Computer locks up and/or restarts without warning

14 replies to this topic

#1 godly-creations

Posted 10 October 2009 - 04:09 PM

My computer constantly restarts and/or locks up without warning. I have run avast, malwarebytes, superantispyware, and spyware blaster along with O&O defrag to try and fix the problem, but none of these programs are finding anything. Please help me resolve this issue.


#2 schrauber (Malware Response Team, Munich, Germany)

Posted 25 October 2009 - 12:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' button and add the new log to this thread.

Thanks, and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 godly-creations (Topic Starter)

Posted 25 October 2009 - 05:58 PM

DDS (Ver_09-10-24.04) - NTFSx86
Run by Administrator at 18:53:23.45 on Sun 10/25/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2410 [GMT -4:00]

AV: avast! antivirus 4.8.1351 [VPS 091025-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.0\System32\svchost.exe -k netsvcs
C:\WINDOWS.0\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
svchost.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\spupdsvc.exe
C:\WINDOWS.0\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.0\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8XSD2STI\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.facebook.com/
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
BHO:  - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: {ab42cd1c-71ae-042e-ae38-7aa2e1cb4be4} - c:\windows.0\system32\ownc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
uRun: [c:\program files\1&1\1&1 easylogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
uRun: [Hlnrymur] c:\windows.0\system32\s?mbols\?explore.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SansaDispatch] c:\documents and settings\administrator\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [\\Trixie-pc\EPSON Stylus Photo R380 Series] c:\windows.0\system32\spool\drivers\w32x86\3\e_fatiboa.exe /fu "c:\docume~1\admini~1\locals~1\temp\E_S39.tmp" /EF "HKCU"
mRun: [NeroFilterCheck] c:\windows.0\system32\NeroCheck.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [UIUCU] c:\docume~1\admini~1\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\micros~1.lnk - c:\windows.0\installer\{90120000-0030-0000-0000-0000000ff1ce}\outicon.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows.0\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245734198421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: gjhtgw.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\windows.0\system32\ddcBUnMf
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pbsbl19j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={401B3233-76F9-F402-4D52-DDC8B17E2456}&q=
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\pbsbl19j.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\pbsbl19j.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

As per the instructions you would have received, kindly ensure any onboard
script blocking tools have been disabled for they shall interfere with DDS.

DDS is a non-invasive diagnostic tool.

- DDS makes no registry writes/changes

- DDS does not create any permanent files/folders.

This scan should not take longer than three minutes to complete.

When the scan is complete, a logfile/report shall pop open.

Post the contents of the logfile to the forum where it was requested

We only require it to run just once. Dispose after use.


:::::::::::::::::::::::::::::::::::::::

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows.0\system32\drivers\aswSP.sys [2008-9-27 114768]
R1 bckd;bckd;c:\windows.0\system32\drivers\bckd.sys [2009-1-13 72992]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 74480]
R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [2008-9-27 20560]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-1-13 1078560]
R2 spupdsvc;Windows Service Pack Installer update service;c:\windows.0\system32\spupdsvc.exe [2008-6-14 26144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows.0\system32\drivers\motccgp.sys [2009-9-19 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows.0\system32\drivers\motccgpfl.sys [2009-9-19 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows.0\system32\drivers\motport.sys [2009-9-19 23680]
S3 npggsvc;nProtect GameGuard Service;c:\windows.0\system32\gamemon.des -service --> c:\windows.0\system32\GameMon.des -service [?]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows.0\system32\UnlockerDriver4.sys [2008-6-13 3584]
UnknownUnknown dump_wmimmc;dump_wmimmc; [x]

=============== Created Last 30 ================

2009-10-14 23:58:06 41872 ----a-w- c:\windows.0\system32\xfcodec.dll
2009-10-14 18:22:36 0 d-----w- c:\docume~1\admini~1\applic~1\EazyPlanet
2009-10-14 17:58:46 164144 ----a-w- c:\windows.0\system32\COMCT232.OCX
2009-10-14 17:58:43 0 d-----w- c:\docume~1\alluse~1.0\applic~1\EazyPlanet
2009-10-14 17:58:40 0 d-----w- c:\program files\EazyPlanet
2009-10-10 15:45:30 0 d-----w- c:\docume~1\admini~1\applic~1\stickies
2009-10-10 15:45:18 0 d-----w- c:\program files\stickies
2009-10-07 01:46:45 54156 ---ha-w- c:\windows.0\QTFont.qfn
2009-10-07 01:46:45 1409 ----a-w- c:\windows.0\QTFont.for
2009-10-01 01:45:14 0 d-sh--w- c:\windows.0\ftpcache
2009-09-30 22:58:08 0 d-----w- c:\program files\Selectsoft
2009-09-28 23:38:02 0 d-----w- c:\program files\Disney Interactive
2009-09-28 23:37:50 1266 ----a-w- c:\windows.0\disney.ini

==================== Find3M ====================

2009-09-19 19:13:08 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motport_01007.Wdf
2009-09-19 19:13:04 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
2009-09-19 19:13:01 0 ---ha-w- c:\windows.0\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-09-19 19:13:01 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2009-09-19 19:13:01 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2009-09-11 14:18:39 136192 ----a-w- c:\windows.0\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows.0\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows.0\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows.0\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows.0\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ----a-w- c:\windows.0\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows.0\system32\ntkrnlpa.exe
2008-05-23 23:18:11 174 --sh--w- c:\program files\desktop.ini
2008-09-27 20:49:18 918153 --sha-w- c:\windows.0\system32\fMnUBcdd.ini2
2008-08-27 18:50:17 32768 -csha-w- c:\windows.0\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 18:53:50.42 ===============

#4 schrauber (Malware Response Team)

Posted 26 October 2009 - 01:27 PM

Hello godly-creations, and again welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


#5 godly-creations (Topic Starter)

Posted 26 October 2009 - 09:54 PM

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-26 22:42:23
Windows 5.1.2600 Service Pack 3
Running: ov71ux7g.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxliipod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA2FFE6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA2FFE574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA2FFEA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA2FFE14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA2FFE64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA2FFE08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA2FFE0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA2FFE76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA2FFE72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA2FFE8AE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA6B3A0B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 4 Bytes JMP 924AA2FF
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 4 Bytes CALL 4144EB40

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS.0\system32\SearchIndexer.exe[1108] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS.0\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS.0\system32\services.exe[620] @ C:\WINDOWS.0\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS.0\system32\services.exe[620] @ C:\WINDOWS.0\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1452] @ C:\WINDOWS.0\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip bckd.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp bckd.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp bckd.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp bckd.sys

---- EOF - GMER 1.0.15 ----

#6 schrauber (Malware Response Team)

Posted 27 October 2009 - 01:48 PM

Hi,

How is your system running?


