
Infected with Unknown Trojan


This topic is locked
34 replies to this topic

#1 wmvs


Posted 30 July 2009 - 08:37 AM

Referred from: http://www.bleepingcomputer.com/forums/t/243529/pc-is-drawing-a-ton-of-bandwidth-trojan/ ~ OB

We have a PC at our office running XP that is pulling more bandwidth from our network than any other PC. Every time we run Malware or Ad-Aware or Spybot it comes up that a Trojan is in the computer. When this computer is plugged in to the network, none of our other computers run well; we can't access the internet quickly at all. When we unplug it, every other computer runs fine. We remove the trojan, but it comes back. I don't know how to get it out. Can someone help us? Thanks.

Here is our DDS log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 9:28:18.07 on Thu 07/30/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.140 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Seiko Instruments USA Inc\Smart Label Printer 6.9\slpcap.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: : {d8e324af-1ce6-41c2-95f5-a906d9d3cb3f} - c:\windows\system32\apmndxl.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartc~1.lnk - c:\program files\seiko instruments usa inc\smart label printer 6.9\slpcap.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147437388031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} - hxxp://67.18.204.35/activex/vogweb29.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: novoheqm - apmndxl.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7crv2w8y.default\

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-28 64160]
R0 plvblkfq;plvblkfq;c:\windows\system32\drivers\plvblkfq.sys [2004-8-4 23424]
R1 MultiCam;MultiCam for Picolo;c:\windows\system32\drivers\multicam.sys [2007-3-2 196186]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 DLPortIO;DLPortIO;c:\windows\system32\drivers\DLPORTIO.sys [2005-3-10 3584]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-27 09:50 2,324 a------- c:\windows\system32\tmp.reg
2009-07-27 09:45 --d----- c:\windows\system32\appmgmt
2009-07-24 07:46 0 a------- c:\documents and settings\administrator\settings.dat
2009-07-23 11:13 --d----- c:\documents and settings\administrator\DoctorWeb
2009-07-22 16:17 --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-07-22 12:12 --d----- c:\program files\Trend Micro
2009-07-22 09:24 --d----- C:\VundoFix Backups
2009-07-20 16:25 217 a------- c:\windows\system32\MRT.INI

==================== Find3M ====================

2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-24 09:25 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll

============= FINISH: 9:28:54.39 ===============


Edited by Orange Blossom, 30 July 2009 - 04:51 PM.




#2 syler


Posted 07 August 2009 - 07:07 PM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

My name is Syler, and I will be helping you to solve your malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks



#3 wmvs


Posted 10 August 2009 - 08:28 AM

MBAM LOG:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/10/2009 9:16:35 AM
mbam-log-2009-08-10 (09-16-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 159695
Time elapsed: 27 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d8e324af-1ce6-41c2-95f5-a906d9d3cb3f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\novoheqm (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d8e324af-1ce6-41c2-95f5-a906d9d3cb3f} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\apmndxl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\sarin\Local Settings\Temp\wJQs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


log.txt:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-08-10 09:22:00
Microsoft Windows XP Professional Service Pack 3
System drive C: has 30 GB (79%) free of 38 GB
Total RAM: 447 MB (44% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:22:03, on 8/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Seiko Instruments USA Inc\Smart Label Printer 6.9\slpcap.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: (no name) - {D8E324AF-1CE6-41C2-95F5-A906D9D3CB3F} - c:\windows\system32\apmndxl.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartCapture.lnk = C:\Program Files\Seiko Instruments USA Inc\Smart Label Printer 6.9\slpcap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147437388031
O16 - DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} (VOGWeb2 Class) - http://67.18.204.35/activex/vogweb29.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Schmidt.com
O17 - HKLM\Software\..\Telephony: DomainName = Schmidt.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Schmidt.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Schmidt.com
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: novoheqm - C:\WINDOWS\SYSTEM32\apmndxl.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 6543 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
UberButton Class - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 181352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}]
YahooTaggedBM Class - C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 115832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-16 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll [2009-06-26 669168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-04-30 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8E324AF-1CE6-41C2-95F5-A906D9D3CB3F}]
c:\windows\system32\apmndxl.dll [2004-08-04 103936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-16 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-01-08 65536]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 282624]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-06-01 257088]
"zBrowser Launcher"=C:\Program Files\Logitech\iTouch\iTouch.exe [2001-12-20 204800]
"EM_EXEC"=C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE [2001-12-20 35328]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-06-29 520024]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-10-21 50472]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-09-27 68856]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
SmartCapture.lnk - C:\Program Files\Seiko Instruments USA Inc\Smart Label Printer 6.9\slpcap.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\novoheqm]
C:\WINDOWS\system32\apmndxl.dll [2004-08-04 103936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Disabled:mIRC"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-08-10 09:22:00 ----D---- C:\rsit
2009-07-30 03:00:40 ----HDC---- C:\WINDOWS\$NtUninstallKB972260$
2009-07-29 11:29:00 ----A---- C:\rapport1.txt
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\VCCLSID.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\VACFix.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\swxcacls.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\swsc.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\swreg.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\SrchSTS.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\Process.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\o4Patch.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\IEDFix.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\IEDFix.C.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\dumphive.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\404Fix.exe
2009-07-27 09:50:31 ----A---- C:\WINDOWS\system32\tmp.txt
2009-07-27 09:49:56 ----A---- C:\rapport.txt
2009-07-27 09:45:18 ----D---- C:\WINDOWS\system32\appmgmt
2009-07-24 07:59:08 ----A---- C:\RootRepeal.txt
2009-07-24 07:53:28 ----A---- C:\RootRepeal report 07-24-09 (07-53-28).txt
2009-07-23 09:02:23 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-22 16:17:55 ----D---- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-22 12:12:30 ----D---- C:\Program Files\Trend Micro
2009-07-22 09:24:24 ----A---- C:\VundoFix.txt
2009-07-22 09:24:23 ----D---- C:\VundoFix Backups
2009-07-20 16:25:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-20 16:25:27 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-20 16:25:05 ----A---- C:\WINDOWS\system32\MRT.INI
2009-07-20 16:23:38 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$

======List of files/folders modified in the last 1 months======

2009-08-10 09:19:53 ----RD---- C:\Program Files
2009-08-10 09:19:53 ----D---- C:\WINDOWS\system32\drivers
2009-08-10 09:19:10 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-10 09:16:35 ----D---- C:\WINDOWS\system32
2009-08-10 08:45:48 ----D---- C:\WINDOWS\Prefetch
2009-08-10 08:45:47 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-30 09:30:33 ----D---- C:\WINDOWS\Temp
2009-07-30 09:27:09 ----D---- C:\WINDOWS
2009-07-30 03:00:50 ----HD---- C:\WINDOWS\inf
2009-07-30 03:00:45 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-30 03:00:21 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-30 03:00:18 ----SHD---- C:\WINDOWS\Installer
2009-07-30 03:00:17 ----D---- C:\WINDOWS\WinSxS
2009-07-29 11:13:58 ----D---- C:\Program Files\Common Files\PC Tools
2009-07-29 10:15:50 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-28 09:18:20 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-28 09:18:10 ----D---- C:\Program Files\Mozilla Firefox
2009-07-27 09:45:54 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-07-27 09:42:27 ----SD---- C:\WINDOWS\Tasks
2009-07-23 08:57:18 ----D---- C:\Program Files\SUPERAntiSpyware
2009-07-22 16:17:21 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-07-22 12:03:18 ----A---- C:\WINDOWS\WININIT.INI
2009-07-22 09:42:46 ----SHD---- C:\WINDOWS\CSC
2009-07-21 12:52:26 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-21 11:10:53 ----D---- C:\WINDOWS\system32\Restore
2009-07-20 16:26:06 ----A---- C:\WINDOWS\imsins.BAK
2009-07-18 12:05:06 ----A---- C:\WINDOWS\system32\shdocvw.dll
2009-07-18 12:05:06 ----A---- C:\WINDOWS\system32\mshtml.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 MultiCam;MultiCam for Picolo; C:\WINDOWS\System32\Drivers\multicam.sys [2004-05-12 196186]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SiSkp;SiSkp; C:\WINDOWS\system32\drivers\srvkp.sys [2004-08-05 12416]
R2 DLPortIO;DLPortIO; \??\C:\WINDOWS\system32\drivers\DLPortIO.sys []
R2 hardlock;hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
R2 Haspnt;Haspnt; \??\C:\WINDOWS\system32\drivers\Haspnt.sys []
R3 akshasp;Aladdin HASP Key; C:\WINDOWS\system32\DRIVERS\akshasp.sys [2005-07-20 327808]
R3 aksusb;Aladdin USB Key; C:\WINDOWS\system32\DRIVERS\aksusb.sys [2005-07-20 100096]
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-11 391424]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-01-09 601100]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 itchfltr;iTouch Keyboard Filter; C:\WINDOWS\system32\DRIVERS\itchfltr.sys [2001-12-17 10496]
R3 l8042pr2;Logitech PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042Pr2.sys [2001-12-19 50990]
R3 LKbdFlt2;Logitech Keyboard Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LKbdFlt2.sys [2001-12-19 5838]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.sys [2001-12-19 67694]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2004-08-05 220672]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2004-08-03 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-20 1029456]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-06-01 501312]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-30 182768]
S3 WMConnectCDS;Windows Media Connect Service; C:\Program Files\Windows Media Connect 2\wmccds.exe [2005-10-06 855552]

-----------------EOF-----------------

info.txt:
info.txt logfile of random's system information tool 1.06 2009-08-10 09:22:06

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM 6-->C:\Program Files\AIM6\uninst.exe
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
DiaVision-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8E06D61B-8730-4E1A-8F5E-30BF76F8FA6D}\setup.exe"
Euresys MultiCam for Picolo 3.8.2-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FDAA0C93-1247-40C1-8950-08BED9D6290C}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes-->MsiExec.exe /I{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}
Logitech iTouch Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{036AA4D4-6D32-11D4-9875-00105ACE7734}\setup.exe" -l0x9 UNINSTALL
Logitech MouseWare 9.42 .1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Logitech User's Guide-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CBE0FCA1-4E95-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 UNINSTALL
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
QuickTime-->MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
SiS 651_661FX_741_760_760GX_M661FX_M661MX_M741_M760_M760GX-->Rundll32 SiSInst.dll,Uninstall VGA,R
Smart Label Printer 6.9-->MsiExec.exe /I{EE798051-986A-474A-AD4F-466504373187}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Web Viewer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{536BF792-7C08-4633-8ED4-28889630FC8C}\setup.exe"
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Yahoo! Browser Services-->C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! extras-->C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Hosts File======

127.0.0.1 localhost
::1 localhost
91.212.65.122 antiwareprotect.com
91.212.65.122 www.antiwareprotect.com

======System event log======

Computer Name: SARIN
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

Record Number: 86034
Source Name: W32Time
Time Written: 20090615083518.000000-240
Event Type: error
User:

Computer Name: SARIN
Event Code: 14
Message: The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 30 minutes.

Record Number: 86033
Source Name: W32Time
Time Written: 20090615083518.000000-240
Event Type: warning
User:

Computer Name: SARIN
Event Code: 40961
Message: The Security System could not establish a secured connection with the server DNS/dns1.tcmsp.net. No authentication protocol was available.

Record Number: 86014
Source Name: LSASRV
Time Written: 20090615082028.000000-240
Event Type: warning
User:

Computer Name: SARIN
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Record Number: 86011
Source Name: W32Time
Time Written: 20090615082007.000000-240
Event Type: error
User:

Computer Name: SARIN
Event Code: 14
Message: The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Record Number: 86010
Source Name: W32Time
Time Written: 20090615082007.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: SARIN
Event Code: 1053
Message: Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Record Number: 8242
Source Name: Userenv
Time Written: 20080619090828.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: SARIN
Event Code: 15
Message: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Record Number: 8241
Source Name: AutoEnrollment
Time Written: 20080619082330.000000-240
Event Type: error
User:

Computer Name: SARIN
Event Code: 15
Message: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Record Number: 8240
Source Name: AutoEnrollment
Time Written: 20080619002330.000000-240
Event Type: error
User:

Computer Name: SARIN
Event Code: 15
Message: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Record Number: 8239
Source Name: AutoEnrollment
Time Written: 20080618162330.000000-240
Event Type: error
User:

Computer Name: SARIN
Event Code: 1053
Message: Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Record Number: 8238
Source Name: Userenv
Time Written: 20080618082904.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=0401
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:45 AM

Posted 10 August 2009 - 06:10 PM

Hi wmvs,

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Next

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8E324AF-1CE6-41C2-95F5-A906D9D3CB3F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\novoheqm]
    :Files
    c:\windows\system32\apmndxl.dll
    :Commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Next

Download the HostsXpert
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Next

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Then please post back here with the following:
  • OTM results
  • Gmer log
  • New Rsit log
Thanks

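Added example, not code from the post or from any of the tools it names: a small Python audit of a Windows hosts file of the kind shown in the info.txt "Hosts File" section above. It reports every mapping that is not the stock localhost entry and distinguishes a redirect to a routable address (as with antiwareprotect.com in the log) from a name sunk to loopback. The sample hosts text is constructed from the log's entries plus one made-up blocking entry (update.example-av.invalid).

```python
"""Audit a hosts file for entries that are not the default localhost lines.

Added example (not part of the forum post). Parses hosts-file text the way
the info.txt "Hosts File" section shows it and flags anything beyond the
stock loopback mapping, which is what the "Restore Microsoft's Hosts file"
step in the reply undoes.
"""
import ipaddress

# A stock Windows hosts file maps only "localhost" to the loopback addresses.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs; '#' comments and blank lines are skipped.

    One hosts line may carry several names for the same address, so each
    name becomes its own pair. Hostnames are lower-cased for comparison.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def audit_hosts(text):
    """Return findings as (ip, hostname, reason) for every non-default entry.

    reason is one of:
      "redirect" - the name resolves to a routable address, so whoever
                   wrote the entry controls where that site's traffic goes
                   (the antiwareprotect.com lines in the log are this case);
      "block"    - the name is sunk to loopback or 0.0.0.0, a common way of
                   stopping security vendors' update sites from resolving.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        if is_loopback(ip) or ip == "0.0.0.0":
            findings.append((ip, name, "block"))
        else:
            findings.append((ip, name, "redirect"))
    return findings


# Constructed sample: the four lines from the info.txt "Hosts File" section,
# a comment line, and one made-up blocking entry to exercise both reasons.
SAMPLE_HOSTS = """\
# sample comment line
127.0.0.1 localhost
::1 localhost
91.212.65.122 antiwareprotect.com
91.212.65.122 www.antiwareprotect.com
127.0.0.1 update.example-av.invalid   # constructed: sinks an updater name
"""

if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason:8s} {name} -> {ip}")
```

On a live system the same function can be fed the contents of %SystemRoot%\system32\drivers\etc\hosts; a clean file yields an empty list.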


#5 wmvs

wmvs
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 11 August 2009 - 08:46 AM

Here are the results. I'd like to try to fix it if possible.

OTM log:
All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8E324AF-1CE6-41C2-95F5-A906D9D3CB3F}\ scheduled to be deleted on reboot.
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8E324AF-1CE6-41C2-95F5-A906D9D3CB3F}\ .
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\novoheqm\ scheduled to be deleted on reboot.
========== FILES ==========
LoadLibrary failed for c:\windows\system32\apmndxl.dll
c:\windows\system32\apmndxl.dll NOT unregistered.
File move failed. c:\windows\system32\apmndxl.dll scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 807696 bytes
->Temporary Internet Files folder emptied: 6528124 bytes
->FireFox cache emptied: 30966178 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: sarin
File delete failed. C:\Documents and Settings\sarin\Local Settings\Temp\Temporary Internet Files\Content.IE5\4ZC1M7WB\activity;src=1361547;met=1;v=1;pid=37605611;aid=215634449;ko=0;cid=31895745;rid=31913621;rv=1;&timestamp=1245690743250;eid1=2;ecn1=1;etm1=4;eid2=12;ecn2=1;etm2=0;eid3=11;ec[1].gif scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sarin\Local Settings\Temp\Temporary Internet Files\Content.IE5\4ZC1M7WB\CA6S2ZYL._loaded%26p%3Dnews%26f%3D2023729941%26l%3DLREC%26en%3Dutf-8%26rn%3D1245700964140%26inlinePos%3DLREC%26em%3D%257B%2522site-attribute%2522%253A%2522content%253D%2527&r=0 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sarin\Local Settings\Temp\Temporary Internet Files\Content.IE5\4ZC1M7WB\CAU50PE7._loaded%26p%3Dnews%26f%3D2023881111%26l%3DLREC%26en%3Dutf-8%26rn%3D1245694856515%26inlinePos%3DLREC%26em%3D%257B%2522site-attribute%2522%253A%2522content%253D%2527&r=0 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sarin\Local Settings\Temp\Temporary Internet Files\Content.IE5\4ZC1M7WB\click,5jBaAL3PBwDu0CUAdz0LAAIAKAAAAP8AAAACDwIAAgKTrgEApgAQAAA[2].com%2Fa%3Ff%3D2023882115%26p%3Dnews%26l%3Dlrec2%26c%3Dh%26at%3Dcontent%253d%2522no_expandable%2522,;ord=1245694591 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sarin\Local Settings\Temp\Temporary Internet Files\Content.IE5\49EN878R\click,VaUDAL6zBADuSQsAqOcDAAIAFmQAAP8AAAAFDwIABgOMrgEAr0sFAMHdBQAAAAAAAAAAAAAAAAAAAAAAAAAAALE.I0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t7b9gvq%2FM%3D619213[2] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sarin\Local Settings\Temp\Temporary Internet Files\Content.IE5\49EN878R\click,VaUDAOWzBAANwQwAgdsDAAIAVmQAAP8AAAAFEAIABgKMrgEA580FAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALtUI0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14t8j3ge1%2FM%3D619213[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sarin\Local Settings\Temp\Temporary Internet Files\Content.IE5\49EN878R\click,WaUDAKq5BABQBgoA5msDAAIA3AAAAP8AAAAFDgIAAgKTrgEAaDAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABozI0gAAAAA,http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D14ur9fr1j%2FM%3D619213[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\sarin\Local Settings\Temp\Temporary Internet Files\Content.IE5\496R0HMF\click,VaUDADq4BABgVgoA-AgDAAIAJmQAAP8AAAAFDgIAAgKMrgEAs6kEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJvoPkgAAAAA,http%3A%2F%2Fus.ard.yahoo[2].rand%3D6b3biea4bkn39,;ord=1212082331 scheduled to be deleted on reboot.
->Temp folder emptied: 221652529 bytes
->Temporary Internet Files folder emptied: 166041095 bytes
->FireFox cache emptied: 62258516 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2172065 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 815091 bytes
RecycleBin emptied: 469715 bytes

Total Files Cleaned = 469.00 mb


OTM by OldTimer - Version 3.0.0.6 log created on 08112009_075949

GMER log:
GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-11 09:44:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF773887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7738BFE]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F71EE16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F71EDFC2

Code 84F1A500 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 3D 805683FA 7 Bytes JMP 84FD75F0

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\svchost.exe[3376] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[3384] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] CB8401C7
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 4CE90043
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560001D0
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [0043CB84] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01D03EE8
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] D3BDE856
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 5D10C483
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 01D8B9E8
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 021F05E8
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] 0DE8F075
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830001CF
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E80043CB
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001D70
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] B7E8C68B
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C200021F
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] CB9006C7
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] BAE80043
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000022
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] A0E95ECE
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 830001CF
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 72102479
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 10418B04
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 10418DC3
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] F18B56C3
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFFCDE8
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 07740108
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] D309E856
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 9C01C700
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E90043CB
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFFFAE
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] C7F18B56
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 43CB9C06
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] FFA0E800
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 44F6FFFF
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 74010824
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] DCE85607
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 590001D2
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] C25EC68B
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 046A0004
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 436A8DB8
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 1E5CE800
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F18B0002
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8BF07589
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 0001CED7
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 570CC783
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] C70C4E8D
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 43CB9006
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 1CC2E800
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C68B0000
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 021F09E8
IAT C:\WINDOWS\System32\svchost.exe[3376] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0004C200
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] CB8401C7
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 4CE90043
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560001D0
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [0043CB84] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01D03EE8
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] D3BDE856
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 5D10C483
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 01D8B9E8
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 021F05E8
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] 0DE8F075
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830001CF
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E80043CB
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001D70
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] B7E8C68B
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C200021F
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] CB9006C7
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] BAE80043
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000022
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] A0E95ECE
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 830001CF
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 72102479
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 10418B04
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 10418DC3
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] F18B56C3
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFFCDE8
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 07740108
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] D309E856
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 9C01C700
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E90043CB
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFFFAE
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] C7F18B56
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 43CB9C06
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] FFA0E800
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 44F6FFFF
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 74010824
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] DCE85607
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 590001D2
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] C25EC68B
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 046A0004
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 436A8DB8
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 1E5CE800
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F18B0002
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8BF07589
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 0001CED7
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 570CC783
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] C70C4E8D
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 43CB9006
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 1CC2E800
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C68B0000
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 021F09E8
IAT C:\WINDOWS\System32\svchost.exe[3384] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0004C200

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [84EF4984] NDIS.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\aksusb \Device\00000063 AKSCLASS.SYS (Aladdin Class Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\system32\dllcache\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 182912/182656 bytes executable

---- EOF - GMER 1.0.15 ----

RSIT log:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-08-11 09:44:35
Microsoft Windows XP Professional Service Pack 3
System drive C: has 31 GB (80%) free of 38 GB
Total RAM: 447 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:44:37, on 8/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: (no name) - {D8E324AF-1CE6-41C2-95F5-A906D9D3CB3F} - c:\windows\system32\apmndxl.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [OTM] "C:\Documents and Settings\Administrator\Desktop\OTM.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartCapture.lnk = C:\Program Files\Seiko Instruments USA Inc\Smart Label Printer 6.9\slpcap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147437388031
O16 - DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} (VOGWeb2 Class) - http://67.18.204.35/activex/vogweb29.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Schmidt.com
O17 - HKLM\Software\..\Telephony: DomainName = Schmidt.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Schmidt.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Schmidt.com
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: novoheqm - C:\WINDOWS\SYSTEM32\apmndxl.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 6116 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
UberButton Class - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 181352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}]
YahooTaggedBM Class - C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 115832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-16 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll [2009-06-26 669168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-04-30 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8E324AF-1CE6-41C2-95F5-A906D9D3CB3F}]
c:\windows\system32\apmndxl.dll [2004-08-04 103936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-16 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-01-08 65536]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 282624]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-06-01 257088]
"zBrowser Launcher"=C:\Program Files\Logitech\iTouch\iTouch.exe [2001-12-20 204800]
"EM_EXEC"=C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE [2001-12-20 35328]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-06-29 520024]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"OTM"=C:\Documents and Settings\Administrator\Desktop\OTM.exe [2009-08-11 408064]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-10-21 50472]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-09-27 68856]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
SmartCapture.lnk - C:\Program Files\Seiko Instruments USA Inc\Smart Label Printer 6.9\slpcap.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\novoheqm]
C:\WINDOWS\system32\apmndxl.dll [2004-08-04 103936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Disabled:mIRC"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-08-11 07:59:49 ----D---- C:\_OTM
2009-08-11 07:58:58 ----D---- C:\WINDOWS\ERDNT
2009-08-11 07:58:22 ----D---- C:\Program Files\ERUNT
2009-08-10 09:22:00 ----D---- C:\rsit
2009-07-30 03:00:40 ----HDC---- C:\WINDOWS\$NtUninstallKB972260$
2009-07-29 11:29:00 ----A---- C:\rapport1.txt
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\VCCLSID.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\VACFix.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\swxcacls.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\swsc.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\swreg.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\SrchSTS.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\Process.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\o4Patch.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\IEDFix.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\IEDFix.C.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\dumphive.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2009-07-29 11:12:49 ----A---- C:\WINDOWS\system32\404Fix.exe
2009-07-27 09:50:31 ----A---- C:\WINDOWS\system32\tmp.txt
2009-07-27 09:49:56 ----A---- C:\rapport.txt
2009-07-27 09:45:18 ----D---- C:\WINDOWS\system32\appmgmt
2009-07-24 07:59:08 ----A---- C:\RootRepeal.txt
2009-07-24 07:53:28 ----A---- C:\RootRepeal report 07-24-09 (07-53-28).txt
2009-07-23 09:02:23 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-22 16:17:55 ----D---- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-22 12:12:30 ----D---- C:\Program Files\Trend Micro
2009-07-22 09:24:24 ----A---- C:\VundoFix.txt
2009-07-22 09:24:23 ----D---- C:\VundoFix Backups
2009-07-20 16:25:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-20 16:25:27 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-20 16:25:05 ----A---- C:\WINDOWS\system32\MRT.INI
2009-07-20 16:23:38 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$

======List of files/folders modified in the last 1 months======

2009-08-11 08:25:18 ----D---- C:\WINDOWS\Prefetch
2009-08-11 08:07:02 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-11 08:06:49 ----D---- C:\WINDOWS\Temp
2009-08-11 08:06:49 ----D---- C:\WINDOWS\system32
2009-08-11 08:06:49 ----D---- C:\WINDOWS
2009-08-11 07:58:22 ----RD---- C:\Program Files
2009-08-11 07:57:31 ----D---- C:\Program Files\Mozilla Firefox
2009-08-10 09:19:53 ----D---- C:\WINDOWS\system32\drivers
2009-08-10 08:45:47 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-30 03:00:50 ----HD---- C:\WINDOWS\inf
2009-07-30 03:00:45 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-30 03:00:21 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-30 03:00:18 ----SHD---- C:\WINDOWS\Installer
2009-07-30 03:00:17 ----D---- C:\WINDOWS\WinSxS
2009-07-29 11:13:58 ----D---- C:\Program Files\Common Files\PC Tools
2009-07-29 10:15:50 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-28 09:18:20 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-27 09:45:54 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-07-27 09:42:27 ----SD---- C:\WINDOWS\Tasks
2009-07-23 08:57:18 ----D---- C:\Program Files\SUPERAntiSpyware
2009-07-22 16:17:21 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-07-22 12:03:18 ----A---- C:\WINDOWS\WININIT.INI
2009-07-22 09:42:46 ----SHD---- C:\WINDOWS\CSC
2009-07-21 12:52:26 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-21 11:10:53 ----D---- C:\WINDOWS\system32\Restore
2009-07-20 16:26:06 ----A---- C:\WINDOWS\imsins.BAK
2009-07-18 12:05:06 ----A---- C:\WINDOWS\system32\shdocvw.dll
2009-07-18 12:05:06 ----A---- C:\WINDOWS\system32\mshtml.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 MultiCam;MultiCam for Picolo; C:\WINDOWS\System32\Drivers\multicam.sys [2004-05-12 196186]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SiSkp;SiSkp; C:\WINDOWS\system32\drivers\srvkp.sys [2004-08-05 12416]
R2 DLPortIO;DLPortIO; \??\C:\WINDOWS\system32\drivers\DLPortIO.sys []
R2 hardlock;hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
R2 Haspnt;Haspnt; \??\C:\WINDOWS\system32\drivers\Haspnt.sys []
R3 akshasp;Aladdin HASP Key; C:\WINDOWS\system32\DRIVERS\akshasp.sys [2005-07-20 327808]
R3 aksusb;Aladdin USB Key; C:\WINDOWS\system32\DRIVERS\aksusb.sys [2005-07-20 100096]
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-11 391424]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-01-09 601100]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 itchfltr;iTouch Keyboard Filter; C:\WINDOWS\system32\DRIVERS\itchfltr.sys [2001-12-17 10496]
R3 l8042pr2;Logitech PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042Pr2.sys [2001-12-19 50990]
R3 LKbdFlt2;Logitech Keyboard Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LKbdFlt2.sys [2001-12-19 5838]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.sys [2001-12-19 67694]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2004-08-05 220672]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2004-08-03 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 aujasnkj;aujasnkj; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-20 1029456]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-30 182768]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-06-01 501312]
S3 WMConnectCDS;Windows Media Connect Service; C:\Program Files\Windows Media Connect 2\wmccds.exe [2005-10-06 855552]

-----------------EOF-----------------

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:45 AM

Posted 11 August 2009 - 08:58 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#7 wmvs

wmvs
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 11 August 2009 - 12:22 PM

ComboFix log:
ComboFix 09-08-10.06 - Administrator 08/11/2009 13:10.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.140 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\combofix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1659004503-963894560-725345543-1003
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\apmndxl.dll
c:\windows\system32\drivers\plvblkfq.sys
c:\windows\system32\drivers\wrdzxwlc.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\hhwrmmhv.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\mnuosyl.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PLVBLKFQ
-------\Service_plvblkfq


((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.

2009-08-11 11:59 . 2009-08-11 11:59 -------- d-----w- C:\_OTM
2009-08-11 11:58 . 2009-08-11 11:58 -------- d-----w- c:\program files\ERUNT
2009-08-10 13:22 . 2009-08-10 13:22 -------- d-----w- C:\rsit
2009-08-10 12:45 . 2009-08-10 12:45 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-24 11:46 . 2009-07-24 11:46 0 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-07-23 15:13 . 2009-07-23 15:13 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-22 20:21 . 2009-07-27 14:04 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-22 20:17 . 2009-07-22 20:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-22 16:12 . 2009-07-22 16:12 -------- d-----w- c:\program files\Trend Micro
2009-07-22 13:24 . 2009-07-23 14:50 -------- d-----w- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 12:45 . 2009-04-28 14:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 17:36 . 2009-04-28 14:51 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-04-28 14:51 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 15:13 . 2009-04-28 13:55 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-28 13:18 . 2009-04-28 13:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-27 13:45 . 2007-02-26 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-23 12:57 . 2007-09-19 13:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-22 20:17 . 2007-09-19 13:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-20 13:25 . 2009-06-22 13:20 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-20 13:25 . 2009-06-22 13:20 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-20 13:25 . 2009-06-22 13:20 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-20 13:25 . 2009-06-22 13:20 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-07-02 17:06 . 2009-04-27 12:42 -------- d-sh--w- c:\documents and settings\sarin\Application Data\lowsec
2009-06-29 13:36 . 2009-06-22 13:20 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-29 13:36 . 2009-06-22 13:20 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-29 13:36 . 2009-06-22 13:20 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-29 13:35 . 2009-06-22 13:20 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-29 13:35 . 2009-06-02 13:17 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-29 13:29 . 2009-06-02 13:17 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-29 13:28 . 2009-06-02 13:17 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-29 13:28 . 2009-06-22 13:20 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-29 13:28 . 2009-06-22 13:20 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-29 13:27 . 2009-06-22 13:20 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-29 13:27 . 2009-06-22 13:20 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-29 13:26 . 2009-06-22 13:20 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-29 13:25 . 2009-06-22 13:20 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-26 16:50 . 2004-08-04 07:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 07:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-24 13:25 . 2004-08-04 07:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-16 14:36 . 2004-08-04 07:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 07:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 07:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 13:17 . 2009-06-02 13:17 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
.

------- Sigcheck -------

[-] 2004-08-04 07:00 182656 1DF7F42665C94B825322FAE71721130D c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-06-24 13:25 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\ndis.sys
[-] 2009-06-24 13:25 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-27 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2001-12-20 204800]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-12-20 35328]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-01-08 65536]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SmartCapture.lnk - c:\program files\Seiko Instruments USA Inc\Smart Label Printer 6.9\slpcap.exe [2008-10-29 58720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/28/2009 9:17 AM 64160]
R1 MultiCam;MultiCam for Picolo;c:\windows\system32\drivers\multicam.sys [3/2/2007 12:55 PM 196186]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 DLPortIO;DLPortIO;c:\windows\system32\drivers\DLPORTIO.sys [3/10/2005 1:21 PM 3584]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PLVBLKFQ
*Deregistered* - plvblkfq

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
aucjcohu
.
Contents of the 'Scheduled Tasks' folder

2009-08-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 13:27]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} - hxxp://67.18.204.35/activex/vogweb29.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7crv2w8y.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 13:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Logitech\iTouch\KbdTray.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-08-11 13:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-11 17:18

Pre-Run: 31,978,102,784 bytes free
Post-Run: 31,895,519,232 bytes free

188 --- E O F --- 2009-07-30 07:00

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:45 AM

Posted 11 August 2009 - 01:58 PM

Hi wmvs,

Can you run Gmer again please, and post back with the results and a new Rsit log.

Thanks

Edited by syler, 11 August 2009 - 02:00 PM.



#9 wmvs

wmvs
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 12 August 2009 - 07:58 AM

GMER:
GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-12 08:42:55
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? plvblkfq.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\combofix\catchme.sys The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- System - GMER 1.0.15 ----

Code 84F63500 pIofCallDriver

Device \Driver\NDIS \Device\Ndis [84F1D984] NDIS.sys[.reloc]
Device \Driver\aksusb \Device\00000064 AKSCLASS.SYS (Aladdin Class Driver/Aladdin Knowledge Systems Ltd.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1928] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[2644] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F19F616D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F19F5FC2

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF776887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7768BFE]

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\system32\dllcache\ndis.sys (size mismatch) 212224/182656 bytes executable
File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 182912/182656 bytes executable

---- EOF - GMER 1.0.15 ----


RSIT:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-08-12 08:43:06
Microsoft Windows XP Professional Service Pack 3
System drive C: has 30 GB (80%) free of 38 GB
Total RAM: 447 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:43:08, on 8/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Seiko Instruments USA Inc\Smart Label Printer 6.9\slpcap.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartCapture.lnk = C:\Program Files\Seiko Instruments USA Inc\Smart Label Printer 6.9\slpcap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147437388031
O16 - DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} (VOGWeb2 Class) - http://67.18.204.35/activex/vogweb29.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Schmidt.com
O17 - HKLM\Software\..\Telephony: DomainName = Schmidt.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Schmidt.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Schmidt.com
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 6546 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
UberButton Class - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 181352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}]
YahooTaggedBM Class - C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 115832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-16 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll [2009-06-26 669168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-04-30 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-16 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-01-08 65536]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 282624]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-06-01 257088]
"zBrowser Launcher"=C:\Program Files\Logitech\iTouch\iTouch.exe [2001-12-20 204800]
"EM_EXEC"=C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE [2001-12-20 35328]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-06-29 520024]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-10-21 50472]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-09-27 68856]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
SmartCapture.lnk - C:\Program Files\Seiko Instruments USA Inc\Smart Label Printer 6.9\slpcap.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-08-12 07:52:20 ----SHD---- C:\RECYCLER
2009-08-11 13:19:00 ----D---- C:\WINDOWS\temp
2009-08-11 13:18:58 ----A---- C:\ComboFix.txt
2009-08-11 13:05:27 ----A---- C:\Boot.bak
2009-08-11 13:05:23 ----RASHD---- C:\cmdcons
2009-08-11 13:03:06 ----A---- C:\WINDOWS\zip.exe
2009-08-11 13:03:06 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-11 13:03:06 ----A---- C:\WINDOWS\SWSC.exe
2009-08-11 13:03:06 ----A---- C:\WINDOWS\SWREG.exe
2009-08-11 13:03:06 ----A---- C:\WINDOWS\sed.exe
2009-08-11 13:03:06 ----A---- C:\WINDOWS\PEV.exe
2009-08-11 13:03:06 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-11 13:03:06 ----A---- C:\WINDOWS\grep.exe
2009-08-11 13:02:52 ----D---- C:\Qoobox
2009-08-11 07:59:49 ----D---- C:\_OTM
2009-08-11 07:58:58 ----D---- C:\WINDOWS\ERDNT
2009-08-11 07:58:22 ----D---- C:\Program Files\ERUNT
2009-08-10 09:22:00 ----D---- C:\rsit
2009-07-30 03:00:40 ----HDC---- C:\WINDOWS\$NtUninstallKB972260$
2009-07-29 11:29:00 ----A---- C:\rapport1.txt
2009-07-27 09:50:31 ----A---- C:\WINDOWS\system32\tmp.txt
2009-07-27 09:49:56 ----A---- C:\rapport.txt
2009-07-27 09:45:18 ----D---- C:\WINDOWS\system32\appmgmt
2009-07-24 07:59:08 ----A---- C:\RootRepeal.txt
2009-07-24 07:53:28 ----A---- C:\RootRepeal report 07-24-09 (07-53-28).txt
2009-07-23 09:02:23 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-22 16:17:55 ----D---- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-22 12:12:30 ----D---- C:\Program Files\Trend Micro
2009-07-22 09:24:24 ----A---- C:\VundoFix.txt
2009-07-22 09:24:23 ----D---- C:\VundoFix Backups
2009-07-20 16:25:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-20 16:25:27 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-20 16:25:05 ----A---- C:\WINDOWS\system32\MRT.INI
2009-07-20 16:23:38 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$

======List of files/folders modified in the last 1 months======

2009-08-12 07:51:49 ----D---- C:\WINDOWS\Prefetch
2009-08-11 13:20:49 ----D---- C:\Program Files\Mozilla Firefox
2009-08-11 13:19:01 ----D---- C:\WINDOWS\system32\drivers
2009-08-11 13:19:01 ----D---- C:\WINDOWS\system32
2009-08-11 13:19:00 ----D---- C:\WINDOWS
2009-08-11 13:18:05 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-11 13:15:45 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-11 13:15:40 ----A---- C:\WINDOWS\system.ini
2009-08-11 13:13:54 ----D---- C:\WINDOWS\system32\config
2009-08-11 13:12:32 ----D---- C:\WINDOWS\AppPatch
2009-08-11 13:12:30 ----D---- C:\Program Files\Common Files
2009-08-11 13:05:27 ----RASH---- C:\boot.ini
2009-08-11 13:03:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-11 13:03:05 ----SHD---- C:\System Volume Information
2009-08-11 13:03:05 ----D---- C:\WINDOWS\system32\Restore
2009-08-11 07:58:22 ----RD---- C:\Program Files
2009-08-10 08:45:47 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-30 03:00:50 ----HD---- C:\WINDOWS\inf
2009-07-30 03:00:18 ----SHD---- C:\WINDOWS\Installer
2009-07-30 03:00:17 ----D---- C:\WINDOWS\WinSxS
2009-07-29 11:13:58 ----D---- C:\Program Files\Common Files\PC Tools
2009-07-29 10:15:50 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-28 09:18:20 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-27 09:45:54 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-07-27 09:42:27 ----SD---- C:\WINDOWS\Tasks
2009-07-23 08:57:18 ----D---- C:\Program Files\SUPERAntiSpyware
2009-07-22 16:17:21 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-07-22 12:03:18 ----A---- C:\WINDOWS\WININIT.INI
2009-07-22 09:42:46 ----SHD---- C:\WINDOWS\CSC
2009-07-21 12:52:26 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-20 16:26:06 ----A---- C:\WINDOWS\imsins.BAK
2009-07-18 12:05:06 ----A---- C:\WINDOWS\system32\shdocvw.dll
2009-07-18 12:05:06 ----A---- C:\WINDOWS\system32\mshtml.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 MultiCam;MultiCam for Picolo; C:\WINDOWS\System32\Drivers\multicam.sys [2004-05-12 196186]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SiSkp;SiSkp; C:\WINDOWS\system32\drivers\srvkp.sys [2004-08-05 12416]
R2 DLPortIO;DLPortIO; \??\C:\WINDOWS\system32\drivers\DLPortIO.sys []
R2 hardlock;hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
R2 Haspnt;Haspnt; \??\C:\WINDOWS\system32\drivers\Haspnt.sys []
R3 akshasp;Aladdin HASP Key; C:\WINDOWS\system32\DRIVERS\akshasp.sys [2005-07-20 327808]
R3 aksusb;Aladdin USB Key; C:\WINDOWS\system32\DRIVERS\aksusb.sys [2005-07-20 100096]
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-11 391424]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-01-09 601100]
R3 catchme;catchme; \??\C:\combofix\catchme.sys []
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 itchfltr;iTouch Keyboard Filter; C:\WINDOWS\system32\DRIVERS\itchfltr.sys [2001-12-17 10496]
R3 l8042pr2;Logitech PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042Pr2.sys [2001-12-19 50990]
R3 LKbdFlt2;Logitech Keyboard Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LKbdFlt2.sys [2001-12-19 5838]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.sys [2001-12-19 67694]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2004-08-05 220672]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2004-08-03 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 aujasnkj;aujasnkj; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-20 1029456]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-06-01 501312]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-30 182768]
S3 WMConnectCDS;Windows Media Connect Service; C:\Program Files\Windows Media Connect 2\wmccds.exe [2005-10-06 855552]

-----------------EOF-----------------

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:45 AM

Posted 12 August 2009 - 11:25 AM

wmvs,

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Then

Please click this link-->Jotti
When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\drivers\ndis.sys

Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


#11 wmvs

wmvs
  • Topic Starter

  • Members
  • 32 posts
  • Local time:10:45 PM

Posted 12 August 2009 - 01:46 PM

I've tried uploading the file with IE and Firefox; with both programs, and on both sites, the upload freezes about 75% of the way through. I've tried it multiple times to no avail. Is there another program I can use to scan this specific file? I'll keep trying and post if I somehow get it uploaded.

At the same time, when I try this, this computer pulls all the bandwidth and I can barely log onto those sites.

I've tried uploading other files and they work fine. Could it be that this file is in use??

Edited by wmvs, 12 August 2009 - 01:54 PM.


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:45 AM

Posted 12 August 2009 - 06:14 PM

Please go to the Malware Upload Channel and upload the following file.
  • Please enter the link to the topic in the text box next to: Link to topic where this file was requested:
  • Then click "Browse" on the line below and navigate to the following file:

    C:\WINDOWS\system32\drivers\ndis.sys

  • In the comment section, please make a note that I asked you to upload the file here: Syler
  • Click Send File
Please let me know when the submission has finished. Thanks.


#13 wmvs

wmvs
  • Topic Starter

  • Members
  • 32 posts
  • Local time:10:45 PM

Posted 13 August 2009 - 07:26 AM

I've tried multiple times now to upload the file to the Malware Upload Channel. It just won't do it. The file is under 200k, but just won't upload anywhere. I've tried Jotti and Virustotal a number of times as well and it still freezes when it reaches about 80% on Jotti and 65% on Virustotal. When trying to upload it to the Malware Channel it starts and then after about 4 minutes the page stops.

Is there a possibility that this file has some code in it that won't allow it to be copied elsewhere? Can I replace it with another ndis file? This is so frustrating.

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:45 AM

Posted 13 August 2009 - 07:59 AM

It is possible that it is being blocked from uploading. Can you try booting into safe mode with networking and then uploading it?


#15 wmvs

wmvs
  • Topic Starter

  • Members
  • 32 posts
  • Local time:10:45 PM

Posted 13 August 2009 - 09:03 AM

I tried using safe mode; that wouldn't work. As a matter of fact, I tried uploading the ndis.sys file from one of our good PCs to virustotal/jotti and it didn't work either. Maybe there's something on our network blocking it. I also tried sending it in an email file from myself, to myself; also didn't work. Is there a program (or programs) I can download to analyze this specific file?

EDIT: Now I tried it again from another PC and it did work. Interestingly enough, the ndis file on the bad PC is 178K. When trying to upload it to virustotal, it shows that it is trying to upload 204K. The ndis on the good PC that I was able to upload states that it is 178K, and when uploading also shows that it is 178K. Weird.

Edited by wmvs, 13 August 2009 - 09:07 AM.
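The size discrepancy wmvs describes here (and the GMER "size mismatch" entries for ndis.sys above) is the kind of thing a defender can check offline on a copy of the file. The example below is added here and is not code from the thread, from GMER, or from any of the tools named in it: it parses a PE file's section table to compute how many bytes the headers account for and reports anything appended past the last section. The sample PE it builds is constructed for the demonstration; the thread does not establish that the infected ndis.sys looked like this, only that two sizes were reported for it.

```python
"""
Added example, not code from the thread or from GMER: estimate how many bytes
of a PE file (such as a Windows driver) the section table accounts for, and
flag anything appended past the last section. GMER lists ndis.sys with two
sizes (212224/182656); this check is one thing a defender can run offline on
a copy of such a file. The sample PE built below is constructed for the demo.
"""
import struct

SECTION_HEADER_LEN = 40
FILE_ALIGNMENT = 512          # alignment used by the constructed sample


def _align(n: int, a: int) -> int:
    return -(-n // a) * a


def expected_size_from_sections(data: bytes) -> int:
    """Return the file offset just past the last section's raw data.

    Raises ValueError if the buffer is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + size_opt         # first IMAGE_SECTION_HEADER
    end = sect_table + num_sections * SECTION_HEADER_LEN
    if end > len(data):
        raise ValueError("section table runs past end of file")
    for i in range(num_sections):
        hdr = sect_table + i * SECTION_HEADER_LEN
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in the header
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_bytes(data: bytes) -> int:
    """Bytes present on disk but not covered by any section (the 'overlay')."""
    return len(data) - expected_size_from_sections(data)


def analyze(data: bytes) -> dict:
    """Summarise actual size, header-implied size and overlay for a PE buffer."""
    expected = expected_size_from_sections(data)
    return {
        "actual": len(data),
        "expected": expected,
        "overlay": len(data) - expected,
        "suspicious": len(data) > expected,
    }


def build_sample_pe(section_sizes, overlay: bytes = b"") -> bytes:
    """Construct a minimal PE32 image with the given section sizes.

    Header fields not needed by the size check are left zeroed. This is a
    constructed sample, not a real driver.
    """
    num = len(section_sizes)
    e_lfanew, size_opt = 64, 224
    headers_len = _align(e_lfanew + 4 + 20 + size_opt + num * SECTION_HEADER_LEN,
                         FILE_ALIGNMENT)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, size_opt, 0x0102)
    opt = b"\0" * size_opt
    sections, body, ptr = b"", b"", headers_len
    for i, size in enumerate(section_sizes):
        raw = _align(size, FILE_ALIGNMENT)
        name = (".s%d" % i).encode().ljust(8, b"\0")
        sections += name + struct.pack("<IIIIIIHHI", size, 0x1000 * (i + 1),
                                       raw, ptr, 0, 0, 0, 0, 0x60000020)
        body += b"\x90" * raw
        ptr += raw
    headers = (dos + b"PE\0\0" + coff + opt + sections).ljust(headers_len, b"\0")
    return headers + body + overlay


if __name__ == "__main__":
    clean = build_sample_pe([1000, 3000])
    # 212224 - 182656 = 29568 bytes, the gap between GMER's two figures
    padded = build_sample_pe([1000, 3000], overlay=b"X" * 29568)
    for label, blob in (("clean", clean), ("with overlay", padded)):
        print(label, analyze(blob))
```

To use it on a real file, read the bytes from a copy of the driver and pass them to `analyze`; a non-zero overlay is a reason to hash the file and compare it against a known-good copy (for example the one in dllcache), not proof of infection on its own.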
