Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Trojan.Downloader / Trojan.Agent / Bagle


  • This topic is locked This topic is locked
15 replies to this topic

#1 KarolF

KarolF

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:19 PM

Posted 25 May 2009 - 10:02 PM

Hi,

My partner's laptop is infected with a pretty nasty virus (and she gave me the job of fixing it!).

The virus killed the internet connection (but I managed to figure out how to get the internet back), disabled Norton anti-virus and generally slows down the whole machine. The virus seems to prevent me from restarting into Windows safe mode. Various tools don't run - for instance, I could not run DrCureIt or even Kaspersky online scan.

I've been moved to this forum from the 'Am I infected? What do I do?' forum. For a full report of the problem, and the steps taken so far, please see:
http://www.bleepingcomputer.com/forums/t/228965/infected-with-trojandownloader-trojanagent-bagle/

I'm posting a DDS log as in the instructions.

Thanks in advance for all your help!

Cheers,
Karol.



DDS (Ver_09-05-14.01) - NTFSx86
Run by Eczka at 12:48:08.06 on Tue 26/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.82 [GMT 10:00]

AV: Norton AntiVirus 2005 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ACS.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Eczka\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.agn.gob.mx/
uSearch Page = hxxp://www.telstra.com/
uWindow Title = Telstra BigPond Home Internet Explorer
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: []
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
mRun: [TPSMain] TPSMain.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [TFncKy] TFncKy.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [CorelDRAW Graphics Suite 11b] c:\program files\corel\corel graphics 12\languages\en\programs\Registration.exe /title="CorelDRAW Graphics Suite 12"

/date=060709 serial=DR12WNP-9936859-UJJ lang=EN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eczka\applic~1\mozilla\firefox\profiles\4l751doz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.abc.net.au/news/
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-24 18:47 --d-h--- c:\docume~1\eczka\applic~1\m
2009-05-24 10:16 --d----- c:\program files\Trend Micro
2009-05-24 08:54 --d----- c:\docume~1\eczka\applic~1\Malwarebytes
2009-05-24 08:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-24 08:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-24 08:53 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-24 08:53 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-24 02:18 --d----- c:\program files\ClamWin
2009-05-24 02:18 --d----- c:\documents and settings\all users\.clamwin
2009-05-23 19:21 --d----- c:\windows\pss
2009-05-23 00:40 696,320 a---h--- c:\windows\system32\drivers\mdelk.exe
2009-05-07 14:47 --d----- c:\program files\MSECache

==================== Find3M ====================

2009-05-23 19:12 194,918 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-03-07 00:44 283,648 a------- c:\windows\system32\pdh.dll
2006-09-14 01:28 63,192 a------- c:\docume~1\eczka\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 12:50:29.01 ===============

Attached Files



BC AdBot (Login to Remove)

 


m

#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 26 May 2009 - 06:13 AM

Hello KarolF, and :) to Bleeping Computer Forums, My Nick is Net_Surfer I'll be glad to help you with your computer problems.

I will be working on your Malware issues, this may or may not solve other issues you may have with your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown Here.

Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

1. Please reply using the AddReply button in the lower right hand corner of your screen. Do not start a new topic.
2. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
3. All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
4. Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay
.

Kind regards
Net_Surfer

:thumbup2:

#3 KarolF

KarolF
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:19 PM

Posted 26 May 2009 - 10:40 AM

Hi Net_Surfer,

Thanks for the info, I really appreciate the help. I'll be patient and wait.

Cheers,
KarolF

#4 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 26 May 2009 - 06:13 PM

Hi KarolF, :cool:

Here are some steps for you to follow and I will ask to please do them fast as your infection can get worse if you took the time to do them later.
:)

Ok.. KarolF, please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
  • Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear.
If you can do these things, everything should go smoothly. :thumbup2:


Step #1.

Your Microsoft Windows installation is out of date and you are using an unpatched version of Windows XP. Before we can proceed any further, please update to Service Pack 1a and install All CRITICAL Updates and security patches except SP2 which will help to prevent crippling malware attacks. Without doing this first, you are wide open to re-infection and other high security risks which are prone to an unpatched system and we are just wasting our time. If you are not sure how to do this, see How to use Microsoft Update. By applying all critical updates, you will close many of these security holes which make your computer vulnerable and not keep getting reinfected while cleaning your machine.

Further, using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure or infected computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, spammers have more platforms from which to send e-mail and more machines become compromised. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer.

Please download Windows XP Service Pack 1a Express Install (32-Bit) for End Users. Apply the patch and reboot.
Then return to Microsoft's Update Page and install any remaining critical updates for your computer except SP2.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please ensure you follow the above instructions BEFORE running RSIT and posting back with a new logs.

Again, DO NOT update to Service pack 2. Doing so before your computer is clean from malware can cause Windows to become unstable. According to Microsoft, malware seems to be the number one cause of problems when upgrading to XP SP2. You may apply that update when your system has been disinfected and is clean.

Step #2.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Norton or ClamWin Free Antivirus 0.95.1.

If your Norton antivirus is not an active paid subscription and you need to get rid of it please do the following:

To remove these, please visit >this site < and select your Norton program, then follow the instruction for removal.

If you uninstalled both of your old antivirus then..

For a free anti-virus please follow these instructions:
Click on this link: AVG
  • Underneath AVG Anti-Virus Free click on Download
  • Click on AVG 8.5 Free for Windows
  • Click on Download
  • A window will open. Click on Save File-A window will open. Click on Next
  • Click on Accept
  • Make sure standard install is checked and click Next
  • You can enter your name and click Next
  • click Finish After install is complete click OK
  • Follow prompters to update and check for viruses
Some more links to free anti-virus programs(Note. Choose only one)

Avira

Avast(Mouse over Free Software in the upper right corner)

Here are some free firewalls: *PC Tool Firewall Plus or Zonealarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

*If you choose the PC Tools Firewall Plus and you are asked to install ThreatFire do not do so.

Step #3.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Step #4.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<info.txt (<
Please post back the logfile from Malwarebytes, as well as the 2 logs created by RSIT: log.txt and info.txt

Summary of the logs and the answer to my question I will need in your next reply:
  • The two logs of RSIT.
  • Please include the log of MBAM
  • Question: Is your Norton anti-virus up to date???
    If not let me know what action you took for having an up to date antivirus.
Upon completing the above steps I will review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks.
.
Kind regards
Net_Surfer

:)

#5 KarolF

KarolF
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:19 PM

Posted 26 May 2009 - 10:59 PM

Hi Net_Surfer,

Step 1 :

Failed. When I downloaded and attempted to install Service Pack 1a, I received the following error:
'Extraction Failed: update\update.exe is not a valid Win32 application'

This error has come up before while trying to run other programs - including when trying to open Nortons, run DrCureIt, etc. I believe the virus disables all security software.

When I tried to open the updates link in Internet Explorer, I get a screen telling me that I need a version of Exporer 5.0 or later, even though I am running 6.0.


Step 2:

This computer does not have a current subscription for Norton Antivirus. The ClamWin program is a free scanner only, with no real-time protection.

I would like to follow your recommendation to remove both and instal AVG Anti-Virus Free, but since Step 1 failed, I expect there to be problems with uninstalling and installing while the virus is still active. I'm downloading AVG anyway, but will wait for your instructions on whether I should attempt to complete Step 2.


Steps 3 and 4:

I will wait for your advice before proceeding with the diagnostic tests, since you told me to run the updates before posting the logs.


Thanks,
KarolF

#6 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 27 May 2009 - 01:55 PM

Hi KarolF, :)

That message that you are getting is a typical display of the bagle infection, and they are usually display when you try to use protection programs.

We will use ComboFix tool first, but you have to rename it before saving it to your desktop and it should be able to get rid of the infection so, you can install SP1a.

Do not install AVG anti-virus just yet wait until after you run the ComboFix tool. :)

Ok...... Karol let's do the following:


Step #1.

Please Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

WARNING: This tool is not a toy and not for everyday use!!!.

Link 1
Link 2
Link 3

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Posted Image


    Posted Image
  • Close any open browsers.
  • *Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Please insert all usb-drives before running Combofix
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • *Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on ComboFix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.
  • Leave your computer alone while ComboFix is running. Do not mouseclick combofix's window while it's running. That may cause it to stall**
    ComboFix will restart your computer if malware is found; allow it to do so.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
Notes:
ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


A word of warning if you are a lurker: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use
.

Combofix is a very complex and dangerous tool. It is not a one fit all tool and it is not automaticly removing what needs to be removed by itself. It is like a scalpell in the hands of a surgeon. A surgeon can remove exactly what is need and no more while an untrained person would either cut too much or not enough.

Combofix is powerful enough to be able to render your computer unbootable if used wrongly or to leave your computer infected if you do not know what you are doing
.

ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Step #2.

Try to download and install SP1a. {Follow the step #1 from my last post.

Then...

If everything went fine, please download the free anti-virus of your choice get rid of norton and install the new anti-virus program do step #3 With MBAM, at the end run the RSIT tool and post the logs.

Summary of the logs I will need in your next reply:
  • The log of ComboFix located in "C:\ComboFix.txt" .
  • The log of MBAM
  • The two logs of RSIT.
How is your Computer running now?.

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks.
.
Kind regards
Net_Surfer

:thumbup2:

#7 KarolF

KarolF
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:19 PM

Posted 28 May 2009 - 01:46 PM

Hi Net_Surfer,

1. Combofix appears to have run successfully. The system is back to normal, and as far as I can tell, all the applications are running fine. Log posted below.
Received a rootkit message: C:\Windows\system32\drivers\srosa.sys


2. When trying to install SP1a, I received the following error:
'Setup has detected that the Service Pack version of the system installed is newer than the update you are aplying it to. You can only install this update on Service Pack 1'. I assume its not letting me do this because I have SP2 installed?"
I went to windows updates and installed critical security updates, newest version of forinternet explorer, etc.

3. Removed Norton, appeared to successfully uninstal. Downloaded and installed AVG Anti-Virus. Seems to work fine.

4. Ran MBAM and RSIT


Here are the logs (Combofix, MBAM, RSIT log and info):