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

regards,
schrauber


#7 godly-creations (Topic Starter)

Posted 27 October 2009 - 04:09 PM

My computer is still having the same problems. Sometimes it just locks up and doesn't want to do anything, forcing me to do a hard restart, and other times it just restarts itself without warning, many times while I'm working on my college homework. It is very frustrating. Here are the 2 logs that you have requested.


info.txt logfile of random's system information tool 1.06 2009-10-27 17:02:44

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS.0\INF\PCHealth.inf
1&1 EasyLogin-->C:\Program Files\1&1\1&1 EasyLogin\Uninstall.exe
1001 Tangram Puzzles-->"C:\Program Files\Selectsoft\1001 Tangram Puzzles\uninstall.exe"
2002 Games-->"C:\Program Files\Selectsoft\2002 Games\uninstall.exe"
2002 Kakuro Puzzles-->"C:\Program Files\Selectsoft\2002 Kakuro Puzzles\uninstall.exe"
2002 Pentamino Puzzles-->"C:\Program Files\Selectsoft\2002 Pentamino Puzzles\uninstall.exe"
2002 Space Out Games-->"C:\Program Files\Selectsoft\2002 Space Out Games\uninstall.exe"
2002 Sudoku Games-->"C:\Program Files\Selectsoft\2002 Sudoku Games\uninstall.exe"
3003 Crystal Mazes-->"C:\Program Files\Selectsoft\3003 Crystal Mazes\uninstall.exe"
500 Solitaire Games-->"C:\Program Files\Selectsoft\500 Solitaire Games\uninstall.exe"
7-Zip 4.20-->"C:\Program Files\7-Zip\Uninstall.exe"
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS.0\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS.0\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
ATI Display Driver-->rundll32 C:\WINDOWS.0\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Avanquest update-->"C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -runfromtemp -l0x0009 -removeonly
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Axialis IconWorkshop 6.0-->C:\Program Files\Axialis\IconWorkshop\UnInstall.exe "IconWorkshop" "IconWorkshop.exe"
Blue Coat® K9 Web Protection 4.0.288-->C:\Program Files\Blue Coat K9 Web Protection\uninst.exe
ConTEXT-->"C:\Program Files\ConTEXT\unins000.exe"
DataPilot-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{AB6E9CF7-7A9B-4973-9A1D-96FB27F4B6AC} /l1033
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD2one 1.5.1-->C:\Program Files\DVD2one\uninst.exe
EazyPaper-->C:\Program Files\EazyPlanet\EazyPaper\uninst-EazyPaper.exe
e-Sword Bible Screen Saver-->MsiExec.exe /X{32B54E53-E2AA-4175-83F3-8A70474AAD3E}
e-Sword Macros for Word 2007-->MsiExec.exe /X{94AEA2F7-293E-4503-A640-DB15CBDD62CA}
e-Sword-->MsiExec.exe /I{87791AF4-4D4C-43DC-97BF-05EEEE5187F2}
Google SketchUp 7-->MsiExec.exe /I{E5D52570-5EF1-4576-A434-6CCD92268F0F}
HammerHead Rhythm Station-->C:\Program Files\HammerHead\Uninstall.exe
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS.0\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Home Budget-->MsiExec.exe /I{F6D0FF05-0B73-436C-B35C-B8392FF17E2A}
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS.0\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS.0\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS.0\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS.0\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS.0\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS.0\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
InfiniaChess-->"C:\Program Files\InfiniaChess\unins000.exe"
J2SE Runtime Environment 5.0 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Jasc Animation Shop 3-->MsiExec.exe /I{7C4196CA-CA41-4F34-9C08-7724E7705D52}
Java™ 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LightScribe System Software 1.14.25.1-->MsiExec.exe /X{DA9DAC64-C947-47BA-B411-8A1959B177CF}
LightScribe Template Designs - Fantasy Pack 1-->MsiExec.exe /X{DE72186D-A4A5-4504-839C-B14FC3432DA1}
LightScribe Template Designs - Wedding Pack 1-->MsiExec.exe /X{15B6EAD9-E83D-458F-AF6F-B8F865FA4F28}
LightScribeTemplateLabeler-->MsiExec.exe /X{305D4B08-5807-4475-B1C8-D54685534864}
Macromedia Shockwave Player-->C:\WINDOWS.0\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS.0\system32\Macromed\SHOCKW~1\Install.log
Magic ISO Maker v4.9 (build 0144)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS.0\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS.0\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft Access 2002 Runtime-->MsiExec.exe /I{901C0409-6000-11D3-8CFE-0050048383C9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS.0\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS.0\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS.0\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS.0\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS.0\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS.0\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Motorola Driver Installation 3.8.0-->MsiExec.exe /I{221E5BB1-E4B5-485A-A74B-5D4D5BF21E62}
Motorola Phone Tools-->C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe -runfromtemp -l0x0009 -removeonly
Motorola Software Update-->MsiExec.exe /I{922D9CCA-4317-425F-9AA5-94829DF8BA6D}
Mozilla Firefox (3.5.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MySpaceIM-->C:\Program Files\MySpace\IM\Uninstall.exe
Nero 6 Enterprise Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers-->C:\WINDOWS.0\system32\nvuide.exe UninstallGUI
O&O Defrag Professional Edition-->MsiExec.exe /I{53480370-6CA2-47EC-BC05-02B4B9271C31}
OpenOffice.org 2.4-->MsiExec.exe /I{2CD2C0DB-81C3-416B-9FA6-589B9235359B}
PHP 5.2.1-->MsiExec.exe /I{EF812FEC-6B0C-4B1C-8C4F-C88FEB415EFE}
Pinball Panic-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{703DE3AE-513C-11D6-B2F9-0002A5E32BEF}\setup.exe" Pinball Panic
PowerDVD-->C:\PROGRA~1\CYBERL~1\PowerDVD\DOCUME~1\ADMINI~1\APPLIC~1\MICROS~1\HTMLHE~1\UNWISE.EXE C:\PROGRA~1\CYBERL~1\PowerDVD\DOCUME~1\ADMINI~1\APPLIC~1\MICROS~1\HTMLHE~1\INSTALL.LOG
Putty-->"C:\Program Files\Putty\unins000.exe"
Puzzle and Board XP Championship-->"C:\Program Files\Selectsoft\Puzzle and Board XP Championship\uninstall.exe"
QuickTime Alternative 1.50-->"C:\Program Files\QuickTime Alternative\unins000.exe"
Rappelz_USA-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E144A786-D2DD-428B-9C1A-0EE3FA3515EA}\setup.exe" -l0x9 -removeonly
Real Alternative 1.41-->"C:\Program Files\Real Alternative\unins000.exe"
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m -nrg2709
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS.0\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS.0\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS.0\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS.0\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS.0\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS.0\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS.0\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS.0\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS.0\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS.0\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Search 4 - KB963093-->"C:\WINDOWS.0\$NtUninstallKB963093$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS.0\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS.0\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS.0\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS.0\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS.0\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS.0\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS.0\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS.0\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS.0\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS.0\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS.0\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS.0\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS.0\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS.0\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS.0\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS.0\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS.0\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS.0\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS.0\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS.0\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS.0\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS.0\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS.0\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS.0\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS.0\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS.0\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS.0\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS.0\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS.0\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS.0\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS.0\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS.0\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS.0\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS.0\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS.0\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS.0\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS.0\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS.0\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS.0\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS.0\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS.0\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS.0\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS.0\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS.0\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS.0\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS.0\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS.0\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS.0\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS.0\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS.0\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS.0\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS.0\$NtUninstallKB975467$\spuninst\spuninst.exe"
SimpleD Budget-->"C:\Program Files\SimpleD Budget\uninstall.exe"
SpywareBlaster 4.2-->"C:\Program Files\SpywareBlaster\unins000.exe"
Stickies 5.2b-->"C:\WINDOWS.0\lsb_un20.exe" /C=UC /N=Stickies 5.2b
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"
TeamSpeak Overlay BETA 2 (#63)-->"C:\Program Files\TSO\uninstall.exe"
Update for Windows Internet Explorer 8 (KB971180)-->"C:\WINDOWS.0\ie8updates\KB971180-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS.0\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS.0\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS.0\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS.0\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS.0\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS.0\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS.0\$NtUninstallKB973815$\spuninst\spuninst.exe"
USB-IrDA Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{10F5D9BB-E2F2-4B18-A65D-928B73D22E6F}\SETUP.EXE" -l0x9
WalkingBible 1.0.4-->C:\Program Files\WalkingBible\uninstall.exe
Winamp Remote-->"C:\Program Files\Winamp Remote\uninstall.exe"
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS.0\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS.0\ie8\spuninst\spuninst.exe"
Windows Search 4.0-->"C:\WINDOWS.0\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS.0\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip 9.0-->C:\PROGRA~1\Winzip\PROGRA~1\Winzip\UNWISE.EXE C:\PROGRA~1\Winzip\PROGRA~1\Winzip\INSTALL.LOG
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
Xilisoft Video Converter Ultimate-->C:\Program Files\Xilisoft\Video Converter Ultimate\Uninstall.exe
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Zuma Deluxe 1.0-->C:\Program Files\Zuma\Zuma Deluxe\PopUninstall.exe "C:\Program Files\Zuma\Zuma Deluxe\Install.log"

