Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

After cleaning thoroughly, suspect trojan or rootkit.


  • This topic is locked This topic is locked
16 replies to this topic

#1 oldmobie

oldmobie

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:21 PM

Posted 30 January 2010 - 10:15 PM

I'm cleaning up a computer for a friend. It came to me with no antivirus, no anti spyware other than TSAntiSpy, and I believe the Windows firewall was disabled.
I installed Sunbelt Personal Firewall, and cleaned with AntiVir, CCleaner, ComboFix, cwshredder, Malwarebytes' Anti-Malware, Spybot - Search & Destroy, Spyware Blaster, Stinger and SUPERAntiSpyware. (I couldn't get Ad-Aware or RootRepeal to run on his machine.) After re-scanning until all scans came back clean 2 or 3 times, I decided to check out his TSAntiSpy to see if it was a problem. It "found" 1 result. (This PC is NOT currently connected to the internet.) Re-scanning with all of the above, Spybot S&D found 5 results. (I have since removed TSAntiSpy, with the owner's permission.) Subsequent scans are clean, but I'm suspicious now.

I found you while looking for someone to read a HijackThis! log for me. I followed your directions, and am posting/ attaching the required logs. (Minus ark.txt, as I still can't run Root Repeal on his system. I get the following error: "Windows - Virtual Memory Minimum Too Low Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied. For more information, see Help." Setting Virtual Memory to System managed doesn't help.)

I'd love to hear what you think and what you see in these logs. I want to be able to give it a clean bill of health or recommend professional help if necessary. Thank You!

Here are the logs:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 17:48:57.30 on Sat 01/30/2010
Internet Explorer: 6.0.2600.0000
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.254.128 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us6.hpwis.com/
uDefault_Search_URL = hxxp://srch-us6.hpwis.com/
mStart Page = hxxp://us6.hpwis.com/
mSearch Bar = hxxp://srch-us6.hpwis.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /install
mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [LaunchAntiSpy] c:\program files\defenderpro\TSAntiSpy.exe /startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2010-1-26 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2010-1-26 45416]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-1-23 269736]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-26 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-26 185089]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-7-30 95528]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-1-23 65576]
S0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-22 64288]
S2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-7-30 1361192]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-01-30 21:22:12 22912 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2010-01-30 21:22:12 21248 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2010-01-30 21:22:12 12672 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2010-01-30 21:22:11 0 d-----w- c:\program files\LG Electronics
2010-01-27 03:05:37 0 d-----w- c:\program files\Trend Micro
2010-01-27 02:58:41 0 d-----w- c:\program files\Avira
2010-01-27 02:58:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-27 02:47:14 89344 ----a-w- C:\MGlogs.zip
2010-01-27 02:46:41 0 d-----w- C:\MGtools
2010-01-26 02:55:33 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-26 02:55:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-26 02:51:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-26 02:51:43 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 01:36:27 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-26 01:30:23 2388432 ------w- C:\MGtools.exe
2010-01-25 10:45:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-25 10:45:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-24 22:41:22 16896 ------w- c:\windows\system32\fltlib.dll
2010-01-23 22:06:51 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-01-23 22:06:50 269736 ----a-r- c:\windows\system32\drivers\SbFw.sys
2010-01-23 22:06:37 0 d-----w- c:\program files\Sunbelt Software
2010-01-23 20:34:03 0 d-----w- c:\windows\pss
2010-01-23 05:25:56 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-01-23 05:25:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-23 05:25:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-23 05:00:19 77312 ----a-w- c:\windows\MBR.exe
2010-01-23 05:00:18 98816 ----a-w- c:\windows\sed.exe
2010-01-23 05:00:18 261632 ----a-w- c:\windows\PEV.exe
2010-01-23 05:00:18 161792 ----a-w- c:\windows\SWREG.exe
2010-01-23 04:52:22 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-23 04:51:46 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-23 04:51:01 0 d-----w- c:\program files\Lavasoft
2010-01-23 01:30:17 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-23 01:30:06 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-23 01:30:06 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-01-23 01:08:35 0 d-----w- c:\program files\CCleaner
2010-01-22 04:31:08 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-01-22 04:31:03 0 d-----w- c:\program files\SpywareBlaster

==================== Find3M ====================

2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr

============= FINISH: 17:50:33.60 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 07 February 2010 - 11:05 AM

Hello,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window, If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log

Thanks

unite.jpg


#3 oldmobie

oldmobie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:21 PM

Posted 07 February 2010 - 08:12 PM

No worries on the delay. I understand too few folks can and will do what you do, and there are a lot of "us" who come here for help. (Thanks!)

I cleaned it as well as I know how before my first post here, and haven't noticed any symptoms since. I've done nothing with the machine between my previous post and receiving your instructions. I hope that it's already fixed. What troubles me is the OLD symptom: after all scans were clean, I tried the rather suspect "TSAntispy", after which Spybot Search and Destroy found results again. I'd like to confirm that I haven't missed a bot that installs things later, after I've cleaned. It just stinks of 'trojan' to me.