ComboFix 09-05-26.05 - Eczka 29/05/2009 2:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.227 [GMT 10:00]
Running from: c:\documents and settings\Eczka\Desktop\Combo-Fix.exe
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eczka\Application Data\m
c:\documents and settings\Eczka\Application Data\m\data.oct
c:\documents and settings\Eczka\Application Data\m\flec006.exe
c:\documents and settings\Eczka\Application Data\m\list.oct
c:\documents and settings\Eczka\Application Data\m\srvlist.oct
c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\ban_list.txt
c:\windows\system32\drivers\downld
c:\windows\system32\drivers\downld\1021953.exe
c:\windows\system32\drivers\downld\1025125.exe
c:\windows\system32\drivers\downld\1043140.exe
c:\windows\system32\drivers\downld\1055906.exe
c:\windows\system32\drivers\downld\1072406.exe
c:\windows\system32\drivers\downld\1127953.exe
c:\windows\system32\drivers\downld\113421.exe
c:\windows\system32\drivers\downld\1176968.exe
c:\windows\system32\drivers\downld\1212687.exe
c:\windows\system32\drivers\downld\125578.exe
c:\windows\system32\drivers\downld\130170046.exe
c:\windows\system32\drivers\downld\130244734.exe
c:\windows\system32\drivers\downld\130351078.exe
c:\windows\system32\drivers\downld\130369406.exe
c:\windows\system32\drivers\downld\131546.exe
c:\windows\system32\drivers\downld\150109.exe
c:\windows\system32\drivers\downld\158486984.exe
c:\windows\system32\drivers\downld\158491765.exe
c:\windows\system32\drivers\downld\158540937.exe
c:\windows\system32\drivers\downld\158559828.exe
c:\windows\system32\drivers\downld\158620031.exe
c:\windows\system32\drivers\downld\158671093.exe
c:\windows\system32\drivers\downld\158680546.exe
c:\windows\system32\drivers\downld\158703531.exe
c:\windows\system32\drivers\downld\167984.exe
c:\windows\system32\drivers\downld\180015.exe
c:\windows\system32\drivers\downld\180213968.exe
c:\windows\system32\drivers\downld\180283953.exe
c:\windows\system32\drivers\downld\180315375.exe
c:\windows\system32\drivers\downld\180350046.exe
c:\windows\system32\drivers\downld\180412671.exe
c:\windows\system32\drivers\downld\180442156.exe
c:\windows\system32\drivers\downld\180529281.exe
c:\windows\system32\drivers\downld\180529812.exe
c:\windows\system32\drivers\downld\180556421.exe
c:\windows\system32\drivers\downld\180578671.exe
c:\windows\system32\drivers\downld\180653250.exe
c:\windows\system32\drivers\downld\180693359.exe
c:\windows\system32\drivers\downld\180704031.exe
c:\windows\system32\drivers\downld\180725062.exe
c:\windows\system32\drivers\downld\18927234.exe
c:\windows\system32\drivers\downld\18951968.exe
c:\windows\system32\drivers\downld\18995531.exe
c:\windows\system32\drivers\downld\19008453.exe
c:\windows\system32\drivers\downld\19032937.exe
c:\windows\system32\drivers\downld\19083875.exe
c:\windows\system32\drivers\downld\19084531.exe
c:\windows\system32\drivers\downld\19114984.exe
c:\windows\system32\drivers\downld\19126875.exe
c:\windows\system32\drivers\downld\19135187.exe
c:\windows\system32\drivers\downld\19179031.exe
c:\windows\system32\drivers\downld\19217234.exe
c:\windows\system32\drivers\downld\19242750.exe
c:\windows\system32\drivers\downld\199406.exe
c:\windows\system32\drivers\downld\199734.exe
c:\windows\system32\drivers\downld\21038125.exe
c:\windows\system32\drivers\downld\21079781.exe
c:\windows\system32\drivers\downld\21119812.exe
c:\windows\system32\drivers\downld\21137203.exe
c:\windows\system32\drivers\downld\21171609.exe
c:\windows\system32\drivers\downld\21183953.exe
c:\windows\system32\drivers\downld\21250500.exe
c:\windows\system32\drivers\downld\21250968.exe
c:\windows\system32\drivers\downld\21267984.exe
c:\windows\system32\drivers\downld\21277656.exe
c:\windows\system32\drivers\downld\21323406.exe
c:\windows\system32\drivers\downld\21373468.exe
c:\windows\system32\drivers\downld\21397906.exe
c:\windows\system32\drivers\downld\22434234.exe
c:\windows\system32\drivers\downld\22462171.exe
c:\windows\system32\drivers\downld\22510765.exe
c:\windows\system32\drivers\downld\22527625.exe
c:\windows\system32\drivers\downld\22583968.exe
c:\windows\system32\drivers\downld\22584734.exe
c:\windows\system32\drivers\downld\22606421.exe
c:\windows\system32\drivers\downld\22620062.exe
c:\windows\system32\drivers\downld\22628578.exe
c:\windows\system32\drivers\downld\22666203.exe
c:\windows\system32\drivers\downld\22700109.exe
c:\windows\system32\drivers\downld\22725406.exe
c:\windows\system32\drivers\downld\236453.exe
c:\windows\system32\drivers\downld\237000.exe
c:\windows\system32\drivers\downld\250656.exe
c:\windows\system32\drivers\downld\251921.exe
c:\windows\system32\drivers\downld\272015.exe
c:\windows\system32\drivers\downld\312890.exe
c:\windows\system32\drivers\downld\318390.exe
c:\windows\system32\drivers\downld\319609.exe
c:\windows\system32\drivers\downld\322500.exe
c:\windows\system32\drivers\downld\33726640.exe
c:\windows\system32\drivers\downld\33808484.exe
c:\windows\system32\drivers\downld\33821593.exe
c:\windows\system32\drivers\downld\33847500.exe
c:\windows\system32\drivers\downld\33911312.exe
c:\windows\system32\drivers\downld\33911843.exe
c:\windows\system32\drivers\downld\33934421.exe
c:\windows\system32\drivers\downld\33951890.exe
c:\windows\system32\drivers\downld\33962406.exe
c:\windows\system32\drivers\downld\34008453.exe
c:\windows\system32\drivers\downld\34058640.exe
c:\windows\system32\drivers\downld\34088421.exe
c:\windows\system32\drivers\downld\346828.exe
c:\windows\system32\drivers\downld\358593.exe
c:\windows\system32\drivers\downld\362000.exe
c:\windows\system32\drivers\downld\365156.exe
c:\windows\system32\drivers\downld\375187.exe
c:\windows\system32\drivers\downld\38396484.exe
c:\windows\system32\drivers\downld\38430093.exe
c:\windows\system32\drivers\downld\38482968.exe
c:\windows\system32\drivers\downld\38499453.exe
c:\windows\system32\drivers\downld\38571328.exe
c:\windows\system32\drivers\downld\38571953.exe
c:\windows\system32\drivers\downld\38595203.exe
c:\windows\system32\drivers\downld\38608421.exe
c:\windows\system32\drivers\downld\38659218.exe
c:\windows\system32\drivers\downld\38706093.exe
c:\windows\system32\drivers\downld\38739500.exe
c:\windows\system32\drivers\downld\394234.exe
c:\windows\system32\drivers\downld\399953.exe
c:\windows\system32\drivers\downld\413031.exe
c:\windows\system32\drivers\downld\421312.exe
c:\windows\system32\drivers\downld\434687.exe
c:\windows\system32\drivers\downld\454671.exe
c:\windows\system32\drivers\downld\476906.exe
c:\windows\system32\drivers\downld\480500.exe
c:\windows\system32\drivers\downld\517875.exe
c:\windows\system32\drivers\downld\51836390.exe
c:\windows\system32\drivers\downld\51920234.exe
c:\windows\system32\drivers\downld\52008218.exe
c:\windows\system32\drivers\downld\52022718.exe
c:\windows\system32\drivers\downld\52104937.exe
c:\windows\system32\drivers\downld\52108031.exe
c:\windows\system32\drivers\downld\52134343.exe
c:\windows\system32\drivers\downld\52152593.exe
c:\windows\system32\drivers\downld\52214687.exe
c:\windows\system32\drivers\downld\52262343.exe
c:\windows\system32\drivers\downld\52272328.exe
c:\windows\system32\drivers\downld\52292406.exe
c:\windows\system32\drivers\downld\526500.exe
c:\windows\system32\drivers\downld\552015.exe
c:\windows\system32\drivers\downld\599703.exe
c:\windows\system32\drivers\downld\638265.exe
c:\windows\system32\drivers\downld\78182796.exe
c:\windows\system32\drivers\downld\78249781.exe
c:\windows\system32\drivers\downld\78383546.exe
c:\windows\system32\drivers\downld\78402390.exe
c:\windows\system32\drivers\downld\78494796.exe
c:\windows\system32\drivers\downld\78497765.exe
c:\windows\system32\drivers\downld\78527640.exe
c:\windows\system32\drivers\downld\78541406.exe
c:\windows\system32\drivers\downld\78599171.exe
c:\windows\system32\drivers\downld\78681625.exe
c:\windows\system32\drivers\downld\78719671.exe
c:\windows\system32\drivers\downld\826203.exe
c:\windows\system32\drivers\downld\852343.exe
c:\windows\system32\drivers\downld\916875.exe
c:\windows\system32\drivers\downld\923984.exe
c:\windows\system32\drivers\downld\934593.exe
c:\windows\system32\drivers\downld\96328.exe
c:\windows\system32\drivers\downld\97109.exe
c:\windows\system32\drivers\hldrrr.exe
c:\windows\system32\drivers\mdelk.exe
c:\windows\system32\drivers\srosa.sys
c:\windows\system32\mdelk.exe
c:\windows\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SROSA
-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-24 00:16 . 2009-05-24 00:16 -------- d-----w c:\program files\Trend Micro
2009-05-23 22:54 . 2009-05-23 22:54 -------- d-----w c:\documents and settings\Eczka\Application Data\Malwarebytes
2009-05-23 22:53 . 2009-04-06 05:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-23 22:53 . 2009-04-06 05:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 22:53 . 2009-05-24 02:16 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-23 22:53 . 2009-05-23 22:53 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-23 16:18 . 2009-05-23 16:18 -------- d-----w c:\program files\ClamWin
2009-05-23 16:18 . 2009-05-23 16:18 -------- d-----w c:\documents and settings\All Users\.clamwin
2009-05-07 04:47 . 2009-05-07 05:00 -------- d-----w c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 23:30 . 2006-06-10 08:29 -------- d-----w c:\program files\Norton AntiVirus
2009-05-23 11:13 . 2009-01-08 06:25 -------- d-----w c:\documents and settings\All Users\Application Data\ArcSoft
2009-05-23 11:13 . 2009-01-08 06:25 -------- d-----w c:\program files\Common Files\ArcSoft
2009-05-23 11:13 . 2009-01-08 09:08 -------- d-----w c:\documents and settings\Eczka\Application Data\ArcSoft
2009-05-23 11:13 . 2005-08-12 22:03 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-23 11:06 . 2008-08-24 09:04 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-05-23 09:38 . 2007-07-04 02:34 -------- d-----w c:\documents and settings\Eczka\Application Data\U3
2009-05-23 09:12 . 2009-05-23 09:21 194918 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-05-23 09:08 . 2006-07-29 04:34 -------- d-----w c:\program files\Unwired
2009-05-23 09:08 . 2007-08-05 13:38 -------- d-----w c:\program files\Google
2009-05-23 09:00 . 2008-08-24 09:47 -------- d-----w c:\documents and settings\Eczka\Application Data\skypePM
2009-05-20 00:56 . 2006-06-10 08:29 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-11 15:04 . 2006-06-05 10:22 67080 ----a-w c:\documents and settings\Eczka\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 02:36 . 2006-09-25 12:24 -------- d-----w c:\program files\eMule
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 344064]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-06-30 671744]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-06-08 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-27 59040]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-06-12 100056]
"CorelDRAW Graphics Suite 11b"="c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 729088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-10 282624]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-05-26 86016]
"ZoomingHook"="ZoomingHook.exe" - c:\windows\system32\ZoomingHook.exe [2005-06-06 24576]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-12-21 88358]
"TCtryIOHook"="TCtrlIOHook.exe" - c:\windows\system32\TCtrlIOHook.exe [2005-08-05 28672]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-13 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [22/06/2007 8:54 AM 87424]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [13/12/2006 5:31 PM 87040]
.
Contents of the 'Scheduled Tasks' folder

2009-05-22 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Eczka.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-08-17 10:58]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TOSCDSPD - c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.agn.gob.mx/
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Eczka\Application Data\Mozilla\Firefox\Profiles\4l751doz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.abc.net.au/news/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 02:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-05-28 2:14
ComboFix-quarantined-files.txt 2009-05-28 16:14

Pre-Run: 478,978,048 bytes free
Post-Run: 1,160,278,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

316 --- E O F --- 2009-04-17 02:06





Malwarebytes' Anti-Malware 1.36
Database version: 2171
Windows 5.1.2600 Service Pack 2