=====HijackThis Backups=====

O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF [2008-05-18]

======Security center information======

AV: avast! antivirus 4.8.1351 [VPS 091027-0]

======System event log======

Computer Name: KEVINS-PC
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001D7D425EB0. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 676
Source Name: Dhcp
Time Written: 20091021042130.000000-240
Event Type: warning
User:

Computer Name: KEVINS-PC
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001D7D425EB0. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 674
Source Name: Dhcp
Time Written: 20091021042120.000000-240
Event Type: warning
User:

Computer Name: KEVINS-PC
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 665
Source Name: W32Time
Time Written: 20091020175909.000000-240
Event Type: warning
User:

Computer Name: KEVINS-PC
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service ImapiService with arguments "-Service"
in order to run the server:
{520CCA63-51A5-11D3-9144-00104BA11C5E}

Record Number: 664
Source Name: DCOM
Time Written: 20091020123522.000000-240
Event Type: error
User: KEVINS-PC\Administrator

Computer Name: KEVINS-PC
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service ImapiService with arguments "-Service"
in order to run the server:
{520CCA63-51A5-11D3-9144-00104BA11C5E}

Record Number: 663
Source Name: DCOM
Time Written: 20091020122901.000000-240
Event Type: error
User: KEVINS-PC\Administrator

=====Application event log=====

Computer Name: KEVINS-PC
Event Code: 1517
Message: Windows saved user KEVINS-PC\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 52
Source Name: Userenv
Time Written: 20090814115209.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: KEVINS-PC
Event Code: 1517
Message: Windows saved user KEVINS-PC\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 42
Source Name: Userenv
Time Written: 20090813040131.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: KEVINS-PC
Event Code: 1000
Message: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Record Number: 35
Source Name: Application Error
Time Written: 20090812142214.000000-240
Event Type: error
User:

Computer Name: KEVINS-PC
Event Code: 1517
Message: Windows saved user KEVINS-PC\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 29
Source Name: Userenv
Time Written: 20090812035839.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: KEVINS-PC
Event Code: 1000
Message: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Record Number: 20
Source Name: Application Error
Time Written: 20090811204213.000000-240
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\PHP\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"PHPRC"=C:\Program Files\PHP\

-----------------EOF-----------------




Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-10-27 17:02:36
Microsoft Windows XP Professional Service Pack 3
System drive C: has 134 GB (74%) free of 181 GB
Total RAM: 3070 MB (80% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:41 PM, on 10/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\spupdsvc.exe
C:\WINDOWS.0\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\cmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {AB42CD1C-71AE-042E-AE38-7AA2E1CB4BE4} - C:\WINDOWS.0\system32\ownc.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
O4 - HKCU\..\Run: [Hlnrymur] C:\WINDOWS.0\system32\s?mbols\?explore.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [\\Trixie-pc\EPSON Stylus Photo R380 Series] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE /FU "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_S39.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office Outlook 2007.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1245734198421
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: gjhtgw.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.0\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.0\system32\GameMon.des.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe

--
End of file - 8595 bytes

======Scheduled tasks folder======

C:\WINDOWS.0\tasks\User_Feed_Synchronization-{0245EAF1-7DDC-40A2-9F40-1A322E092162}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB42CD1C-71AE-042E-AE38-7AA2E1CB4BE4}]
C:\WINDOWS.0\system32\ownc.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\WINDOWS.0\system32\NeroCheck.exe [2001-07-09 155648]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-08-11 249856]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-08-11 81920]
"RTHDCPL"=C:\WINDOWS.0\RTHDCPL.EXE [2008-05-28 16862720]
"Alcmtr"=C:\WINDOWS.0\ALCMTR.EXE [2005-05-03 69632]
"UIUCU"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE [2003-04-10 495616]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-08-17 81000]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"KernelFaultCheck"=C:\WINDOWS.0\system32\dumprep 0 -k []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS.0\system32\ctfmon.exe [2008-04-13 15360]
"C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe"=1&1 EasyLogin HIDE []
"Hlnrymur"=C:\WINDOWS.0\system32\s?mbols\?explore.exe []
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-10-14 2000112]
"SansaDispatch"=C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe [2009-10-12 79872]
"\\Trixie-pc\EPSON Stylus Photo R380 Series"=C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE [2006-10-17 143360]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office Outlook 2007.lnk - C:\WINDOWS.0\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="gjhtgw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-09-04 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-09-27 77824]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS.0\system32\ddcBUnMf

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoRun"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Xfire\xfire.exe"="C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Winamp Remote\bin\Orb.exe"="C:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb"
"C:\Program Files\Winamp Remote\bin\OrbTray.exe"="C:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray"
"C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"
"C:\Program Files\stickies\stickies.exe"="C:\Program Files\stickies\stickies.exe:*:Enabled:Stickies 5.2b"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-10-27 17:02:36 ----D---- C:\rsit
2009-10-14 22:37:46 ----SHD---- C:\Config.Msi
2009-10-14 22:36:32 ----HDC---- C:\WINDOWS.0\$NtUninstallKB958869$
2009-10-14 22:34:25 ----HDC---- C:\WINDOWS.0\$NtUninstallKB969059$
2009-10-14 22:34:20 ----HDC---- C:\WINDOWS.0\$NtUninstallKB954155_WM9$
2009-10-14 22:34:14 ----HDC---- C:\WINDOWS.0\$NtUninstallKB974112$
2009-10-14 22:34:10 ----HDC---- C:\WINDOWS.0\$NtUninstallKB975025$
2009-10-14 22:34:04 ----HDC---- C:\WINDOWS.0\$NtUninstallKB974571$
2009-10-14 22:33:18 ----HDC---- C:\WINDOWS.0\$NtUninstallKB971486$
2009-10-14 22:33:11 ----HDC---- C:\WINDOWS.0\$NtUninstallKB973525$
2009-10-14 22:33:03 ----HDC---- C:\WINDOWS.0\$NtUninstallKB975467$
2009-10-14 19:58:06 ----A---- C:\WINDOWS.0\system32\xfcodec.dll
2009-10-14 14:22:36 ----D---- C:\Documents and Settings\Administrator\Application Data\EazyPlanet
2009-10-14 13:58:43 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\EazyPlanet
2009-10-14 13:58:40 ----D---- C:\Program Files\EazyPlanet
2009-10-10 11:45:30 ----D---- C:\Documents and Settings\Administrator\Application Data\stickies
2009-10-10 11:45:18 ----D---- C:\Program Files\stickies
2009-09-30 21:45:14 ----SHD---- C:\WINDOWS.0\ftpcache
2009-09-30 18:58:08 ----D---- C:\Program Files\Selectsoft
2009-09-28 19:38:02 ----D---- C:\Program Files\Disney Interactive
2009-09-28 19:37:50 ----A---- C:\WINDOWS.0\disney.ini