So, here are the requested logs:

log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2010-02-07 18:08:26
Microsoft Windows XP Home Edition
System drive C: has 37 GB (70%) free of 52 GB
Total RAM: 254 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:17 PM, on 2/7/2010
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro\TSAntiSpy.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\System32\GPhotos.scr/200
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: efcyvuro - C:\WINDOWS\
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 6004 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#Deskjet#3320.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-25 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\System32\msdxm.ocx [2001-10-04 844048]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - hp toolkit - C:\HP\EXPLOREBAR\HPTOOLKT.DLL [2002-06-04 86016]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"NvCplDaemon"=NvQTwk,NvCplDaemon initialize []
"nwiz"=nwiz.exe /install []
"CamMonitor"=c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe [2002-06-18 69632]
"KBD"=C:\HP\KBD\KBD.EXE [2001-07-06 61440]
"StorageGuard"=C:\Program Files\VERITAS Software\Update Manager\sgtray.exe [2002-05-09 155648]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2002-07-16 106549]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2001-12-19 212992]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2002-05-15 155648]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2002-05-15 114688]
"PS2"=C:\WINDOWS\system32\ps2.exe [2002-06-14 81920]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"LaunchAntiSpy"=C:\Program Files\DefenderPro\TSAntiSpy.exe /startup []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2001-08-02 1077277]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-01-05 2002160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-02-07 18:08:26 ----D---- C:\rsit
2010-01-30 22:49:45 ----D---- C:\Documents and Settings\Owner\Application Data\InterVideo
2010-01-30 15:31:25 ----A---- C:\WINDOWS\ModemLog_LGE CDMA USB Modem.txt
2010-01-30 15:22:11 ----D---- C:\Program Files\LG Electronics
2010-01-27 20:52:18 ----SHD---- C:\RECYCLER
2010-01-26 21:05:37 ----D---- C:\Program Files\Trend Micro
2010-01-26 20:58:41 ----D---- C:\Program Files\Avira
2010-01-26 20:58:41 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2010-01-26 20:46:41 ----D---- C:\MGtools
2010-01-26 19:02:50 ----A---- C:\ComboFix.txt
2010-01-25 20:55:33 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-01-25 20:55:33 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-25 19:36:27 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-01-25 19:30:23 ----N---- C:\MGtools.exe
2010-01-25 04:46:55 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-01-25 04:46:50 ----D---- C:\Program Files\Common Files\Java
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\javaws.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\javaw.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\java.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\deploytk.dll
2010-01-25 04:44:50 ----D---- C:\Program Files\Java
2010-01-25 04:43:48 ----D---- C:\Documents and Settings\Owner\Application Data\Sun
2010-01-24 16:41:22 ----N---- C:\WINDOWS\System32\fltlib.dll
2010-01-24 16:09:13 ----D---- C:\WINDOWS\temp
2010-01-23 16:06:37 ----D---- C:\Program Files\Sunbelt Software
2010-01-23 14:34:03 ----D---- C:\WINDOWS\pss
2010-01-22 23:25:56 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2010-01-22 23:25:47 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-01-22 23:25:46 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-01-22 23:00:19 ----A---- C:\WINDOWS\NIRCMD.exe
2010-01-22 23:00:19 ----A---- C:\WINDOWS\MBR.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\zip.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWSC.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWREG.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\sed.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\PEV.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\grep.exe
2010-01-22 23:00:10 ----D---- C:\WINDOWS\ERDNT
2010-01-22 22:59:14 ----D---- C:\Qoobox
2010-01-22 22:51:46 ----HDC---- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-22 22:51:01 ----D---- C:\Program Files\Lavasoft
2010-01-22 22:51:01 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-01-22 19:30:17 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-22 19:30:06 ----D---- C:\Program Files\SUPERAntiSpyware
2010-01-22 19:30:06 ----D---- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2010-01-22 19:21:16 ----DC---- C:\WINDOWS\System32\DRVSTORE
2010-01-22 19:08:35 ----D---- C:\Program Files\CCleaner
2010-01-21 22:31:49 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-01-21 22:31:08 ----A---- C:\WINDOWS\System32\MSSTDFMT.DLL
2010-01-21 22:31:03 ----D---- C:\Program Files\SpywareBlaster

======List of files/folders modified in the last 1 months======

2010-02-07 18:08:39 ----D---- C:\WINDOWS\Prefetch
2010-02-07 18:05:02 ----A---- C:\WINDOWS\ModemLog_Lucent Win Modem.txt
2010-02-07 18:04:47 ----D---- C:\WINDOWS\Debug
2010-02-01 04:43:42 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-30 22:51:43 ----D---- C:\WINDOWS\System32\CatRoot2
2010-01-30 19:40:59 ----D---- C:\WINDOWS\System32\drivers
2010-01-30 17:03:23 ----D---- C:\WINDOWS
2010-01-30 15:36:41 ----RD---- C:\Program Files
2010-01-30 15:34:11 ----D---- C:\WINDOWS\inf
2010-01-30 15:29:14 ----D---- C:\WINDOWS\system32
2010-01-30 15:22:11 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-30 14:58:02 ----RSHDC---- C:\WINDOWS\System32\dllcache
2010-01-30 14:57:44 ----HD---- C:\Program Files\WindowsUpdate
2010-01-29 23:24:32 ----RSH---- C:\BOOT.INI
2010-01-29 23:24:32 ----A---- C:\WINDOWS\win.ini
2010-01-29 23:24:32 ----A---- C:\WINDOWS\system.ini
2010-01-29 20:20:29 ----HDC---- C:\WINDOWS\$NtUninstallQ329115$
2010-01-27 20:18:34 ----D---- C:\Program Files\Google
2010-01-26 20:57:39 ----SHD---- C:\WINDOWS\Installer
2010-01-26 20:57:39 ----D---- C:\Config.Msi
2010-01-26 20:57:37 ----D---- C:\WINDOWS\WinSxS
2010-01-26 20:57:34 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-01-26 18:50:41 ----D---- C:\WINDOWS\AppPatch
2010-01-26 18:50:36 ----D---- C:\Program Files\Common Files
2010-01-25 19:21:53 ----D---- C:\Program Files\WildTangent
2010-01-24 21:08:56 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-01-24 17:05:55 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-01-24 16:41:52 ----SHD---- C:\System Volume Information
2010-01-24 16:41:52 ----D---- C:\WINDOWS\System32\Restore
2010-01-23 16:06:59 ----D---- C:\WINDOWS\System32\CatRoot
2010-01-23 14:09:50 ----HDC---- C:\WINDOWS\$NtUninstallQ324096$
2010-01-22 23:18:41 ----SD---- C:\WINDOWS\Tasks
2010-01-22 23:14:17 ----A---- C:\WINDOWS\System32\PerfStringBackup.INI
2010-01-22 23:09:50 ----D---- C:\WINDOWS\System32\config
2010-01-22 23:08:27 ----D---- C:\Temp
2010-01-22 23:08:04 ----D---- C:\Program Files\Internet Explorer
2010-01-22 19:12:13 ----D---- C:\WINDOWS\Minidump
2010-01-21 21:58:43 ----SHD---- C:\WINDOWS\VGVyZXNhIEhvdXNl
2010-01-21 21:58:03 ----D---- C:\WINDOWS\System32\Mz02r
2010-01-21 21:58:02 ----D---- C:\WINDOWS\System32\ib1
2010-01-21 21:57:10 ----D---- C:\WINDOWS\System32\cp1
2010-01-21 21:57:09 ----D---- C:\WINDOWS\System32\bo2
2010-01-21 21:57:01 ----D---- C:\WINDOWS\System32\aqVreo01
2010-01-21 21:35:16 ----D---- C:\WINDOWS\system
2010-01-21 21:34:44 ----D---- C:\Program Files\Windows NT
2010-01-21 21:34:34 ----DC---- C:\Program Files\HPSelect