29/05/2009 4:30:14 AM
mbam-log-2009-05-29 (04-30-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 152250
Time elapsed: 1 hour(s), 1 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of random's system information tool 1.06 (written by random/random)
Run by Eczka at 2009-05-29 04:36:23
Microsoft Windows XP Professional Service Pack 2
System drive C: has 958 MB (2%) free of 57 GB
Total RAM: 446 MB (11% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:57 AM, on 24/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Adobe\Rea
der 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\system32\cscript.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.telstra.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.agn.gob.mx/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra BigPond Home Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=060709 serial=DR12WNP-9936859-UJJ lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

--
End of file - 6418 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-29 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 118844]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-29 2223872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-29 2223872]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-07-06 344064]
"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2004-03-24 196608]
"CeEKEY"=C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe [2005-07-01 671744]
"TPNF"=C:\Program Files\TOSHIBA\TouchPad\TPTray.exe [2005-06-09 53248]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2005-05-31 122941]
"PadTouch"=C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe [2004-09-08 1077301]
"ZoomingHook"=C:\WINDOWS\system32\ZoomingHook.exe [2005-06-07 24576]
"SmoothView"=C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe [2005-04-27 122880]
"SVPWUTIL"=C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe [2004-05-02 65536]
"TPSMain"=C:\WINDOWS\system32\TPSMain.exe [2005-06-01 282624]
"HWSetup"=C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe [2004-05-02 28672]
"Tvs"=C:\Program Files\Toshiba\Tvs\TvsTray.exe [2005-04-06 73728]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2004-12-22 88358]
"TCtryIOHook"=C:\WINDOWS\system32\TCtrlIOHook.exe [2005-08-05 28672]
"TFncKy"=TFncKy.exe []
"CorelDRAW Graphics Suite 11b"=C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe [2003-11-25 729088]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-10-10 282624]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-05-15 644696]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-04-04 1603152]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-10-25 210472]
"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe [2007-02-04 79400]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-29 1947928]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-07-06 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-29 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-05-23 402736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-05-29 04:36:23 ----D---- C:\rsit
2009-05-29 04:30:54 ----HD---- C:\$AVG8.VAULT$
2009-05-29 03:12:51 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-05-29 03:12:31 ----D---- C:\Documents and Settings\Eczka\Application Data\AVGTOOLBAR
2009-05-29 03:12:06 ----D---- C:\Program Files\AVG
2009-05-29 03:12:05 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-05-29 02:51:10 ----D---- C:\WINDOWS\ie8updates
2009-05-29 02:50:30 ----D---- C:\WINDOWS\WBEM
2009-05-29 02:49:17 ----HDC---- C:\WINDOWS\ie8
2009-05-29 02:46:20 ----D---- C:\Program Files\MSXML 6.0
2009-05-29 02:46:04 ----D---- C:\WINDOWS\system32\en-us
2009-05-29 02:45:51 ----HDC---- C:\WINDOWS\$NtUninstallKB925876$
2009-05-29 02:45:36 ----HDC---- C:\WINDOWS\$NtUninstallKB896344$
2009-05-29 02:39:11 ----N---- C:\WINDOWS\system32\tsgqec.dll
2009-05-29 02:39:11 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2009-05-29 02:39:11 ----N---- C:\WINDOWS\system32\aaclient.dll
2009-05-29 02:15:00 ----D---- C:\WINDOWS\temp
2009-05-29 02:14:58 ----A---- C:\ComboFix.txt
2009-05-29 01:49:39 ----A---- C:\Boot.bak
2009-05-29 01:49:13 ----RASHD---- C:\cmdcons
2009-05-29 01:37:42 ----A---- C:\WINDOWS\zip.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\SWREG.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\PEV.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\grep.exe
2009-05-29 01:37:41 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-29 01:37:41 ----A---- C:\WINDOWS\SWSC.exe
2009-05-29 01:37:41 ----A---- C:\WINDOWS\sed.exe
2009-05-24 10:25:46 ----D---- C:\WINDOWS\ERDNT
2009-05-24 10:16:21 ----D---- C:\Program Files\Trend Micro
2009-05-24 08:54:12 ----D---- C:\Documents and Settings\Eczka\Application Data\Malwarebytes
2009-05-24 08:53:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-24 08:53:38 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-24 02:27:12 ----D---- C:\Qoobox
2009-05-23 19:41:01 ----A---- C:\WINDOWS\system32\resetlog.txt
2009-05-23 19:21:52 ----D---- C:\WINDOWS\pss
2009-05-23 19:04:08 ----D---- C:\Config.Msi
2009-05-07 14:47:16 ----D---- C:\Program Files\MSECache

======List of files/folders modified in the last 1 months======

2009-05-29 04:34:30 ----D---- C:\Program Files\Mozilla Firefox
2009-05-29 04:31:48 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-29 03:12:51 ----D---- C:\WINDOWS\system32
2009-05-29 03:12:50 ----HD---- C:\WINDOWS\system32\drivers
2009-05-29 03:12:06 ----RD---- C:\Program Files
2009-05-29 03:11:54 ----SHD---- C:\WINDOWS\Installer
2009-05-29 03:11:53 ----D---- C:\WINDOWS\WinSxS
2009-05-29 03:11:53 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-05-29 03:10:35 ----D---- C:\WINDOWS
2009-05-29 03:10:07 ----D---- C:\Program Files\Common Files
2009-05-29 03:09:22 ----D---- C:\Program Files\Symantec
2009-05-29 03:04:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-29 03:04:13 ----D---- C:\Program Files\Norton AntiVirus
2009-05-29 03:03:46 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-05-29 02:58:46 ----SD---- C:\WINDOWS\Tasks
2009-05-29 02:54:45 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-29 02:54:45 ----HD---- C:\WINDOWS\inf
2009-05-29 02:54:45 ----D---- C:\WINDOWS\Help
2009-05-29 02:54:45 ----D---- C:\Program Files\Internet Explorer
2009-05-29 02:54:44 ----D---- C:\WINDOWS\system32\usmt
2009-05-29 02:51:04 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-29 02:50:51 ----A---- C:\WINDOWS\imsins.BAK
2009-05-29 02:50:33 ----D---- C:\WINDOWS\system32\config
2009-05-29 02:50:22 ----D---- C:\WINDOWS\Media
2009-05-29 02:47:26 ----D---- C:\WINDOWS\Prefetch
2009-05-29 02:46:12 ----D---- C:\WINDOWS\security
2009-05-29 02:21:28 ----D---- C:\WINDOWS\SoftwareDistribution
2009-05-29 02:09:56 ----A---- C:\WINDOWS\system.ini
2009-05-29 02:06:24 ----D---- C:\WINDOWS\AppPatch
2009-05-29 02:04:28 ----D---- C:\WINDOWS\system
2009-05-29 01:49:40 ----RASH---- C:\boot.ini
2009-05-26 02:01:27 ----D---- C:\WINDOWS\Minidump
2009-05-23 21:13:28 ----D---- C:\Program Files\Common Files\ArcSoft
2009-05-23 21:13:28 ----D---- C:\Documents and Settings\All Users\Application Data\ArcSoft
2009-05-23 21:13:07 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-23 21:13:07 ----D---- C:\Documents and Settings\Eczka\Application Data\ArcSoft
2009-05-23 21:06:26 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2009-05-23 21:00:07 ----A---- C:\WINDOWS\win.ini
2009-05-23 19:38:32 ----D---- C:\Documents and Settings\Eczka\Application Data\U3
2009-05-23 19:08:58 ----D---- C:\Program Files\Unwired
2009-05-23 19:08:58 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-05-23 19:08:40 ----D---- C:\Program Files\Google
2009-05-23 19:03:50 ----D---- C:\WINDOWS\system32\Restore
2009-05-23 19:00:53 ----D---- C:\Documents and Settings\Eczka\Application Data\skypePM
2009-05-20 11:36:24 ----A---- C:\WINDOWS\forevermopt.INI
2009-05-20 11:28:38 ----A---- C:\WINDOWS\mafosav.INI
2009-05-07 15:00:28 ----RSD---- C:\WINDOWS\Fonts
2009-05-07 15:00:19 ----D---- C:\Program Files\Microsoft Office
2009-05-07 00:16:30 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-29 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-29 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-29 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 meiudf;meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [2005-06-02 102384]
R1 SrvcSSIOMngr;SrvcSSIOMngr; C:\WINDOWS\System32\Drivers\SSIoMngr.sys [2004-07-31 6400]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2005-05-14 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2005-05-14 23545]
R1 TPwSav;Common Driver; C:\WINDOWS\System32\Drivers\TPwSav.sys [2005-06-04 9600]
R2 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys [2002-07-17 16877]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2005-04-21 40544]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.10; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2006-06-02 15890]
R2 Netdevio;TOSHIBA Network Device Usermode I/O Protocol; C:\WINDOWS\system32\DRIVERS\netdevio.sys [2003-01-29 12032]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-05-31 25725]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-05-31 34845]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-05-31 4125]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-05-31 2241]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-05-31 86876]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-05-31 15069]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-05-31 6365]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-05-31 98716]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-05-31 100605]
R3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-03-05 1066278]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-04-19 2317504]
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2004-11-15 101874]
R3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2004-12-22 393600]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-07-06 1245696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-11 21060]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
R3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
R3 Tvs;Toshiba Virtual Sound with SRS technologies; C:\WINDOWS\system32\DRIVERS\Tvs.sys [2005-04-16 29056]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 cmusbnet;WAN Driver @ 3GPP (6280); C:\WINDOWS\system32\DRIVERS\cmusbnet.sys [2007-06-22 87424]
S3 cmusbser;%CMUSBSER%; C:\WINDOWS\system32\DRIVERS\cmusbser.sys [2006-12-13 87040]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 PCASp50;PCASp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\PCASp50.sys [2007-07-13 27072]
S3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2004-06-28 69760]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACS;Atheros Configuration Service; C:\WINDOWS\system32\ACS.exe [2004-12-22 36864]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-29 298776]
R2 CFSvcs;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2005-01-17 40960]
R2 DVD-RAM_Service;DVD-RAM_Service; C:\WINDOWS\system32\DVDRAMSV.exe [2004-08-28 110592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-05 138168]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-29 89136]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-07-06 376832]
S4 navapsvc;Norton AntiVirus Auto-Protect Service; C:\Program Files\Norton AntiVirus\navapsvc.exe []

