
Trojan Kill AV & Rootkit Pakes M


  • This topic is locked
22 replies to this topic

#1 Sarahcc1984

Sarahcc1984

  • Members
  • 11 posts

Posted 24 August 2009 - 03:07 PM

Hello,

I appear to have some evil little malware / spyware / viruses on my computer.

They have disabled the Windows Firewall, seem to be stopping me playing music through Media Player, are trying to download fake antivirus software, slowing down Firefox links AND causing odd messages to pop up which apparently are from Windows, but unless peeps at Microsoft suddenly forgot how to spell, I think they may be fake!

Sheesh! I read around, installed lots of anti-malware, but the bugs won't go away!

If anyone could help me out I would be reeaaally grateful! I have attached logs as explained in the 'Read this before posting' thread.

Sarah x


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 20:40:21.20 on 24/08/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.462 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe -k imgsvc
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\SETTING.DAT
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [FLMOFFICE4DMOUSE] c:\program files\browser mouse\mouse32a.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HPDJ Taskbar Utility] c:\winnt\system32\spool\drivers\w32x86\3\hpztsb03.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [LWBMOUSE] c:\program files\browser mouse\browser mouse\1.1\MOUSE32A.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [LVCOMSX] c:\winnt\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [Regedit32] c:\winnt\system32\regedit.exe
dRun: [braviax]
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dmx6fi~1.lnk - c:\program files\terratec\dmx 6fire\DMX6Fire.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163079250296
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163085921625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: cru629.dat
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\80neu3cy.default\
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\80neu3cy.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-7-27 64160]
R1 Asapi;Asapi;c:\winnt\system32\drivers\asapi.sys [2007-11-11 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2009-3-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2009-3-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2009-3-8 108552]
R1 pctfw2;pctfw2;c:\winnt\system32\drivers\pctfw2.sys [2008-1-25 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-18 297752]
R3 CLEDX;Team H2O CLEDX service;c:\winnt\system32\drivers\cledx.sys [2007-6-10 33792]
R3 dmxfire;DMX6fire WDM Audio;c:\winnt\system32\drivers\dmx6fire.sys [2003-8-29 148724]
R3 dmxsens;dmxsens;c:\winnt\system32\drivers\dmxsens.sys [2003-7-22 403968]
S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-11-19 1119888]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\administrator\desktop\sysprot\SysProtDrv.sys [2009-7-29 44288]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2006-11-29 49776]

=============== Created Last 30 ================

2009-08-24 20:32 11,264 a------- c:\winnt\braviax.exe
2009-08-24 20:32 6,144 a------- c:\winnt\system32\cru629.dat
2009-08-24 20:32 6,144 a------- c:\winnt\cru629.dat
2009-08-23 18:54 625,824 ac------ c:\winnt\system32\dllcache\ntfs.sys
2009-08-23 18:54 29,184 ac------ c:\winnt\system32\dllcache\beep.sys
2009-08-23 18:54 29,184 a------- c:\winnt\system32\drivers\beep.sys
2009-08-20 21:25 190,730 a------- c:\winnt\system32\wisdstr.exe
2009-08-20 21:25 11,264 a------- c:\winnt\system32\braviax.exe
2009-08-18 18:15 11,952 a------- c:\winnt\system32\avgrsstx.dll
2009-08-07 22:15 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-08-01 20:29 <DIR> --d----- c:\program files\ESET
2009-07-31 21:12 <DIR> --d----- c:\program files\Trend Micro
2009-07-30 21:15 <DIR> -cd----- c:\winnt\system32\dllcache\cache
2009-07-30 20:58 <DIR> a-dshr-- C:\cmdcons
2009-07-30 20:53 219,648 a------- c:\winnt\PEV.exe
2009-07-30 20:53 161,792 a------- c:\winnt\SWREG.exe
2009-07-30 20:53 98,816 a------- c:\winnt\sed.exe
2009-07-30 20:40 <DIR> --d----- C:\ComboFix
2009-07-27 10:36 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-27 10:36 19,096 a------- c:\winnt\system32\drivers\mbam.sys
2009-07-27 10:36 <DIR> --d----- c:\program files\Fluff
2009-07-27 09:20 <DIR> --d----- c:\program files\SBla
2009-07-27 09:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-27 09:07 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-27 09:07 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-07-27 09:06 15,688 a------- c:\winnt\system32\lsdelete.exe
2009-07-27 08:57 64,160 a------- c:\winnt\system32\drivers\Lbd.sys
2009-07-27 08:56 <DIR> --d----- c:\program files\Lavasoft
2009-07-27 08:50 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-27 08:48 <DIR> --d----- c:\program files\SBlaster
2009-07-26 21:15 <DIR> --d----- c:\winnt\ERUNT
2009-07-26 21:13 <DIR> --d----- C:\SDFix
2009-07-26 18:02 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-07-26 18:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-08-23 18:54 625,824 a------- c:\winnt\system32\drivers\ntfs.sys
2009-08-18 18:15 335,240 a------- c:\winnt\system32\drivers\avgldx86.sys
2006-11-09 16:01 271 ---sh--- c:\program files\desktop.ini
2006-11-09 16:01 21,952 ----h--- c:\program files\folder.htt

============= FINISH: 20:40:47.23 ===============




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/24 20:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xF3196000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BFA000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
Address: 0xBA123000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Processes
-------------------
Path: C:\WINNT\system32\braviax.exe
PID: 2464 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf76e087e

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINNT\System32\Drivers\Beep.SYS" at address 0xf78221a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf76e0bfe

==EOF==



#2 Sarahcc1984

Sarahcc1984
  • Topic Starter

  • Members
  • 11 posts

Posted 04 September 2009 - 01:01 PM

Helllooooo!!

Anybody out there?!

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is that it would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple-post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 04 September 2009 - 01:10 PM.


#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 05 September 2009 - 10:46 PM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

My name is Syler, and I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks



#4 Sarahcc1984

Sarahcc1984
  • Topic Starter

  • Members
  • 11 posts

Posted 07 September 2009 - 01:53 AM

Hello, sorry for my impatience! Please find logs as requested : ) I have run MBAM before, and although it says it has quarantined and deleted files, they have a tendency to reappear on reboot : (

S x

-----

Malwarebytes' Anti-Malware 1.39
Database version: 2652
Windows 5.1.2600 Service Pack 2

07/09/2009 07:13:21
mbam-log-2009-09-07 (07-13-21).txt

Scan type: Full Scan (C:\|D:\|X:\|)
Objects scanned: 203905
Time elapsed: 1 hour(s), 3 minute(s), 29 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
C:\WINNT\system32\wisdstr.exe (Rogue.PC_Antispyware2010) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\wisdstr.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\CX7E1G62\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
c:\program files\KORG\korg legacy\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
c:\program files\steinberg\cubase sx 3\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
c:\program files\ik multimedia\amplitube\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
c:\WINNT\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINNT\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINNT\system32\dllcache\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
c:\WINNT\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINNT\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINNT\temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
C:\WINNT\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



-----



Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-09-07 07:38:33
Microsoft Windows XP Professional Service Pack 2
System drive C: has 43 GB (45%) free of 94 GB
Total RAM: 958 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:38:47, on 07/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
C:\WINNT\system32\taskmgr.exe
F:\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mswsock32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163079250296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163085921625
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe

--
End of file - 7014 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\Ad-Aware Update (Weekly).job
C:\WINNT\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"FLMOFFICE4DMOUSE"=C:\Program Files\Browser MOUSE\mouse32a.exe [2006-11-12 360448]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]
"HPDJ Taskbar Utility"=C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe [2001-07-23 200704]
"NvCplDaemon"=C:\WINNT\System32\NvCpl.dll [2005-12-01 7311360]
"nwiz"=nwiz.exe /install []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-08 136600]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"H2O"=C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe [2005-10-23 385024]
"LWBMOUSE"=C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE [2001-11-20 356352]
"NvMediaCenter"=C:\WINNT\System32\NvMcTray.dll [2005-12-01 86016]
"SMSTray"=C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe [2007-02-23 126976]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-08-18 2007832]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"LVCOMSX"=C:\WINNT\system32\LVCOMSX.EXE [2004-12-14 221184]
"LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe [2004-12-14 458752]
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe [2004-12-14 217088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-08-07 1830128]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
DMX 6fire 2496 ControlPanel.lnk - C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="cru629.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINNT\system32\avgrsstx.dll [2009-08-18 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
C:\WINNT\system32\wzcdlg.dll [2004-08-04 378368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"=C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NBF]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nbf.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ProtectedStorage]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINNT\system32\sessmgr.exe"="C:\WINNT\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Administrator\Desktop\utorrent.exe"="C:\Documents and Settings\Administrator\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe:*:Disabled:Spybot - Search & Destroy"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 2 months======

2009-09-07 07:38:33 ----D---- C:\rsit
2009-08-24 20:51:38 ----A---- C:\RootRepeal report 08-24-09 (20-51-38).txt
2009-08-18 18:15:00 ----A---- C:\WINNT\system32\avgrsstx.dll
2009-08-07 22:16:40 ----HDC---- C:\WINNT\$NtUninstallKB909394$
2009-08-07 22:15:29 ----D---- C:\Program Files\Microsoft ActiveSync
2009-08-02 11:13:52 ----SHD---- C:\RECYCLER
2009-08-01 20:29:45 ----D---- C:\Program Files\ESET
2009-08-01 14:39:45 ----A---- C:\ComboFix.txt
2009-08-01 14:25:08 ----D---- C:\WINNT\temp
2009-07-31 21:12:17 ----D---- C:\Program Files\Trend Micro
2009-07-30 20:59:00 ----A---- C:\Boot.bak
2009-07-30 20:58:53 ----RASHD---- C:\cmdcons
2009-07-30 20:53:13 ----A---- C:\WINNT\zip.exe
2009-07-30 20:53:13 ----A---- C:\WINNT\SWXCACLS.exe
2009-07-30 20:53:13 ----A---- C:\WINNT\SWSC.exe
2009-07-30 20:53:13 ----A---- C:\WINNT\SWREG.exe
2009-07-30 20:53:13 ----A---- C:\WINNT\sed.exe
2009-07-30 20:53:13 ----A---- C:\WINNT\PEV.exe
2009-07-30 20:53:13 ----A---- C:\WINNT\NIRCMD.exe
2009-07-30 20:53:13 ----A---- C:\WINNT\grep.exe
2009-07-30 20:40:30 ----D---- C:\WINNT\ERDNT
2009-07-30 20:40:29 ----D---- C:\ComboFix
2009-07-30 19:54:01 ----D---- C:\Qoobox
2009-07-27 10:36:02 ----D---- C:\Program Files\Fluff
2009-07-27 09:20:54 ----D---- C:\Program Files\SBla
2009-07-27 09:07:52 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-27 09:07:38 ----D---- C:\Program Files\SUPERAntiSpyware
2009-07-27 09:07:38 ----D---- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-27 09:06:34 ----A---- C:\WINNT\system32\lsdelete.exe
2009-07-27 08:57:19 ----DC---- C:\WINNT\system32\DRVSTORE
2009-07-27 08:56:28 ----D---- C:\Program Files\Lavasoft
2009-07-27 08:56:28 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-07-27 08:50:59 ----HDC---- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-27 08:48:25 ----D---- C:\Program Files\SBlaster
2009-07-26 22:16:40 ----D---- C:\Documents and Settings\Administrator\Application Data\WinRAR
2009-07-26 21:15:06 ----D---- C:\WINNT\ERUNT
2009-07-26 21:13:44 ----D---- C:\SDFix
2009-07-26 18:51:06 ----A---- C:\WINNT\ntbtlog.txt
2009-07-26 18:02:56 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-07-26 18:02:50 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-24 23:58:31 ----D---- C:\Program Files\Kingpin
2009-07-16 14:47:55 ----D---- C:\Program Files\Common Files\DigiDesign
2009-07-14 20:36:04 ----D---- C:\Program Files\Digidesign
2009-07-14 20:35:55 ----D---- C:\Program Files\IK Multimedia

======List of files/folders modified in the last 2 months======

2009-09-07 07:29:15 ----D---- C:\WINNT\Prefetch
2009-09-07 07:26:18 ----AD---- C:\WINNT\system32
2009-09-07 07:17:14 ----AD---- C:\WINNT\security
2009-09-07 07:17:11 ----AD---- C:\WINNT
2009-09-07 07:16:44 ----RAD---- C:\Program Files
2009-09-07 07:16:44 ----AD---- C:\WINNT\system32\drivers
2009-09-07 07:15:57 ----A---- C:\WINNT\SchedLgU.Txt
2009-09-07 07:13:24 ----D---- C:\WINNT\system32\CatRoot2
2009-09-07 07:13:20 ----RASHDC---- C:\WINNT\system32\dllcache
2009-09-06 22:25:46 ----HD---- C:\$AVG8.VAULT$
2009-09-05 12:51:14 ----A---- C:\WINNT\NeroDigital.ini
2009-08-23 18:53:17 ----D---- C:\Program Files\Mozilla Firefox
2009-08-18 22:30:03 ----D---- C:\Documents and Settings\Administrator\Application Data\uTorrent
2009-08-10 20:54:38 ----A---- C:\WINNT\ModemLog_SAMSUNG Mobile USB Modem.txt
2009-08-08 19:38:54 ----SHD---- C:\WINNT\Installer
2009-08-08 19:38:54 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-08-08 19:38:40 ----AD---- C:\WINNT\Help
2009-08-07 22:25:31 ----A---- C:\WINNT\system32\PerfStringBackup.INI
2009-08-07 22:22:36 ----HD---- C:\WINNT\inf
2009-08-07 22:15:30 ----AD---- C:\Program Files\Common Files\Microsoft Shared
2009-08-07 22:15:29 ----D---- C:\WINNT\winsxs
2009-08-06 20:15:45 ----SD---- C:\WINNT\Tasks
2009-08-01 22:29:26 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-08-01 22:14:20 ----D---- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2009-08-01 14:36:39 ----A---- C:\WINNT\system.ini
2009-08-01 14:24:17 ----AD---- C:\WINNT\AppPatch
2009-08-01 14:24:13 ----AD---- C:\Program Files\Common Files
2009-07-30 21:10:38 ----AD---- C:\WINNT\system32\config
2009-07-30 21:10:08 ----RD---- C:\WINNT\Web
2009-07-30 20:59:01 ----RASH---- C:\boot.ini
2009-07-30 20:53:22 ----D---- C:\WINNT\system32\NtmsData
2009-07-27 08:34:53 ----SHD---- C:\WINNT\CSC
2009-07-26 22:33:37 ----HD---- C:\Program Files\InstallShield Installation Information
2009-07-26 20:34:31 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-07-21 10:43:20 ----A---- C:\WINNT\WININIT.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Asapi;Asapi; C:\WINNT\system32\drivers\Asapi.sys [2002-04-17 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINNT\System32\Drivers\avgldx86.sys [2009-08-18 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINNT\System32\Drivers\avgmfx86.sys [2009-08-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINNT\System32\Drivers\avgtdix.sys [2009-05-04 108552]
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2006-11-09 58000]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2006-11-09 23420]
R1 pctfw2;pctfw2; \??\C:\WINNT\system32\drivers\pctfw2.sys []
R1 PQNTDrv;PQNTDrv; C:\WINNT\system32\drivers\PQNTDrv.sys [2002-09-16 4228]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SCDEmu;SCDEmu; C:\WINNT\system32\drivers\SCDEmu.sys [2007-01-20 31644]
R1 StarOpen;StarOpen; C:\WINNT\system32\drivers\StarOpen.sys [2006-07-24 5632]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINNT\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R2 irda;IrDA Protocol; C:\WINNT\System32\DRIVERS\irda.sys [2004-08-04 87424]
R2 symlcbrd;symlcbrd; \??\C:\WINNT\system32\drivers\symlcbrd.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINNT\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 CLEDX;Team H2O CLEDX service; C:\WINNT\system32\DRIVERS\cledx.sys [2005-05-09 33792]
R3 dmxfire;DMX6fire WDM Audio; C:\WINNT\system32\drivers\dmx6fire.sys [2003-08-29 148724]
R3 dmxsens;dmxsens; C:\WINNT\system32\drivers\dmxsens.sys [2003-07-22 403968]
R3 hidusb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [2001-08-23 9600]
R3 irsir;Microsoft Serial Infrared Driver; C:\WINNT\System32\DRIVERS\irsir.sys [2001-08-17 18688]
R3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2001-08-23 12160]
R3 NIC1394;1394 Net Driver; C:\WINNT\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 nv;nv; C:\WINNT\system32\DRIVERS\nv4_mini.sys [2005-12-01 3535424]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINNT\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINNT\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 Rasirda;WAN Miniport (IrDA); C:\WINNT\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINNT\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S1 tga;tga; C:\WINNT\system32\drivers\tga.sys []
S3 AMDPCI;AMDPCI; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AMDPCI.sys []
S3 BCM43XX;Belkin 802.11 Network Adapter Driver; C:\WINNT\system32\DRIVERS\bcmwl5.sys [2006-01-20 425216]
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 FXDRV;FXDRV; \??\E:\Fxdrv.sys []
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINNT\system32\drivers\lvusbsta.sys [2004-10-11 22016]
S3 MPE;BDA MPE Filter; C:\WINNT\system32\DRIVERS\MPE.sys [2004-08-04 15360]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\System32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINNT\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 PID_0928;Labtec WebCam(PID_0928); C:\WINNT\system32\DRIVERS\LV561AV.SYS [2004-10-11 211712]
S3 rootrepeal;rootrepeal; \??\C:\WINNT\system32\drivers\rootrepeal.sys []
S3 RTL8023;Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver; C:\WINNT\system32\DRIVERS\Rtlnic.sys [2004-07-16 69632]
S3 rtl8139;Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver; C:\WINNT\System32\DRIVERS\RTL8139.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINNT\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINNT\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINNT\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 SysProtDrv.sys;SysProtDrv.sys; \??\C:\Documents and Settings\Administrator\Desktop\SysProt\SysProtDrv.sys []
S3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINNT\system32\DRIVERS\usb8023x.sys [2005-10-21 12800]
S3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\System32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINNT\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 WpdUsb;WpdUsb; C:\WINNT\System32\Drivers\wpdusb.sys [2004-08-11 18944]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S4 aic116x;aic116x; C:\WINNT\system32\drivers\aic116x.sys []
S4 ami0nt;ami0nt; C:\WINNT\system32\drivers\ami0nt.sys []
S4 BusLogic;BusLogic; C:\WINNT\system32\drivers\BusLogic.sys []
S4 cpqarry2;cpqarry2; C:\WINNT\system32\drivers\cpqarry2.sys []
S4 cpqfcalm;cpqfcalm; C:\WINNT\system32\drivers\cpqfcalm.sys []
S4 cpqfws2e;cpqfws2e; C:\WINNT\system32\drivers\cpqfws2e.sys []
S4 deckzpsx;deckzpsx; C:\WINNT\system32\drivers\deckzpsx.sys []
S4 EFS;EFS; C:\WINNT\system32\drivers\EFS.sys []
S4 Fd16_700;Fd16_700; C:\WINNT\system32\drivers\Fd16_700.sys []
S4 fireport;fireport; C:\WINNT\system32\drivers\fireport.sys []
S4 flashpnt;flashpnt; C:\WINNT\system32\drivers\flashpnt.sys []
S4 IntelIde;IntelIde; C:\WINNT\system32\drivers\IntelIde.sys []
S4 ipsraidn;ipsraidn; C:\WINNT\system32\drivers\ipsraidn.sys []
S4 lp6nds35;lp6nds35; C:\WINNT\system32\drivers\lp6nds35.sys []
S4 Ncrc710;Ncrc710; C:\WINNT\system32\drivers\Ncrc710.sys []
S4 Parallel;Parallel class driver; C:\WINNT\System32\DRIVERS\parallel.sys []
S4 ql2100;ql2100; C:\WINNT\system32\drivers\ql2100.sys []
S4 ultra66;ultra66; C:\WINNT\system32\drivers\ultra66.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-18 297752]
R2 Irmon;Infrared Monitor; C:\WINNT\System32\svchost.exe [2004-08-04 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-08 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINNT\System32\nvsvc32.exe [2005-12-01 131139]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-11-19 1119888]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINNT\system32\wdfmgr.exe [2004-08-11 38912]
R2 wltrysvc;Broadcom Wireless LAN Tray Service; C:\WINNT\System32\wltrysvc.exe [2006-01-20 18944]
S2 Fax;Fax; C:\WINNT\system32\fxssvc.exe [2004-08-04 267776]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-11-15 69632]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 1029456]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-06-08 208896]
S3 UtilMan;Utility Manager; C:\WINNT\System32\UtilMan.exe [2004-08-04 50176]

-----------------EOF-----------------

-----

info.txt logfile of random's system information tool 1.06 2009-09-07 07:38:48

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINNT\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINNT\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
Adobe Acrobat 7.0 Professional-->msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player 10 Plugin-->C:\WINNT\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->C:\WINNT\system32\Macromed\Flash\UninstFl.exe -q
Adobe InDesign CS-->RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{416DFEDD-9F1B-4EFC-AF70-FCA891AE0251}\zidxp.exe"
ALi USB2.0 Driver-->C:\WINNT\system32\UnUSB20.EXE RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8E1DCD15-C9F1-49CE-807B-198C8241EB6B}\Setup.exe" -uninst
AmpliTube Metal-->C:\Program Files\InstallShield Installation Information\{9EDEF5B1-B740-4DFF-AC16-E2428E1713E8}\setup.exe -runfromtemp -l0x0009 uninstall -removeonly
AmpliTube2-->C:\Program Files\InstallShield Installation Information\{C95AACD4-9507-4F5C-9D53-22B1ACCFECD1}\setup.exe -runfromtemp -l0x0009 uninstall -removeonly
Another Matrix Screen Saver-->"C:\Program Files\Another Matrix Screen Saver\unins000.exe"
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ASAPI Update-->C:\WINNT\system32\IWUNIN~1.EXE -uninstall C:\WINNT\ISUNINST.EXE -fC:\PROGRA~1\VOB\ASAPIU~1\ASAPI.isu
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Belkin Wireless G Plus Desktop Card-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D59CAED6-39AF-4F87-AD40-C10C3906B7A4}\setup.exe" -l0x9 -removeonly
Browser Mouse-->C:\Program Files\Browser Mouse\Browser Mouse\1.1\unins000.EXE
Browser MOUSE-->C:\Program Files\Browser MOUSE\uninst00.exe
Canon Camera Support Core Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{5662C158-CA24-4228-BF6C-596FADA08682} /l1033
Canon Camera Window DS for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{7B847C9D-6758-45E6-B598-3BD8F43EAE9E}
Canon Camera Window DVC for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A70D14C6-FF2C-4B8E-A643-7E74EC607614}
Canon Camera Window for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E73534D5-CC93-4C63-9072-5A9734255C74}
Canon EOS Kiss_N REBEL_XT 350D TWAIN Driver-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E1CBE373-9A91-4CA8-9ACA-C037AE362C56}
Canon Internet Library for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F81FBFC-9A37-431F-9050-14B55485DF5A}
Canon RAW Image Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A0F34E4E-25F0-4B68-AE8F-EF0C15CB1FED}
Canon RemoteCapture Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities Digital Photo Professional 2.2-->"C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\DPP\Uninst.ini"
Canon Utilities EOS Capture 1.3-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{16480125-0428-4097-9A2A-74464004D169}
Canon ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
ComicRack v0.9.80-->C:\Program Files\ComicRack\uninst.exe
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DirectVobSub (remove only)-->"C:\Program Files\DirectVobSub\uninstall.exe"
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DMX 6fire 24/96 ControlPanel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A33D692-8679-4142-94C7-0BB784B9B3A3}\Setup.exe" -l0x9
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
FirstClass® Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B35C417-2649-11D6-83D1-0050FC01225C}\setup.exe" -l0x9 -uninst
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB909394)-->"C:\WINNT\$NtUninstallKB909394$\spuninst\spuninst.exe"
hp deskjet 920c series (Remove only)-->C:\Program Files\hp deskjet 920c series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB001 -vproduct=920c -huninstall
IK Multimedia Amplitube v1.3-->C:\PROGRA~1\IKMULT~1\AMPLIT~1\UNWISE.EXE C:\PROGRA~1\IKMULT~1\AMPLIT~1\INSTALL.LOG
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Korg Legacy Collection v1.0.0.2-->C:\PROGRA~1\KORG\KORGLE~1\UNWISE.EXE C:\PROGRA~1\KORG\KORGLE~1\INSTALL.LOG
Labtec WebCam Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9
Labtec® Camera Driver-->"C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Magic ISO Maker v5.4 (build 0256)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Fluff\unins000.exe"
MaxType LITE 1.6.22-->"C:\Program Files\MaxType LITE\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.5.2)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
Native Instruments Absynth 4-->C:\PROGRA~1\NATIVE~1\ABSYNT~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\ABSYNT~1\INSTALL.LOG
Native Instruments Massive v1.0.1.008 VSTi DXi RTAS-->C:\PROGRA~1\NATIVE~1\Massive\UNWISE.EXE C:\PROGRA~1\NATIVE~1\Massive\INSTALL.LOG
Native Instruments Reaktor v5.1.0 Addon-->C:\PROGRA~1\NATIVE~1\REAKTO~1\Library\UNWISE.EXE C:\PROGRA~1\NATIVE~1\REAKTO~1\Library\INSTALL.LOG
Native Instruments Reaktor v5.1.0-->C:\PROGRA~1\NATIVE~1\REAKTO~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\REAKTO~1\INSTALL.LOG
Nero 7 Premium-->MsiExec.exe /I{692854CC-97EF-4307-B787-8C6787B91033}
NVIDIA Drivers-->C:\WINNT\system32\nvudisp.exe UninstallGUI
oggcodecs 0.71.0946-->C:\Program Files\illiminable\oggcodecs\uninst.exe
OpenOffice.org 2.4-->MsiExec.exe /I{2CD2C0DB-81C3-416B-9FA6-589B9235359B}
Photomatix Pro version 2.2.3-->"C:\Program Files\Photomatix\unins000.exe"
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
PowerQuest PartitionMagic 8.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
QuarkXPress 6.1-->MsiExec.exe /I{FF0B0792-F6E7-4627-B820-EA50617E223B}
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Reason 4.0-->"C:\Program Files\Propellerhead\Reason\Uninstall Reason\unins000.exe"
SAMSUNG CDMA Modem Driver Set-->C:\WINNT\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
Samsung Media Studio-->C:\Program Files\InstallShield Installation Information\{C20CE592-B0F8-4D20-BF31-0151CA6331A6}\Setup.exe -runfromtemp -l0x0009 -removeonly
Samsung Mobile phone USB driver Software-->C:\WINNT\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software-->C:\WINNT\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software-->C:\WINNT\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly
Security Task Manager 1.7e-->C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft .NET Framework 2.0 (KB928365)-->C:\WINNT\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Windows Media Player 9 (KB936782)-->"C:\WINNT\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINNT\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINNT\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINNT\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINNT\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINNT\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINNT\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINNT\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINNT\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINNT\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINNT\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINNT\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINNT\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINNT\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINNT\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINNT\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINNT\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINNT\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINNT\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINNT\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINNT\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINNT\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINNT\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINNT\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINNT\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINNT\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINNT\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINNT\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINNT\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINNT\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINNT\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINNT\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINNT\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINNT\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923810)-->"C:\WINNT\$NtUninstallKB923810$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINNT\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINNT\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINNT\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINNT\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINNT\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINNT\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINNT\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINNT\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINNT\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINNT\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINNT\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINNT\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINNT\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINNT\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINNT\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINNT\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINNT\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINNT\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINNT\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINNT\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINNT\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINNT\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINNT\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINNT\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINNT\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB942615)-->"C:\WINNT\$NtUninstallKB942615$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINNT\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINNT\$NtUninstallKB944653$\spuninst\spuninst.exe"
Shockwave-->C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.2-->"C:\Program Files\SBla\unins000.exe"
Stamina 2.5-->"C:\Program Files\Stamina\uninstall.exe"
Steinberg Cubase SX v3.1.1.944-->C:\PROGRA~1\STEINB~1\CUBASE~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\CUBASE~1\INSTALL.LOG
Steinberg WaveLab 5.01b-->C:\PROGRA~1\STEINB~1\WaveLab\UNWISE.EXE C:\PROGRA~1\STEINB~1\WaveLab\INSTALL.LOG
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec KB-DocID:2003093015493306-->MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
SyncroSoft Emu (Remove only)-->C:\Program Files\SyncroSoft\Pos\H2O\Uninst.exe
Syncrosoft's License Control-->C:\PROGRA~1\SYNCRO~1\UNWISE.EXE C:\PROGRA~1\SYNCRO~1\INSTALL.LOG
Update for Windows XP (KB894391)-->"C:\WINNT\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINNT\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINNT\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINNT\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINNT\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINNT\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINNT\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINNT\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINNT\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINNT\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINNT\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINNT\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINNT\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINNT\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840)-->"C:\WINNT\$NtUninstallKB942840$\spuninst\spuninst.exe"
VideoLAN VLC media player 0.8.6c-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINNT\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Installer 3.1 (KB893803)-->"C:\WINNT\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Hotfix - KB873339-->C:\WINNT\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINNT\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINNT\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINNT\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINNT\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINNT\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINNT\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINNT\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Service Pack 2-->C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
XviD MPEG-4 Video Codec-->"C:\Program Files\XviD\unins000.exe"
Zip Motion Block Video codec (Remove Only)-->rundll.exe setupx.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\ZMBV.INF

======Security center information======

AV: AVG Anti-Virus Free (outdated)

======System event log======

Computer Name: RICKS
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
Beep

Record Number: 26414
Source Name: Service Control Manager
Time Written: 20090721104524.000000+060
Event Type: error
User:

Computer Name: RICKS
Event Code: 15
Message: RSM cannot manage library PhysicalDrive2. The database is corrupt.

Record Number: 26402
Source Name: Removable Storage Service
Time Written: 20090721085232.000000+060
Event Type: error
User:

Computer Name: RICKS
Event Code: 10010
Message: The server {0B365333-F00A-4598-924E-04C5AD497AD7} did not register with DCOM within the required timeout.

Record Number: 26401
Source Name: DCOM
Time Written: 20090721084436.000000+060
Event Type: error
User: RICKS\Administrator

Computer Name: RICKS
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
Beep

Record Number: 26383
Source Name: Service Control Manager
Time Written: 20090721084336.000000+060
Event Type: error
User:

Computer Name: RICKS
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 26376
Source Name: W32Time
Time Written: 20090720231800.000000+060
Event Type: warning
User:

=====Application event log=====

Computer Name: RICKS
Event Code: 1085
Message: The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.

Record Number: 3599
Source Name: Userenv
Time Written: 20090425193749.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: RICKS
Event Code: 1202
Message: Security policies were propagated with warning.
0x4b8 : An extended error has occurred.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".

Record Number: 3598
Source Name: SceCli
Time Written: 20090425193749.000000+060
Event Type: warning
User:

Computer Name: RICKS
Event Code: 1085
Message: The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.

Record Number: 3597
Source Name: Userenv
Time Written: 20090425175125.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: RICKS
Event Code: 1202
Message: Security policies were propagated with warning.
0x4b8 : An extended error has occurred.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".

Record Number: 3596
Source Name: SceCli
Time Written: 20090425175125.000000+060
Event Type: warning
User:

Computer Name: RICKS
Event Code: 1085
Message: The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.

Record Number: 3595
Source Name: Userenv
Time Written: 20090425161323.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Samsung\Samsung PC Studio 3;C:\WINNT\Microsoft.NET\Framework\v2.0.50727;C:\Program Files\QuickTime\QTSystem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=2f02
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------
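The info.txt dump above ends with RSIT's event-log excerpt: blank-line-separated key/value records whose "Time Written" is a WMI CIM_DATETIME. As an added example that is not part of RSIT or of this thread, the following Python parses that layout into records and flags the ones a responder would read first (the repeated Group Policy Security extension failures and the driver-load errors above); SAMPLE is constructed from two of the posted records, and the watch-list notes are my own paraphrases of the event text, not verdicts.

```python
# Parse the event-log part of an RSIT info.txt dump (the layout posted above) into
# records and flag the entries a responder reads first.  Added example, not RSIT
# code; SAMPLE is constructed from two of the posted records.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$", re.M)      # ======System event log======
CIM_RE = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")  # 20090721104524.000000+060
# One record: eight fixed fields; 'Message:' may span lines and ends at 'Record Number:'.
RECORD_RE = re.compile(
    r"^Computer Name:[ \t]*(?P<computer>[^\n]*)\n"
    r"Event Code:[ \t]*(?P<code>\d*)\n"
    r"Message:[ \t]*(?P<message>.*?)\n\s*"
    r"Record Number:[ \t]*(?P<recno>\d*)\n"
    r"Source Name:[ \t]*(?P<source>[^\n]*)\n"
    r"Time Written:[ \t]*(?P<written>\S*)\n"
    r"Event Type:[ \t]*(?P<etype>[^\n]*)\n"
    r"User:[ \t]*(?P<user>[^\n]*)", re.M | re.S)

@dataclass
class EventRecord:
    section: str
    computer: str
    code: int
    record_number: int
    source: str
    event_type: str
    user: str
    message: str
    written: Optional[datetime]

def parse_cim_datetime(text: str) -> Optional[datetime]:
    """WMI CIM_DATETIME: yyyymmddHHMMSS.ffffff+UUU, UUU = UTC offset in minutes."""
    m = CIM_RE.match(text.strip())
    if not m:
        return None
    stamp, micros, sign, offset = m.groups()
    minutes = int(offset) if sign == "+" else -int(offset)
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(
        microsecond=int(micros), tzinfo=timezone(timedelta(minutes=minutes)))

def parse_rsit_events(text: str) -> List[EventRecord]:
    """Walk the ======Section====== headers and collect the records under each."""
    records: List[EventRecord] = []
    headers = list(SECTION_RE.finditer(text))
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        for m in RECORD_RE.finditer(text, hdr.end(), end):
            records.append(EventRecord(
                section=hdr.group(1), computer=m["computer"].strip(),
                code=int(m["code"] or 0), record_number=int(m["recno"] or 0),
                source=m["source"].strip(), event_type=m["etype"].strip(),
                user=m["user"].strip(), message=m["message"].strip(),
                written=parse_cim_datetime(m["written"])))
    return records

# (source, code) -> what the event text says went wrong.  These are the entries
# seen in the dump above; a hit is a lead to check, not a malware verdict.
WATCHLIST = {
    ("Userenv", 1085): "Group Policy Security extension failed to execute",
    ("SceCli", 1202): "security policy propagated with warnings",
    ("Service Control Manager", 7026): "boot/system-start driver failed to load",
    ("W32Time", 36): "clock unsynchronised; event times unreliable for correlation",
}

def triage(records: List[EventRecord]) -> List[Tuple[EventRecord, str]]:
    """Return (record, note) for each record whose (source, code) is on the watch list."""
    return [(r, WATCHLIST[(r.source, r.code)]) for r in records
            if (r.source, r.code) in WATCHLIST]

# Constructed sample in the exact layout RSIT writes, taken from two posted records.
SAMPLE = r"""======System event log======

Computer Name: RICKS
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
Beep

Record Number: 26414
Source Name: Service Control Manager
Time Written: 20090721104524.000000+060
Event Type: error
User:

=====Application event log=====

Computer Name: RICKS
Event Code: 1085
Message: The Group Policy client-side extension Security failed to execute. Please look for any errors reported earlier by that extension.

Record Number: 3599
Source Name: Userenv
Time Written: 20090425193749.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM
"""
```

Running `triage(parse_rsit_events(open("info.txt").read()))` over a full dump gives the same kind of short list for a whole log.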

#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Location:Warrington, UK

Posted 07 September 2009 - 05:09 AM

Hi Sarahcc1984,

No worries, we understand the frustration of having to wait so long; unfortunately there are just so many people seeking help and not enough people to help them.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.


Before you do any of the next steps you need to temporarily disable the TeaTimer protection in Spybot, as it may stop the tools we use from doing their job. Please keep it disabled whilst I am helping you; then you can enable it again when you're clean.

To disable Teatimer, open Spybot and click on the Mode tab and select Advanced mode.
It will ask you if you're sure you want to go into advanced mode; select Yes.
Now go to Tools and click on the Resident tab.
Uncheck the box that says "Resident "TeaTimer" (Protection of over-all system settings) active".
Then close Spybot and reboot your computer.

Next

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



It appears you have been running ComboFix; I would like to see the log it produced.

ComboFix should not be run unless requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Post the contents of C:\ComboFix.txt in your next reply.

Then please post back here with the following:
  • Gmer log
  • Combofix.txt
Thanks



#6 Sarahcc1984

Sarahcc1984
  • Topic Starter
  • Members
  • 11 posts

Posted 07 September 2009 - 04:21 PM

Hello,

Oh dear, that is really bad news! I have disconnected the PC from the internet, and changed my passwords. I am now working from a laptop.

If it's OK with you I would like to try and remove the Rootkit, though I do understand this may not be possible. I will work on the laptop and use my computer at work for secure stuff (I am really beginning to like Macs, apart from their cost!)

Really it would be cool just to get my music back and have the system run smoothly; Windows has been asking for the OS disc as it tells me there are problems with integral files. This has just occurred recently, after it picked up the virus / malware.

Anyhoo please find the logs requested below, and I will speak to my brother about reformatting the PC and starting again if it cannot be fixed.

Thanks again for helping! : )

GMER 1.0.15.15077 [zumnbmlj.exe] - http://www.gmer.net
Rootkit scan 2009-09-07 21:27:09
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76E087E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76E0BFE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF39EC0B0]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs [86199C01] Ntfs.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


ComboFix 09-07-29.04 - Administrator 07/09/2009 22:02.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.584 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-07 06:38 . 2009-09-07 06:38 -------- d-----w- C:\rsit
2009-08-23 17:54 . 2009-08-23 17:54 625824 -c--a-w- c:\winnt\system32\dllcache\ntfs.sys
2009-08-19 06:33 . 2009-08-19 06:33 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-18 17:15 . 2009-08-18 17:15 11952 ----a-w- c:\winnt\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 20:44 . 2009-07-27 08:09 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-07 18:49 . 2009-05-19 08:04 664 ----a-w- c:\winnt\system32\d3d9caps.dat
2009-08-23 17:54 . 2001-08-23 12:00 625824 ----a-w- c:\winnt\system32\drivers\ntfs.sys
2009-08-19 06:33 . 2009-07-27 09:36 -------- d-----w- c:\program files\Fluff
2009-08-18 21:30 . 2007-03-11 13:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-08-18 17:15 . 2009-03-08 10:09 335240 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2009-08-18 17:15 . 2009-03-08 10:09 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys
2009-08-08 18:38 . 2009-08-07 21:15 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-07 16:42 . 2009-07-27 08:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-03 12:36 . 2009-07-27 09:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-07-27 09:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-08-01 21:29 . 2007-12-14 22:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-01 21:14 . 2009-08-01 21:14 1507 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D33A333FC5212A23D8ECC5D54132E172.dll
2009-08-01 21:14 . 2009-08-01 21:14 652 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B0B35DEDC76B4424EAA66DDFC3821DFE.dll
2009-08-01 21:14 . 2007-03-11 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-08-01 21:14 . 2009-08-01 21:14 139 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1FBBCDDC3072CB6439B8CB8CA1E1AEAA.dll
2009-08-01 19:29 . 2009-08-01 19:29 -------- d-----w- c:\program files\ESET
2009-07-31 20:12 . 2009-07-31 20:12 -------- d-----w- c:\program files\Trend Micro
2009-07-27 08:20 . 2009-07-27 08:20 -------- d-----w- c:\program files\SBla
2009-07-27 08:07 . 2009-07-27 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-27 08:07 . 2009-07-27 08:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-27 07:56 . 2009-07-27 07:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-03 14:49 . 2009-07-27 07:57 64160 ----a-w- c:\winnt\system32\drivers\Lbd.sys
2009-07-03 14:49 . 2009-07-27 08:06 15688 ----a-w- c:\winnt\system32\lsdelete.exe
2006-11-09 15:01 . 2006-11-09 13:21 21952 ---h--w- c:\program files\folder.htt
2009-08-15 10:34 . 2008-12-20 15:17 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-07-26 23:06 . 2007-07-26 23:06 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-07-26 23:06 . 2007-07-26 23:06 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-07-26 23:06 . 2007-07-26 23:06 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-30_20.14.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-09-23 00:16 . 2005-09-23 00:16 57344 c:\winnt\winsxs\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80u.dll
+ 2005-09-23 00:16 . 2005-09-23 00:16 69632 c:\winnt\winsxs\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfcm80.dll
+ 2009-09-07 20:43 . 2009-09-07 20:43 16384 c:\winnt\temp\Perflib_Perfdata_528.dat
- 2001-08-23 12:00 . 2005-06-10 23:53 57856 c:\winnt\system32\spoolsv.exe
+ 2001-08-23 12:00 . 2004-08-04 00:56 57856 c:\winnt\system32\spoolsv.exe
- 2001-05-08 12:00 . 2009-03-30 16:40 64270 c:\winnt\system32\perfc009.dat
+ 2001-05-08 12:00 . 2009-08-07 21:25 64270 c:\winnt\system32\perfc009.dat
+ 2007-11-22 18:12 . 2005-10-21 01:47 12800 c:\winnt\system32\drivers\usb8023x.sys
+ 2001-08-23 12:00 . 2005-10-21 01:47 12800 c:\winnt\system32\drivers\usb8023.sys
+ 2007-11-22 18:12 . 2005-10-21 01:47 30592 c:\winnt\system32\drivers\rndismpx.sys
+ 2001-08-23 12:00 . 2005-10-21 01:47 30592 c:\winnt\system32\drivers\rndismp.sys
+ 2001-08-23 12:00 . 2004-08-04 00:56 57856 c:\winnt\system32\dllcache\spoolsv.exe
+ 2009-08-07 21:15 . 2005-10-21 01:47 12800 c:\winnt\Driver Cache\i386\usb8023x.sys
+ 2009-08-07 21:15 . 2005-10-21 01:47 30592 c:\winnt\Driver Cache\i386\rndismpx.sys
+ 2009-08-07 21:16 . 2004-08-03 23:04 12672 c:\winnt\$NtUninstallKB909394$\usb8023x.sys
+ 2009-08-07 21:16 . 2004-08-03 23:04 12672 c:\winnt\$NtUninstallKB909394$\usb8023.sys
+ 2009-08-07 21:16 . 2004-08-03 23:04 30080 c:\winnt\$NtUninstallKB909394$\rndismpx.sys
+ 2009-08-07 21:16 . 2004-08-03 23:04 30080 c:\winnt\$NtUninstallKB909394$\rndismp.sys
+ 2001-08-23 12:00 . 2004-08-04 00:56 577024 c:\winnt\system32\user32.dll
+ 2001-05-08 12:00 . 2009-08-07 21:25 406460 c:\winnt\system32\perfh009.dat
- 2001-05-08 12:00 . 2009-03-30 16:40 406460 c:\winnt\system32\perfh009.dat
+ 2001-08-23 12:00 . 2001-08-23 12:00 924432 c:\winnt\system32\mfc40u.dll
+ 2001-08-23 12:00 . 2004-08-03 23:14 359040 c:\winnt\system32\drivers\tcpip.sys
+ 2001-08-23 12:00 . 2004-08-04 00:56 577024 c:\winnt\system32\dllcache\user32.dll
+ 2001-08-23 12:00 . 2004-08-03 23:14 359040 c:\winnt\system32\dllcache\tcpip.sys
+ 2001-08-23 12:00 . 2001-08-23 12:00 924432 c:\winnt\system32\dllcache\mfc40u.dll
+ 2001-08-23 12:00 . 2004-08-04 00:56 611328 c:\winnt\system32\dllcache\comctl32.dll
+ 2001-08-23 12:00 . 2004-08-04 00:56 611328 c:\winnt\system32\comctl32.dll
+ 2009-08-07 21:16 . 2005-10-12 23:12 371424 c:\winnt\$NtUninstallKB909394$\spuninst\updspapi.dll
+ 2009-08-07 21:16 . 2005-10-12 23:12 213216 c:\winnt\$NtUninstallKB909394$\spuninst\spuninst.exe
+ 2005-09-23 00:16 . 2005-09-23 00:16 1079808 c:\winnt\winsxs\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80u.dll
+ 2005-09-23 00:16 . 2005-09-23 00:16 1093632 c:\winnt\winsxs\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80.dll
+ 2001-08-23 12:00 . 2004-08-03 23:20 2180992 c:\winnt\system32\ntoskrnl.exe
+ 2001-08-17 13:48 . 2004-08-03 22:59 2056832 c:\winnt\system32\ntkrnlpa.exe
+ 2001-08-23 12:00 . 2004-08-03 23:20 2180992 c:\winnt\system32\dllcache\ntoskrnl.exe
+ 2001-08-17 13:48 . 2004-08-03 22:59 2056832 c:\winnt\system32\dllcache\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-07 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [2006-11-12 360448]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb03.exe" [2001-07-23 200704]
"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [2005-12-01 7311360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 136600]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"LWBMOUSE"="c:\program files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE" [2001-11-20 356352]
"NvMediaCenter"="c:\winnt\System32\NvMcTray.dll" [2005-12-01 86016]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-18 2007832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"LVCOMSX"="c:\winnt\system32\LVCOMSX.EXE" [2004-12-14 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-12-14 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-12-14 217088]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2004-08-04 143360]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2005-12-01 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-11 110592]
DMX 6fire 2496 ControlPanel.lnk - c:\program files\TerraTec\DMX 6fire\DMX6Fire.exe [2006-11-9 335872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 17:15 11952 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINNT\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [27/07/2009 08:57 64160]
R1 Asapi;Asapi;c:\winnt\system32\drivers\asapi.sys [11/11/2007 13:36 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [08/03/2009 11:09 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [08/03/2009 11:09 108552]
R1 pctfw2;pctfw2;c:\winnt\system32\drivers\pctfw2.sys [25/01/2008 20:22 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [18/08/2009 18:14 297752]
R3 CLEDX;Team H2O CLEDX service;c:\winnt\system32\drivers\cledx.sys [10/06/2007 16:59 33792]
R3 dmxfire;DMX6fire WDM Audio;c:\winnt\system32\drivers\dmx6fire.sys [29/08/2003 10:30 148724]
R3 dmxsens;dmxsens;c:\winnt\system32\drivers\dmxsens.sys [22/07/2003 15:07 403968]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Administrator\Desktop\SysProt\SysProtDrv.sys [29/07/2009 20:07 44288]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [29/11/2006 18:26 49776]
.
Contents of the 'Scheduled Tasks' folder

2009-07-27 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.google.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\80neu3cy.default\
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\80neu3cy.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 22:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(648)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'explorer.exe'(7716)
c:\winnt\system32\nview.dll
c:\winnt\system32\nvwddi.dll
c:\winnt\System32\shdoclc.dll
.
Completion time: 2009-09-07 22:05
ComboFix-quarantined-files.txt 2009-09-07 21:05
ComboFix2.txt 2009-08-01 13:39
ComboFix3.txt 2009-07-31 19:20
ComboFix4.txt 2009-07-30 20:17

Pre-Run: 44,853,243,904 bytes free
Post-Run: 44,824,870,912 bytes free

250 --- E O F --- 2007-12-12 18:51

#7 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:38 AM

Posted 08 September 2009 - 06:57 PM

Hi,

Before you do any of the next steps you need to temporarily disable the TeaTimer protection in Spybot, as it may
stop the tools we use from doing their job. Please keep it disabled whilst I am helping you; then you can enable it again
when you're clean.

To disable TeaTimer, open Spybot and click on the Mode tab and select Advanced mode.
It will ask you if you're sure you want to go into advanced mode; select yes.
Now go to tools and click on the resident tab.
Uncheck the box that says "Resident "TeaTimer" (Protection of over-all system settings) active".
Then close Spybot and reboot your computer.

Next

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.

Next

You still have some leftovers from an incomplete uninstallation of Norton security products on your computer.

To remove the leftovers please download and run the Norton Removal Tool.

Note: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer.
If you use ACT! or WinFAX, back up those databases before you proceed.


Next

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Next

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code under the "Paste Instructions for Items to be Moved" area. Do not include the word "Code".
    :Reg
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "braviax"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
    "braviax"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=""
    :Commands
    [EmptyTemp]
    [Reboot]
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Then please post back here with the following:
  • OTM results
  • New RSIT log
Thanks

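As an added example (not code from this thread, from OTM or from HijackThis), here is a small Python triage pass over HijackThis/RSIT-style log lines that flags the entry classes the script above and the logs in this thread turn on: a Run value under the SYSTEM or .DEFAULT hive (the braviax value), a non-empty AppInit_DLLs, an unknown Winsock LSP, and a Windows Firewall that has been switched off. The sample lines are constructed; the braviax executable path and the AppInit DLL path are placeholders.

```python
"""Triage helper for HijackThis / RSIT style log lines.

Added example, not code from this thread, from OTM or from HijackThis.
It flags the classes of entry acted on above: a Run value under the
SYSTEM (S-1-5-18) or .DEFAULT user hive, a non-empty AppInit_DLLs value,
an unknown Winsock LSP, and a Windows Firewall that has been switched off.
"""
import re

# HijackThis lines look like "O4 - HKLM\..\Run: [Name] C:\path\prog.exe"
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# ComboFix / RSIT firewall dump line: "EnableFirewall"= 0 (0x0)
FIREWALL_LINE = re.compile(r'"EnableFirewall"\s*=\s*(?P<value>\d+)')
# Run keys of the SYSTEM account and of the hive used at the logon screen;
# a value here starts before any user logs on.  RunOnce is deliberately
# excluded because Windows setup leaves legitimate entries there.
SYSTEM_RUN_PREFIXES = (r"HKUS\S-1-5-18\..\Run:", r"HKUS\.DEFAULT\..\Run:")

# Constructed sample log.  The braviax value name and mswsock32.dll come from
# the thread; the two file paths marked "placeholder" are invented.
SAMPLE_LOG = [
    r'"EnableFirewall"= 0 (0x0)',
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')",
    r"O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\placeholder\braviax.exe (User 'SYSTEM')",
    r"O10 - Unknown file in Winsock LSP: c:\winnt\system32\mswsock32.dll",
    r"O20 - AppInit_DLLs: c:\placeholder\injected.dll",
    r"O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll",
]


def parse_hjt_line(line):
    """Split a HijackThis line into (code, body); None for any other line."""
    m = HJT_LINE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def triage(lines):
    """Return (severity, reason, line) findings, in log order."""
    findings = []
    firewall_seen = False
    for raw in lines:
        line = raw.strip()
        fw = FIREWALL_LINE.search(line)
        if fw:
            firewall_seen = True
            if fw.group("value") == "0":
                findings.append(("high", "Windows Firewall disabled", line))
            continue
        parsed = parse_hjt_line(line)
        if parsed is None:
            continue
        code, body = parsed
        if code == "O4" and body.startswith(SYSTEM_RUN_PREFIXES):
            # Runs as SYSTEM at the logon screen; almost never legitimate.
            findings.append(("high", "Run value in SYSTEM/.DEFAULT hive", line))
        elif code == "O10":
            # A Winsock LSP is loaded into every networking process and sees
            # all socket traffic; HijackThis only reports ones it cannot name.
            findings.append(("high", "Unknown Winsock LSP", line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded by every process that maps user32.dll;
            # the cleanup script above sets it back to an empty string.
            findings.append(("high", "AppInit_DLLs set", line))
        elif code == "O20":
            # Winlogon Notify packages load into winlogon.exe; review, not alarm.
            findings.append(("info", "Winlogon Notify package", line))
    if not firewall_seen:
        findings.append(("info", "No firewall state line in log", ""))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:4}] {reason}: {line}")
```

Feed it the lines of a real RSIT or ComboFix log (one string per line) and review the "high" findings first; everything it does not flag still needs the usual human read.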


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:38 AM

Posted 13 September 2009 - 09:45 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



#9 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:38 AM

Posted 19 September 2009 - 06:20 AM

Topic reopened at OP request.



#10 Sarahcc1984

Sarahcc1984
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 19 September 2009 - 07:20 AM

Hey,

Thanks so much for reopening the topic!

Please find the requested reports below:

All processes killed
========== REGISTRY ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\braviax not found.
Unable to set value : HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\"braviax"|-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] /E!
Unable to set value : HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\"AppInit_DLLS"|"" /E!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 18466148 bytes
->Temporary Internet Files folder emptied: 82054 bytes
->Java cache emptied: 10776086 bytes
->FireFox cache emptied: 45100862 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 3622703 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINNT\msdownld.tmp folder deleted successfully.
C:\WINNT\msiinst.tmp folder deleted successfully.
C:\WINNT\NV2201088.TMP folder deleted successfully.
%systemroot% .tmp files removed: 4651237 bytes
%systemroot%\System32 .tmp files removed: 30455924 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 1826 bytes

Total Files Cleaned = 107.95 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09192009_111009

Files moved on Reboot...

Registry entries deleted on Reboot...





Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-09-19 11:34:43
Microsoft Windows XP Professional Service Pack 2
System drive C: has 43 GB (46%) free of 94 GB
Total RAM: 958 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:45, on 19/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\Explorer.EXE
C:\WINNT\notepad.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mswsock32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163079250296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163085921625
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

--
End of file - 6676 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\Ad-Aware Update (Weekly).job
C:\WINNT\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"FLMOFFICE4DMOUSE"=C:\Program Files\Browser MOUSE\mouse32a.exe [2006-11-12 360448]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]
"HPDJ Taskbar Utility"=C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe [2001-07-23 200704]
"NvCplDaemon"=C:\WINNT\System32\NvCpl.dll [2005-12-01 7311360]
"nwiz"=nwiz.exe /install []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-08 136600]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"H2O"=C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe [2005-10-23 385024]
"LWBMOUSE"=C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE [2001-11-20 356352]
"NvMediaCenter"=C:\WINNT\System32\NvMcTray.dll [2005-12-01 86016]
"SMSTray"=C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe [2007-02-23 126976]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-08-18 2007832]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"LVCOMSX"=C:\WINNT\system32\LVCOMSX.EXE [2004-12-14 221184]
"LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe [2004-12-14 458752]
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe [2004-12-14 217088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-08-07 1830128]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
DMX 6fire 2496 ControlPanel.lnk - C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINNT\system32\avgrsstx.dll [2009-08-18 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
C:\WINNT\system32\wzcdlg.dll [2004-08-04 378368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"=C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NBF]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nbf.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ProtectedStorage]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINNT\system32\sessmgr.exe"="C:\WINNT\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Administrator\Desktop\utorrent.exe"="C:\Documents and Settings\Administrator\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe:*:Disabled:Spybot - Search & Destroy"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-09-19 11:10:09 ----D---- C:\_OTM
2009-09-19 11:05:37 ----D---- C:\Program Files\ERUNT
2009-09-19 10:16:42 ----SHD---- C:\RECYCLER
2009-09-19 10:16:25 ----SD---- C:\Combo-Fix
2009-09-07 22:05:41 ----A---- C:\ComboFix.txt
2009-09-07 07:38:33 ----D---- C:\rsit
2009-08-24 20:51:38 ----A---- C:\RootRepeal report 08-24-09 (20-51-38).txt

======List of files/folders modified in the last 1 months======

2009-09-19 11:12:18 ----D---- C:\WINNT\ERDNT
2009-09-19 11:12:18 ----AD---- C:\WINNT\system32
2009-09-19 11:12:00 ----AD---- C:\WINNT\security
2009-09-19 11:10:45 ----A---- C:\WINNT\SchedLgU.Txt
2009-09-19 11:10:20 ----D---- C:\WINNT\Prefetch
2009-09-19 11:10:15 ----D---- C:\WINNT\temp
2009-09-19 11:10:15 ----AD---- C:\WINNT
2009-09-19 11:05:37 ----RAD---- C:\Program Files
2009-09-19 10:28:07 ----D---- C:\WINNT\system32\CatRoot2
2009-09-19 10:28:05 ----HD---- C:\WINNT\inf
2009-09-19 10:28:02 ----SHD---- C:\System Volume Information
2009-09-19 10:28:02 ----D---- C:\WINNT\system32\Restore
2009-09-19 10:26:41 ----AD---- C:\WINNT\system32\drivers
2009-09-19 10:24:18 ----SHD---- C:\WINNT\Installer
2009-09-19 10:24:17 ----SD---- C:\WINNT\Tasks
2009-09-19 10:21:58 ----D---- C:\Program Files\Mozilla Firefox
2009-09-19 10:20:45 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-09-07 22:03:28 ----A---- C:\WINNT\system.ini
2009-09-07 07:13:20 ----RASHDC---- C:\WINNT\system32\dllcache
2009-09-06 22:25:46 ----HD---- C:\$AVG8.VAULT$
2009-09-05 12:51:14 ----A---- C:\WINNT\NeroDigital.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Asapi;Asapi; C:\WINNT\system32\drivers\Asapi.sys [2002-04-17 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINNT\System32\Drivers\avgldx86.sys [2009-08-18 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINNT\System32\Drivers\avgmfx86.sys [2009-08-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINNT\System32\Drivers\avgtdix.sys [2009-05-04 108552]
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2006-11-09 58000]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2006-11-09 23420]
R1 pctfw2;pctfw2; \??\C:\WINNT\system32\drivers\pctfw2.sys []
R1 PQNTDrv;PQNTDrv; C:\WINNT\system32\drivers\PQNTDrv.sys [2002-09-16 4228]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SCDEmu;SCDEmu; C:\WINNT\system32\drivers\SCDEmu.sys [2007-01-20 31644]
R1 StarOpen;StarOpen; C:\WINNT\system32\drivers\StarOpen.sys [2006-07-24 5632]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINNT\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R2 irda;IrDA Protocol; C:\WINNT\System32\DRIVERS\irda.sys [2004-08-04 87424]
R3 Arp1394;1394 ARP Client Protocol; C:\WINNT\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 CLEDX;Team H2O CLEDX service; C:\WINNT\system32\DRIVERS\cledx.sys [2005-05-09 33792]
R3 dmxfire;DMX6fire WDM Audio; C:\WINNT\system32\drivers\dmx6fire.sys [2003-08-29 148724]
R3 dmxsens;dmxsens; C:\WINNT\system32\drivers\dmxsens.sys [2003-07-22 403968]
R3 hidusb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [2001-08-23 9600]
R3 irsir;Microsoft Serial Infrared Driver; C:\WINNT\System32\DRIVERS\irsir.sys [2001-08-17 18688]
R3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2001-08-23 12160]
R3 NIC1394;1394 Net Driver; C:\WINNT\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 nv;nv; C:\WINNT\system32\DRIVERS\nv4_mini.sys [2005-12-01 3535424]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINNT\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINNT\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 Rasirda;WAN Miniport (IrDA); C:\WINNT\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINNT\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S1 tga;tga; C:\WINNT\system32\drivers\tga.sys []
S3 AMDPCI;AMDPCI; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AMDPCI.sys []
S3 BCM43XX;Belkin 802.11 Network Adapter Driver; C:\WINNT\system32\DRIVERS\bcmwl5.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 FXDRV;FXDRV; \??\E:\Fxdrv.sys []
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINNT\system32\drivers\lvusbsta.sys [2004-10-11 22016]
S3 MPE;BDA MPE Filter; C:\WINNT\system32\DRIVERS\MPE.sys [2004-08-04 15360]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\System32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINNT\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 PID_0928;Labtec WebCam(PID_0928); C:\WINNT\system32\DRIVERS\LV561AV.SYS [2004-10-11 211712]
S3 RTL8023;Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver; C:\WINNT\system32\DRIVERS\Rtlnic.sys [2004-07-16 69632]
S3 rtl8139;Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver; C:\WINNT\System32\DRIVERS\RTL8139.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINNT\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINNT\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINNT\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 SysProtDrv.sys;SysProtDrv.sys; \??\C:\Documents and Settings\Administrator\Desktop\SysProt\SysProtDrv.sys []
S3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINNT\system32\DRIVERS\usb8023x.sys [2005-10-21 12800]
S3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\System32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINNT\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 WpdUsb;WpdUsb; C:\WINNT\System32\Drivers\wpdusb.sys [2004-08-11 18944]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S4 aic116x;aic116x; C:\WINNT\system32\drivers\aic116x.sys []
S4 ami0nt;ami0nt; C:\WINNT\system32\drivers\ami0nt.sys []
S4 BusLogic;BusLogic; C:\WINNT\system32\drivers\BusLogic.sys []
S4 cpqarry2;cpqarry2; C:\WINNT\system32\drivers\cpqarry2.sys []
S4 cpqfcalm;cpqfcalm; C:\WINNT\system32\drivers\cpqfcalm.sys []
S4 cpqfws2e;cpqfws2e; C:\WINNT\system32\drivers\cpqfws2e.sys []
S4 deckzpsx;deckzpsx; C:\WINNT\system32\drivers\deckzpsx.sys []
S4 EFS;EFS; C:\WINNT\system32\drivers\EFS.sys []
S4 Fd16_700;Fd16_700; C:\WINNT\system32\drivers\Fd16_700.sys []
S4 fireport;fireport; C:\WINNT\system32\drivers\fireport.sys []
S4 flashpnt;flashpnt; C:\WINNT\system32\drivers\flashpnt.sys []
S4 IntelIde;IntelIde; C:\WINNT\system32\drivers\IntelIde.sys []
S4 ipsraidn;ipsraidn; C:\WINNT\system32\drivers\ipsraidn.sys []
S4 lp6nds35;lp6nds35; C:\WINNT\system32\drivers\lp6nds35.sys []
S4 Ncrc710;Ncrc710; C:\WINNT\system32\drivers\Ncrc710.sys []
S4 Parallel;Parallel class driver; C:\WINNT\System32\DRIVERS\parallel.sys []
S4 ql2100;ql2100; C:\WINNT\system32\drivers\ql2100.sys []
S4 ultra66;ultra66; C:\WINNT\system32\drivers\ultra66.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-18 297752]
R2 Irmon;Infrared Monitor; C:\WINNT\System32\svchost.exe [2004-08-04 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-08 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINNT\System32\nvsvc32.exe [2005-12-01 131139]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINNT\system32\wdfmgr.exe [2004-08-11 38912]
S2 Fax;Fax; C:\WINNT\system32\fxssvc.exe [2004-08-04 267776]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-11-15 69632]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 1029456]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-06-08 208896]
S3 UtilMan;Utility Manager; C:\WINNT\System32\UtilMan.exe [2004-08-04 50176]

-----------------EOF-----------------

#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:38 AM

Posted 20 September 2009 - 07:33 AM

Hello,

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back here with the following logs:
  • Kaspersky report
  • New Rsit log
Thanks



#12 Sarahcc1984

Sarahcc1984
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 21 September 2009 - 01:19 AM

Hello, old Java removed, new Java installed & reports as requested!


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 21, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, September 20, 2009 20:57:24
Records in database: 2864428
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
X:\

Scan statistics:
Objects scanned: 111273
Threats found: 2
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 07:04:34


File name / Threat / Threats count
services.exe\mswsock32.dll/services.exe\mswsock32.dll Infected: Trojan.Win32.Agent.aykf 1
C:\WINNT\system32\mswsock32.dll/C:\WINNT\system32\mswsock32.dll Infected: Trojan.Win32.Agent.aykf 6
C:\Program Files\Mozilla Firefox\chrome\error.jar Infected: Trojan.Win32.Agent.aykf 1
C:\WINNT\system32\dllcache\ntfs.sys Infected: Virus.Win32.Protector.c 1
C:\WINNT\system32\drivers\ntfs.sys Infected: Virus.Win32.Protector.c 1
C:\WINNT\system32\mswsock32.dll Infected: Trojan.Win32.Agent.aykf 1

Selected area has been scanned.

---

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-09-21 06:48:06
Microsoft Windows XP Professional Service Pack 2
System drive C: has 43 GB (45%) free of 94 GB
Total RAM: 958 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:48:21, on 21/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe
C:\WINNT\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mswsock32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163079250296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163085921625
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

--
End of file - 7025 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\Ad-Aware Update (Weekly).job
C:\WINNT\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-09-20 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-09-20 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"FLMOFFICE4DMOUSE"=C:\Program Files\Browser MOUSE\mouse32a.exe [2006-11-12 360448]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]
"HPDJ Taskbar Utility"=C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe [2001-07-23 200704]
"NvCplDaemon"=C:\WINNT\System32\NvCpl.dll [2005-12-01 7311360]
"nwiz"=nwiz.exe /install []
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"H2O"=C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe [2005-10-23 385024]
"LWBMOUSE"=C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE [2001-11-20 356352]
"NvMediaCenter"=C:\WINNT\System32\NvMcTray.dll [2005-12-01 86016]
"SMSTray"=C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe [2007-02-23 126976]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-08-18 2007832]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"LVCOMSX"=C:\WINNT\system32\LVCOMSX.EXE [2004-12-14 221184]
"LogitechVideoRepair"=C:\Program Files\Logitech\Video\ISStart.exe [2004-12-14 458752]
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe [2004-12-14 217088]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-09-20 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-08-07 1830128]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
DMX 6fire 2496 ControlPanel.lnk - C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINNT\system32\avgrsstx.dll [2009-08-18 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
C:\WINNT\system32\wzcdlg.dll [2004-08-04 378368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"=C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NBF]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nbf.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ProtectedStorage]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINNT\system32\sessmgr.exe"="C:\WINNT\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Administrator\Desktop\utorrent.exe"="C:\Documents and Settings\Administrator\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe:*:Disabled:Spybot - Search & Destroy"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-09-20 19:57:32 ----A---- C:\WINNT\system32\javaws.exe
2009-09-20 19:57:32 ----A---- C:\WINNT\system32\javaw.exe
2009-09-20 19:57:32 ----A---- C:\WINNT\system32\java.exe
2009-09-19 11:10:09 ----D---- C:\_OTM
2009-09-19 11:05:37 ----D---- C:\Program Files\ERUNT
2009-09-19 10:16:42 ----SHD---- C:\RECYCLER
2009-09-07 22:05:41 ----A---- C:\ComboFix.txt
2009-09-07 07:38:33 ----D---- C:\rsit
2009-08-24 20:51:38 ----A---- C:\RootRepeal report 08-24-09 (20-51-38).txt

======List of files/folders modified in the last 1 months======

2009-09-21 06:48:09 ----D---- C:\WINNT\Prefetch
2009-09-21 06:16:54 ----D---- C:\WINNT\temp
2009-09-20 20:15:51 ----D---- C:\Program Files\Mozilla Firefox
2009-09-20 19:57:35 ----SHD---- C:\WINNT\Installer
2009-09-20 19:57:32 ----AD---- C:\WINNT\system32
2009-09-20 19:57:13 ----A---- C:\WINNT\system32\deploytk.dll
2009-09-20 19:56:20 ----D---- C:\Program Files\Java
2009-09-20 19:56:19 ----AD---- C:\Program Files\Common Files
2009-09-20 17:11:30 ----AD---- C:\WINNT\security
2009-09-19 23:32:48 ----A---- C:\WINNT\SchedLgU.Txt
2009-09-19 18:47:46 ----A---- C:\WINNT\NeroDigital.ini
2009-09-19 12:01:18 ----RAD---- C:\Program Files
2009-09-19 12:00:35 ----D---- C:\Program Files\FirstClass
2009-09-19 12:00:35 ----D---- C:\Documents and Settings\All Users\Application Data\FirstClass
2009-09-19 12:00:35 ----AD---- C:\WINNT
2009-09-19 11:59:07 ----SD---- C:\WINNT\Tasks
2009-09-19 11:12:18 ----D---- C:\WINNT\ERDNT
2009-09-19 10:28:07 ----D---- C:\WINNT\system32\CatRoot2
2009-09-19 10:28:05 ----HD---- C:\WINNT\inf
2009-09-19 10:28:02 ----SHD---- C:\System Volume Information
2009-09-19 10:28:02 ----D---- C:\WINNT\system32\Restore
2009-09-19 10:26:41 ----AD---- C:\WINNT\system32\drivers
2009-09-19 10:20:45 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-09-07 22:03:28 ----A---- C:\WINNT\system.ini
2009-09-07 07:13:20 ----RASHDC---- C:\WINNT\system32\dllcache
2009-09-06 22:25:46 ----HD---- C:\$AVG8.VAULT$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Asapi;Asapi; C:\WINNT\system32\drivers\Asapi.sys [2002-04-17 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINNT\System32\Drivers\avgldx86.sys [2009-08-18 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINNT\System32\Drivers\avgmfx86.sys [2009-08-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINNT\System32\Drivers\avgtdix.sys [2009-05-04 108552]
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2006-11-09 58000]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2006-11-09 23420]
R1 pctfw2;pctfw2; \??\C:\WINNT\system32\drivers\pctfw2.sys []
R1 PQNTDrv;PQNTDrv; C:\WINNT\system32\drivers\PQNTDrv.sys [2002-09-16 4228]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SCDEmu;SCDEmu; C:\WINNT\system32\drivers\SCDEmu.sys [2007-01-20 31644]
R1 StarOpen;StarOpen; C:\WINNT\system32\drivers\StarOpen.sys [2006-07-24 5632]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINNT\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R2 irda;IrDA Protocol; C:\WINNT\System32\DRIVERS\irda.sys [2004-08-04 87424]
R3 Arp1394;1394 ARP Client Protocol; C:\WINNT\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 CLEDX;Team H2O CLEDX service; C:\WINNT\system32\DRIVERS\cledx.sys [2005-05-09 33792]
R3 dmxfire;DMX6fire WDM Audio; C:\WINNT\system32\drivers\dmx6fire.sys [2003-08-29 148724]
R3 dmxsens;dmxsens; C:\WINNT\system32\drivers\dmxsens.sys [2003-07-22 403968]
R3 hidusb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [2001-08-23 9600]
R3 irsir;Microsoft Serial Infrared Driver; C:\WINNT\System32\DRIVERS\irsir.sys [2001-08-17 18688]
R3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2001-08-23 12160]
R3 NIC1394;1394 Net Driver; C:\WINNT\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 nv;nv; C:\WINNT\system32\DRIVERS\nv4_mini.sys [2005-12-01 3535424]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINNT\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINNT\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 Rasirda;WAN Miniport (IrDA); C:\WINNT\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINNT\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S1 tga;tga; C:\WINNT\system32\drivers\tga.sys []
S3 AMDPCI;AMDPCI; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AMDPCI.sys []
S3 BCM43XX;Belkin 802.11 Network Adapter Driver; C:\WINNT\system32\DRIVERS\bcmwl5.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 FXDRV;FXDRV; \??\E:\Fxdrv.sys []
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINNT\system32\drivers\lvusbsta.sys [2004-10-11 22016]
S3 MPE;BDA MPE Filter; C:\WINNT\system32\DRIVERS\MPE.sys [2004-08-04 15360]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\System32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINNT\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 PID_0928;Labtec WebCam(PID_0928); C:\WINNT\system32\DRIVERS\LV561AV.SYS [2004-10-11 211712]
S3 RTL8023;Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver; C:\WINNT\system32\DRIVERS\Rtlnic.sys [2004-07-16 69632]
S3 rtl8139;Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver; C:\WINNT\System32\DRIVERS\RTL8139.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINNT\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINNT\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINNT\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 SysProtDrv.sys;SysProtDrv.sys; \??\C:\Documents and Settings\Administrator\Desktop\SysProt\SysProtDrv.sys []
S3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINNT\system32\DRIVERS\usb8023x.sys [2005-10-21 12800]
S3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\System32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINNT\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 WpdUsb;WpdUsb; C:\WINNT\System32\Drivers\wpdusb.sys [2004-08-11 18944]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S4 aic116x;aic116x; C:\WINNT\system32\drivers\aic116x.sys []
S4 ami0nt;ami0nt; C:\WINNT\system32\drivers\ami0nt.sys []
S4 BusLogic;BusLogic; C:\WINNT\system32\drivers\BusLogic.sys []
S4 cpqarry2;cpqarry2; C:\WINNT\system32\drivers\cpqarry2.sys []
S4 cpqfcalm;cpqfcalm; C:\WINNT\system32\drivers\cpqfcalm.sys []
S4 cpqfws2e;cpqfws2e; C:\WINNT\system32\drivers\cpqfws2e.sys []
S4 deckzpsx;deckzpsx; C:\WINNT\system32\drivers\deckzpsx.sys []
S4 EFS;EFS; C:\WINNT\system32\drivers\EFS.sys []
S4 Fd16_700;Fd16_700; C:\WINNT\system32\drivers\Fd16_700.sys []
S4 fireport;fireport; C:\WINNT\system32\drivers\fireport.sys []
S4 flashpnt;flashpnt; C:\WINNT\system32\drivers\flashpnt.sys []
S4 IntelIde;IntelIde; C:\WINNT\system32\drivers\IntelIde.sys []
S4 ipsraidn;ipsraidn; C:\WINNT\system32\drivers\ipsraidn.sys []
S4 lp6nds35;lp6nds35; C:\WINNT\system32\drivers\lp6nds35.sys []
S4 Ncrc710;Ncrc710; C:\WINNT\system32\drivers\Ncrc710.sys []
S4 Parallel;Parallel class driver; C:\WINNT\System32\DRIVERS\parallel.sys []
S4 ql2100;ql2100; C:\WINNT\system32\drivers\ql2100.sys []
S4 ultra66;ultra66; C:\WINNT\system32\drivers\ultra66.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-18 297752]
R2 Irmon;Infrared Monitor; C:\WINNT\System32\svchost.exe [2004-08-04 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-09-20 153376]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINNT\System32\nvsvc32.exe [2005-12-01 131139]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINNT\system32\wdfmgr.exe [2004-08-11 38912]
S2 Fax;Fax; C:\WINNT\system32\fxssvc.exe [2004-08-04 267776]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-11-15 69632]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 1029456]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-06-08 208896]
S3 UtilMan;Utility Manager; C:\WINNT\System32\UtilMan.exe [2004-08-04 50176]

-----------------EOF-----------------

#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:38 AM

Posted 21 September 2009 - 01:27 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#14 Sarahcc1984

Sarahcc1984
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 21 September 2009 - 01:37 PM

Hello, I have attached the Combofix log. I wasn't sure if you wanted it posting or attaching, but thought I would attach it to err on the side of caution!

S x


#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:38 AM

Posted 21 September 2009 - 05:27 PM

Hi Sarahcc1984,

I see that you didn't run ComboFix from the desktop. It is important that you follow my instructions exactly.

  • Go to Start >> Run, and type Notepad into the run box, then click Ok.
  • Copy and paste the following code into Notepad. (Do not include the word "CODE".)
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
  • Click on the File tab, and select Save.
  • In the box that opens type Regfix.reg for the File name.
  • Change the Save as type to All Files, then save it to your Desktop.
  • Double click Regfix.reg, Select yes when it prompts you, then Ok.
Next

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    :filefind
    beep.sys
    services.exe
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Next

Download LSPFix and save to your desktop.
alternate download site
  • Disconnect from the Internet, go to the LSPfix file and extract (unzip) LSP-Fix into its own folder such as C:\lspfix. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I am doing" checkbox.
  • Select (highlight) all instances of mswsock32.dll in the left column under "Keep".
  • Click the arrow >> so it goes over to the right column under "Remove".
  • Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
  • Restart your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Delete the following files:

    C:\winnt\system32\mswsock32.dll

  • Restart your computer normally.
For instructions with screen shots, see the "Using LSP-Fix Tutorial".

Please post back here with the following logs:
  • SystemLook.txt
  • New Rsit log
Thanks

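The SystemLook ":filefind" step above asks for every copy of beep.sys and services.exe on the disk, so the helper can compare their locations, sizes and dates. The following is an added example, not code from the thread, from SystemLook or from its author: a small offline analogue of that step in Python. It walks a directory tree, records size, modification time and SHA-256 for each matching file, flags copies that sit outside the directories where the legitimate file is expected on a default Windows XP layout (that expected-location table is an assumption of this example), and points out names whose copies do not all share the same hash, since a dllcache copy that no longer matches the system32 copy is what a replaced or patched system binary looks like. The directory tree it runs on is constructed inline for the demonstration.

```python
"""Added example: a minimal stand-in for SystemLook's ':filefind' report.
Not part of the original thread; the expected-location table below is an
assumption about a default XP install, and the sample tree is constructed."""

import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Where each file legitimately lives, relative to the Windows directory
# (assumed default XP layout). A copy anywhere else deserves a second look.
EXPECTED_HOMES = {
    "beep.sys": {"system32/drivers", "system32/dllcache"},
    "services.exe": {"system32", "system32/dllcache"},
}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def filefind(root, names):
    """Return one dict per file under `root` whose name is in `names`
    (case-insensitive, as NTFS file names are)."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() not in wanted:
                continue
            full = os.path.join(dirpath, fn)
            st = os.stat(full)
            rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
            expected = rel_dir in EXPECTED_HOMES.get(fn.lower(), set())
            hits.append({
                "path": full,
                "name": fn.lower(),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                "sha256": sha256_of(full),
                "suspicious": not expected,  # found outside its expected home
            })
    return hits


def differing_copies(hits):
    """Names that occur with more than one distinct hash, e.g. a dllcache
    copy that no longer matches the live copy in system32."""
    by_name = {}
    for h in hits:
        by_name.setdefault(h["name"], set()).add(h["sha256"])
    return sorted(n for n, hashes in by_name.items() if len(hashes) > 1)


def build_demo_tree():
    """Constructed sample tree standing in for C:\\WINNT (demo data only)."""
    root = tempfile.mkdtemp(prefix="winnt_")
    layout = {
        "system32/services.exe": b"MZ-services-sample",
        "system32/dllcache/services.exe": b"MZ-services-sample",
        "system32/drivers/beep.sys": b"MZ-beep-modified",   # differs from cache
        "system32/dllcache/beep.sys": b"MZ-beep-sample",
        "temp/beep.sys": b"MZ-beep-sample",                 # stray copy
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def report(root, names=("beep.sys", "services.exe")):
    """Print a SystemLook-style listing and return the raw hits."""
    hits = filefind(root, names)
    for h in sorted(hits, key=lambda x: x["path"]):
        flag = "SUSPECT" if h["suspicious"] else "ok"
        print(f"{flag:7} {h['size']:>8} {h['mtime']:%Y-%m-%d %H:%M} "
              f"{h['sha256'][:16]} {h['path']}")
    for name in differing_copies(hits):
        print(f"NOTE: copies of {name} do not all share the same hash")
    return hits


if __name__ == "__main__":
    report(build_demo_tree())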





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users