======List of files/folders modified in the last 1 months======

2009-10-27 17:02:24 ----D---- C:\WINDOWS.0\Prefetch
2009-10-27 17:01:17 ----D---- C:\Program Files\Blue Coat K9 Web Protection
2009-10-27 15:14:05 ----D---- C:\WINDOWS.0\Temp
2009-10-27 11:12:21 ----D---- C:\WINDOWS.0\system32\drivers
2009-10-27 11:11:29 ----D---- C:\WINDOWS.0\system32\CatRoot2
2009-10-27 09:23:00 ----A---- C:\WINDOWS.0\SchedLgU.Txt
2009-10-27 06:40:46 ----D---- C:\Program Files\e-Sword
2009-10-26 22:51:47 ----D---- C:\WINDOWS.0\Minidump
2009-10-26 22:51:47 ----D---- C:\WINDOWS.0
2009-10-22 04:31:01 ----D---- C:\WINDOWS.0\system32\oodag
2009-10-22 04:20:57 ----D---- C:\Program Files\Winamp Remote
2009-10-21 22:40:12 ----D---- C:\Documents and Settings\Administrator\Application Data\Xfire
2009-10-21 12:47:20 ----D---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Microsoft Help
2009-10-21 08:52:18 ----D---- C:\WINDOWS.0\network diagnostic
2009-10-21 04:20:43 ----SD---- C:\Program Files\Xfire
2009-10-15 10:38:25 ----D---- C:\Program Files\Mozilla Firefox
2009-10-15 04:16:09 ----D---- C:\WINDOWS.0\system32
2009-10-14 22:41:38 ----RSD---- C:\WINDOWS.0\assembly
2009-10-14 22:41:07 ----D---- C:\WINDOWS.0\Microsoft.NET
2009-10-14 22:38:51 ----SHD---- C:\WINDOWS.0\Installer
2009-10-14 22:38:38 ----A---- C:\WINDOWS.0\system32\PerfStringBackup.INI
2009-10-14 22:38:23 ----D---- C:\WINDOWS.0\WinSxS
2009-10-14 22:36:50 ----HD---- C:\WINDOWS.0\inf
2009-10-14 22:36:47 ----RSHDC---- C:\WINDOWS.0\system32\dllcache
2009-10-14 22:36:46 ----D---- C:\Program Files\Internet Explorer
2009-10-14 22:36:40 ----D---- C:\WINDOWS.0\ie8updates
2009-10-14 22:36:37 ----HD---- C:\WINDOWS.0\$hf_mig$
2009-10-14 22:36:34 ----A---- C:\WINDOWS.0\imsins.BAK
2009-10-14 22:32:04 ----D---- C:\Program Files\SUPERAntiSpyware
2009-10-14 13:58:40 ----RD---- C:\Program Files
2009-10-13 21:31:15 ----D---- C:\WINDOWS.0\system32\CatRoot
2009-10-11 17:02:36 ----A---- C:\WINDOWS.0\NeroDigital.ini
2009-10-07 20:58:10 ----AD---- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\TEMP
2009-10-07 20:58:07 ----D---- C:\Program Files\SpywareBlaster
2009-10-07 10:03:45 ----D---- C:\WINDOWS.0\Help
2009-10-02 14:01:57 ----A---- C:\WINDOWS.0\system32\MRT.exe
2009-09-30 22:45:23 ----D---- C:\Documents and Settings\Administrator\Application Data\Macromedia
2009-09-30 20:51:50 ----A---- C:\WINDOWS.0\win.ini
2009-09-28 20:10:08 ----D---- C:\WINDOWS.0\system
2009-09-28 20:09:35 ----HD---- C:\Program Files\InstallShield Installation Information
2009-09-28 20:09:18 ----D---- C:\Program Files\FinePixViewer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS.0\system32\drivers\Aavmker4.sys [2009-08-17 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS.0\system32\drivers\aswSP.sys [2009-08-17 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS.0\system32\drivers\aswTdi.sys [2009-08-17 51376]
R1 bckd;bckd; C:\WINDOWS.0\system32\drivers\bckd.sys [2009-01-13 72992]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS.0\system32\DRIVERS\aswFsBlk.sys [2009-08-17 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS.0\system32\drivers\aswMon2.sys [2009-08-17 94160]
R3 aswRdr;aswRdr; C:\WINDOWS.0\system32\drivers\aswRdr.sys [2009-08-17 23152]
R3 ati2mtag;ati2mtag; C:\WINDOWS.0\system32\DRIVERS\ati2mtag.sys [2006-11-28 2830336]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS.0\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS.0\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS.0\system32\drivers\RtkHDAud.sys [2008-06-02 4752384]
R3 mouhid;Mouse HID Driver; C:\WINDOWS.0\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS.0\system32\DRIVERS\nvnetbus.sys [2006-02-17 13056]
R3 RT61;Gigabyte RT61 Wireless Driver; C:\WINDOWS.0\system32\DRIVERS\RT61.sys [2007-05-13 479360]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SetupSys;Conexant Setup API; C:\WINDOWS.0\system32\drivers\SetupSys.sys [2001-01-09 8811]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS.0\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS.0\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS.0\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS.0\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS.0\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS.0\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 EagleNT;EagleNT; \??\C:\WINDOWS.0\system32\drivers\EagleNT.sys []
S3 motccgp;Motorola USB Composite Device Driver; C:\WINDOWS.0\system32\DRIVERS\motccgp.sys [2009-01-29 18688]
S3 motccgpfl;MotCcgpFlService; C:\WINDOWS.0\system32\DRIVERS\motccgpfl.sys [2009-01-29 8320]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS.0\system32\DRIVERS\motmodem.sys [2009-01-29 23680]
S3 motport;Motorola USB Diagnostic Port; C:\WINDOWS.0\system32\DRIVERS\motport.sys [2009-01-29 23680]
S3 NIC1394;1394 Net Driver; C:\WINDOWS.0\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS.0\system32\DRIVERS\NVENETFD.sys [2006-02-17 34176]
S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\Internet Explorer\SABProcEnum.sys []
S3 UnlockerDriver4;UnlockerDriver4 Driver; \??\C:\WINDOWS.0\system32\UnlockerDriver4.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS.0\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbsermpt;Motorola USB Modem Driver for MPT; C:\WINDOWS.0\system32\DRIVERS\usbsermpt.sys [2008-07-23 22768]
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP; C:\WINDOWS.0\system32\DRIVERS\usbsermptxp.sys [2008-07-23 25600]
S3 Wdf01000;Wdf01000; C:\WINDOWS.0\system32\DRIVERS\Wdf01000.sys [2008-03-27 503008]
S3 WpdUsb;WpdUsb; C:\WINDOWS.0\system32\DRIVERS\wpdusb.sys [2004-08-11 18944]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS.0\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS.0\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-08-17 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS.0\system32\Ati2evxx.exe [2006-11-28 430080]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-08-17 138680]
R2 bckwfs;Blue Coat K9 Web Protection; C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe [2009-01-13 1078560]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2008-08-22 73728]
R2 O&O Defrag;O&O Defrag; C:\WINDOWS.0\system32\oodag.exe [2005-05-11 225280]
R2 spupdsvc;Windows Service Pack Installer update service; C:\WINDOWS.0\system32\spupdsvc.exe [2009-05-12 26144]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS.0\system32\wdfmgr.exe [2004-08-11 38912]
R2 WSearch;Windows Search; C:\WINDOWS.0\system32\SearchIndexer.exe [2008-05-26 439808]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS.0\system32\svchost.exe [2008-04-13 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-08-17 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-08-17 352920]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-05-15 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS.0\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 npggsvc;nProtect GameGuard Service; C:\WINDOWS.0\system32\GameMon.des [2009-07-13 3091868]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usprserv;User Privilege Service; C:\WINDOWS.0\System32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:58 AM