-----------------EOF-----------------



info.txt logfile of random's system information tool 1.06 2009-05-29 04:37:01

======Uninstall list======

-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 8.0 Professional Edition-->MsiExec.exe /I{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
ALPS Touch Pad Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Atheros Client Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}\setup.exe" -l0x9
Atheros Wireless LAN MiniPCI card Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}\Setup.exe" -l0x9
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Canon MP Navigator EX 1.0-->"C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Canon MP610 series-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP610_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP610_series /L0x0009
Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint EX-->C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities Solution Menu-->C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
Caplio Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{204331F5-3F73-4CC6-8813-1BB9A4EA1530}\setup.exe" -l0x9 anything
CD/DVD Drive Acoustic Silencer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\setup.exe" -l0x9
CD-LabelPrint-->"C:\Program Files\Canon\CD-LabelPrint\Uninstal.exe" Canon.CDLabelPrint.Application
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
CorelDRAW Graphics Suite 12-->MsiExec.exe /I{505AFDC0-5E72-4928-8368-5DEA385E3647}
Data Access Objects (DAO) 3.0-->C:\WINDOWS\system32\Unwise32.exe C:\PROGRA~1\COMMON~1\MICROS~1\DAO\Dao30.log
DivX Converter-->C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DVD-RAM Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\setup.exe" -l0x9 DVD-RAM Driver
eMule-->"C:\Program Files\eMule\Uninstall.exe"
e-tax 2006-->C:\etax2006\e-tax 2006_uninstall.exe
e-tax 2007-->C:\etax2007\e-tax 2007_uninstall.exe
e-tax 2008-->C:\etax2008\e-tax 2008_uninstall.exe
Google Earth-->MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
Helherron-->C:\WINDOWS\IsUninst.exe -f"c:\program files\new folder\hel\Uninst.isu"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB896344)-->"C:\WINDOWS\$NtUninstallKB896344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
ImageMixer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B07D847-8077-4242-91C7-DFA3CE5113E0}\setup.exe" -l0x9 UNINSTALL
InterVideo WinDVD Creator 2-->"C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD for TOSHIBA-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Macromedia Flash Player 8-->C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Magic ISO Maker v5.5 (build 0273)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mario Forever-->C:\Program Files\Mario\Odinstaluj.exe
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Office OneNote 2003-->MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003-->MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Media Content-->MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002-->MsiExec.exe /I{91190409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MicroStaff WINASPI-->C:\MWASPI\uninst.exe
Monkey's Audio-->"C:\Program Files\Monkey's Audio\unins000.exe"
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 Converter Simple-->C:\PROGRA~1\MP3CON~1\UNWISE.EXE C:\PROGRA~1\MP3CON~1\INSTALL.LOG
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser-->MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
QuickTime-->MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
SA32xx Device Manager-->C:\Program Files\InstallShield Installation Information\{7CDC26F7-D6BF-442A-B599-0075A48310F7}\setup.exe -runfromtemp -l0x0009 -removeonly
ScanSoft OmniPage SE 4-->MsiExec.exe /I{DEE88727-779B-47A9-ACEF-F87CA5F92A65}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB942615)-->"C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944533)-->"C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB947864)-->"C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
TOSHIBA Accessibility-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3A57482F-BEBC-47E4-ADA1-6302403C7E50} /l1033
TOSHIBA Assist-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe" -l0x9
TOSHIBA ConfigFree-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Controls-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5BCA8D15-BCB6-421E-9654-238B43456A4F} /l1033
TOSHIBA Fn-esse-->C:\WINDOWS\UnInst32.exe Fn-esse.UNI
TOSHIBA Hardware Setup-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1033
TOSHIBA Hotkey Utility-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7900D3A6-A9E8-4954-ACCB-AB15867978BF} /l1033
TOSHIBA PC Diagnostic Tool-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A38D57D1-5F29-4691-B3DD-FE4B3A7B3AFE} /l1033
TOSHIBA Software Modem-->Tosmreg -U
TOSHIBA Speech System Applications-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
TOSHIBA Supervisor Password-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1033
TOSHIBA Virtual Sound-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B12BA86-ADAC-4BA6-B441-FFC591087252}\Setup.exe" /uninstall
TOSHIBA Zooming Utility-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{02EED746-8C5A-43C8-BB3D-D29C8B363A4D} /l1033
Touch and Launch-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\Setup.exe"
TouchPad On/Off Utility-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{80977342-27E8-4FF7-8B6A-D8D89461DA7F} /l1033
Unwired-->MsiExec.exe /X{1D0CCE38-40A6-46E7-9C85-D058A1598EFF}
Unwired-->MsiExec.exe /X{F0C26485-8FA9-4D68-89F9-54FE95A0A352}
Update for Windows Internet Explorer 8 (KB971180)-->"C:\WINDOWS\ie8updates\KB971180-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB925876)-->"C:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840)-->"C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
WinAce Archiver-->"C:\Program Files\WinAce\SXUNINST.EXE" "C:\Program Files\WinAce\SXUNINST.INI"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB885884-->C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: STEPH
Event Code: 7011
Message: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Record Number: 44327
Source Name: Service Control Manager
Time Written: 20090426114340.000000+600
Event Type: error
User:

Computer Name: STEPH
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0016E30DB848. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 44325
Source Name: Dhcp
Time Written: 20090426114339.000000+600
Event Type: warning
User:

Computer Name: STEPH
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0016E30DB848. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 44324
Source Name: Dhcp
Time Written: 20090426114339.000000+600
Event Type: warning
User:

Computer Name: STEPH
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0016E30DB848. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 44323
Source Name: Dhcp
Time Written: 20090426114334.000000+600
Event Type: warning
User:

Computer Name: STEPH
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0016E30DB848. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 44322
Source Name: Dhcp
Time Written: 20090426114333.000000+600
Event Type: warning
User:

=====Application event log=====

Computer Name: STEPH
Event Code: 1517
Message: Windows saved user STEPH\Eczka registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 25158
Source Name: Userenv
Time Written: 20090417123236.000000+600
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: STEPH
Event Code: 1517
Message: Windows saved user STEPH\Eczka registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 25116
Source Name: Userenv
Time Written: 20090414010013.000000+600
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: STEPH
Event Code: 1517
Message: Windows saved user STEPH\Eczka registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 25022
Source Name: Userenv
Time Written: 20090409151250.000000+600
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: STEPH
Event Code: 1517
Message: Windows saved user STEPH\Eczka registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 25001
Source Name: Userenv
Time Written: 20090409142555.000000+600
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: STEPH
Event Code: 1517
Message: Windows saved user STEPH\Eczka registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 24922
Source Name: Userenv
Time Written: 20090404013405.000000+660
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\ArcSoft\Bin;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip

-----------------EOF-----------------

#8 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 29 May 2009 - 07:17 PM

Hi KarolF,

Good Job!!! :thumbup2:

Combofix has took out a fair bit but there is still quite a bit to clean up.


3. Removed Norton, appeared to successfully uninstal. Downloaded and installed AVG Anti-Virus. Seems to work fine.

Yes I noticed that you installed AVG8.5, but there are some files leftover from Symantec-Norton anti-virus program.

Go to Add/Remove programs and delete anything you see there that belongs to Symantec {or Norton.


Then...

Use the Norton Removal Tool to completly remove Symantec-Norton products.

please visit > this site < and select your Norton program, then follow the instruction for removal
.


:) P2P Warning :cool:

Going over your logs I noticed that you have: emule installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall: emule, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned
.


Please follow these instructions carefully.

Step #1.

Enable the viewing of hidden files in Windows XP:

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK
Your computer is now configured to show all hidden system files and folders.

Step #2.

*Open HijackThis. Click on Do a system scan only. Close your browser and all open windows including this one, the only program or window you should have open is HijackThis, and please check the following entry:

O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe

Ensure you have closed all windows except HijackThis and click Fix Checked.
Exit Hijackthis program.

Use Windows to find and Delete the following File: (IF PRESENT)

C:\WINDOWS\system32\drivers\hldrrr.exe

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete

Reboot when done.

Step #3.

Your Java is out of date!!!.
Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Step #4.

Please download Posted Image ATF Cleaner-3 by Atribune.
(Good temp file cleaner that could do the job safely and without removing files that are crucial to windows).
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTES: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

NOTE:*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_...refetch-XP.html

Step #5.

Please do a scan with Kaspersky Online Scanner

Note: Kaspersky doesn't fix anything it just reports what it founds.
If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Posted Image

Please re-scan with RSIT and post the log.

Summary of the logs I will need in your next reply:
  • The Kaspersky log.
  • The RSIT log.
And any description of remaining problems in your next post.

How is your Computer running now?.

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks.
.
Kind regards
Net_Surfer

:)
Reason for EDIT: Java was Updated today to: 6u14. Please update java to 14 if you have not done accordingly.

Edited by Net_Surfer, 30 May 2009 - 05:39 PM.


#9 KarolF

KarolF
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:19 PM

Posted 01 June 2009 - 10:37 AM

Apologies for the delay in executing the latest instructions, I've been very busy with work. I will do the next steps within the next day or two.

#10 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 04 June 2009 - 05:03 PM

:) Bump :)
Hello KarolF. :cool:

Are you still there???
:thumbup2:

If you are please follow the instructions in my previous post.

Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Unfortunately, if I do not hear back from you within 2 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread.


Kind regards
Net_Surfer

:)

Edited by Net_Surfer, 04 June 2009 - 09:58 PM.


#11 KarolF

KarolF
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:19 PM

Posted 05 June 2009 - 10:43 PM

Hi Net_Surfer,

Again, apologies for the delay.

I followed all the instructions:

- Removed Norton with the Removal Tool
- Enabled viewing hidden files
- Ran HijackThis but it did not find O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe , and the file does not exist anymore, so I did not delete anything.
- Uninstalled Java and updated to JRE 6 Update 14
- Ran ATF Cleaner-3 and made the deletions
- Ran Kaspersky - no viruses found (see log)
- Ran RSIT (see log)


Thanks,
KarolF.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, June 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, June 05, 2009 18:30:38
Records in database: 2313586
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 73629
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 06:26:02

No malware has been detected. The scan area is clean.

The selected area was scanned.




Logfile of random's system information tool 1.06 (written by random/random)
Run by Eczka at 2009-06-06 11:19:59
Microsoft Windows XP Professional Service Pack 2
System drive C: has 393 MB (1%) free of 57 GB
Total RAM: 446 MB (9% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:04 AM, on 6/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Eczka\Local Settings\temp\jkos-Eczka\binaries\ScanningProcess.exe
C:\Documents and Settings\Eczka\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Eczka.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.agn.gob.mx/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=060709 serial=DR12WNP-9936859-UJJ lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7149 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-29 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 118844]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-29 2223872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-06-05 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-06-05 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-29 2223872]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-07-06 344064]
"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2004-03-24 196608]
"CeEKEY"=C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe [2005-07-01 671744]
"TPNF"=C:\Program Files\TOSHIBA\TouchPad\TPTray.exe [2005-06-09 53248]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2005-05-31 122941]
"PadTouch"=C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe [2004-09-08 1077301]
"ZoomingHook"=C:\WINDOWS\system32\ZoomingHook.exe [2005-06-07 24576]
"SmoothView"=C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe [2005-04-27 122880]
"SVPWUTIL"=C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe [2004-05-02 65536]
"TPSMain"=C:\WINDOWS\system32\TPSMain.exe [2005-06-01 282624]
"HWSetup"=C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe [2004-05-02 28672]
"Tvs"=C:\Program Files\Toshiba\Tvs\TvsTray.exe [2005-04-06 73728]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2004-12-22 88358]
"TCtryIOHook"=C:\WINDOWS\system32\TCtrlIOHook.exe [2005-08-05 28672]
"TFncKy"=TFncKy.exe []
"CorelDRAW Graphics Suite 11b"=C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe [2003-11-25 729088]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-10-10 282624]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-05-15 644696]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-04-04 1603152]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-10-25 210472]
"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe [2007-02-04 79400]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-29 1947928]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-06-05 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-07-06 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-29 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-05-23 402736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Documents and Settings\Eczka\Local Settings\temp\7zS21C.tmp\SymNRT.exe"="C:\Documents and Settings\Eczka\Local Settings\temp\7zS21C.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67a16279-2d28-11dc-a22f-0016e30db848}]
shell\AutoRun\command - E:\nideiect.com
shell\explore\command - E:\nideiect.com
shell\open\command - E:\nideiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a76566e4-53c1-11dd-a262-0016e30db848}]
shell\AutoRun\command - E:\nideiect.com
shell\explore\command - E:\nideiect.com
shell\open\command - E:\nideiect.com