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-05-22 90336]
R1 AFS2K;AFS2k; C:\WINDOWS\System32\drivers\AFS2K.sys [2002-07-24 82380]
R1 avgntdd;avgntdd; C:\WINDOWS\SYSTEM32\DRIVERS\avgntdd.sys [2009-02-13 45416]
R1 avipbb;avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SbFw;SbFw; C:\WINDOWS\system32\drivers\SbFw.sys [2008-07-16 269736]
R1 sbhips;Sunbelt HIPS Driver; C:\WINDOWS\system32\drivers\sbhips.sys [2008-06-21 66600]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2002-06-19 5589]
R1 ssmdrv;ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2002-06-19 22995]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2002-06-06 40368]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2002-07-16 23701]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2002-07-16 34805]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2002-07-16 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2002-07-16 2201]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2002-07-16 54900]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2002-07-16 14421]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2002-07-16 6325]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2002-07-16 91156]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2002-07-16 95125]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-05-22 69504]
R3 ALCXWDM;Service for Avance AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2002-06-22 656172]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2002-05-22 78045]
R3 ltmodem5;Lucent Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2002-01-24 623633]
R3 MxlW2k;MxlW2k; C:\WINDOWS\System32\drivers\MxlW2k.sys [2002-07-24 28164]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-03-08 13780]
R3 ;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2001-08-17 23070]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport; C:\WINDOWS\System32\DRIVERS\sbfwim.sys [2008-06-21 65576]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2002-04-01 19072]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2002-04-01 51584]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2001-08-17 21760]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2001-08-18 18944]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2001-08-17 13952]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-08 158140]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-08 12479]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-08 12031]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-08 11679]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-08 11999]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-08 19359]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-08 29215]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-08 19199]
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-08 33503]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-08 23519]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2002-05-03 931882]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 rootrepeal;rootrepeal; \??\C:\WINDOWS\System32\drivers\rootrepeal.sys []
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2002-07-13 155008]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-04-08 188032]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\System32\DRIVERS\lgusbbus.sys [2007-04-09 12672]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2001-08-17 24960]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\System32\DRIVERS\lgusbdiag.sys [2007-04-09 21248]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\System32\DRIVERS\lgusbmodem.sys [2007-04-09 22912]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2001-08-18 15616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2001-08-17 24832]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2001-08-17 13824]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-25 153376]
R2 SbPF.Launcher;SbPF.Launcher; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-07-30 95528]
R2 SPF4;Sunbelt Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-07-30 1361192]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2001-08-18 249344]
S2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2002-05-03 61440]

-----------------EOF-----------------


info.txt:

info.txt logfile of random's system information tool 1.06 2010-02-07 18:09:24

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
ArcSoft Software Suite-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Software Suite\Uninst.isu"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Detto IntelliMover Demo-->MsiExec.exe /X{E62C706B-1352-4DCA-B4D4-81C24750B70F}
DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
easy Internet sign-up-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B5DDB2C-0807-47FD-9C11-80EA761902C0}\Setup.exe" -l0x9
HijackThis 2.0.2-->"C:\MGTools\HijackThis.exe" /uninstall
HP Instant Support-->C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Memories Disc-->MsiExec.exe /X{FF384BDE-429B-45AD-A0C6-E593393D9D1C}
HP Photo and Imaging 1.1 - Photosmart Cameras-->MsiExec.exe /X{1EEE2A9F-6471-42fa-8923-E8879168CE26}
hp toolkit-->c:\Windows\HPTK\unhptkit.exe
Inactive HP Printer Drivers (Remove only)-->RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
Intel® 845G Chipset Graphics Driver Software-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
Java™ 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
KBD-->C:\HP\KBD\KBD.EXE uninstalled
Lernout & Hauspie TruVoice American English TTS Engine-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LG USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.7 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MUSICMATCH Jukebox-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
PC-Doctor for Windows-->C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
PS2-->C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions-->C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1-->C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
RecordNow Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
RecordNow-->MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
S3Display-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.2-->"C:\Program Files\SpywareBlaster\unins000.exe"
Sunbelt Personal Firewall-->MsiExec.exe /X{F61A549E-9C8A-4859-8BFE-2A4A018BBA4A}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Virtual Villagers - A New Home (remove only)-->C:\Program Files\Virtual Villagers - A New Home\Uninstall.exe
Windows XP Hotfix (SP1) [See Q308677 for more information]-->C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q309521 for more information]-->C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q309691 for more information]-->C:\WINDOWS\$NtUninstallQ309691$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q311842 for more information]-->C:\WINDOWS\$NtUninstallQ311842$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q311889 for more information]-->C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q312370 for more information]-->C:\WINDOWS\$NtUninstallQ312370$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q315000 for more information]-->C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q315403 for more information]-->C:\WINDOWS\$NtUninstallQ315403$\spuninst\spuninst.exe
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\uninst32.exe
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\Uninst32.exe

======System event log======

Computer Name: FREDRICH-HOUSE3
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 256
Source Name: W32Time
Time Written: 20080519182934.000000-300
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 7000
Message: The Network Location Awareness (NLA) service failed to start due to the following error:
All pipe instances are busy.


Record Number: 226
Source Name: Service Control Manager
Time Written: 20080519172619.000000-300
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 7011
Message: Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.

Record Number: 224
Source Name: Service Control Manager
Time Written: 20080519172619.000000-300
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 7011
Message: Timeout (30000 milliseconds) waiting for a transaction response from the AudioSrv service.

Record Number: 222
Source Name: Service Control Manager
Time Written: 20080519172619.000000-300
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 34
Message: The time service has detected that the system time needs to be
changed by -348990 seconds. The time service will not change the system
time by more than -54000 seconds. Verify that your time and time zone
are correct, and that the time source time.windows.com (ntp.m|0x1|74.194.111.29:123->207.46.197.32:123) is working properly.

Record Number: 210
Source Name: W32Time
Time Written: 20080519172333.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application uirqy.exe, version 0.0.0.0, faulting module uirqy.exe, version 0.0.0.0, fault address 0x0002ad6e.

Record Number: 30
Source Name: Application Error
Time Written: 20080310213417.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application pano.exe, version 0.0.0.0, faulting module pano.exe, version 0.0.0.0, fault address 0x0002ad6e.

Record Number: 29
Source Name: Application Error
Time Written: 20080310195409.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application yuvasak.exe, version 0.0.0.0, faulting module yuvasak.exe, version 0.0.0.0, fault address 0x0002ad6e.

Record Number: 28
Source Name: Application Error
Time Written: 20080310102901.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application xcgmg.exe, version 0.0.0.0, faulting module xcgmg.exe, version 0.0.0.0, fault address 0x00006cf5.

Record Number: 27
Source Name: Application Error
Time Written: 20080310102639.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application kzkofemy.exe, version 0.0.0.0, faulting module kzkofemy.exe, version 0.0.0.0, fault address 0x0002c9ac.

Record Number: 24
Source Name: Application Error
Time Written: 20080308215715.000000-360
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;c:\Python22;C:\Program files\PC-Doctor for Windows XP\WINDSAPI
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


Gmer.log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-07 18:18:12
Windows 5.1.2600
Running: 5gybxqij.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uwdcakoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwClose [0xF0CA7FDC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateFile [0xF0CA76E4]
SSDT F99AE6AE ZwCreateKey
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcess [0xF0CA6D0C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcessEx [0xF0CA6C18]
SSDT F99AE6A4 ZwCreateThread
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteFile [0xF0CA808C]
SSDT F99AE6B3 ZwDeleteKey
SSDT F99AE6BD ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwLoadDriver [0xF935801C]
SSDT F99AE6C2 ZwLoadKey
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwMapViewOfSection [0xF9358168]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenFile [0xF0CA79D0]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenKey [0xF0CA4446]
SSDT F99AE690 ZwOpenProcess
SSDT F99AE695 ZwOpenThread
SSDT F99AE6CC ZwReplaceKey
SSDT F99AE6C7 ZwRestoreKey
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwResumeThread [0xF0CA7368]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetInformationFile [0xF0CA7D08]
SSDT F99AE6B8 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF0C090B0]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwWriteFile [0xF0CA7C5C]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)