Posted 28 October 2009 - 12:41 PM

Hi,



Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#9 godly-creations

godly-creations
  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:58 PM

Posted 28 October 2009 - 01:29 PM

ComboFix 09-10-27.08 - Administrator 10/28/2009 14:00.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2441 [GMT -4:00]
Running from: h:\downloads\schrauber.exe
AV: avast! antivirus 4.8.1351 [VPS 091028-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2960648262-1852630441-374174503-1000
c:\$recycle.bin\S-1-5-21-3204723173-2959488199-85017739-500
c:\windows.0\system32\12290548.dll
c:\windows.0\system32\23497581.dll
c:\windows.0\system32\fMnUBcdd.ini
c:\windows.0\system32\fMnUBcdd.ini2
c:\windows.0\system32\Mswrkdmk.dll
c:\windows.0\system32\smbols~1
c:\windows.0\system32\zip32.dll

c:\windows.0\system32\calc.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-27 21:02 . 2009-10-27 21:02 -------- d-----w- C:\rsit
2009-10-14 23:58 . 2009-10-14 23:58 41872 ----a-w- c:\windows.0\system32\xfcodec.dll
2009-10-14 18:22 . 2009-10-14 18:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\EazyPlanet
2009-10-14 17:58 . 2009-10-14 17:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\EazyPlanet
2009-10-14 17:58 . 2009-10-14 17:58 -------- d-----w- c:\program files\EazyPlanet
2009-10-10 15:45 . 2009-10-10 15:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\stickies
2009-10-10 15:45 . 2009-10-10 15:45 -------- d-----w- c:\program files\stickies
2009-10-01 01:45 . 2009-10-01 01:45 -------- d-sh--w- c:\windows.0\ftpcache
2009-09-30 22:58 . 2009-10-01 03:09 -------- d-----w- c:\program files\Selectsoft
2009-09-28 23:38 . 2009-09-28 23:38 -------- d-----w- c:\program files\Disney Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 18:06 . 2009-05-26 00:35 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2009-10-28 00:56 . 2008-06-14 04:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2009-10-27 17:21 . 2009-08-18 20:21 10 ----a-w- c:\windows.0\popcinfo.dat
2009-10-27 10:40 . 2008-05-16 15:50 -------- d-----w- c:\program files\e-Sword
2009-10-22 08:20 . 2008-08-22 15:38 -------- d-----w- c:\program files\Winamp Remote
2009-10-21 16:47 . 2008-10-23 16:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Microsoft Help
2009-10-21 08:20 . 2008-04-25 16:09 -------- d-s---w- c:\program files\Xfire
2009-10-15 02:32 . 2008-05-17 13:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-08 00:58 . 2008-09-27 20:41 -------- d---a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
2009-10-08 00:58 . 2008-05-17 13:57 -------- d-----w- c:\program files\SpywareBlaster
2009-09-29 00:09 . 2007-01-12 04:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-29 00:09 . 2009-09-19 16:15 -------- d-----w- c:\program files\FinePixViewer
2009-09-19 23:37 . 2008-08-29 13:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2009-09-19 19:37 . 2009-06-20 03:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\W Photo Studio Viewer
2009-09-19 19:13 . 2009-09-19 19:13 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motport_01007.Wdf
2009-09-19 19:13 . 2009-09-19 19:13 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
2009-09-19 19:13 . 2009-09-19 19:13 0 ---ha-w- c:\windows.0\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-09-19 19:13 . 2009-09-19 19:13 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2009-09-19 19:13 . 2009-09-19 19:13 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2009-09-19 18:58 . 2008-05-08 23:11 -------- d-----w- c:\program files\Motorola Phone Tools
2009-09-19 18:54 . 2008-05-08 23:12 -------- d-----w- c:\program files\Avanquest update
2009-09-19 16:21 . 2009-09-19 16:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\FUJIFILM
2009-09-11 14:18 . 2002-12-31 12:00 136192 ----a-w- c:\windows.0\system32\msv1_0.dll
2009-09-10 12:07 . 2008-06-14 03:24 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2002-12-31 12:00 58880 ----a-w- c:\windows.0\system32\msasn1.dll
2009-08-29 08:08 . 2002-12-31 12:00 916480 ----a-w- c:\windows.0\system32\wininet.dll
2009-08-26 08:00 . 2002-12-31 12:00 247326 ----a-w- c:\windows.0\system32\strmdll.dll
2009-08-17 16:10 . 2008-09-27 16:20 1279456 ----a-w- c:\windows.0\system32\aswBoot.exe
2009-08-17 16:06 . 2008-09-27 16:20 93392 ----a-w- c:\windows.0\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2008-09-27 16:20 94160 ----a-w- c:\windows.0\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-09-27 16:23 114768 ----a-w- c:\windows.0\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-09-27 16:23 20560 ----a-w- c:\windows.0\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2008-09-27 16:20 51376 ----a-w- c:\windows.0\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-09-27 16:20 23152 ----a-w- c:\windows.0\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2008-09-27 16:20 26944 ----a-w- c:\windows.0\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2008-09-27 16:20 97480 ----a-w- c:\windows.0\system32\AVASTSS.scr
2009-08-06 23:24 . 2008-06-14 03:14 327896 ----a-w- c:\windows.0\system32\wucltui.dll
2009-08-06 23:24 . 2008-06-14 03:14 209632 ----a-w- c:\windows.0\system32\wuweb.dll
2009-08-06 23:24 . 2008-06-14 03:14 35552 ----a-w- c:\windows.0\system32\wups.dll
2009-08-06 23:24 . 2007-07-30 23:19 44768 ----a-w- c:\windows.0\system32\wups2.dll
2009-08-06 23:24 . 2008-06-14 03:14 53472 ----a-w- c:\windows.0\system32\wuauclt.exe
2009-08-06 23:24 . 2002-12-31 12:00 96480 ----a-w- c:\windows.0\system32\cdm.dll
2009-08-06 23:23 . 2008-06-14 03:14 575704 ----a-w- c:\windows.0\system32\wuapi.dll
2009-08-06 23:23 . 2008-06-14 03:14 1929952 ----a-w- c:\windows.0\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-31 12:00 204800 ----a-w- c:\windows.0\system32\mswebdvd.dll
2009-08-04 15:13 . 2002-12-31 12:00 2145280 ----a-w- c:\windows.0\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-12-31 12:00 2023936 ----a-w- c:\windows.0\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hlnrymur"="c:\windows.0\system32\s?mbols\?explore.exe" [?]
"c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe"="1&1 EasyLogin HIDE" [X]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-15 2000112]
"SansaDispatch"="c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-10-12 79872]
"\\Trixie-pc\EPSON Stylus Photo R380 Series"="c:\windows.0\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" [2006-10-17 143360]
"ctfmon.exe"="c:\windows.0\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows.0\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows.0\RTHDCPL.exe [2008-05-28 16862720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows.0\system32\narrator.exe [2008-04-14 53760]

c:\users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Microsoft Office Outlook 2007.lnk - c:\windows.0\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe [2008-10-23 845584]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-27 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 01:17 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\stickies\\stickies.exe"=