======List of files/folders created in the last 1 months======

2009-06-05 14:41:32 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-06-05 14:29:24 ----SHD---- C:\RECYCLER
2009-06-05 14:19:43 ----D---- C:\Program Files\Sun
2009-06-05 14:19:16 ----A---- C:\WINDOWS\system32\javaws.exe
2009-06-05 14:19:16 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-06-05 14:19:15 ----A---- C:\WINDOWS\system32\javaw.exe
2009-06-05 14:19:15 ----A---- C:\WINDOWS\system32\java.exe
2009-05-29 11:12:12 ----A---- C:\WINDOWS\TPTray.INI
2009-05-29 04:36:23 ----D---- C:\rsit
2009-05-29 04:30:54 ----HD---- C:\$AVG8.VAULT$
2009-05-29 03:12:51 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-05-29 03:12:31 ----D---- C:\Documents and Settings\Eczka\Application Data\AVGTOOLBAR
2009-05-29 03:12:06 ----D---- C:\Program Files\AVG
2009-05-29 03:12:05 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-05-29 02:51:10 ----D---- C:\WINDOWS\ie8updates
2009-05-29 02:50:30 ----D---- C:\WINDOWS\WBEM
2009-05-29 02:49:17 ----HDC---- C:\WINDOWS\ie8
2009-05-29 02:46:20 ----D---- C:\Program Files\MSXML 6.0
2009-05-29 02:46:04 ----D---- C:\WINDOWS\system32\en-us
2009-05-29 02:45:51 ----HDC---- C:\WINDOWS\$NtUninstallKB925876$
2009-05-29 02:45:36 ----HDC---- C:\WINDOWS\$NtUninstallKB896344$
2009-05-29 02:39:11 ----N---- C:\WINDOWS\system32\tsgqec.dll
2009-05-29 02:39:11 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2009-05-29 02:39:11 ----N---- C:\WINDOWS\system32\aaclient.dll
2009-05-29 02:15:00 ----D---- C:\WINDOWS\temp
2009-05-29 02:14:58 ----A---- C:\ComboFix.txt
2009-05-29 01:49:39 ----A---- C:\Boot.bak
2009-05-29 01:49:13 ----RASHD---- C:\cmdcons
2009-05-29 01:37:42 ----A---- C:\WINDOWS\zip.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\SWREG.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\PEV.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\grep.exe
2009-05-29 01:37:41 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-29 01:37:41 ----A---- C:\WINDOWS\SWSC.exe
2009-05-29 01:37:41 ----A---- C:\WINDOWS\sed.exe
2009-05-24 10:25:46 ----D---- C:\WINDOWS\ERDNT
2009-05-24 10:16:21 ----D---- C:\Program Files\Trend Micro
2009-05-24 08:54:12 ----D---- C:\Documents and Settings\Eczka\Application Data\Malwarebytes
2009-05-24 08:53:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-24 08:53:38 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-24 02:27:12 ----D---- C:\Qoobox
2009-05-23 19:41:01 ----A---- C:\WINDOWS\system32\resetlog.txt
2009-05-23 19:21:52 ----D---- C:\WINDOWS\pss
2009-05-23 19:04:08 ----D---- C:\Config.Msi
2009-05-07 14:47:16 ----D---- C:\Program Files\MSECache

======List of files/folders modified in the last 1 months======

2009-06-06 11:19:36 ----D---- C:\WINDOWS\Prefetch
2009-06-05 21:44:29 ----D---- C:\WINDOWS
2009-06-05 15:19:00 ----D---- C:\Program Files\Mozilla Firefox
2009-06-05 14:46:21 ----D---- C:\WINDOWS\system32
2009-06-05 14:43:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-06-05 14:42:06 ----RD---- C:\Program Files
2009-06-05 14:20:17 ----SHD---- C:\WINDOWS\Installer
2009-06-05 14:18:42 ----D---- C:\Program Files\Java
2009-06-05 14:14:06 ----D---- C:\Program Files\Common Files
2009-05-29 04:31:48 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-29 03:12:50 ----HD---- C:\WINDOWS\system32\drivers
2009-05-29 03:11:53 ----D---- C:\WINDOWS\WinSxS
2009-05-29 03:11:53 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-05-29 02:58:46 ----SD---- C:\WINDOWS\Tasks
2009-05-29 02:54:45 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-29 02:54:45 ----HD---- C:\WINDOWS\inf
2009-05-29 02:54:45 ----D---- C:\WINDOWS\Help
2009-05-29 02:54:45 ----D---- C:\Program Files\Internet Explorer
2009-05-29 02:54:44 ----D---- C:\WINDOWS\system32\usmt
2009-05-29 02:51:04 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-29 02:50:51 ----A---- C:\WINDOWS\imsins.BAK
2009-05-29 02:50:33 ----D---- C:\WINDOWS\system32\config
2009-05-29 02:50:22 ----D---- C:\WINDOWS\Media
2009-05-29 02:46:12 ----D---- C:\WINDOWS\security
2009-05-29 02:21:28 ----D---- C:\WINDOWS\SoftwareDistribution
2009-05-29 02:09:56 ----A---- C:\WINDOWS\system.ini
2009-05-29 02:06:24 ----D---- C:\WINDOWS\AppPatch
2009-05-29 02:04:28 ----D---- C:\WINDOWS\system
2009-05-29 01:49:40 ----RASH---- C:\boot.ini
2009-05-26 02:01:27 ----D---- C:\WINDOWS\Minidump
2009-05-23 21:13:28 ----D---- C:\Program Files\Common Files\ArcSoft
2009-05-23 21:13:28 ----D---- C:\Documents and Settings\All Users\Application Data\ArcSoft
2009-05-23 21:13:07 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-23 21:13:07 ----D---- C:\Documents and Settings\Eczka\Application Data\ArcSoft
2009-05-23 21:06:26 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2009-05-23 21:00:07 ----A---- C:\WINDOWS\win.ini
2009-05-23 19:38:32 ----D---- C:\Documents and Settings\Eczka\Application Data\U3
2009-05-23 19:08:58 ----D---- C:\Program Files\Unwired
2009-05-23 19:08:58 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-05-23 19:08:40 ----D---- C:\Program Files\Google
2009-05-23 19:03:50 ----D---- C:\WINDOWS\system32\Restore
2009-05-23 19:00:53 ----D---- C:\Documents and Settings\Eczka\Application Data\skypePM
2009-05-20 11:36:24 ----A---- C:\WINDOWS\forevermopt.INI
2009-05-20 11:28:38 ----A---- C:\WINDOWS\mafosav.INI
2009-05-07 15:00:28 ----RSD---- C:\WINDOWS\Fonts
2009-05-07 15:00:19 ----D---- C:\Program Files\Microsoft Office
2009-05-07 00:16:30 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-29 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-29 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-29 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 meiudf;meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [2005-06-02 102384]
R1 SrvcSSIOMngr;SrvcSSIOMngr; C:\WINDOWS\System32\Drivers\SSIoMngr.sys [2004-07-31 6400]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2005-05-14 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2005-05-14 23545]
R1 TPwSav;Common Driver; C:\WINDOWS\System32\Drivers\TPwSav.sys [2005-06-04 9600]
R2 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys [2002-07-17 16877]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2005-04-21 40544]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.10; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2006-06-02 15890]
R2 Netdevio;TOSHIBA Network Device Usermode I/O Protocol; C:\WINDOWS\system32\DRIVERS\netdevio.sys [2003-01-29 12032]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-05-31 25725]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-05-31 34845]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-05-31 4125]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-05-31 2241]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-05-31 86876]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-05-31 15069]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-05-31 6365]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-05-31 98716]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-05-31 100605]
R3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-03-05 1066278]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-04-19 2317504]
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2004-11-15 101874]
R3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2004-12-22 393600]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-07-06 1245696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-11 21060]
R3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
R3 Tvs;Toshiba Virtual Sound with SRS technologies; C:\WINDOWS\system32\DRIVERS\Tvs.sys [2005-04-16 29056]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 cmusbnet;WAN Driver @ 3GPP (6280); C:\WINDOWS\system32\DRIVERS\cmusbnet.sys [2007-06-22 87424]
S3 cmusbser;%CMUSBSER%; C:\WINDOWS\system32\DRIVERS\cmusbser.sys [2006-12-13 87040]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 PCASp50;PCASp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\PCASp50.sys [2007-07-13 27072]
S3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2004-06-28 69760]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACS;Atheros Configuration Service; C:\WINDOWS\system32\ACS.exe [2004-12-22 36864]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-29 298776]
R2 CFSvcs;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2005-01-17 40960]
R2 DVD-RAM_Service;DVD-RAM_Service; C:\WINDOWS\system32\DVDRAMSV.exe [2004-08-28 110592]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-06-05 152984]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-05 138168]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-29 89136]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-07-06 376832]

-----------------EOF-----------------

#12 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 06 June 2009 - 02:34 PM

These steps are for member: KarolF ONLY. If you are a lurker, do NOT try this on your system! If you are not the topic starter and have a similar problem, do NOT post here; DO NOT follow these directions as they could damage the workings of your system. Please start your own topic.

Hello KarolF,

We need to do the following:


Step #1.

We need to run an CFScript by using ComboFix again

Please disable any running anti-virus or anti-malware programs.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
  • Close any open browsers.
  • Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it (Do not include the word: "CODE"):

    KILLALL::
    
    File::
    E:\nideiect.com
    C:\Documents and Settings\Eczka\Local Settings\temp\jkos-Eczka\binaries\ScanningProcess.exe
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67a16279-2d28-11dc-a22f-0016e30db848}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a76566e4-53c1-11dd-a262-0016e30db848}]
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    Posted Image

  • Now refering to the picture above, use your mouse to drag CFScript.text on top of ComboFix.exe
  • This will start ComboFix again. Please follow the prompts.
  • When finished, after reboot (in case it asks to reboot), it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.

* CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Step #2.

Re-scan with RSIT and post the log.

Summary of the logs I will need in your next reply:
  • The ComboFix log located in "C:\ComboFix.txt" .
  • The RSIT log.
How is your Computer running now?.

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks.
.
Kind regards
Net_Surfer

:thumbup2:

#13 KarolF

KarolF
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:19 PM

Posted 09 June 2009 - 10:50 AM

Hi Net_Surfer,

I ran Combofix and scanned with RSIT as you instructed. Logs below.

Cheers,
KarolF.