Device \FileSystem\Fastfat \FatCdrom tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@ Microsoft Disk Quota
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoMachinePolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoBackgroundPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@PerUserLocalSettings 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@EnableAsynchronousProcessing 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@DllName dskquota.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@ProcessGroupPolicy ProcessGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicy SceProcessSecurityPolicyGPO
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@GenerateGroupPolicy SceGenerateGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ExtensionRsopPlanningDebugLevel 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicyEx SceProcessSecurityPolicyGPOEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ExtensionDebugLevel 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@DllName scecli.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ Security
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@EnableAsynchronousProcessing 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@MaxNoGPOListChangesInterval 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ProcessGroupPolicyEx ProcessGroupPolicyEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@GenerateGroupPolicy GenerateGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ProcessGroupPolicy ProcessGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@DllName iedkcs32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ Internet Explorer Branding
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoBackgroundPolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoMachinePolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicy SceProcessEFSRecoveryGPO
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@DllName scecli.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@ EFS recovery
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@ Software Installation
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@DllName appmgmts.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@ProcessGroupPolicyEx ProcessGroupPolicyObjectsEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@GenerateGroupPolicy GenerateGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@NoBackgroundPolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@RequiresSucessfulRegistry 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@PerUserLocalSettings 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@EventSources (Application Management,Application)?(MsiInstaller,Application)?
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DllName C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logon SABWINLOLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logoff SABWINLOLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Startup SABWINLOStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Shutdown SABWINLOShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@DllName crypt32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Logoff ChainWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@DllName cryptnet.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Logoff CryptnetWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@DLLName cscdll.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logon WinlogonLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logoff WinlogonLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@ScreenSaver WinlogonScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Startup WinlogonStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Shutdown WinlogonShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@StartShell WinlogonStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro@DllName efcyvuro.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro@Logon o
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro@Logoff f
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@DLLName igfxsrvc.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@Unlock WinlogonUnlockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logon SCardStartCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logoff SCardStopCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Lock SCardSuspendCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Unlock SCardResumeCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Enabled 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@StartShell SchedStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Logoff SchedEventLogOff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Logoff WLEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@DllName sclgntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@DLLName WlNotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Lock SensLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logon SensLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logoff SensLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Safe 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartScreenSaver SensStartScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StopScreenSaver SensStopScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Startup SensStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Shutdown SensShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartShell SensStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@PostShell SensPostShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Disconnect SensDisconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Reconnect SensReconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Unlock SensUnlockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logoff TSEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logon TSEventLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@PostShell TSEventPostShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Shutdown TSEventShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@StartShell TSEventStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Startup TSEventStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Reconnect TSEventReconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Disconnect TSEventDisconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logon RegisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logoff UnregisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@HelpAssistant 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@TsInternetUser 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@SQLAgentCmdExec 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@NetShowServices 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@IWAM_ 65536
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@IUSR_ 65536
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@VUSR_ 65536

---- EOF - GMER 1.0.15 ----


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 08 February 2010 - 09:50 AM

Hi oldmobie,

Your logs look ok to me, just a few bits we will clean up.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the icon on your desktop.
  • Paste the following code under the area. Do not include the word "Code".
    CODE
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"=-
    "nwiz"=-
    "LaunchAntiSpy"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    :Commands
    [Purity]
    [EmptyTemp]
  • Push the large button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, Aclick on View sACcan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • OTM results
  • Kaspersky report
  • New Rsit log

Thanks

unite.jpg


#5 oldmobie

oldmobie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:21 PM

Posted 11 February 2010 - 05:45 PM

Performed Erunt backup, ran OTM as instructed. (Log below.) I was finally able to get his machine online, but the connection is unstable and usually won't dial. (I doubt this is a symptom - I connect with a cell phone, and it's temperamental at best.) So I still can't do the Kaspersky scan.

The only problem I'm noticing is that the Windows clock seems to stop when the system hibernates. I've never heard of Spyware doing anything like that, so unless you say different, I'll consider it a setting or even a possible issue with the CMOS battery.

So, here's the log that I CAN post. As always, I appreciate your time and effort.

text of 02082010_164108.log

All processes killed
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NvCplDaemon deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\nwiz deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\LaunchAntiSpy deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr deleted successfully.
========== COMMANDS ==========
C:\Documents and Settings\Owner\My Documents\F?nts folder moved successfully.
C:\Documents and Settings\Owner\My Documents\?icrosoft.NET folder moved successfully.

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: delaney
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: Owner
->Temp folder emptied: 58077866 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65536 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 594079 bytes
RecycleBin emptied: 12829734 bytes

Total Files Cleaned = 68.00 mb


OTM by OldTimer - Version 3.1.8.0 log created on 02082010_164108

Files moved on Reboot...

Registry entries deleted on Reboot...


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 11 February 2010 - 06:08 PM

Yes that doesn't really sound like a malware issue, you could ask in one of the other forums about it when we are finished here.
Can you post a new Rsit log as well please and do this following step.
  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up please post the contents in your reply.

