----RSD---- C:\WINDOWS\Fonts
2009-05-15 17:13:11 ----D---- C:\Documents and Settings\Jerry\Application Data\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 CX23880;WinFast CX2388x WDM Video Capture.; C:\WINDOWS\system32\drivers\cx88vid.sys [2006-10-18 162944]
R2 CXAVXBAR;WinFast CX2388x WDM Crossbar.; C:\WINDOWS\system32\drivers\cxavxbar.sys [2006-10-18 9728]
R2 CXTUNE;WinFast CX2388x WDM TVTuner.; C:\WINDOWS\system32\drivers\CX88TUNE.sys [2006-10-18 50816]
R3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-04-05 830684]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2006-02-28 12160]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner; C:\WINDOWS\system32\drivers\wf2ktunr.sys [2006-04-20 19456]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar; C:\WINDOWS\system32\drivers\wf2kxbar.sys [2006-04-20 9600]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
S3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
S3 maxidemo;Maxi_Vista_Demo_Driver; C:\WINDOWS\system32\DRIVERS\maxidemo.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2009-02-06 109056]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2004-12-13 49152]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-15 182768]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------
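Three items in this RSIT log are worth pulling out for anyone reading along: `NoDriveTypeAutoRun=145`, a `MountPoints2` entry whose `shell\AutoRun\command` points at `E:\StormF1.exe`, and a Windows Firewall exception for `rundll32.exe`. The script below is an added triage example written for this thread, not output from RSIT or code from the thread, and it runs over a constructed excerpt that copies those lines from the log above. It decodes the AutoRun policy bit by bit (bit n disables AutoRun for the GetDriveType value n, so 145 = 0x91 leaves AutoRun on for removable and CD-ROM media), lists AutoRun handlers recorded under `MountPoints2`, and flags firewall exceptions granted to generic host processes; the set of host process names is my choice, not something the log defines. Whether `E:\StormF1.exe` is benign is not something the log itself settles; the point is that an AutoRun handler on a removable volume is exactly the vector to verify, and that this policy value does not block it.

```python
"""
Triage helpers for an RSIT (info.txt) log excerpt: decode NoDriveTypeAutoRun,
list MountPoints2 AutoRun handlers, and flag firewall exceptions granted to
generic host processes. Added example; not part of RSIT or the forum post.
"""
import re

# Constructed excerpt: lines copied from the log posted above so the checks
# run offline. Registry paths are written as RSIT prints them.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47f786b4-50b1-11de-961a-001320d53aff}]
shell\AutoRun\command - E:\StormF1.exe
"""

# Bit n of NoDriveTypeAutoRun disables AutoRun for GetDriveType() value n.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved",
}

# Host processes that execute whatever is handed to them; a firewall exception
# for one of these whitelists any code launched through it. My selection.
GENERIC_HOSTS = {"rundll32.exe", "regsvr32.exe", "svchost.exe", "cmd.exe",
                 "wscript.exe", "cscript.exe", "mshta.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
AUTORUN_RE = re.compile(r"^shell\\AutoRun\\command - (.+)$", re.I)


def decode_nodrivetypeautorun(value):
    """Split the bitmask into drive types with AutoRun disabled vs. still enabled."""
    disabled = [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]
    enabled = [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]
    return {"disabled": disabled, "still_enabled": enabled}


def triage(log_text):
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings = {
        "autorun_policy": None,
        "honor_autorun_setting_present": False,  # value absent => RSIT prints nothing after '='
        "mountpoint_autoruns": [],
        "risky_firewall_exceptions": [],
    }
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = AUTORUN_RE.match(line)
        if m and "\\mountpoints2\\" in key:
            volume_guid = key.rsplit("\\", 1)[-1]
            findings["mountpoint_autoruns"].append(
                {"volume": volume_guid, "command": m.group(1)})
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if name.lower() == "nodrivetypeautorun" and data:
            findings["autorun_policy"] = decode_nodrivetypeautorun(int(data, 0))
        elif name.lower() == "honorautorunsetting":
            findings["honor_autorun_setting_present"] = bool(data)
        elif key.endswith("\\authorizedapplications\\list"):
            exe = name.rsplit("\\", 1)[-1].lower()
            if exe in GENERIC_HOSTS:
                findings["risky_firewall_exceptions"].append(name)
    return findings


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the excerpt this reports AutoRun still enabled for `DRIVE_REMOVABLE`, `DRIVE_FIXED` and `DRIVE_CDROM`, one `MountPoints2` AutoRun handler (`E:\StormF1.exe`), and `rundll32.exe` as a firewall exception. The empty `HonorAutoRunSetting` is also worth noting: that value is written by Microsoft's AutoRun update (KB967715), and without it Windows XP does not reliably honour `NoDriveTypeAutoRun` for AutoPlay, so setting the mask to 0xFF alone is not a complete mitigation on this machine.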