ComboFix 09-06-08.05 - Eczka 10/06/2009 1:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.206 [GMT 10:00]
Running from: c:\documents and settings\Eczka\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Eczka\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\documents and settings\Eczka\Local Settings\temp\jkos-Eczka\binaries\ScanningProcess.exe"
"E:\nideiect.com"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eczka\Local Settings\temp\jkos-Eczka\binaries\ScanningProcess.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-05 04:41 . 2009-06-05 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-05 04:19 . 2009-06-05 04:19 -------- d-----w- c:\program files\Sun
2009-06-05 04:19 . 2009-06-05 04:18 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-28 18:36 . 2009-05-28 18:37 -------- d-----w- C:\rsit
2009-05-28 18:32 . 2009-05-28 18:32 -------- d-sh--w- c:\documents and settings\Eczka\PrivacIE
2009-05-28 18:30 . 2009-06-08 17:34 -------- d--h--w- C:\$AVG8.VAULT$
2009-05-28 17:12 . 2009-05-28 17:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-28 17:12 . 2009-05-28 17:12 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-28 17:12 . 2009-05-28 17:12 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-28 17:12 . 2009-05-28 17:12 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-28 17:12 . 2009-06-09 02:30 -------- d-----w- c:\windows\system32\drivers\Avg
2009-05-28 17:12 . 2009-05-28 18:32 -------- d-----w- c:\documents and settings\Eczka\Application Data\AVGTOOLBAR
2009-05-28 17:12 . 2009-05-28 17:12 -------- d-----w- c:\program files\AVG
2009-05-28 17:12 . 2009-05-28 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-28 16:54 . 2009-05-28 16:54 -------- d-sh--w- c:\documents and settings\Eczka\IETldCache
2009-05-28 16:51 . 2009-05-28 16:51 -------- d-----w- c:\windows\ie8updates
2009-05-28 16:50 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-28 16:49 . 2009-05-28 16:50 -------- dc-h--w- c:\windows\ie8
2009-05-28 16:46 . 2009-05-28 16:46 -------- d-----w- c:\program files\MSXML 6.0
2009-05-28 16:39 . 2006-11-13 06:02 36352 ------w- c:\windows\system32\tsgqec.dll
2009-05-28 16:39 . 2006-11-13 06:02 288768 ------w- c:\windows\system32\rhttpaa.dll
2009-05-28 16:39 . 2006-11-13 06:02 116736 ------w- c:\windows\system32\aaclient.dll
2009-05-24 00:16 . 2009-05-24 00:16 -------- d-----w- c:\program files\Trend Micro
2009-05-23 22:54 . 2009-05-23 22:54 -------- d-----w- c:\documents and settings\Eczka\Application Data\Malwarebytes
2009-05-23 22:53 . 2009-04-06 05:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-23 22:53 . 2009-04-06 05:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 22:53 . 2009-05-24 02:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-23 22:53 . 2009-05-23 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 04:18 . 2005-08-12 22:18 -------- d-----w- c:\program files\Java
2009-05-23 11:13 . 2009-01-08 06:25 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-05-23 11:13 . 2009-01-08 06:25 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-05-23 11:13 . 2009-01-08 09:08 -------- d-----w- c:\documents and settings\Eczka\Application Data\ArcSoft
2009-05-23 11:13 . 2005-08-12 22:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-23 11:06 . 2008-08-24 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-23 09:38 . 2007-07-04 02:34 -------- d-----w- c:\documents and settings\Eczka\Application Data\U3
2009-05-23 09:12 . 2009-05-23 09:21 194918 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-05-23 09:08 . 2006-07-29 04:34 -------- d-----w- c:\program files\Unwired
2009-05-23 09:08 . 2007-08-05 13:38 -------- d-----w- c:\program files\Google
2009-05-23 09:00 . 2008-08-24 09:47 -------- d-----w- c:\documents and settings\Eczka\Application Data\skypePM
2009-05-11 15:04 . 2006-06-05 10:22 67080 ----a-w- c:\documents and settings\Eczka\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-07 05:00 . 2009-05-07 04:47 -------- d-----w- c:\program files\MSECache
2009-04-28 02:36 . 2006-09-25 12:24 -------- d-----w- c:\program files\eMule
.

((((((((((((((((((((((((((((( SnapShot@2009-05-28_16.09.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-01 14:46 . 2006-12-01 14:46 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
+ 2006-12-01 14:08 . 2006-12-01 14:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 14:08 . 2006-12-01 14:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 14:08 . 2006-12-01 14:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 14:08 . 2006-12-01 14:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 14:08 . 2006-12-01 14:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 14:08 . 2006-12-01 14:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 14:08 . 2006-12-01 14:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 14:08 . 2006-12-01 14:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 14:08 . 2006-12-01 14:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 14:26 . 2006-12-01 14:26 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 14:25 . 2006-12-01 14:25 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 12:56 . 2006-12-01 12:56 96256 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2009-06-09 15:36 . 2009-06-09 15:36 16384 c:\windows\temp\Perflib_Perfdata_708.dat
- 2004-08-04 12:00 . 2004-08-04 12:00 19968 c:\windows\system32\usmt\log.dll
+ 2004-08-04 12:00 . 2005-04-28 19:16 19968 c:\windows\system32\usmt\log.dll
+ 2009-05-28 16:38 . 2005-04-27 23:15 17920 c:\windows\system32\usmt\cobramsg.dll
+ 2006-06-02 02:27 . 2009-01-07 08:21 26144 c:\windows\system32\spupdsvc.exe
+ 2005-08-12 21:46 . 2009-01-07 08:20 16928 c:\windows\system32\spmsg.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 46592 c:\windows\system32\pngfilt.dll
+ 2009-01-07 08:20 . 2009-01-07 08:20 23552 c:\windows\system32\normaliz.dll
+ 2009-01-07 08:20 . 2009-01-07 08:20 24576 c:\windows\system32\nlsdl.dll
+ 2006-10-04 18:31 . 2006-10-04 18:31 79872 c:\windows\system32\msxml6r.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 48128 c:\windows\system32\mshtmler.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 45568 c:\windows\system32\mshta.exe
+ 2009-03-07 18:31 . 2009-03-07 18:31 13312 c:\windows\system32\msfeedssync.exe
+ 2009-03-07 18:31 . 2009-03-07 18:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-06-07 16:07 . 2009-06-07 16:07 89102 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2004-08-04 12:00 . 2009-03-07 18:34 43008 c:\windows\system32\licmgr10.dll
+ 2004-08-04 12:00 . 2009-03-07 18:33 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 94720 c:\windows\system32\inseng.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 34816 c:\windows\system32\imgutil.dll
+ 2009-03-07 18:32 . 2009-03-07 18:32 36864 c:\windows\system32\ieudinit.exe
+ 2004-08-04 12:00 . 2009-03-07 18:32 71680 c:\windows\system32\iesetup.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 55808 c:\windows\system32\iernonce.dll
+ 2009-01-07 08:20 . 2009-01-07 08:20 26112 c:\windows\system32\idndl.dll
+ 2009-03-07 18:31 . 2009-03-07 18:31 59904 c:\windows\system32\icardie.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 45568 c:\windows\system32\dllcache\mshta.exe
- 2004-08-04 12:00 . 2004-08-04 12:00 19968 c:\windows\system32\dllcache\log.dll
+ 2004-08-04 12:00 . 2005-04-28 19:16 19968 c:\windows\system32\dllcache\log.dll
+ 2004-08-04 12:00 . 2009-03-07 18:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-08-04 12:00 . 2009-03-07 18:33 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2005-08-12 21:25 . 2009-03-07 18:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2004-08-04 12:00 . 2009-03-07 18:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2004-08-04 12:00 . 2009-03-07 18:33 18944 c:\windows\system32\corpol.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 72704 c:\windows\system32\admparse.dll
+ 2009-05-28 16:39 . 2006-11-07 08:06 12451 c:\windows\Installer\tsclientmsitrans\tscuinst.vbs
+ 2009-05-28 16:39 . 2006-11-07 08:06 16832 c:\windows\Installer\tsclientmsitrans\tscinst.vbs
+ 2009-05-28 16:49 . 2004-08-04 12:00 37888 c:\windows\ie8\url.dll
+ 2009-05-28 16:50 . 2009-03-08 04:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2009-05-28 16:49 . 2009-02-20 08:30 39424 c:\windows\ie8\pngfilt.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 96256 c:\windows\ie8\occache.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 56832 c:\windows\ie8\mshtmler.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 29184 c:\windows\ie8\mshta.exe
+ 2009-05-28 16:49 . 2004-08-04 12:00 22016 c:\windows\ie8\licmgr10.dll
+ 2009-05-28 16:49 . 2009-02-20 08:30 16384 c:\windows\ie8\jsproxy.dll
+ 2009-05-28 16:49 . 2009-02-20 08:30 96256 c:\windows\ie8\inseng.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 35840 c:\windows\ie8\imgutil.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 93184 c:\windows\ie8\iexplore.exe
+ 2009-05-28 16:49 . 2004-08-04 12:00 62976 c:\windows\ie8\iesetup.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 48640 c:\windows\ie8\iernonce.dll
+ 2009-05-28 16:49 . 2009-02-20 08:30 81920 c:\windows\ie8\ieencode.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 34304 c:\windows\ie8\ie4uinit.exe
+ 2009-05-28 16:49 . 2004-08-04 12:00 38912 c:\windows\ie8\hmmapi.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 35328 c:\windows\ie8\corpol.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 99840 c:\windows\ie8\advpack.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 61440 c:\windows\ie8\admparse.dll
+ 2004-08-04 12:00 . 2005-04-27 23:15 2560 c:\windows\system32\usmt\iconlib.dll
+ 2009-05-28 16:51 . 2009-03-07 18:35 2048 c:\windows\ie8updates\KB971180-IE8\iecompat.dll
+ 2006-12-01 12:54 . 2006-12-01 12:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 12:54 . 2006-12-01 12:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 12:54 . 2006-12-01 12:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2009-01-07 08:21 . 2009-01-07 08:21 121856 c:\windows\system32\xmllite.dll
+ 2004-08-04 12:00 . 2009-03-07 18:34 914944 c:\windows\system32\wininet.dll
+ 2009-03-07 18:34 . 2009-03-07 18:34 208384 c:\windows\system32\WinFXDocObj.exe
+ 2004-08-04 12:00 . 2009-03-07 18:34 236544 c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00 . 2009-03-07 18:33 420352 c:\windows\system32\vbscript.dll
+ 2009-05-28 16:38 . 2005-04-28 19:16 173568 c:\windows\system32\usmt\sysmoda.dll
+ 2004-08-04 12:00 . 2005-04-28 19:16 193024 c:\windows\system32\usmt\sysmod.dll
+ 2009-05-28 16:38 . 2005-04-28 19:16 199680 c:\windows\system32\usmt\scripta.dll
+ 2004-08-04 12:00 . 2005-04-28 19:16 215552 c:\windows\system32\usmt\script.dll
+ 2009-05-28 16:38 . 2005-04-28 00:12 241152 c:\windows\system32\usmt\migwiza.exe
+ 2004-08-04 12:00 . 2005-04-28 00:12 245248 c:\windows\system32\usmt\migwiz.exe
+ 2004-08-04 12:00 . 2005-04-28 00:12 103424 c:\windows\system32\usmt\migload.exe
- 2004-08-04 12:00 . 2004-08-04 12:00 103424 c:\windows\system32\usmt\migload.exe
+ 2005-04-28 02:16 . 2005-04-28 02:16 261120 c:\windows\system32\usmt\migisma.dll
+ 2004-08-04 12:00 . 2005-04-28 19:16 274432 c:\windows\system32\usmt\migism.dll
+ 2009-05-28 16:38 . 2005-04-28 19:16 115200 c:\windows\system32\usmt\guitrna.dll
+ 2004-08-04 12:00 . 2005-04-28 19:16 133120 c:\windows\system32\usmt\guitrn.dll
+ 2004-08-04 12:00 . 2009-03-07 18:34 105984 c:\windows\system32\url.dll
+ 2004-08-04 12:00 . 2009-03-07 18:34 109568 c:\windows\system32\occache.dll
+ 2005-08-12 21:24 . 2006-11-07 08:06 600576 c:\windows\system32\mstsc.exe
+ 2004-08-04 12:00 . 2009-03-07 18:32 611840 c:\windows\system32\mstime.dll
+ 2004-08-04 12:00 . 2009-03-07 18:34 193536 c:\windows\system32\msrating.dll
+ 2004-08-04 12:00 . 2009-03-07 18:22 156160 c:\windows\system32\msls31.dll
+ 2009-03-07 18:32 . 2009-03-07 18:32 594432 c:\windows\system32\msfeeds.dll
+ 2009-01-07 08:20 . 2009-01-07 08:20 265720 c:\windows\system32\msdbg2.dll
+ 2009-02-03 02:07 . 2009-02-03 02:07 240544 c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2004-08-04 12:00 . 2009-03-07 18:33 726528 c:\windows\system32\jscript.dll
+ 2009-06-05 04:19 . 2009-06-05 04:18 148888 c:\windows\system32\javaws.exe
+ 2009-06-05 04:19 . 2009-06-05 04:18 144792 c:\windows\system32\javaw.exe
+ 2009-06-05 04:19 . 2009-06-05 04:18 144792 c:\windows\system32\java.exe
+ 2009-03-07 18:22 . 2009-03-07 18:22 164352 c:\windows\system32\ieui.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 183808 c:\windows\system32\iepeers.dll
+ 2004-08-04 12:00 . 2009-03-08 04:09 391536 c:\windows\system32\iedkcs32.dll
+ 2009-03-07 18:11 . 2009-03-07 18:11 445952 c:\windows\system32\ieapfltr.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 163840 c:\windows\system32\ieakui.dll
+ 2004-08-04 12:00 . 2009-03-07 18:33 229376 c:\windows\system32\ieaksie.dll
+ 2004-08-04 12:00 . 2009-03-07 18:33 125952 c:\windows\system32\ieakeng.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-04 12:00 . 2009-03-07 18:31 216064 c:\windows\system32\dxtrans.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 348160 c:\windows\system32\dxtmsft.dll
+ 2004-08-04 12:00 . 2009-03-07 18:34 914944 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 12:00 . 2009-03-07 18:34 236544 c:\windows\system32\dllcache\webcheck.dll
+ 2005-08-12 21:25 . 2009-03-07 18:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2004-08-04 12:00 . 2009-03-07 18:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2004-08-04 12:00 . 2009-03-07 18:34 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-04 12:00 . 2005-04-28 19:16 193024 c:\windows\system32\dllcache\sysmod.dll
+ 2009-01-07 08:20 . 2009-01-07 08:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2004-08-04 12:00 . 2005-04-28 19:16 215552 c:\windows\system32\dllcache\script.dll
+ 2004-08-04 12:00 . 2009-03-07 18:34 109568 c:\windows\system32\dllcache\occache.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00 . 2009-03-07 18:34 193536 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-04 12:00 . 2009-03-07 18:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2004-08-04 12:00 . 2005-04-28 00:12 245248 c:\windows\system32\dllcache\migwiz.exe
+ 2004-08-04 12:00 . 2005-04-28 00:12 103424 c:\windows\system32\dllcache\migload.exe
- 2004-08-04 12:00 . 2004-08-04 12:00 103424 c:\windows\system32\dllcache\migload.exe
+ 2004-08-04 12:00 . 2005-04-28 19:16 274432 c:\windows\system32\dllcache\migism.dll
+ 2004-08-04 12:00 . 2009-03-07 18:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2005-08-12 21:25 . 2009-03-08 04:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2004-08-04 12:00 . 2009-03-07 18:31 183808 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-04 12:00 . 2009-03-08 04:09 391536 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-04 12:00 . 2009-03-07 18:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-04 12:00 . 2009-03-07 18:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-04 12:00 . 2005-04-28 19:16 133120 c:\windows\system32\dllcache\guitrn.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 216064 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 12:00 . 2009-03-07 18:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-04 12:00 . 2009-03-07 18:32 128512 c:\windows\system32\advpack.dll
+ 2009-05-28 16:51 . 2007-11-30 12:39 382840 c:\windows\ie8updates\KB971180-IE8\spuninst\updspapi.dll
+ 2009-05-28 16:51 . 2007-11-30 12:39 231288 c:\windows\ie8updates\KB971180-IE8\spuninst\spuninst.exe
+ 2009-05-28 16:49 . 2009-02-20 08:30 659456 c:\windows\ie8\wininet.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 276480 c:\windows\ie8\webcheck.dll
+ 2009-05-28 16:49 . 2007-06-26 15:13 851968 c:\windows\ie8\vgx.dll
+ 2009-05-28 16:49 . 2007-12-18 14:40 417792 c:\windows\ie8\vbscript.dll
+ 2009-05-28 16:49 . 2009-02-20 08:30 616448 c:\windows\ie8\urlmon.dll
+ 2009-05-28 16:50 . 2009-01-07 08:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2009-05-28 16:50 . 2009-01-07 08:20 231456 c:\windows\ie8\spuninst\spuninst.exe
+ 2009-05-28 16:49 . 2009-02-20 08:30 532480 c:\windows\ie8\mstime.dll
+ 2009-05-28 16:49 . 2009-02-20 08:30 146432 c:\windows\ie8\msrating.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 146432 c:\windows\ie8\msls31.dll
+ 2009-05-28 16:49 . 2009-02-20 08:30 449024 c:\windows\ie8\mshtmled.dll
+ 2009-05-28 16:49 . 2007-12-18 14:40 450560 c:\windows\ie8\jscript.dll
+ 2009-05-28 16:49 . 2009-02-20 08:30 251392 c:\windows\ie8\iepeers.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 323584 c:\windows\ie8\iedkcs32.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 221184 c:\windows\ie8\ieakui.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 216576 c:\windows\ie8\ieaksie.dll
+ 2009-05-28 16:49 . 2004-08-04 12:00 139264 c:\windows\ie8\ieakeng.dll
+ 2009-05-28 16:49 . 2009-02-20 08:30 205312 c:\windows\ie8\dxtrans.dll
+ 2009-05-28 16:49 . 2009-02-20 08:30 357888 c:\windows\ie8\dxtmsft.dll
+ 2006-12-01 14:25 . 2006-12-01 14:25 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 14:25 . 2006-12-01 14:25 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2004-08-04 12:00 . 2009-03-07 18:34 1206784 c:\windows\system32\urlmon.dll
+ 2008-08-29 10:06 . 2008-08-29 10:06 1350664 c:\windows\system32\msxml6.dll
+ 2005-08-12 21:24 . 2006-11-13 06:02 1866240 c:\windows\system32\mstscax.dll
+ 2004-08-04 12:00 . 2009-03-07 18:41 5937152 c:\windows\system32\mshtml.dll
+ 2006-05-23 07:26 . 2008-03-20 08:06 1480232 c:\windows\system32\LegitCheckControl.dll
+ 2009-03-07 18:32 . 2009-03-07 18:32 1985024 c:\windows\system32\iertutil.dll
+ 2009-02-06 11:07 . 2009-02-06 11:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2004-08-04 12:00 . 2009-03-07 18:34 1206784 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 12:00 . 2009-03-07 18:41 5937152 c:\windows\system32\dllcache\mshtml.dll
+ 2009-05-28 16:49 . 2009-02-20 08:30 3059712 c:\windows\ie8\mshtml.dll
+ 2006-06-03 02:58 . 2009-05-06 14:16 24699336 c:\windows\system32\MRT.exe
+ 2009-03-07 18:39 . 2009-03-07 18:39 11063808 c:\windows\system32\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-06 344064]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-06-30 671744]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-06-08 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]
"CorelDRAW Graphics Suite 11b"="c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 729088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-10 282624]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-28 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-05 148888]
"ZoomingHook"="ZoomingHook.exe" - c:\windows\system32\ZoomingHook.exe [2005-06-06 24576]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-12-21 88358]
"TCtryIOHook"="TCtrlIOHook.exe" - c:\windows\system32\TCtrlIOHook.exe [2005-08-05 28672]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-13 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-28 17:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/05/2009 3:12 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [29/05/2009 3:12 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/05/2009 3:12 AM 298776]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [22/06/2007 8:54 AM 87424]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [13/12/2006 5:31 PM 87040]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.agn.gob.mx/
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Eczka\Application Data\Mozilla\Firefox\Profiles\4l751doz.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - hxxp://www.abc.net.au/news/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 01:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2796)
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-09 1:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-09 15:41
ComboFix2.txt 2009-05-28 16:14