unite.jpg


#7 oldmobie

oldmobie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:21 PM

Posted 11 February 2010 - 10:37 PM

log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2010-02-11 21:19:33
Microsoft Windows XP Home Edition
System drive C: has 36 GB (70%) free of 52 GB
Total RAM: 254 MB (43% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:09 PM, on 2/11/2010
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\System32\ssstars.scr
C:\Documents and Settings\Owner\Desktop\Security\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\System32\GPhotos.scr/200
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efcyvuro - efcyvuro.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 5808 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#Deskjet#3320.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-25 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\System32\msdxm.ocx [2001-10-04 844048]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - hp toolkit - C:\HP\EXPLOREBAR\HPTOOLKT.DLL [2002-06-04 86016]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"CamMonitor"=c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe [2002-06-18 69632]
"KBD"=C:\HP\KBD\KBD.EXE [2001-07-06 61440]
"StorageGuard"=C:\Program Files\VERITAS Software\Update Manager\sgtray.exe [2002-05-09 155648]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2002-07-16 106549]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2001-12-19 212992]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2002-05-15 155648]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2002-05-15 114688]
"PS2"=C:\WINDOWS\system32\ps2.exe [2002-06-14 81920]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2001-08-02 1077277]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-01-05 2002160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro]
efcyvuro.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2002-05-15 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-02-10 10:04:53 ----D---- C:\Documents and Settings\Owner\Application Data\AVG8
2010-02-09 18:43:24 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2010-02-09 18:20:23 ----D---- C:\WINDOWS\Sun
2010-02-08 16:36:22 ----D---- C:\Program Files\ERUNT
2010-02-07 18:08:26 ----D---- C:\rsit
2010-01-30 22:49:45 ----D---- C:\Documents and Settings\Owner\Application Data\InterVideo
2010-01-30 15:31:25 ----A---- C:\WINDOWS\ModemLog_LGE CDMA USB Modem.txt
2010-01-30 15:22:11 ----D---- C:\Program Files\LG Electronics
2010-01-27 20:52:18 ----SHD---- C:\RECYCLER
2010-01-26 21:05:37 ----D---- C:\Program Files\Trend Micro
2010-01-26 20:58:41 ----D---- C:\Program Files\Avira
2010-01-26 20:46:41 ----D---- C:\MGtools
2010-01-26 19:02:50 ----A---- C:\ComboFix.txt
2010-01-25 20:55:33 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-01-25 20:55:33 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-25 19:36:27 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-01-25 19:30:23 ----N---- C:\MGtools.exe
2010-01-25 04:46:55 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-01-25 04:46:50 ----D---- C:\Program Files\Common Files\Java
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\javaws.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\javaw.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\java.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\deploytk.dll
2010-01-25 04:44:50 ----D---- C:\Program Files\Java
2010-01-25 04:43:48 ----D---- C:\Documents and Settings\Owner\Application Data\Sun
2010-01-24 16:41:22 ----N---- C:\WINDOWS\System32\fltlib.dll
2010-01-24 16:09:13 ----D---- C:\WINDOWS\temp
2010-01-23 16:06:37 ----D---- C:\Program Files\Sunbelt Software
2010-01-23 14:34:03 ----D---- C:\WINDOWS\pss
2010-01-22 23:25:56 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2010-01-22 23:25:47 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-01-22 23:25:46 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-01-22 23:00:19 ----A---- C:\WINDOWS\NIRCMD.exe
2010-01-22 23:00:19 ----A---- C:\WINDOWS\MBR.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\zip.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWSC.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWREG.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\sed.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\PEV.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\grep.exe
2010-01-22 23:00:10 ----D---- C:\WINDOWS\ERDNT
2010-01-22 22:59:14 ----D---- C:\Qoobox
2010-01-22 22:51:46 ----HDC---- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-22 22:51:01 ----D---- C:\Program Files\Lavasoft
2010-01-22 22:51:01 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-01-22 19:30:17 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-22 19:30:06 ----D---- C:\Program Files\SUPERAntiSpyware
2010-01-22 19:30:06 ----D---- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2010-01-22 19:21:16 ----DC---- C:\WINDOWS\System32\DRVSTORE
2010-01-22 19:08:35 ----D---- C:\Program Files\CCleaner
2010-01-21 22:31:49 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-01-21 22:31:08 ----A---- C:\WINDOWS\System32\MSSTDFMT.DLL
2010-01-21 22:31:03 ----D---- C:\Program Files\SpywareBlaster

======List of files/folders modified in the last 1 months======

2010-02-11 21:09:47 ----D---- C:\WINDOWS\Prefetch
2010-02-11 01:46:37 ----A---- C:\WINDOWS\ModemLog_Lucent Win Modem.txt
2010-02-11 01:46:24 ----D---- C:\WINDOWS\Debug
2010-02-11 01:45:01 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-11 01:37:57 ----D---- C:\WINDOWS\System32\drivers
2010-02-11 01:36:22 ----SHD---- C:\WINDOWS\Installer
2010-02-11 01:36:22 ----D---- C:\Config.Msi
2010-02-11 01:36:20 ----D---- C:\WINDOWS\WinSxS
2010-02-11 01:36:17 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-02-11 01:13:33 ----D---- C:\WINDOWS\System32\CatRoot2
2010-02-09 18:48:35 ----D---- C:\WINDOWS
2010-02-08 19:27:48 ----D---- C:\WINDOWS\system32
2010-02-08 19:27:47 ----A---- C:\WINDOWS\System32\PerfStringBackup.INI
2010-02-08 19:27:25 ----D---- C:\WINDOWS\System32\CatRoot
2010-02-08 19:25:46 ----D---- C:\WINDOWS\inf
2010-02-08 16:36:22 ----RD---- C:\Program Files
2010-01-30 15:22:11 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-30 14:58:02 ----RSHDC---- C:\WINDOWS\System32\dllcache
2010-01-30 14:57:44 ----HD---- C:\Program Files\WindowsUpdate
2010-01-29 23:24:32 ----RSH---- C:\BOOT.INI
2010-01-29 23:24:32 ----A---- C:\WINDOWS\win.ini
2010-01-29 23:24:32 ----A---- C:\WINDOWS\system.ini
2010-01-29 20:20:29 ----HDC---- C:\WINDOWS\$NtUninstallQ329115$
2010-01-27 20:18:34 ----D---- C:\Program Files\Google
2010-01-26 18:50:41 ----D---- C:\WINDOWS\AppPatch
2010-01-26 18:50:36 ----D---- C:\Program Files\Common Files
2010-01-25 19:21:53 ----D---- C:\Program Files\WildTangent
2010-01-24 21:08:56 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-01-24 17:05:55 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-01-24 16:41:52 ----SHD---- C:\System Volume Information
2010-01-24 16:41:52 ----D---- C:\WINDOWS\System32\Restore
2010-01-23 14:09:50 ----HDC---- C:\WINDOWS\$NtUninstallQ324096$
2010-01-22 23:18:41 ----SD---- C:\WINDOWS\Tasks
2010-01-22 23:09:50 ----D---- C:\WINDOWS\System32\config
2010-01-22 23:08:27 ----D---- C:\Temp
2010-01-22 23:08:04 ----D---- C:\Program Files\Internet Explorer
2010-01-22 19:12:13 ----D---- C:\WINDOWS\Minidump
2010-01-21 21:58:43 ----SHD---- C:\WINDOWS\VGVyZXNhIEhvdXNl
2010-01-21 21:58:03 ----D---- C:\WINDOWS\System32\Mz02r
2010-01-21 21:58:02 ----D---- C:\WINDOWS\System32\ib1
2010-01-21 21:57:10 ----D---- C:\WINDOWS\System32\cp1
2010-01-21 21:57:09 ----D---- C:\WINDOWS\System32\bo2
2010-01-21 21:57:01 ----D---- C:\WINDOWS\System32\aqVreo01
2010-01-21 21:35:16 ----D---- C:\WINDOWS\system
2010-01-21 21:34:44 ----D---- C:\Program Files\Windows NT
2010-01-21 21:34:34 ----DC---- C:\Program Files\HPSelect