R1 aswSP;avast! Self Protection;c:\windows.0\system32\drivers\aswSP.sys [9/27/2008 12:23 PM 114768]
R1 bckd;bckd;c:\windows.0\system32\drivers\bckd.sys [1/13/2009 7:39 PM 72992]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [9/27/2008 12:23 PM 20560]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [1/13/2009 7:39 PM 1078560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows.0\system32\drivers\motccgp.sys [9/19/2009 2:57 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows.0\system32\drivers\motccgpfl.sys [9/19/2009 2:57 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows.0\system32\drivers\motport.sys [9/19/2009 2:57 PM 23680]
S3 npggsvc;nProtect GameGuard Service;c:\windows.0\system32\GameMon.des -service --> c:\windows.0\system32\GameMon.des -service [?]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows.0\system32\UnlockerDriver4.sys [6/13/2008 11:12 PM 3584]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows.0\Tasks\User_Feed_Synchronization-{0245EAF1-7DDC-40A2-9F40-1A322E092162}.job
- c:\windows.0\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows.0\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pbsbl19j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={401B3233-76F9-F402-4D52-DDC8B17E2456}&q=
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pbsbl19j.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pbsbl19j.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{AB42CD1C-71AE-042E-AE38-7AA2E1CB4BE4} - c:\windows.0\system32\ownc.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 14:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows.0\TEMP\_av_proI.tm~a02624
c:\windows.0\TEMP\_av_proI.tm~a02624\setup.lok 0 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows.0\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-1275210071-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,2f,59,72,54,ab,cc,4e,9e,7d,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,2f,59,72,54,ab,cc,4e,9e,7d,e5,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,2f,59,72,54,ab,cc,4e,9e,7d,e5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows.0\system32\WININET.dll
c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'explorer.exe'(2588)
c:\windows.0\system32\WININET.dll
c:\windows.0\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows.0\system32\ieframe.dll
c:\windows.0\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows.0\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\combofix\CF21761.exe
c:\program files\Microsoft Office\Office12\OUTLOOK.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows.0\system32\oodag.exe
c:\windows.0\system32\wdfmgr.exe
c:\windows.0\system32\SearchIndexer.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 14:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 18:15

Pre-Run: 140,856,897,536 bytes free
Post-Run: 141,015,756,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 2E54A30B0E5360BDC8913331E5073D51

#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:58 AM

Posted 28 October 2009 - 01:51 PM

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

SRPeek::
c:\windows.0\system32\calc.exe

File::
c:\windows.0\system32\s?mbols\?explore.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hlnrymur"=-

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#11 godly-creations

godly-creations
  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:58 PM

Posted 28 October 2009 - 02:11 PM

ComboFix 09-10-27.08 - Administrator 10/28/2009 15:02.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2532 [GMT -4:00]
Running from: h:\downloads\schrauber.exe
Command switches used :: h:\downloads\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 091028-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows.0\system32\calc.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-28 18:53 . 2009-10-28 18:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-10-27 21:02 . 2009-10-27 21:02 -------- d-----w- C:\rsit
2009-10-14 23:58 . 2009-10-14 23:58 41872 ----a-w- c:\windows.0\system32\xfcodec.dll
2009-10-14 18:22 . 2009-10-14 18:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\EazyPlanet
2009-10-14 17:58 . 2009-10-14 17:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\EazyPlanet
2009-10-14 17:58 . 2009-10-14 17:58 -------- d-----w- c:\program files\EazyPlanet
2009-10-10 15:45 . 2009-10-10 15:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\stickies
2009-10-10 15:45 . 2009-10-10 15:45 -------- d-----w- c:\program files\stickies
2009-10-01 01:45 . 2009-10-01 01:45 -------- d-sh--w- c:\windows.0\ftpcache
2009-09-30 22:58 . 2009-10-01 03:09 -------- d-----w- c:\program files\Selectsoft
2009-09-28 23:38 . 2009-09-28 23:38 -------- d-----w- c:\program files\Disney Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 19:01 . 2009-05-26 00:35 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2009-10-28 18:53 . 2009-05-18 14:05 -------- d-----w- c:\program files\Google
2009-10-28 00:56 . 2008-06-14 04:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2009-10-27 17:21 . 2009-08-18 20:21 10 ----a-w- c:\windows.0\popcinfo.dat
2009-10-27 10:40 . 2008-05-16 15:50 -------- d-----w- c:\program files\e-Sword
2009-10-22 08:20 . 2008-08-22 15:38 -------- d-----w- c:\program files\Winamp Remote
2009-10-21 16:47 . 2008-10-23 16:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Microsoft Help
2009-10-21 08:20 . 2008-04-25 16:09 -------- d-s---w- c:\program files\Xfire
2009-10-15 02:32 . 2008-05-17 13:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-08 00:58 . 2008-09-27 20:41 -------- d---a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
2009-10-08 00:58 . 2008-05-17 13:57 -------- d-----w- c:\program files\SpywareBlaster
2009-09-29 00:09 . 2007-01-12 04:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-29 00:09 . 2009-09-19 16:15 -------- d-----w- c:\program files\FinePixViewer
2009-09-19 23:37 . 2008-08-29 13:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2009-09-19 19:37 . 2009-06-20 03:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\W Photo Studio Viewer
2009-09-19 19:13 . 2009-09-19 19:13 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motport_01007.Wdf
2009-09-19 19:13 . 2009-09-19 19:13 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
2009-09-19 19:13 . 2009-09-19 19:13 0 ---ha-w- c:\windows.0\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-09-19 19:13 . 2009-09-19 19:13 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2009-09-19 19:13 . 2009-09-19 19:13 0 ---ha-w- c:\windows.0\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2009-09-19 18:58 . 2008-05-08 23:11 -------- d-----w- c:\program files\Motorola Phone Tools
2009-09-19 18:54 . 2008-05-08 23:12 -------- d-----w- c:\program files\Avanquest update
2009-09-19 16:21 . 2009-09-19 16:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\FUJIFILM
2009-09-11 14:18 . 2002-12-31 12:00 136192 ----a-w- c:\windows.0\system32\msv1_0.dll
2009-09-10 12:07 . 2008-06-14 03:24 -------- d-----w- c:\program files\Java
2009-09-04 21:03 . 2002-12-31 12:00 58880 ----a-w- c:\windows.0\system32\msasn1.dll
2009-08-29 08:08 . 2002-12-31 12:00 916480 ------w- c:\windows.0\system32\wininet.dll
2009-08-26 08:00 . 2002-12-31 12:00 247326 ----a-w- c:\windows.0\system32\strmdll.dll
2009-08-17 16:10 . 2008-09-27 16:20 1279456 ----a-w- c:\windows.0\system32\aswBoot.exe
2009-08-17 16:06 . 2008-09-27 16:20 93392 ----a-w- c:\windows.0\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2008-09-27 16:20 94160 ----a-w- c:\windows.0\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-09-27 16:23 114768 ----a-w- c:\windows.0\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-09-27 16:23 20560 ----a-w- c:\windows.0\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2008-09-27 16:20 51376 ----a-w- c:\windows.0\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-09-27 16:20 23152 ----a-w- c:\windows.0\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2008-09-27 16:20 26944 ----a-w- c:\windows.0\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2008-09-27 16:20 97480 ----a-w- c:\windows.0\system32\AVASTSS.scr
2009-08-06 23:24 . 2008-06-14 03:14 327896 ----a-w- c:\windows.0\system32\wucltui.dll
2009-08-06 23:24 . 2008-06-14 03:14 209632 ----a-w- c:\windows.0\system32\wuweb.dll
2009-08-06 23:24 . 2008-06-14 03:14 35552 ----a-w- c:\windows.0\system32\wups.dll
2009-08-06 23:24 . 2007-07-30 23:19 44768 ----a-w- c:\windows.0\system32\wups2.dll
2009-08-06 23:24 . 2008-06-14 03:14 53472 ------w- c:\windows.0\system32\wuauclt.exe
2009-08-06 23:24 . 2002-12-31 12:00 96480 ----a-w- c:\windows.0\system32\cdm.dll
2009-08-06 23:23 . 2008-06-14 03:14 575704 ----a-w- c:\windows.0\system32\wuapi.dll
2009-08-06 23:23 . 2008-06-14 03:14 1929952 ----a-w- c:\windows.0\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-31 12:00 204800 ----a-w- c:\windows.0\system32\mswebdvd.dll
2009-08-04 15:13 . 2002-12-31 12:00 2145280 ------w- c:\windows.0\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-12-31 12:00 2023936 ------w- c:\windows.0\system32\ntkrnlpa.exe
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe"="1&1 EasyLogin HIDE" [X]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-15 2000112]
"SansaDispatch"="c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-10-12 79872]
"\\Trixie-pc\EPSON Stylus Photo R380 Series"="c:\windows.0\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" [2006-10-17 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows.0\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows.0\RTHDCPL.exe [2008-05-28 16862720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows.0\system32\narrator.exe [2008-04-14 53760]