Pre-Run: 4,233,216,000 bytes free
Post-Run: 4,322,889,728 bytes free

357 --- E O F --- 2009-05-30 04:20








Logfile of random's system information tool 1.06 (written by random/random)
Run by Eczka at 2009-06-10 01:45:02
Microsoft Windows XP Professional Service Pack 2
System drive C: has 4 GB (7%) free of 57 GB
Total RAM: 446 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:48 AM, on 10/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Eczka\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Eczka.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.agn.gob.mx/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=062309 serial=DR12WNP-9936859-UJJ lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6909 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-29 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 118844]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-29 2223872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-06-05 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-06-05 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-05-29 2223872]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-07-06 344064]
"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2004-03-24 196608]
"CeEKEY"=C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe [2005-07-01 671744]
"TPNF"=C:\Program Files\TOSHIBA\TouchPad\TPTray.exe [2005-06-09 53248]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2005-05-31 122941]
"PadTouch"=C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe [2004-09-08 1077301]
"ZoomingHook"=C:\WINDOWS\system32\ZoomingHook.exe [2005-06-07 24576]
"SmoothView"=C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe [2005-04-27 122880]
"SVPWUTIL"=C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe [2004-05-02 65536]
"TPSMain"=C:\WINDOWS\system32\TPSMain.exe [2005-06-01 282624]
"HWSetup"=C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe [2004-05-02 28672]
"Tvs"=C:\Program Files\Toshiba\Tvs\TvsTray.exe [2005-04-06 73728]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2004-12-22 88358]
"TCtryIOHook"=C:\WINDOWS\system32\TCtrlIOHook.exe [2005-08-05 28672]
"TFncKy"=TFncKy.exe []
"CorelDRAW Graphics Suite 11b"=C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe [2003-11-25 729088]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-10-10 282624]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-05-15 644696]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-04-04 1603152]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-10-25 210472]
"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe [2007-02-04 79400]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-29 1947928]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-06-05 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-07-06 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-29 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-05-23 402736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-06-10 01:41:37 ----A---- C:\ComboFix.txt
2009-06-10 01:33:51 ----D---- C:\WINDOWS\temp
2009-06-05 14:41:32 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-06-05 14:19:43 ----D---- C:\Program Files\Sun
2009-06-05 14:19:16 ----A---- C:\WINDOWS\system32\javaws.exe
2009-06-05 14:19:16 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-06-05 14:19:15 ----A---- C:\WINDOWS\system32\javaw.exe
2009-06-05 14:19:15 ----A---- C:\WINDOWS\system32\java.exe
2009-05-29 11:12:12 ----A---- C:\WINDOWS\TPTray.INI
2009-05-29 04:36:23 ----D---- C:\rsit
2009-05-29 04:30:54 ----HD---- C:\$AVG8.VAULT$
2009-05-29 03:12:51 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-05-29 03:12:31 ----D---- C:\Documents and Settings\Eczka\Application Data\AVGTOOLBAR
2009-05-29 03:12:06 ----D---- C:\Program Files\AVG
2009-05-29 03:12:05 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-05-29 02:51:10 ----D---- C:\WINDOWS\ie8updates
2009-05-29 02:50:30 ----D---- C:\WINDOWS\WBEM
2009-05-29 02:49:17 ----HDC---- C:\WINDOWS\ie8
2009-05-29 02:46:20 ----D---- C:\Program Files\MSXML 6.0
2009-05-29 02:46:04 ----D---- C:\WINDOWS\system32\en-us
2009-05-29 02:45:51 ----HDC---- C:\WINDOWS\$NtUninstallKB925876$
2009-05-29 02:45:36 ----HDC---- C:\WINDOWS\$NtUninstallKB896344$
2009-05-29 02:39:11 ----N---- C:\WINDOWS\system32\tsgqec.dll
2009-05-29 02:39:11 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2009-05-29 02:39:11 ----N---- C:\WINDOWS\system32\aaclient.dll
2009-05-29 01:49:39 ----A---- C:\Boot.bak
2009-05-29 01:49:13 ----RASHD---- C:\cmdcons
2009-05-29 01:37:42 ----A---- C:\WINDOWS\zip.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\SWREG.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\PEV.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-29 01:37:42 ----A---- C:\WINDOWS\grep.exe
2009-05-29 01:37:41 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-29 01:37:41 ----A---- C:\WINDOWS\SWSC.exe
2009-05-29 01:37:41 ----A---- C:\WINDOWS\sed.exe
2009-05-24 10:25:46 ----D---- C:\WINDOWS\ERDNT
2009-05-24 10:16:21 ----D---- C:\Program Files\Trend Micro
2009-05-24 08:54:12 ----D---- C:\Documents and Settings\Eczka\Application Data\Malwarebytes
2009-05-24 08:53:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-24 08:53:38 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-24 02:27:12 ----D---- C:\Qoobox
2009-05-23 19:41:01 ----A---- C:\WINDOWS\system32\resetlog.txt
2009-05-23 19:21:52 ----D---- C:\WINDOWS\pss
2009-05-23 19:04:08 ----D---- C:\Config.Msi