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-05-22 90336]
R1 AFS2K;AFS2k; C:\WINDOWS\System32\drivers\AFS2K.sys [2002-07-24 82380]
R1 avgntdd;avgntdd; C:\WINDOWS\SYSTEM32\DRIVERS\avgntdd.sys [2009-02-13 45416]
R1 avipbb;avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SbFw;SbFw; C:\WINDOWS\system32\drivers\SbFw.sys [2008-07-16 269736]
R1 sbhips;Sunbelt HIPS Driver; C:\WINDOWS\system32\drivers\sbhips.sys [2008-06-21 66600]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2002-06-19 5589]
R1 ssmdrv;ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2002-06-19 22995]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2002-06-06 40368]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2002-07-16 23701]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2002-07-16 34805]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2002-07-16 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2002-07-16 2201]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2002-07-16 54900]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2002-07-16 14421]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2002-07-16 6325]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2002-07-16 91156]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2002-07-16 95125]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-05-22 69504]
R3 ALCXWDM;Service for Avance AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2002-06-22 656172]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2002-05-22 78045]
R3 ltmodem5;Lucent Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2002-01-24 623633]
R3 MxlW2k;MxlW2k; C:\WINDOWS\System32\drivers\MxlW2k.sys [2002-07-24 28164]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-03-08 13780]
R3 ;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2001-08-17 23070]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport; C:\WINDOWS\System32\DRIVERS\sbfwim.sys [2008-06-21 65576]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2002-04-01 19072]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2002-04-01 51584]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2001-08-17 21760]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2001-08-18 18944]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2001-08-17 13952]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-08 158140]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-08 12479]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-08 12031]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-08 11679]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-08 11999]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-08 19359]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-08 29215]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-08 19199]
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-08 33503]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-08 23519]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2002-05-03 931882]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 rootrepeal;rootrepeal; \??\C:\WINDOWS\System32\drivers\rootrepeal.sys []
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2002-07-13 155008]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-04-08 188032]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\System32\DRIVERS\lgusbbus.sys [2007-04-09 12672]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2001-08-17 24960]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\System32\DRIVERS\lgusbdiag.sys [2007-04-09 21248]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\System32\DRIVERS\lgusbmodem.sys [2007-04-09 22912]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2001-08-18 15616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2001-08-17 24832]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2001-08-17 13824]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-25 153376]
R2 SbPF.Launcher;SbPF.Launcher; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-07-30 95528]
R2 SPF4;Sunbelt Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-07-30 1361192]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2001-08-18 249344]
S2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2002-05-03 61440]

-----------------EOF-----------------

info.txt (Not sure if you needed this.):

info.txt logfile of random's system information tool 1.06 2010-02-11 21:20:14

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
ArcSoft Software Suite-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Software Suite\Uninst.isu"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Detto IntelliMover Demo-->MsiExec.exe /X{E62C706B-1352-4DCA-B4D4-81C24750B70F}
DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
easy Internet sign-up-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B5DDB2C-0807-47FD-9C11-80EA761902C0}\Setup.exe" -l0x9
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
HijackThis 2.0.2-->"C:\MGTools\HijackThis.exe" /uninstall
HP Instant Support-->C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Memories Disc-->MsiExec.exe /X{FF384BDE-429B-45AD-A0C6-E593393D9D1C}
HP Photo and Imaging 1.1 - Photosmart Cameras-->MsiExec.exe /X{1EEE2A9F-6471-42fa-8923-E8879168CE26}
hp toolkit-->c:\Windows\HPTK\unhptkit.exe
Inactive HP Printer Drivers (Remove only)-->RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
Intel® 845G Chipset Graphics Driver Software-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
Java™ 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
KBD-->C:\HP\KBD\KBD.EXE uninstalled
Lernout & Hauspie TruVoice American English TTS Engine-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LG USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.7 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MUSICMATCH Jukebox-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
PC-Doctor for Windows-->C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
PS2-->C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions-->C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1-->C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
RecordNow Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
RecordNow-->MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
S3Display-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.2-->"C:\Program Files\SpywareBlaster\unins000.exe"
Sunbelt Personal Firewall-->MsiExec.exe /X{F61A549E-9C8A-4859-8BFE-2A4A018BBA4A}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Virtual Villagers - A New Home (remove only)-->C:\Program Files\Virtual Villagers - A New Home\Uninstall.exe
Windows XP Hotfix (SP1) [See Q308677 for more information]-->C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q309521 for more information]-->C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q309691 for more information]-->C:\WINDOWS\$NtUninstallQ309691$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q311842 for more information]-->C:\WINDOWS\$NtUninstallQ311842$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q311889 for more information]-->C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q312370 for more information]-->C:\WINDOWS\$NtUninstallQ312370$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q315000 for more information]-->C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q315403 for more information]-->C:\WINDOWS\$NtUninstallQ315403$\spuninst\spuninst.exe
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\uninst32.exe
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\Uninst32.exe

