Hijack This log - Getting IE redirects, blocked sites


This topic is locked
8 replies to this topic

#1 ibcolder
  • Members
  • 18 posts

Posted 02 August 2009 - 04:47 AM

Hi, please help...The machine is running XP Home, SP3.

As it says in the topic, I'm getting IE redirects, and it's blocking Ad-Aware updates, thus I installed the Anniversary Edition, but it only ran once. Couldn't even download it on said machine.
It was worse before I ran spybot S&D from Ultimate Boot CD v3.50/XP-SP3. After installing Ad-Aware, and rebooting, I ran LSPFIX, which got rid of CLSP.dll (Layered Service Provider). At that point, I had gotten AVG on, and it was able to update. But it keeps coming up with trojan dropper messages, and browsing is being redirected. AVG can't seem to kill it, whatever it is.

Here's the hijack this log on it to see what's left to clean up -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:54 AM, on 8/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Kaiser\VPN Client\cvpnd.exe
C:\Program Files\1208_Fiberlink\Fgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} (ISiteNonVisual Control 3.3) - http://10.228.84.192/iSite3_3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E4894E3-F918-4387-973C-6F945664DE02}: NameServer = 85.255.112.166,206.13.28.12,85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.166,85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.166,85.255.112.67
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.166,85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.166,85.255.112.67
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Kaiser\VPN Client\cvpnd.exe
O23 - Service: FGR Service - Fiberlink Communications Corporation - C:\Program Files\1208_Fiberlink\Fgrd.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Windows OLE (WinOLE) - Unknown owner - C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\service.exe (file missing)

--
End of file - 6900 bytes

Please let me know what to do next... I await your response... thanks for your being here to advise.
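The HijackThis log above is a flat text file with one entry per line, and most of the triage in a thread like this comes down to a few line types: O17 entries whose NameServer values are not the resolvers the network is supposed to use, entries that end in "(file missing)" (orphaned registrations), and O4/O23 autostarts or services whose binary lives somewhere odd such as a RECYCLER folder or with no recorded vendor. The following script is an added example, not code from the original post or from HijackThis, that applies those checks to a handful of constructed sample lines in the same format. The allowlist of trusted resolvers (192.168.1.1) is a placeholder assumption; a real run would substitute the resolvers the ISP or administrator actually configured.

```python
import re
from collections import Counter

# Constructed sample: a few lines in the format HijackThis emits, in the
# same line types a helper would look at first when triaging a log.
SAMPLE_LOG = r"""
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.166,85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E4894E3-F918-4387-973C-6F945664DE02}: NameServer = 85.255.112.166,206.13.28.12,85.255.112.67
O23 - Service: Microsoft Windows OLE (WinOLE) - Unknown owner - C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\service.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section code such as R1, O2, O17, O23.
SECTION_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([0-9.,\s]+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Placeholder assumption: the resolver(s) this network is actually meant to use.
# Replace with the ISP or corporate resolvers you know to be correct.
TRUSTED_NAMESERVERS = {"192.168.1.1"}


def parse_line(line):
    """Split one log line into (section code, remainder); None for non-entries."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def triage(log_text, trusted=TRUSTED_NAMESERVERS):
    """Return a list of (rule, reason, line) findings for the suspicious entry types."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, rest = parsed
        line = raw.strip()

        # An entry that still points at a deleted file is a leftover registration
        # worth cleaning up, whatever put it there.
        if "(file missing)" in rest:
            findings.append(("orphaned-entry", "points at a file that no longer exists", line))

        # O17: any resolver not on the allowlist means DNS is being answered by
        # a host the owner did not choose, which is how browser redirects happen.
        if section == "O17":
            m = NAMESERVER_RE.search(rest)
            if m:
                ips = [p.strip() for p in m.group(1).split(",") if p.strip()]
                unexpected = [ip for ip in ips if IPV4_RE.match(ip) and ip not in trusted]
                if unexpected:
                    findings.append(("dns-hijack", "unexpected resolver(s): " + ", ".join(unexpected), line))

        # O4/O23: autostarts and services should not run from scratch folders.
        if section in {"O4", "O23"}:
            lowered = rest.lower()
            if "\\recycler\\" in lowered or "\\temp\\" in lowered:
                findings.append(("odd-location", "autostart/service binary lives in a scratch folder", line))

        # O23 with no vendor string deserves a second look on its own.
        if section == "O23" and "Unknown owner" in rest:
            findings.append(("unsigned-service", "service with no recorded vendor", line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'dns-hijack': 2, ...}."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for rule, why, line in results:
        print(f"[{rule}] {why}\n    {line}")
    print(summarize(results))
```

On the sample above the script reports both "(file missing)" entries, both O17 lines (every listed resolver is off the placeholder allowlist), and the RECYCLER-hosted service twice (odd location plus unknown owner); a clean line such as the Bonjour service produces nothing. The rules are deliberately conservative string checks so that the output is a list of lines to look at, not a verdict.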

#2 schrauber (Mr.Mechanic)
  • Malware Response Team
  • 24,794 posts
  • Location: Munich, Germany

Posted 02 August 2009 - 02:38 PM

Hello ibcolder and welcome to the BleepingComputer.com! :thumbup2:

I will be helping you today. :)

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please give me some time to analyse your logs, I will be back shortly.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 schrauber (Mr.Mechanic)
  • Malware Response Team
  • 24,794 posts
  • Location: Munich, Germany

Posted 03 August 2009 - 10:56 AM

Hello ibcolder, and again welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.



Step 1
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.



Step 2

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.






Please post back with:
  • Both RSIT-Logfiles
  • Gmer-Logfile

regards,
schrauber


#4 ibcolder (Topic Starter)
  • Members
  • 18 posts

Posted 04 August 2009 - 02:11 AM

Hello Tom, and thanks for the help! Here are the logfiles in the order requested -

Both RSIT-Logfiles

RSIT Info;
info.txt logfile of random's system information tool 1.06 2009-08-03 20:14:04

======Uninstall list======

-->"C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\WinOLE.EXE" -uninstall
-->"C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S /R
-->"C:\Program Files\SBC Yahoo!\umuninst.exe" /S
-->C:\PROGRA~1\Yahoo!\common\unybase.exe
-->C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
-->C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\yhexbmes.dll
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
Adobe Download Manager 2.0 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe® Photoshop® Album Starter Edition 3.0.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9618743-1A5C-461E-91C4-E013A3D70F3C}\Setup.exe" -l0x9
Adobe® Photoshop® Album Starter Edition 3.0-->MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
APA PERRLA-->C:\WINDOWS\unvise32.exe C:\PERRLA\uninstal.log
Apple Mobile Device Support-->MsiExec.exe /I{AFA20D47-69C3-4030-8DF8-D37466E70F13}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BCM V.92 56K Modem-->C:\WINDOWS\BCMSMU.exe quiet
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
BookSmart™ 1.9.9 1.9.9-->C:\Program Files\BookSmart\uninstall.exe
Canon Camera Window for ZoomBrowser EX-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2D6BDF3A-6BDB-4169-909F-E882F23AB795}
Canon IXY 320, PowerShot S230, IXUS v3 WIA Driver-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{B8CD1189-53D6-4C51-8082-14B812EABBA8}
Canon MP Navigator EX 1.0-->"C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Canon MX310 series-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series /L0x0009
Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon PhotoRecord-->C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\Canon\PhotoRecord\Uninst.isu -c"C:\PROGRA~1\Canon\PhotoRecord\Program\uninstdll.dll"
Canon Utilities Easy-PhotoPrint EX-->C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities FileViewerUtility 1.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0627E8E9-6822-4A5E-9225-286741CDC3E4}
Canon Utilities PhotoStitch 3.1-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A3E0FF15-90D5-40CD-8565-B80A433B0D4C}
Canon Utilities RemoteCapture 2.6-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{B08894AF-D523-46B1-9B9B-2DA6B29CDD23}
Canon Utilities Solution Menu-->C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Dell Digital Jukebox Driver-->C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DING!-->MsiExec.exe /X{84031A18-BA9A-4156-A74F-E05B52DDFCE2}
DivX Player-->C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Player\uninstal.log
DivX Pro Codec Adware-->C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Pro Codec Adware\UninstalDivXProCodecAdware.log
Easy CD Creator 5 Basic-->MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Fiberlink Global Remote-->MsiExec.exe /X{309172B9-7B5C-4A1C-A0AB-C145D46CB781}
Flash Track Uninstall-->"c:\Program Files\Ftk\uninst.exe"
FotoAlbum 3.4.1-->"C:\Program Files\FotoTime\unins000.exe"
FotoTime FotoAlbum Pro-->MsiExec.exe /I{7FF37D98-A8A1-4C24-860B-C0D20E601A6E}
FTP Commander-->C:\Program Files\FTP Commander\uninstall.exe
GenoPro-->C:\Program Files\GenoPro\Uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
InstallMgr-->MsiExec.exe /I{98177940-C048-4831-A279-F3888B1E2C7F}
Intel® PRO Ethernet Adapter and Software-->Prounstl.exe
iPod for Windows 2005-03-23-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} /l1033
iTunes-->MsiExec.exe /I{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}
Java™ 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
Lotus Notes-->C:\WINDOWS\IsUninst.exe -fc:\lotus\notes\Uninst.isu
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Default Manager-->MsiExec.exe /I{B7148D71-0A8F-4501-96B4-4E1CC67F874E}
Microsoft Office PowerPoint Viewer 2003-->MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Picture It! Photo 7.0-->MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE132}
Microsoft Search Enhancement Pack-->MsiExec.exe /I{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 2003 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2003\Setup\Launcher.exe E:\
Microsoft Works 7.0-->MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{7EE9DE0D-9228-4C33-B80E-FDD1773600DF}
Mocha W32 TN3270-->C:\WINDOWS\mtn3270uninstall.exe
MSN Toolbar-->"C:\Program Files\Microsoft\Search Enhancement Pack\InstallMgr\InstallMgr.exe"
MSN Toolbar-->MsiExec.exe /X{B6EF6DCE-078E-4952-A7FA-352A9C349EB0}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Personal Ancestral File 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D94A8E22-DF2B-4107-9E51-608A60A7671D}\Setup.exe"
PhotoRescue WIZARD Demo 2.0.557-->"C:\Program Files\PhotoRescue WIZARD\unins000.exe"
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Quick 3270-->C:\PROGRA~1\Menu\Programs\QUICK3~1\UNINSTAL.EXE C:\PROGRA~1\Menu\Programs\QUICK3~1\INSTALL.LOG
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
SBC Yahoo! Applications-->C:\Program Files\SBC Yahoo!\UninstallManager.exe
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sierra Utilities-->C:\Program Files\Sierra On-Line\sutil32.exe uninstall
Sound Blaster Live!-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}\SETUP.EXE" -l0x9
Spybot - Search & Destroy 1.3-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.3-->"C:\Program Files\SpywareBlaster\unins000.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
ViewSonic Monitor Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
VPN Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\setup.exe" -l0x9 VpnUninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XoftSpySE-->C:\Program Files\XoftSpySE\uninstall.exe
Yahoo! Browser Services-->C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Search Protection-->C:\PROGRA~1\Yahoo!\SEARCH~1\UNINST~1.EXE
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe
ZiO SmartMedia Adapter Ver 2.00 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0C4BCAD9-DFD8-11D3-A9EA-00C0F6410581}\setup.exe" -L0x9

======Hosts File======

127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: RONALD-RM8BDCAA
Event Code: 10000
Message: Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}.
The error:
"%2"
Happened while starting this command:
C:\PROGRA~1\Yahoo!\browser\ycommon.exe -Embedding

Record Number: 104357
Source Name: DCOM
Time Written: 20090523174859.000000-420
Event Type: error
User: RONALD-RM8BDCAA\Janelle

Computer Name: RONALD-RM8BDCAA
Event Code: 10000
Message: Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}.
The error:
"%2"
Happened while starting this command:
C:\PROGRA~1\Yahoo!\browser\ycommon.exe -Embedding

Record Number: 104356
Source Name: DCOM
Time Written: 20090523174805.000000-420
Event Type: error
User: RONALD-RM8BDCAA\Janelle

Computer Name: RONALD-RM8BDCAA
Event Code: 10000
Message: Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}.
The error:
"%2"
Happened while starting this command:
C:\PROGRA~1\Yahoo!\browser\ycommon.exe -Embedding

Record Number: 104355
Source Name: DCOM
Time Written: 20090523174650.000000-420
Event Type: error
User: RONALD-RM8BDCAA\Janelle

Computer Name: RONALD-RM8BDCAA
Event Code: 10000
Message: Unable to start a DCOM Server: {601AC3DC-786A-4EB0-BF40-EE3521E70BFB}.
The error:
"%2"
Happened while starting this command:
rundll32.exe shell32.dll,SHCreateLocalServerRunDll {601ac3dc-786a-4eb0-bf40-ee3521e70bfb} -Embedding

Record Number: 104354
Source Name: DCOM
Time Written: 20090523174452.000000-420
Event Type: error
User: RONALD-RM8BDCAA\Janelle

Computer Name: RONALD-RM8BDCAA
Event Code: 10000
Message: Unable to start a DCOM Server: {9FC8AD10-2E1B-45BE-B57A-478803561E1F}.
The error:
"%2"
Happened while starting this command:
C:\PROGRA~1\Yahoo!\browser\ycommon.exe -Embedding

Record Number: 104353
Source Name: DCOM
Time Written: 20090523174450.000000-420
Event Type: error
User: RONALD-RM8BDCAA\Janelle

=====Application event log=====

Computer Name: RONALD-RM8BDCAA
Event Code: 0
Message:
Record Number: 21916
Source Name: Service
Time Written: 20071130103549.000000-480
Event Type: error
User:

Computer Name: RONALD-RM8BDCAA
Event Code: 4618
Message: The COM+ Event System raised an unexpected access violation at address 0x774FDF0B, attempting to access address 0x00000038. Please contact Microsoft Product Support Services to report this error.
ole32!StringFromGUID2+0x109
ole32!StringFromGUID2+0x98
ole32!StringFromCLSID+0x215
ole32!StringFromCLSID+0x38f
RPCRT4!IUnknown_Release_Proxy+0x11
es!DllGetClassObject+0x33ca
es!DllGetClassObject+0x3b06
YahooMessenger!+0x152954
MSVCR71!_cexit+0xb
ntdll!LdrInitializeThunk+0x29
ntdll!LdrShutdownProcess+0x142
kernel32!IsValidLocale+0x8eb
kernel32!ExitProcess+0x14
kernel32!ValidateLocale+0x1346

Record Number: 21911
Source Name: EventSystem
Time Written: 20071127113635.000000-480
Event Type: error
User:

Computer Name: RONALD-RM8BDCAA
Event Code: 1000
Message: Faulting application yahoomessenger.exe, version 8.1.0.249, faulting module yvoicesm.dll, version 1.0.201.1, fault address 0x0007555f.

Record Number: 21910
Source Name: Application Error
Time Written: 20071127113631.000000-480
Event Type: error
User:

Computer Name: RONALD-RM8BDCAA
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.


Record Number: 21907
Source Name: crypt32
Time Written: 20071125213600.000000-480
Event Type: error
User:

Computer Name: RONALD-RM8BDCAA
Event Code: 0
Message:
Record Number: 21901
Source Name: Service
Time Written: 20071125212745.000000-480
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

RSIT Log:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Ronald at 2009-08-03 20:13:43
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 9 GB (16%) free of 57 GB
Total RAM: 767 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:59 PM, on 8/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Kaiser\VPN Client\cvpnd.exe
C:\Program Files\1208_Fiberlink\Fgrd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ronald\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ronald.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} (ISiteNonVisual Control 3.3) - http://10.228.84.192/iSite3_3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E4894E3-F918-4387-973C-6F945664DE02}: NameServer = 85.255.112.166,206.13.28.12,85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.166,85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.166,85.255.112.67
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.166,85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.166,85.255.112.67
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Kaiser\VPN Client\cvpnd.exe
O23 - Service: FGR Service - Fiberlink Communications Corporation - C:\Program Files\1208_Fiberlink\Fgrd.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Microsoft Windows OLE (WinOLE) - Unknown owner - C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\service.exe (file missing)

--
End of file - 7999 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Windows Critical Update Notification.job
C:\WINDOWS\tasks\XoftSpy.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2007-10-19 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-08-01 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2004-05-12 744960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 198136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5EDB03AF-0341-4e96-9E9B-3171522E4BAF}]
FlashEnhancer Ext - c:\Program Files\Fla\fla.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll [2009-01-14 92504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
MSN Toolbar Helper - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll [2009-02-09 82768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-02 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-08-02 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2007-10-19 817936]
{1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - MSN Toolbar - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll [2009-02-09 82768]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"=C:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 57344]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2007-06-08 224248]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-04-14 644696]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-03-04 1603152]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-08-01 2000152]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-02 148888]
"Microsoft Default Manager"=C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [2009-02-03 233304]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe [2002-04-10 679936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
C:\Documents and Settings\Ronald\Application Data\eetu.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aykJVM]
C:\documents and settings\ronald\local settings\temp\aykJVM.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe [2002-04-03 135264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EJ4kf]
C:\documents and settings\janelle\local settings\temp\EJ4kf.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FtkCPY]
C:\Program Files\Common Files\Java\ftkcpy.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoldenFTPserver]
C:\Program Files\Golden FTP Server\GoldenFTPServer.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2002-07-16 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p]
C:\documents and settings\janelle\local settings\temp\p.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picsvr]
C:\WINDOWS\system32\picsvr\picsvr.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvs_b]
C:\program files\tvs\tvs_b.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncer]
C:\PROGRA~1\VBouncer\VirtualBouncer.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
\mcvsshld.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2007-03-27 4670968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kaiser VPN Client.lnk]
C:\PROGRA~1\Kaiser\VPNCLI~1\IPSECD~1.EXE [2002-09-03 1269836]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~4\Office10\OSA.EXE -b -l []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TFTP1116]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTP1116 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ronald^Start Menu^Programs^Startup^Internet Explorer.lnk]
C:\PROGRA~1\INTERN~1\iexplore.exe [2008-04-14 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-01 11952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"NoDriveTypeAutoRun"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE"="C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe"="C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe:*:Enabled:Yahoo! FT Server"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\browser\ybrowser.exe"="C:\Program Files\Yahoo!\browser\ybrowser.exe:*:Enabled:Yahoo! Browser"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a2bf35e-e85d-11da-b75f-0007e9d6255a}]
shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a2bf35f-e85d-11da-b75f-0007e9d6255a}]
shell\AutoRun\command - K:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe
shell\open\command - K:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a974464-0b64-11de-b8b3-0007e9d6255a}]
shell\AutoRun\command - F:\LaunchU3.exe


======List of files/folders created in the last 1 months======

2009-08-03 20:13:43 ----D---- C:\rsit
2009-08-03 03:04:38 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-08-03 03:03:26 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-08-02 09:33:23 ----D---- C:\Program Files\Microsoft
2009-08-02 09:33:00 ----D---- C:\WINDOWS\Sun
2009-08-02 09:31:52 ----A---- C:\WINDOWS\system32\javaws.exe
2009-08-02 09:31:52 ----A---- C:\WINDOWS\system32\javaw.exe
2009-08-02 09:31:52 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-08-02 09:31:51 ----A---- C:\WINDOWS\system32\java.exe
2009-08-02 09:31:31 ----D---- C:\Program Files\Java
2009-08-02 09:29:22 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2009-08-02 09:28:51 ----D---- C:\Documents and Settings\Ronald\Application Data\Sun
2009-08-01 08:52:45 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-08-01 02:08:16 ----D---- C:\Program Files\Trend Micro
2009-08-01 01:29:50 ----HDC---- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-01 01:29:32 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-08-01 00:52:01 ----HD---- C:\$AVG8.VAULT$
2009-08-01 00:50:30 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-08-01 00:49:55 ----D---- C:\Program Files\AVG
2009-08-01 00:49:54 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-08-01 00:00:21 ----D---- C:\WINDOWS\Prefetch
2009-07-31 23:56:54 ----HDC---- C:\WINDOWS\$NtUninstallKB972260$
2009-07-31 23:56:45 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-31 23:56:36 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-07-31 23:56:19 ----HDC---- C:\WINDOWS\$NtUninstallKB969897$
2009-07-31 23:56:11 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-07-31 23:56:02 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-07-31 23:55:49 ----HDC---- C:\WINDOWS\$NtUninstallKB963027$
2009-07-31 23:55:42 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-07-31 23:55:35 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-07-31 23:55:27 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-31 23:55:20 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-07-31 23:55:10 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2009-07-31 23:55:01 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-07-31 23:54:54 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-07-31 23:54:43 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-07-31 23:54:28 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-07-31 23:54:16 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-07-31 23:54:14 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2009-07-31 23:54:14 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2009-07-31 23:54:14 ----D---- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
2009-07-31 23:54:13 ----D---- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
2009-07-31 23:53:59 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2009-07-31 23:53:51 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-07-31 23:53:44 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-07-31 23:53:35 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-07-31 23:53:26 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-07-31 23:53:18 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-07-31 23:53:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-07-31 23:52:50 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
2009-07-31 23:52:37 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-07-31 23:52:30 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-07-31 23:52:22 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-07-31 23:52:11 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
2009-07-31 23:52:02 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-07-31 23:51:55 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-07-31 23:51:42 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-07-31 23:51:32 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-07-31 23:51:21 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-07-31 23:51:12 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-07-31 23:50:59 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-07-31 23:50:49 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-07-31 23:50:41 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-07-31 23:50:32 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-07-31 23:50:20 ----HDC---- C:\WINDOWS\$NtUninstallKB950759$
2009-07-31 23:50:13 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-07-31 23:50:07 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-07-31 23:49:59 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-07-31 23:44:32 ----N---- C:\WINDOWS\system32\msxml6r.dll
2009-07-31 23:44:31 ----A---- C:\WINDOWS\system32\msxml6.dll
2009-07-31 23:44:03 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2009-07-31 23:44:03 ----N---- C:\WINDOWS\system32\azroles.dll
2009-07-31 23:44:03 ----N---- C:\WINDOWS\system32\aaclient.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3ui.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3svc.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3msm.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3api.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dimsroam.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\credssp.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eapsvc.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eapqec.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eappprxy.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eapphost.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eappgnui.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eappcfg.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eapolqec.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\kmsvc.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\kbdpash.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\napstat.exe
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\napmontr.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\napipsec.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\mssha.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\mmcperf.exe
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\mmcex.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\qutil.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\qcliprov.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\qagentrt.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\qagent.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\onex.dll
2009-07-31 23:43:57 ----N---- C:\WINDOWS\system32\tspkg.dll
2009-07-31 23:43:57 ----N---- C:\WINDOWS\system32\tsgqec.dll
2009-07-31 23:43:57 ----N---- C:\WINDOWS\system32\setupn.exe
2009-07-31 23:43:57 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2009-07-31 23:43:57 ----N---- C:\WINDOWS\system32\rasqec.dll
2009-07-31 23:43:56 ----N---- C:\WINDOWS\system32\wmphoto.dll
2009-07-31 23:43:56 ----N---- C:\WINDOWS\system32\wlanapi.dll
2009-07-31 23:43:56 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2009-07-31 23:43:56 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2009-07-31 23:43:55 ----N---- C:\WINDOWS\system32\xmllite.dll
2009-07-31 23:43:54 ----D---- C:\WINDOWS\system32\scripting
2009-07-31 23:43:54 ----D---- C:\WINDOWS\system32\en-us
2009-07-31 23:43:51 ----D---- C:\WINDOWS\l2schemas
2009-07-31 23:43:50 ----D---- C:\WINDOWS\system32\en
2009-07-31 23:38:41 ----D---- C:\WINDOWS\network diagnostic
2009-07-31 23:36:16 ----A---- C:\WINDOWS\003376_.tmp
2009-07-31 19:52:07 ----D---- C:\WINDOWS\SxsCaPendDel
2009-07-29 03:00:25 ----HDC---- C:\WINDOWS\$NtUninstallKB972260_0$
2009-07-28 08:01:09 ----D---- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2009-07-25 21:52:20 ----D---- C:\Documents and Settings\Ronald\Application Data\AVG8
2009-07-25 20:56:10 ----D---- C:\Program Files\NoAdware
2009-07-15 06:18:43 ----A---- C:\WINDOWS\system32\ESQULacbqkbfrwimnalfrqewlctwfvdavpaiv.dll
2009-07-15 03:02:18 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-15 03:02:06 ----HDC---- C:\WINDOWS\$NtUninstallKB971633_0$
2009-07-15 03:01:50 ----HDC---- C:\WINDOWS\$NtUninstallKB961371_0$

======List of files/folders modified in the last 1 months======

2009-08-03 20:09:52 ----HD---- C:\WINDOWS\inf
2009-08-03 20:09:34 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-03 18:18:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-03 17:59:02 ----AD---- C:\WINDOWS\Temp
2009-08-03 17:40:24 ----D---- C:\WINDOWS\system32
2009-08-03 17:40:24 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-03 17:38:35 ----AD---- C:\WINDOWS
2009-08-03 03:04:46 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-03 03:03:57 ----A---- C:\WINDOWS\imsins.BAK
2009-08-03 03:02:31 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-03 01:13:16 ----D---- C:\Program Files\1208_Fiberlink
2009-08-02 18:25:49 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-02 17:13:05 ----AC---- C:\WINDOWS\system32\fwlog.txt
2009-08-02 09:33:55 ----SHD---- C:\WINDOWS\Installer
2009-08-02 09:33:26 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-08-02 09:33:23 ----AD---- C:\Program Files
2009-08-02 09:32:12 ----D---- C:\Program Files\MSN
2009-08-01 10:22:45 ----AC---- C:\WINDOWS\OEWABLog.txt
2009-08-01 08:52:46 ----D---- C:\WINDOWS\WinSxS
2009-08-01 04:31:36 ----D---- C:\WINDOWS\system32\drivers
2009-08-01 03:16:55 ----D---- C:\Program Files\Ftk
2009-08-01 02:05:54 ----HD---- C:\Documents and Settings\All Users\Application Data\wsxs
2009-08-01 01:29:32 ----D---- C:\Program Files\Lavasoft
2009-08-01 00:49:44 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-08-01 00:46:47 ----D---- C:\Documents and Settings\Ronald\Application Data\U3
2009-08-01 00:00:28 ----AC---- C:\WINDOWS\setuplog.txt
2009-07-31 23:59:51 ----D---- C:\WINDOWS\system32\Setup
2009-07-31 23:59:51 ----D---- C:\WINDOWS\ime
2009-07-31 23:59:51 ----D---- C:\WINDOWS\AppPatch
2009-07-31 23:59:51 ----D---- C:\Program Files\Internet Explorer
2009-07-31 23:59:50 ----D---- C:\WINDOWS\system32\wbem
2009-07-31 23:59:48 ----RSD---- C:\WINDOWS\Fonts
2009-07-31 23:59:05 ----D---- C:\WINDOWS\security
2009-07-31 23:50:14 ----D---- C:\Program Files\Messenger
2009-07-31 23:44:33 ----D---- C:\WINDOWS\ServicePackFiles
2009-07-31 23:44:30 ----D---- C:\Program Files\Windows Media Player
2009-07-31 23:44:27 ----D---- C:\WINDOWS\Help
2009-07-31 23:43:54 ----D---- C:\WINDOWS\system32\usmt
2009-07-31 23:43:50 ----D---- C:\WINDOWS\system32\bits
2009-07-31 23:43:50 ----D---- C:\WINDOWS\PeerNet
2009-07-31 23:43:50 ----D---- C:\Program Files\Movie Maker
2009-07-31 23:41:22 ----D---- C:\WINDOWS\system32\Restore
2009-07-31 23:41:22 ----D---- C:\WINDOWS\system32\npp
2009-07-31 23:41:21 ----D---- C:\WINDOWS\msagent
2009-07-31 23:41:19 ----D---- C:\WINDOWS\srchasst
2009-07-31 23:41:18 ----D---- C:\Program Files\NetMeeting
2009-07-31 23:41:17 ----D---- C:\WINDOWS\system32\Com
2009-07-31 23:41:13 ----D---- C:\Program Files\Windows NT
2009-07-31 23:41:13 ----D---- C:\Program Files\Outlook Express
2009-07-31 23:41:09 ----D---- C:\Program Files\Common Files\System
2009-07-31 23:40:43 ----D---- C:\WINDOWS\system32\oobe
2009-07-31 23:40:41 ----D---- C:\WINDOWS\system
2009-07-31 23:38:23 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-31 23:35:53 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-07-31 23:35:07 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-07-31 23:30:29 ----D---- C:\WINDOWS\EHome
2009-07-31 19:51:52 ----AD---- C:\Program Files\Common Files
2009-07-31 16:18:33 ----SHD---- C:\RECYCLER
2009-07-31 15:15:46 ----SD---- C:\WINDOWS\Tasks
2009-07-31 14:34:13 ----RASH---- C:\boot.ini
2009-07-28 16:21:10 ----D---- C:\PERRLA
2009-07-25 20:20:09 ----AC---- C:\WINDOWS\ntbtlog.txt
2009-07-25 20:15:22 ----D---- C:\Documents and Settings
2009-07-25 19:29:06 ----A---- C:\WINDOWS\win.ini
2009-07-25 19:29:06 ----A---- C:\WINDOWS\SYSTEM.INI
2009-07-25 19:18:58 ----D---- C:\Program Files\XoftSpySE
2009-07-18 09:05:06 ----A---- C:\WINDOWS\system32\shdocvw.dll
2009-07-18 09:05:06 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-15 08:36:48 ----AC---- C:\WINDOWS\ODBC.INI
2009-07-15 08:33:48 ----D---- C:\WINDOWS\Registration
2009-07-15 00:55:19 ----D---- C:\iSiteLogs
2009-07-07 22:41:15 ----SD---- C:\Documents and Settings\Ronald\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-01 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-01 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-08-01 108552]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2003-07-26 59440]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2003-07-26 23724]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2002-04-10 236032]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2002-04-10 117898]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2002-04-10 206336]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-09-03 12032]
R2 CVPNDRV;Kaiser IPsec Driver; \??\C:\WINDOWS\system32\Drivers\CVPNDRV.sys []
R2 PfModNT;PfModNT; \??\C:\WINDOWS\System32\PfModNT.sys []
R2 Stltrk2k;Stltrk2k; C:\WINDOWS\system32\drivers\Stltrk2k.sys [2000-06-02 13806]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2002-01-09 128380]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2002-09-19 139776]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2002-04-10 29638]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2002-09-03 12160]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\System32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
R3 P16X;Creative SB Live! Series (WDM); C:\WINDOWS\system32\drivers\P16X.sys [2003-09-22 1330048]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 Dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\System32\DRIVERS\Dot4.sys [2008-04-14 206976]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Scan.sys [2001-08-17 8704]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\System32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2002-04-10 24554]
S3 EUSBMSD;eUSB SmartMedia Driver; C:\WINDOWS\System32\DRIVERS\EUSBMSD.SYS [2001-08-27 50528]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2002-07-12 141752]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-26 132424]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-01 297752]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.exe [1999-12-13 44032]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Kaiser\VPN Client\cvpnd.exe [2002-09-03 1282112]
R2 FGR Service;FGR Service; C:\Program Files\1208_Fiberlink\Fgrd.exe [2002-07-01 57344]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-02 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
S2 WinOLE;Microsoft Windows OLE; C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\service.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------

Gmer-Logfile
GMER 1.0.15.15011 [GMER_3g9nscm2.exe] - http://www.gmer.net
Rootkit scan 2009-08-03 21:53:52
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xF74AC803] <-- ROOTKIT !!!

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [F74AC744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [F74AC51E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F74AC71A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F74AC6A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [F74AC744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F74AC380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [F74AC51E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F74AC380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F74AC6A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F74AC71A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMSetAttributesEx] [F74AC744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMRegisterMiniport] [F74AC51E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [F74AC744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [F74AC51E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisIMRegisterLayeredMiniport] [F74AC48B] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F74AC380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F74AC6A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisMSetAttributesEx] [F74AC744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F74AC71A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [F74AC744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [F74AC51E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F74AC380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F74AC71A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F74AC6A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F74AC71A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F74AC6A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F74AC380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F74AC380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F74AC6A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F74AC71A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F74AC380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F74AC71A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F74AC6A7] IPVNMon.sys (IPVNMon/Visual Networks)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [SYSTEM] ESQULserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@imagepath
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULserv
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULl
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULclk
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys@imagepath
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys\modules@ESQULserv
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys\modules@ESQULl
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys\modules@ESQULclk
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys@imagepath
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules@ESQULserv
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules@ESQULl
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules@ESQULclk

---- EOF - GMER 1.0.15 ----

Powerful tools, lots of information there - :thumbup2:

Please let me know how to proceed, and thanks again for being there!

#5 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany

Posted 04 August 2009 - 02:31 PM

Hi,

here we go:

Please take note of the following:

You have to plug every external drive you have into your system and leave it in until I say you can take it out!!


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts. When finished, it will produce a report for you.

Please post back with:
  • Combofix-Logfile
  • Fresh RSIT-Logfile
  • Fresh Gmer-Logfile

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#6 ibcolder

  • Topic Starter
  • Members
  • 18 posts

Posted 08 August 2009 - 02:17 PM

Hi Tom,

I would not bump otherwise, but wanted you to know the thread is not dead... My friend has been away this week; it's his computer. I'll be posting the aforementioned logs as soon as he gets back.

Thanks again for your help with this.

#7 ibcolder

  • Topic Starter
  • Members
  • 18 posts

Posted 11 August 2009 - 04:27 AM

Hi Tom, the machine now seems clean! :thumbup2: :)
Here are the logs -
Combofix Log
ComboFix 09-08-10.01 - Ronald 08/10/2009 19:54.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.516 [GMT -7:00]
Running from: c:\documents and settings\Ronald\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

?
c:\program files\Common Files\uninstall information
c:\recycler\S-1-5-21-57989841-1715567821-725345543-1004
c:\windows\system32\curity~1
c:\windows\system32\Data
c:\windows\system32\stem32~1


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ESQULserv.sys
-------\Legacy_ISEXENG
-------\Legacy_ZESOFT
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.

2009-08-08 14:02 . 2009-08-08 14:02 -------- d-----w- c:\documents and settings\Ronald\Citrix
2009-08-06 07:43 . 2008-04-14 12:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-04 03:13 . 2009-08-04 03:14 -------- d-----w- C:\rsit
2009-08-02 16:33 . 2009-08-02 16:33 -------- d-----w- c:\program files\Microsoft
2009-08-02 16:33 . 2009-08-02 16:33 -------- d-----w- c:\windows\Sun
2009-08-02 16:31 . 2009-08-02 16:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-02 16:31 . 2009-08-02 16:31 -------- d-----w- c:\program files\Java
2009-08-02 16:29 . 2009-08-02 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-02 16:29 . 2009-08-02 16:31 152576 ----a-w- c:\documents and settings\Ronald\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-08-01 09:08 . 2009-08-01 09:08 -------- d-----w- c:\program files\Trend Micro
2009-08-01 08:29 . 2009-08-01 08:29 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-01 08:29 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-01 08:29 . 2009-08-01 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-01 07:52 . 2009-08-10 07:19 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-01 07:50 . 2009-08-01 07:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-01 07:50 . 2009-08-01 07:50 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-01 07:50 . 2009-08-01 07:50 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-01 07:50 . 2009-08-01 07:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-01 07:50 . 2009-08-11 01:16 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-01 07:49 . 2009-08-01 07:49 -------- d-----w- c:\program files\AVG
2009-08-01 07:49 . 2009-08-01 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-01 07:22 . 2001-08-17 19:11 26568 -c--a-w- c:\windows\system32\dllcache\bcm4e5.sys
2009-08-01 07:21 . 2008-04-14 05:05 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2009-08-01 07:21 . 2001-08-17 20:52 12032 -c--a-w- c:\windows\system32\dllcache\amsint.sys
2009-08-01 07:21 . 2001-08-17 19:11 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys
2009-08-01 07:21 . 2001-08-17 20:51 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2009-08-01 07:21 . 2001-08-17 20:49 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys
2009-08-01 07:21 . 2001-08-17 21:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2009-08-01 07:21 . 2001-08-17 19:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2009-08-01 07:21 . 2001-08-17 21:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2009-08-01 07:21 . 2001-08-17 20:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2009-08-01 06:54 . 2009-08-01 06:54 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-01 06:54 . 2009-08-01 06:54 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-08-01 06:54 . 2009-08-01 06:54 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-01 06:54 . 2009-08-01 06:54 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-01 06:43 . 2008-04-14 12:42 176640 ------w- c:\windows\system32\napstat.exe
2009-08-01 06:42 . 2007-04-03 06:56 19456 -c--a-w- c:\windows\system32\dllcache\agt0401.dll
2009-08-01 06:42 . 2007-04-03 06:56 19456 -c--a-w- c:\windows\system32\dllcache\agt0412.dll
2009-08-01 06:42 . 2007-04-03 06:56 19456 -c--a-w- c:\windows\system32\dllcache\agt040d.dll
2009-08-01 06:41 . 2008-04-14 12:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2009-08-01 06:41 . 2008-04-14 12:42 695808 -c----w- c:\windows\system32\dllcache\drmv2clt.dll
2009-08-01 06:41 . 2008-04-14 12:42 774144 -c----w- c:\windows\system32\dllcache\setup_wm.exe
2009-08-01 06:41 . 2008-04-14 12:42 152064 -c----w- c:\windows\system32\dllcache\shmedia.dll
2009-08-01 06:41 . 2008-04-14 12:42 73728 -c----w- c:\windows\system32\dllcache\wmplayer.exe
2009-08-01 06:41 . 2008-04-14 12:42 809984 -c----w- c:\windows\system32\dllcache\wmvdmod.dll
2009-08-01 06:41 . 2008-04-14 12:42 303616 -c----w- c:\windows\system32\dllcache\wmstream.dll
2009-08-01 06:41 . 2008-04-14 12:42 759296 -c----w- c:\windows\system32\dllcache\wmsdmod.dll
2009-08-01 06:41 . 2008-04-14 12:42 670720 -c----w- c:\windows\system32\dllcache\wmadmoe.dll
2009-08-01 06:41 . 2008-04-14 12:42 408064 -c----w- c:\windows\system32\dllcache\wmadmod.dll
2009-08-01 06:41 . 2008-04-14 12:42 102400 -c----w- c:\windows\system32\dllcache\wmpshell.dll
2009-08-01 06:41 . 2008-04-14 05:58 2940928 -c----w- c:\windows\system32\dllcache\wmploc.dll
2009-08-01 06:38 . 2008-04-14 05:06 144384 ------w- c:\windows\system32\drivers\hdaudbus.sys
2009-08-01 06:38 . 2008-04-14 07:10 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2009-08-01 02:52 . 2009-08-01 03:12 -------- d-----w- c:\windows\SxsCaPendDel
2009-07-28 15:01 . 2009-07-28 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-07-26 04:52 . 2009-07-26 04:52 -------- d-----w- c:\documents and settings\Ronald\Application Data\AVG8
2009-07-26 03:56 . 2009-07-26 04:47 -------- d-----w- c:\program files\NoAdware
2009-07-15 15:43 . 2009-07-15 15:43 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-07-15 13:18 . 2009-07-15 13:18 56320 ----a-w- c:\windows\system32\ESQULacbqkbfrwimnalfrqewlctwfvdavpaiv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 21:50 . 2004-12-10 07:20 -------- d-----w- c:\program files\1208_Fiberlink
2009-08-08 14:02 . 2007-10-03 14:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-06 07:44 . 2005-08-30 02:35 -------- d-----w- c:\documents and settings\Janelle\Application Data\FotoTime
2009-08-06 07:40 . 2008-09-03 20:14 -------- d-----w- c:\documents and settings\Janelle\Application Data\Smilebox
2009-08-01 10:16 . 2005-06-28 14:35 -------- d-----w- c:\program files\Ftk
2009-08-01 09:05 . 2005-01-25 04:34 -------- d--h--w- c:\documents and settings\All Users\Application Data\wsxs
2009-08-01 08:29 . 2004-12-20 01:09 -------- d-----w- c:\program files\Lavasoft
2009-08-01 07:46 . 2006-05-21 00:04 -------- d-----w- c:\documents and settings\Ronald\Application Data\U3
2009-08-01 06:47 . 2003-07-24 06:04 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-07-26 02:18 . 2007-06-14 05:49 -------- d-----w- c:\program files\XoftSpySE
2009-06-26 16:50 . 2004-08-24 03:32 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2002-09-03 17:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2002-09-03 16:33 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-08 11:15 . 2009-05-12 23:33 205448 ----a-w- c:\documents and settings\Janelle\Application Data\Smilebox\SmileboxDvd.exe
2009-06-08 11:15 . 2009-05-12 23:33 168584 ----a-w- c:\documents and settings\Janelle\Application Data\Smilebox\SmileboxBrowserEngine.dll
2009-06-08 11:15 . 2008-07-31 03:56 373384 ----a-w- c:\documents and settings\Janelle\Application Data\Smilebox\SmileboxStarter.exe
2009-06-08 11:15 . 2008-07-31 03:53 266888 ----a-w- c:\documents and settings\Janelle\Application Data\Smilebox\SmileboxTray.exe
2009-06-08 11:08 . 2009-06-08 11:08 1548936 ----a-w- c:\documents and settings\Janelle\Application Data\Smilebox\SmileboxClient.exe
2009-06-08 10:45 . 2009-06-08 10:45 340616 ----a-w- c:\documents and settings\Janelle\Application Data\Smilebox\SmileboxDvdEngine.dll
2009-06-08 10:45 . 2009-06-08 10:45 123528 ----a-w- c:\documents and settings\Janelle\Application Data\Smilebox\SmileboxUpdater.exe
2009-06-03 19:09 . 2003-12-31 07:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-29 14:25 . 2009-05-29 14:25 70984 ----a-w- c:\windows\java\g2mdlhlpx.exe
2009-05-21 06:50 . 2007-10-11 19:28 664 -c--a-w- c:\documents and settings\Ron B\Local Settings\Application Data\d3d9caps.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 224248]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-03-05 1603152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-01 2000152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-02 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-01 07:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kaiser VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kaiser VPN Client.lnk
backup=c:\windows\pss\Kaiser VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TFTP1116]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TFTP1116
backup=c:\windows\pss\TFTP1116Common Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ronald^Start Menu^Programs^Startup^Internet Explorer.lnk]
path=c:\documents and settings\Ronald\Start Menu\Programs\Startup\Internet Explorer.lnk
backup=c:\windows\pss\Internet Explorer.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/1/2009 12:50 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/1/2009 12:50 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/1/2009 12:49 AM 297752]
R2 CVPNDRV;Kaiser IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [11/24/2008 12:28 AM 263751]
R2 FGR Service;FGR Service;c:\program files\1208_Fiberlink\Fgrd.exe [7/1/2002 7:36 AM 57344]
S2 WinOLE;Microsoft Windows OLE;c:\recycler\S-1-5-21-57989841-1715567821-725345543-1004\service.exe --> c:\recycler\S-1-5-21-57989841-1715567821-725345543-1004\service.exe [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [3/19/2009 9:15 AM 33176]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\162b7f72-8fa1-4ef2-8377-2ba8f6c59826]
c:\windows\system32\dcxnocq.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-08-11 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 21:44]

2009-08-08 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 21:44]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
SafeBoot-Lavasoft Ad-Aware Service


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://my.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} - hxxp://10.228.84.192/iSite3_3.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 20:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wbem\Performance\WmiApRpl.ini 1698 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Kaiser\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-08-11 20:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-11 03:12

Pre-Run: 9,961,738,240 bytes free
Post-Run: 9,926,594,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
[spybotsd]
timeout.old=30

235 --- E O F --- 2009-08-03 10:04

GMER log
GMER 1.0.15.15011 [GMER_3g9nscm2.exe] - http://www.gmer.net
Rootkit scan 2009-08-10 21:47:04
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xF74D1803]

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\Combo-Fix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [F74D1744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [F74D151E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F74D171A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F74D16A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [F74D1744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F74D1380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [F74D151E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F74D1380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F74D16A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F74D171A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMSetAttributesEx] [F74D1744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMRegisterMiniport] [F74D151E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [F74D1744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [F74D151E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisIMRegisterLayeredMiniport] [F74D148B] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F74D1380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F74D16A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisMSetAttributesEx] [F74D1744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F74D171A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [F74D1744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [F74D151E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F74D1380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F74D171A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F74D16A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F74D171A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F74D16A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F74D1380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F74D1380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F74D16A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F74D171A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F74D1380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F74D171A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F74D16A7] IPVNMon.sys (IPVNMon/Visual Networks)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys@imagepath
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules@ESQULserv
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules@ESQULl
Reg HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys\modules@ESQULclk

---- EOF - GMER 1.0.15 ----

RSIT log
Logfile of random's system information tool 1.06 (written by random/random)
Run by Ronald at 2009-08-10 21:47:45
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 9 GB (17%) free of 57 GB
Total RAM: 767 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:47 PM, on 8/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Kaiser\VPN Client\cvpnd.exe
C:\Program Files\1208_Fiberlink\Fgrd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ronald\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ronald.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} (ISiteNonVisual Control 3.3) - http://10.228.84.192/iSite3_3.cab
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.166,85.255.112.67
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Kaiser\VPN Client\cvpnd.exe
O23 - Service: FGR Service - Fiberlink Communications Corporation - C:\Program Files\1208_Fiberlink\Fgrd.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Microsoft Windows OLE (WinOLE) - Unknown owner - C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\service.exe (file missing)

--
End of file - 7236 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2007-10-19 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-08-01 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2004-05-12 744960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 198136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll [2009-01-14 92504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
MSN Toolbar Helper - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll [2009-02-09 82768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-02 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-08-02 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2007-10-19 817936]
{1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - MSN Toolbar - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll [2009-02-09 82768]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"=C:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 57344]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2007-06-08 224248]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-04-14 644696]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-03-04 1603152]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-08-01 2000152]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-02 148888]
"Microsoft Default Manager"=C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [2009-02-03 233304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe [2002-04-10 679936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
C:\Documents and Settings\Ronald\Application Data\eetu.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aykJVM]
C:\documents and settings\ronald\local settings\temp\aykJVM.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe [2002-04-03 135264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EJ4kf]
C:\documents and settings\janelle\local settings\temp\EJ4kf.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FtkCPY]
C:\Program Files\Common Files\Java\ftkcpy.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoldenFTPserver]
C:\Program Files\Golden FTP Server\GoldenFTPServer.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2002-07-16 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p]
C:\documents and settings\janelle\local settings\temp\p.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picsvr]
C:\WINDOWS\system32\picsvr\picsvr.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvs_b]
C:\program files\tvs\tvs_b.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncer]
C:\PROGRA~1\VBouncer\VirtualBouncer.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
\mcvsshld.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2007-03-27 4670968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kaiser VPN Client.lnk]
C:\PROGRA~1\Kaiser\VPNCLI~1\IPSECD~1.EXE [2002-09-03 1269836]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~4\Office10\OSA.EXE -b -l []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TFTP1116]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTP1116 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ronald^Start Menu^Programs^Startup^Internet Explorer.lnk]
C:\PROGRA~1\INTERN~1\iexplore.exe [2008-04-14 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-01 11952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"NoDriveTypeAutoRun"=
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe"="C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe:*:Enabled:Yahoo! FT Server"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-08-10 20:19:36 ----SHD---- C:\RECYCLER
2009-08-10 20:12:49 ----A---- C:\ComboFix.txt
2009-08-10 19:52:58 ----A---- C:\Boot.bak
2009-08-10 19:52:44 ----RASHD---- C:\cmdcons
2009-08-10 19:51:04 ----A---- C:\WINDOWS\zip.exe
2009-08-10 19:51:04 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-10 19:51:04 ----A---- C:\WINDOWS\SWSC.exe
2009-08-10 19:51:04 ----A---- C:\WINDOWS\SWREG.exe
2009-08-10 19:51:04 ----A---- C:\WINDOWS\sed.exe
2009-08-10 19:51:04 ----A---- C:\WINDOWS\PEV.exe
2009-08-10 19:51:04 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-10 19:51:04 ----A---- C:\WINDOWS\grep.exe
2009-08-10 19:34:09 ----D---- C:\WINDOWS\ERDNT
2009-08-10 19:34:04 ----D---- C:\Qoobox
2009-08-06 00:43:16 ----A---- C:\WINDOWS\system32\wmpns.dll
2009-08-03 20:13:43 ----D---- C:\rsit
2009-08-03 03:04:38 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-08-03 03:03:26 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-08-02 09:33:23 ----D---- C:\Program Files\Microsoft
2009-08-02 09:33:00 ----D---- C:\WINDOWS\Sun
2009-08-02 09:31:52 ----A---- C:\WINDOWS\system32\javaws.exe
2009-08-02 09:31:52 ----A---- C:\WINDOWS\system32\javaw.exe
2009-08-02 09:31:52 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-08-02 09:31:51 ----A---- C:\WINDOWS\system32\java.exe
2009-08-02 09:31:31 ----D---- C:\Program Files\Java
2009-08-02 09:29:22 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2009-08-02 09:28:51 ----D---- C:\Documents and Settings\Ronald\Application Data\Sun
2009-08-01 08:52:45 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-08-01 02:08:16 ----D---- C:\Program Files\Trend Micro
2009-08-01 01:29:50 ----HDC---- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-01 01:29:32 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-08-01 00:52:01 ----HD---- C:\$AVG8.VAULT$
2009-08-01 00:50:30 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-08-01 00:49:55 ----D---- C:\Program Files\AVG
2009-08-01 00:49:54 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-08-01 00:00:21 ----D---- C:\WINDOWS\Prefetch
2009-07-31 23:56:54 ----HDC---- C:\WINDOWS\$NtUninstallKB972260$
2009-07-31 23:56:45 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-31 23:56:36 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-07-31 23:56:19 ----HDC---- C:\WINDOWS\$NtUninstallKB969897$
2009-07-31 23:56:11 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-07-31 23:56:02 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-07-31 23:55:49 ----HDC---- C:\WINDOWS\$NtUninstallKB963027$
2009-07-31 23:55:42 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-07-31 23:55:35 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-07-31 23:55:27 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-31 23:55:20 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-07-31 23:55:10 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2009-07-31 23:55:01 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-07-31 23:54:54 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-07-31 23:54:43 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-07-31 23:54:28 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-07-31 23:54:16 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-07-31 23:54:14 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2009-07-31 23:54:14 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2009-07-31 23:54:14 ----D---- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
2009-07-31 23:54:13 ----D---- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
2009-07-31 23:53:59 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2009-07-31 23:53:51 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-07-31 23:53:44 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-07-31 23:53:35 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-07-31 23:53:26 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-07-31 23:53:18 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-07-31 23:53:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-07-31 23:52:50 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
2009-07-31 23:52:37 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-07-31 23:52:30 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-07-31 23:52:22 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-07-31 23:52:11 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
2009-07-31 23:52:02 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-07-31 23:51:55 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-07-31 23:51:42 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-07-31 23:51:32 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-07-31 23:51:21 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-07-31 23:51:12 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-07-31 23:50:59 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-07-31 23:50:49 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-07-31 23:50:41 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-07-31 23:50:32 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-07-31 23:50:20 ----HDC---- C:\WINDOWS\$NtUninstallKB950759$
2009-07-31 23:50:13 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-07-31 23:50:07 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-07-31 23:49:59 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-07-31 23:44:32 ----N---- C:\WINDOWS\system32\msxml6r.dll
2009-07-31 23:44:31 ----A---- C:\WINDOWS\system32\msxml6.dll
2009-07-31 23:44:03 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2009-07-31 23:44:03 ----N---- C:\WINDOWS\system32\azroles.dll
2009-07-31 23:44:03 ----N---- C:\WINDOWS\system32\aaclient.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3ui.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3svc.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3msm.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dot3api.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dimsroam.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2009-07-31 23:44:02 ----N---- C:\WINDOWS\system32\credssp.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eapsvc.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eapqec.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eappprxy.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eapphost.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eappgnui.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eappcfg.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2009-07-31 23:44:01 ----N---- C:\WINDOWS\system32\eapolqec.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\kmsvc.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\kbdpash.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2009-07-31 23:44:00 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\napstat.exe
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\napmontr.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\napipsec.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\mssha.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\mmcperf.exe
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\mmcex.dll
2009-07-31 23:43:59 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\qutil.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\qcliprov.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\qagentrt.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\qagent.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2009-07-31 23:43:58 ----N---- C:\WINDOWS\system32\onex.dll
2009-07-31 23:43:57 ----N---- C:\WINDOWS\system32\tspkg.dll
2009-07-31 23:43:57 ----N---- C:\WINDOWS\system32\tsgqec.dll
2009-07-31 23:43:57 ----N---- C:\WINDOWS\system32\setupn.exe
2009-07-31 23:43:57 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2009-07-31 23:43:57 ----N---- C:\WINDOWS\system32\rasqec.dll
2009-07-31 23:43:56 ----N---- C:\WINDOWS\system32\wmphoto.dll
2009-07-31 23:43:56 ----N---- C:\WINDOWS\system32\wlanapi.dll
2009-07-31 23:43:56 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2009-07-31 23:43:56 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2009-07-31 23:43:55 ----N---- C:\WINDOWS\system32\xmllite.dll
2009-07-31 23:43:54 ----D---- C:\WINDOWS\system32\scripting
2009-07-31 23:43:54 ----D---- C:\WINDOWS\system32\en-us
2009-07-31 23:43:51 ----D---- C:\WINDOWS\l2schemas
2009-07-31 23:43:50 ----D---- C:\WINDOWS\system32\en
2009-07-31 23:38:41 ----D---- C:\WINDOWS\network diagnostic
2009-07-31 23:36:16 ----A---- C:\WINDOWS\003376_.tmp
2009-07-31 19:52:07 ----D---- C:\WINDOWS\SxsCaPendDel
2009-07-29 03:00:25 ----HDC---- C:\WINDOWS\$NtUninstallKB972260_0$
2009-07-28 08:01:09 ----D---- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2009-07-25 21:52:20 ----D---- C:\Documents and Settings\Ronald\Application Data\AVG8
2009-07-25 20:56:10 ----D---- C:\Program Files\NoAdware
2009-07-15 06:18:43 ----A---- C:\WINDOWS\system32\ESQULacbqkbfrwimnalfrqewlctwfvdavpaiv.dll
2009-07-15 03:02:18 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-15 03:02:06 ----HDC---- C:\WINDOWS\$NtUninstallKB971633_0$
2009-07-15 03:01:50 ----HDC---- C:\WINDOWS\$NtUninstallKB961371_0$

======List of files/folders modified in the last 1 months======

2009-08-10 20:12:51 ----D---- C:\WINDOWS\system32\drivers
2009-08-10 20:12:51 ----D---- C:\WINDOWS\system32
2009-08-10 20:12:14 ----AD---- C:\WINDOWS\Temp
2009-08-10 20:12:06 ----SD---- C:\WINDOWS\Tasks
2009-08-10 20:11:48 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-10 20:11:42 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-10 20:08:56 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-10 20:06:18 ----AD---- C:\WINDOWS
2009-08-10 20:06:18 ----A---- C:\WINDOWS\system.ini
2009-08-10 20:01:49 ----D---- C:\WINDOWS\system32\config
2009-08-10 19:59:42 ----AD---- C:\Program Files\Common Files
2009-08-10 19:58:34 ----D---- C:\WINDOWS\AppPatch
2009-08-10 19:52:58 ----RASH---- C:\boot.ini
2009-08-10 19:51:37 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-08 14:50:55 ----D---- C:\Program Files\1208_Fiberlink
2009-08-08 06:50:47 ----AC---- C:\WINDOWS\system32\fwlog.txt
2009-08-06 00:41:33 ----D---- C:\PERRLA
2009-08-03 20:09:52 ----HD---- C:\WINDOWS\inf
2009-08-03 03:03:57 ----A---- C:\WINDOWS\imsins.BAK
2009-08-03 03:02:31 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-02 18:25:49 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-02 09:33:55 ----SHD---- C:\WINDOWS\Installer
2009-08-02 09:33:26 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-08-02 09:33:23 ----AD---- C:\Program Files
2009-08-02 09:32:12 ----D---- C:\Program Files\MSN
2009-08-01 10:22:45 ----AC---- C:\WINDOWS\OEWABLog.txt
2009-08-01 08:52:46 ----D---- C:\WINDOWS\WinSxS
2009-08-01 03:16:55 ----D---- C:\Program Files\Ftk
2009-08-01 02:05:54 ----HD---- C:\Documents and Settings\All Users\Application Data\wsxs
2009-08-01 01:29:32 ----D---- C:\Program Files\Lavasoft
2009-08-01 00:49:44 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-08-01 00:46:47 ----D---- C:\Documents and Settings\Ronald\Application Data\U3
2009-08-01 00:00:28 ----AC---- C:\WINDOWS\setuplog.txt
2009-07-31 23:59:51 ----D---- C:\WINDOWS\system32\Setup
2009-07-31 23:59:51 ----D---- C:\WINDOWS\ime
2009-07-31 23:59:51 ----D---- C:\Program Files\Internet Explorer
2009-07-31 23:59:50 ----D---- C:\WINDOWS\system32\wbem
2009-07-31 23:59:48 ----RSD---- C:\WINDOWS\Fonts
2009-07-31 23:59:05 ----D---- C:\WINDOWS\security
2009-07-31 23:50:14 ----D---- C:\Program Files\Messenger
2009-07-31 23:44:33 ----D---- C:\WINDOWS\ServicePackFiles
2009-07-31 23:44:30 ----D---- C:\Program Files\Windows Media Player
2009-07-31 23:44:27 ----D---- C:\WINDOWS\Help
2009-07-31 23:43:54 ----D---- C:\WINDOWS\system32\usmt
2009-07-31 23:43:50 ----D---- C:\WINDOWS\system32\bits
2009-07-31 23:43:50 ----D---- C:\WINDOWS\PeerNet
2009-07-31 23:43:50 ----D---- C:\Program Files\Movie Maker
2009-07-31 23:41:22 ----D---- C:\WINDOWS\system32\Restore
2009-07-31 23:41:22 ----D---- C:\WINDOWS\system32\npp
2009-07-31 23:41:21 ----D---- C:\WINDOWS\msagent
2009-07-31 23:41:19 ----D---- C:\WINDOWS\srchasst
2009-07-31 23:41:18 ----D---- C:\Program Files\NetMeeting
2009-07-31 23:41:17 ----D---- C:\WINDOWS\system32\Com
2009-07-31 23:41:13 ----D---- C:\Program Files\Windows NT
2009-07-31 23:41:13 ----D---- C:\Program Files\Outlook Express
2009-07-31 23:41:09 ----D---- C:\Program Files\Common Files\System
2009-07-31 23:40:43 ----D---- C:\WINDOWS\system32\oobe
2009-07-31 23:40:41 ----D---- C:\WINDOWS\system
2009-07-31 23:38:23 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-31 23:35:53 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-07-31 23:35:07 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-07-31 23:30:29 ----D---- C:\WINDOWS\EHome
2009-07-25 20:20:09 ----AC---- C:\WINDOWS\ntbtlog.txt
2009-07-25 20:15:22 ----D---- C:\Documents and Settings
2009-07-25 19:29:06 ----A---- C:\WINDOWS\win.ini
2009-07-25 19:18:58 ----D---- C:\Program Files\XoftSpySE
2009-07-18 09:05:06 ----A---- C:\WINDOWS\system32\shdocvw.dll
2009-07-18 09:05:06 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-15 08:36:48 ----AC---- C:\WINDOWS\ODBC.INI
2009-07-15 08:33:48 ----D---- C:\WINDOWS\Registration
2009-07-15 00:55:19 ----D---- C:\iSiteLogs

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-01 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-01 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-08-01 108552]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2003-07-26 59440]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2003-07-26 23724]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2002-04-10 236032]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2002-04-10 117898]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2002-04-10 206336]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-09-03 12032]
R2 CVPNDRV;Kaiser IPsec Driver; \??\C:\WINDOWS\system32\Drivers\CVPNDRV.sys []
R2 PfModNT;PfModNT; \??\C:\WINDOWS\System32\PfModNT.sys []
R2 Stltrk2k;Stltrk2k; C:\WINDOWS\system32\drivers\Stltrk2k.sys [2000-06-02 13806]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 catchme;catchme; \??\C:\Combo-Fix\catchme.sys []
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2002-01-09 128380]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2002-09-19 139776]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2002-04-10 29638]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2002-09-03 12160]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\System32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
R3 P16X;Creative SB Live! Series (WDM); C:\WINDOWS\system32\drivers\P16X.sys [2003-09-22 1330048]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 aujasnkj;aujasnkj; \??\C:\DOCUME~1\Ronald\LOCALS~1\Temp\aujasnkj.sys []
S3 Dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\System32\DRIVERS\Dot4.sys [2008-04-14 206976]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Scan.sys [2001-08-17 8704]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\System32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2002-04-10 24554]
S3 EUSBMSD;eUSB SmartMedia Driver; C:\WINDOWS\System32\DRIVERS\EUSBMSD.SYS [2001-08-27 50528]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2002-07-12 141752]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-26 132424]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-01 297752]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.exe [1999-12-13 44032]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Kaiser\VPN Client\cvpnd.exe [2002-09-03 1282112]
R2 FGR Service;FGR Service; C:\Program Files\1208_Fiberlink\Fgrd.exe [2002-07-01 57344]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-02 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
S2 WinOLE;Microsoft Windows OLE; C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\service.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------

Thanks so much for your help in getting this resolved! The only thing I saw left was in the GMER log above (the HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys lines), none in more recent or current control sets; I think after a reboot it will all be gone. :)

I was able to get AVG updated, and Spybot Search and Destroy as well. Yahoo no longer redirects to dangerous sites (used Spybot Search and Destroy as a reference site). I also re-enabled AVG Resident Shield.

Please tell me, I want to learn this, why did we not use Combofix earlier in the process? Is there a danger in running this tool, even unscripted? Or is it because you wanted to see a full set of logs before and after Combofix ran? Or are these both a factor?

Thanks again for the Awesome help!

Edited by ibcolder, 11 August 2009 - 04:29 AM.
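As an added example (not part of this thread, and not code from RSIT or ComboFix), here is a small Python triage script for the driver/service section of an RSIT log in the format posted above. It flags the things a helper looks for first: binaries living under RECYCLER or Temp, entries whose file RSIT could not stat (empty brackets), and Microsoft-branded display names whose path is outside the Windows directories. The sample lines are copied from the log above; the directory lists are assumptions.

```python
import re
from dataclasses import dataclass, field

# RSIT driver/service line format (see the log above):
#   R2 WinOLE;Microsoft Windows OLE; C:\RECYCLER\...\service.exe []
# state: R running / S stopped; start: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
# then "name;display name; path [yyyy-mm-dd size]" - brackets are empty when
# RSIT could not stat the file (missing, locked, or hidden by a rootkit).
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.*?) \[(?P<meta>[^\]]*)\]$"
)

# Assumed heuristics: places a service binary or driver should never live,
# and places where Microsoft-branded components are expected to live.
SUSPICIOUS_DIRS = ("\\recycler\\", "\\recycled\\", "\\temp\\")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Constructed sample: lines copied verbatim from the RSIT log in this thread.
SAMPLE_LOG = r"""
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R3 catchme;catchme; \??\C:\Combo-Fix\catchme.sys []
S3 aujasnkj;aujasnkj; \??\C:\DOCUME~1\Ronald\LOCALS~1\Temp\aujasnkj.sys []
S2 WinOLE;Microsoft Windows OLE; C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\service.exe []
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
"""


@dataclass
class Entry:
    state: str
    start: int
    name: str
    display: str
    path: str
    meta: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one RSIT driver/service line; return None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path.startswith("\\??\\"):  # NT object-manager prefix, irrelevant for triage
        path = path[4:]
    return Entry(m.group("state"), int(m.group("start")), m.group("name"),
                 m.group("display"), path, m.group("meta").strip())


def triage(entry):
    """Attach human-readable reasons why an analyst should look at this entry."""
    low = entry.path.lower()
    if any(d in low for d in SUSPICIOUS_DIRS):
        entry.reasons.append("binary lives in a recycle-bin or temp directory")
    if not entry.meta:
        entry.reasons.append("no file date/size: file missing, locked or hidden")
    if (("microsoft" in entry.display.lower() or "windows" in entry.display.lower())
            and not low.startswith(TRUSTED_DIRS)):
        entry.reasons.append("Microsoft-branded name but path outside Windows dirs")
    return entry


def triage_log(text):
    """Return only the entries that collected at least one reason."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.state}{e.start} {e.name}: {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```

Note that catchme.sys is ComboFix's own scanning driver and is flagged only for the empty brackets; a real triage run would allowlist known tool artifacts like that.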


#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:52 AM

Posted 11 August 2009 - 11:21 PM

Hi,

Great job :thumbup2:

But there is still a lot of work :).

Please plug in all external drives!



Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\ESQULacbqkbfrwimnalfrqewlctwfvdavpaiv.dll
c:\windows\system32\dcxnocq.exe

Folder::
c:\documents and settings\All Users\Application Data\wsxs
c:\recycler
K:\RECYCLER

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\162b7f72-8fa1-4ef2-8377-2ba8f6c59826]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5EDB03AF-0341-4e96-9E9B-3171522E4BAF}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aykJVM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EJ4kf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FtkCPY]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picsvr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvs_b]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a2bf35e-e85d-11da-b75f-0007e9d6255a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a2bf35f-e85d-11da-b75f-0007e9d6255a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a974464-0b64-11de-b8b3-0007e9d6255a}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=-

Driver::
WinOLE

DDS::
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

Reglock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.





Answer to your questions:

We always want to see a full set of logfiles before we begin to clean. There can be something that attacks our tools, or the tools are not needed. Combofix is very powerful and should only be used by trained persons :).




Please post back with:
  • Combofix-Logfile
  • Malwarebytes-Logfile
  • Fresh RSIT-Logfile

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:52 PM

Posted 16 August 2009 - 07:40 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here