======List of files/folders modified in the last 1 months======

2009-06-10 01:41:43 ----HD---- C:\WINDOWS\system32\drivers
2009-06-10 01:41:43 ----D---- C:\WINDOWS\system32
2009-06-10 01:40:11 ----D---- C:\WINDOWS\system32\CatRoot2
2009-06-10 01:37:55 ----D---- C:\WINDOWS
2009-06-10 01:37:55 ----A---- C:\WINDOWS\system.ini
2009-06-10 01:31:13 ----D---- C:\WINDOWS\AppPatch
2009-06-10 01:31:04 ----D---- C:\Program Files\Common Files
2009-06-10 01:28:09 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-06-10 01:27:29 ----D---- C:\WINDOWS\Prefetch
2009-06-10 01:19:33 ----D---- C:\Program Files\Mozilla Firefox
2009-06-08 11:49:48 ----D---- C:\WINDOWS\system32\Macromed
2009-06-08 02:06:18 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-06-08 02:06:09 ----HD---- C:\WINDOWS\inf
2009-06-07 11:57:11 ----RD---- C:\Program Files
2009-06-05 14:20:17 ----SHD---- C:\WINDOWS\Installer
2009-06-05 14:18:42 ----D---- C:\Program Files\Java
2009-05-29 03:11:53 ----D---- C:\WINDOWS\WinSxS
2009-05-29 03:11:53 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-05-29 02:58:46 ----SD---- C:\WINDOWS\Tasks
2009-05-29 02:54:45 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-29 02:54:45 ----D---- C:\WINDOWS\Help
2009-05-29 02:54:45 ----D---- C:\Program Files\Internet Explorer
2009-05-29 02:54:44 ----D---- C:\WINDOWS\system32\usmt
2009-05-29 02:51:04 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-29 02:50:51 ----A---- C:\WINDOWS\imsins.BAK
2009-05-29 02:50:33 ----D---- C:\WINDOWS\system32\config
2009-05-29 02:50:22 ----D---- C:\WINDOWS\Media
2009-05-29 02:46:12 ----D---- C:\WINDOWS\security
2009-05-29 02:21:28 ----D---- C:\WINDOWS\SoftwareDistribution
2009-05-29 02:04:28 ----D---- C:\WINDOWS\system
2009-05-29 01:49:40 ----RASH---- C:\boot.ini
2009-05-26 02:01:27 ----D---- C:\WINDOWS\Minidump
2009-05-23 21:13:28 ----D---- C:\Program Files\Common Files\ArcSoft
2009-05-23 21:13:28 ----D---- C:\Documents and Settings\All Users\Application Data\ArcSoft
2009-05-23 21:13:07 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-23 21:13:07 ----D---- C:\Documents and Settings\Eczka\Application Data\ArcSoft
2009-05-23 21:06:26 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2009-05-23 21:00:07 ----A---- C:\WINDOWS\win.ini
2009-05-23 19:38:32 ----D---- C:\Documents and Settings\Eczka\Application Data\U3
2009-05-23 19:08:58 ----D---- C:\Program Files\Unwired
2009-05-23 19:08:58 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-05-23 19:08:40 ----D---- C:\Program Files\Google
2009-05-23 19:03:50 ----D---- C:\WINDOWS\system32\Restore
2009-05-23 19:00:53 ----D---- C:\Documents and Settings\Eczka\Application Data\skypePM

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-29 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-29 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-29 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 meiudf;meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [2005-06-02 102384]
R1 SrvcSSIOMngr;SrvcSSIOMngr; C:\WINDOWS\System32\Drivers\SSIoMngr.sys [2004-07-31 6400]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2005-05-14 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2005-05-14 23545]
R1 TPwSav;Common Driver; C:\WINDOWS\System32\Drivers\TPwSav.sys [2005-06-04 9600]
R2 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys [2002-07-17 16877]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2005-04-21 40544]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.10; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2006-06-02 15890]
R2 Netdevio;TOSHIBA Network Device Usermode I/O Protocol; C:\WINDOWS\system32\DRIVERS\netdevio.sys [2003-01-29 12032]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-05-31 25725]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-05-31 34845]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-05-31 4125]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-05-31 2241]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-05-31 86876]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-05-31 15069]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-05-31 6365]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-05-31 98716]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-05-31 100605]
R3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-03-05 1066278]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-04-19 2317504]
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2004-11-15 101874]
R3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2004-12-22 393600]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-07-06 1245696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-11 21060]
R3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
R3 Tvs;Toshiba Virtual Sound with SRS technologies; C:\WINDOWS\system32\DRIVERS\Tvs.sys [2005-04-16 29056]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R4 catchme;catchme; \??\C:\DOCUME~1\Eczka\LOCALS~1\Temp\catchme.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 cmusbnet;WAN Driver @ 3GPP (6280); C:\WINDOWS\system32\DRIVERS\cmusbnet.sys [2007-06-22 87424]
S3 cmusbser;%CMUSBSER%; C:\WINDOWS\system32\DRIVERS\cmusbser.sys [2006-12-13 87040]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 PCASp50;PCASp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\PCASp50.sys [2007-07-13 27072]
S3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2004-06-28 69760]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACS;Atheros Configuration Service; C:\WINDOWS\system32\ACS.exe [2004-12-22 36864]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-29 298776]
R2 CFSvcs;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2005-01-17 40960]
R2 DVD-RAM_Service;DVD-RAM_Service; C:\WINDOWS\system32\DVDRAMSV.exe [2004-08-28 110592]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-06-05 152984]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-05 138168]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-29 89136]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-07-06 376832]

-----------------EOF-----------------

#14 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 09 June 2009 - 08:30 PM

Hi KarolF. Good Job, we got all the baddies. :thumbup2:

Your logs are clean!!! :)

We need to set a new restore point in your system so you can install xpsp3.
:cool:

Step #1.


To set a new restore point in system restore please do the following:

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Step #2.

Your Microsoft Windows installation XPSP2 is out of date!, You need now XPSP3.
Using unpatched Windows systems on the Internet are a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Step #3.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they are not suitable for general malware removal use and could cause damage if launched accidentally they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix and tools used in the removal of malware

Delete ComboFix and Clean Up

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of the next step.. Please visit HERE if you don't know how...Please re-enable them back after performing all steps given.


Click Start > Run and type combofix /u click OK (Note the "space" between combofix and /u) <--- It needs to be there.
Posted Image
Please advise if this step is missed for any reason as it performs some important actions:

"This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".


If you don't plan to use Kaspersky again, then uninstall it through Add/Remove Programs.

You may delete RSIT and any logs that any of the tools produced. Please delete RSIT.exe and the RSIT folder (C:\RSIT).
I recommend keeping ATF, and use Malwarebyte's Anti-Malware to scan your computer regularly.



If you have done all of the above, Your Computer should be Clean of Malware.
CONGRATULATIONS.
:)


Ok...KarolF, I'm not skilled at mincing words but I believe that by now you already figure it out how you got infected. {using P2p (file sharing programs)Maybe ?} So, especially for you I will use my long version of my "All Clean Canned Speech".

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.:

Please take the time to read below to secure your machine and take the necessary steps to keep it Clean, some of the following you may already have, So. just disregard them.
  • Make sure that you keep your anti-virus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your anti-virus program to provide you with the best possible protection from malicious software.
    Note: You should only have one anti-virus installed at a time. Having more than one anti-virus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    You are using Internet Explorer, Therefore please read and follow the recommendations at this SITE
Recommended Programs

To help protect your computer in the future I would recommend the download and installation of some or all of the following free programs (if not already present), and the updating of them on a regular basis:.
  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • McAfee Site Advisor --free version.
    To give you an indication of which sites may contain bad links or suspect downloads. It loads an icon to the taskbar of your browser (versions for IE and Firefox), As you browse, a small button on your browser toolbar changes color based on SiteAdvisor's safety results indicating the trustworthiness of the site you are on. Green for safe and Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site. It also gives the same colour indications in the results page when you do a Google search, making it easier to decide which sites are safe to visit. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. Safety ratings from McAfee SiteAdvisor appear next to search results. Works with Google, Yahoo!, Live Search, AOL or ASK.
    This is a utility that can be downloaded and installed it from: HERE
  • Posted Image ATF Cleaner
    Good temp file cleaner that could do the job safely and without removing files that are crucial to windows.
    Cleans temporary files from IE and Windows, empties the recycle bin and more.
    Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    This is a utility that can be downloaded and installed it from: HERE
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
  • Malwarebytes' Anti-Malware or SuperAntiSpyware
    These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start.
    You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
    You can download SuperAntiSpyware from HERE.
  • Hosts File - Hosts file is one such file that can be used to replace the Hosts file on your computer and help you to avoid accidentally visiting known nasty web sites.
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

    Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
    If this isn't done first, the next reboot may take a VERY LONG TIME.
    This is how to do it. First be sure you are signed in as a user with administrative privileges:

    Stop and Disable the DNS Client Service
    Go to Start, Run and type Services.msc and click OK.
    Under the Extended Tab, Scroll down and find this service.
    DNS Client
    Right-Click on the DNS Client Service. Choose Properties
    Select the General tab. Click on the Stop button.
    Click the Arrow-down tab on the right-hand side at the Start-up Type box.
    From the drop-down menu, click on Manual
    Click the Apply tab, then click OK

    Prevention:
    The Hosts file can be made read only and monitored for changes, or attempted changes. Programs such as >WinPatrol< do this very well.

    Cure:
    If your Hosts file becomes infected, it can be reset by installing >HostsXpert<.
  • Extract (unzip) HostsXpert.zip to a a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Backup regularly.
    You never know when your PC will become unstable or get infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.
    Alternatively, you can use 3rd-party programs to back up your data. It can be found at Bleeping Computer.

  • To stay secure is to stay updated.
    Calendar of Updates.

  • Practice Safe Internet
    One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.

  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
Visit Microsoft's Windows Update Site Frequently

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

To find out more information about how you got infected in the first place? and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this one by Miekiemoes.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

That's it, happy surfing!

Cheers,
Net_Surfer


***If ComboFix tool helped you***, please kindly consider a donation to it's author: Posted Image

Stay clean and be safe :)

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!


:)

I'd be grateful if you could reply to this post so that I know you have read it and if you've no other questions, the thread can be closed.

#15 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 PM

Posted 14 June 2009 - 01:09 AM

:) Bump :)
Hello KarolF. :)
:cool: :)
Are you still there
???
:thumbup2:

If you are please follow the instructions in my previous post, it is real important that you delete Combofix with the uninstall switch so you can have a clean restore point and get rid of the bad ones.

Please continue with the recommendations that I posted in my earlier post.


If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Unfortunately, if I do not hear back from you within 2 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread.


I'd be grateful if you could reply to this post so that I know you have read and executed my last recommendations and if you've no other questions, the thread can be closed.


Kind regards
Net_Surfer

:)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users