c:\users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Microsoft Office Outlook 2007.lnk - c:\windows.0\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe [2008-10-23 845584]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-27 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 01:17 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\stickies\\stickies.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

R1 aswSP;avast! Self Protection;c:\windows.0\system32\drivers\aswSP.sys [9/27/2008 12:23 PM 114768]
R1 bckd;bckd;c:\windows.0\system32\drivers\bckd.sys [1/13/2009 7:39 PM 72992]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows.0\system32\drivers\aswFsBlk.sys [9/27/2008 12:23 PM 20560]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [1/13/2009 7:39 PM 1078560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows.0\system32\drivers\motccgp.sys [9/19/2009 2:57 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows.0\system32\drivers\motccgpfl.sys [9/19/2009 2:57 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows.0\system32\drivers\motport.sys [9/19/2009 2:57 PM 23680]
S3 npggsvc;nProtect GameGuard Service;c:\windows.0\system32\GameMon.des -service --> c:\windows.0\system32\GameMon.des -service [?]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows.0\system32\UnlockerDriver4.sys [6/13/2008 11:12 PM 3584]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows.0\Tasks\User_Feed_Synchronization-{0245EAF1-7DDC-40A2-9F40-1A322E092162}.job
- c:\windows.0\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows.0\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pbsbl19j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={401B3233-76F9-F402-4D52-DDC8B17E2456}&q=
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pbsbl19j.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pbsbl19j.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 15:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows.0\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-1275210071-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,2f,59,72,54,ab,cc,4e,9e,7d,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,2f,59,72,54,ab,cc,4e,9e,7d,e5,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,2f,59,72,54,ab,cc,4e,9e,7d,e5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows.0\system32\WININET.dll
c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'explorer.exe'(3280)
c:\windows.0\system32\WININET.dll
c:\windows.0\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows.0\system32\ieframe.dll
c:\windows.0\system32\webcheck.dll
.
Completion time: 2009-10-28 15:10
ComboFix-quarantined-files.txt 2009-10-28 19:10
ComboFix2.txt 2009-10-28 18:15

Pre-Run: 140,980,068,352 bytes free
Post-Run: 140,933,070,848 bytes free

- - End Of File - - 1F50549D4DCACE598131515B745311AB

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:58 AM

Posted 28 October 2009 - 02:39 PM

Hi,

Do you have a Windows CD?
regards,
schrauber


#13 godly-creations

godly-creations
  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:58 PM

Posted 28 October 2009 - 02:45 PM

No, I don't. This computer originally came with Windows Vista, but it got overwritten with WinXP by one of my kids, who got their hands on a WinXP disc from a friend, and it has been returned. But when they installed WinXP it destroyed the factory restore drive that was installed on the computer by HP. So as of now all I have is the WinXP which is installed here. I can't afford to buy another copy of Windows Vista to get it reinstalled on here. It has been running fine for a long time, and now it is giving me all kinds of problems, and nothing I do seems to help it. I have worked on computers for a long time and I am still stumped.

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:58 AM

Posted 28 October 2009 - 02:50 PM

Are you able to borrow one from a friend with the same system? We have to replace a system file.
regards,
schrauber


#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:02:58 AM

Posted 02 November 2009 - 05:12 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