======System event log======

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 413
Source Name: Win32k
Time Written: 20081226014708.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 412
Source Name: Win32k
Time Written: 20081226010353.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 411
Source Name: Win32k
Time Written: 20081226003353.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 410
Source Name: Win32k
Time Written: 20081226000408.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 409
Source Name: Win32k
Time Written: 20081225234853.000000-360
Event Type: warning
User:

=====Application event log=====

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application uuygt.exe, version 0.0.0.0, faulting module uuygt.exe, version 0.0.0.0, fault address 0x0002adaf.

Record Number: 45
Source Name: Application Error
Time Written: 20080314100546.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application pasazdn.exe, version 0.0.0.0, faulting module pasazdn.exe, version 0.0.0.0, fault address 0x0002bc8c.

Record Number: 44
Source Name: Application Error
Time Written: 20080314033404.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application jazn.exe, version 0.0.0.0, faulting module jazn.exe, version 0.0.0.0, fault address 0x0002adaf.

Record Number: 43
Source Name: Application Error
Time Written: 20080314032633.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application qotkizpu.exe, version 0.0.0.0, faulting module qotkizpu.exe, version 0.0.0.0, fault address 0x0002ad6e.

Record Number: 42
Source Name: Application Error
Time Written: 20080312220038.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application iexplore.exe, version 6.0.2600.0, faulting module mshtml.dll, version 6.0.2600.0, fault address 0x001120cf.

Record Number: 40
Source Name: Application Error
Time Written: 20080311182324.000000-360
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;c:\Python22;C:\Program files\PC-Doctor for Windows XP\WINDSAPI
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

mbr.log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK



#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 12 February 2010 - 11:03 AM

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the icon on your desktop.
  • Paste the following code under the area. Do not include the word "Code".
    CODE
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro]
    :Commands
    [Reboot]
  • Push the large button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



You don't have the latest service pack for windows, The service packs patch security vulnerabilities found in windows. You should
keep these upto date to keep you protected against malware, that can take advantage of these security vulnerabilities to attack
your system.The latest service pack is SP3, Click on Start >> All programs >> Windows update then select Express
and allow it to install all updates including SP3.
Note: If it prompts you to install an ActiveX control allow it to install it.


Then please post back here with the following logs:
  • OTM results
  • New Rsit log

Thanks

unite.jpg


#9 oldmobie

oldmobie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:21 PM

Posted 12 February 2010 - 06:13 PM

02122010_153021.log:

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro\ deleted successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.8.0 log created on 02122010_153021


log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2010-02-12 15:40:53
Microsoft Windows XP Home Edition
System drive C: has 36 GB (70%) free of 52 GB
Total RAM: 254 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:28 PM, on 2/12/2010
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Documents and Settings\Owner\Desktop\Security\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\System32\GPhotos.scr/200
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 5809 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#Deskjet#3320.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-25 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\System32\msdxm.ocx [2001-10-04 844048]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - hp toolkit - C:\HP\EXPLOREBAR\HPTOOLKT.DLL [2002-06-04 86016]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"CamMonitor"=c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe [2002-06-18 69632]
"KBD"=C:\HP\KBD\KBD.EXE [2001-07-06 61440]
"StorageGuard"=C:\Program Files\VERITAS Software\Update Manager\sgtray.exe [2002-05-09 155648]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2002-07-16 106549]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2001-12-19 212992]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2002-05-15 155648]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2002-05-15 114688]
"PS2"=C:\WINDOWS\system32\ps2.exe [2002-06-14 81920]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2001-08-02 1077277]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-01-05 2002160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2002-05-15 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-02-10 10:04:53 ----D---- C:\Documents and Settings\Owner\Application Data\AVG8
2010-02-09 18:43:24 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2010-02-09 18:20:23 ----D---- C:\WINDOWS\Sun
2010-02-08 16:36:22 ----D---- C:\Program Files\ERUNT
2010-02-07 18:08:26 ----D---- C:\rsit
2010-01-30 22:49:45 ----D---- C:\Documents and Settings\Owner\Application Data\InterVideo
2010-01-30 15:31:25 ----A---- C:\WINDOWS\ModemLog_LGE CDMA USB Modem.txt
2010-01-30 15:22:11 ----D---- C:\Program Files\LG Electronics
2010-01-27 20:52:18 ----SHD---- C:\RECYCLER
2010-01-26 21:05:37 ----D---- C:\Program Files\Trend Micro
2010-01-26 20:58:41 ----D---- C:\Program Files\Avira
2010-01-26 20:46:41 ----D---- C:\MGtools
2010-01-26 19:02:50 ----A---- C:\ComboFix.txt
2010-01-25 20:55:33 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-01-25 20:55:33 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-25 19:36:27 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-01-25 19:30:23 ----N---- C:\MGtools.exe
2010-01-25 04:46:55 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-01-25 04:46:50 ----D---- C:\Program Files\Common Files\Java
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\javaws.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\javaw.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\java.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\deploytk.dll
2010-01-25 04:44:50 ----D---- C:\Program Files\Java
2010-01-25 04:43:48 ----D---- C:\Documents and Settings\Owner\Application Data\Sun
2010-01-24 16:41:22 ----N---- C:\WINDOWS\System32\fltlib.dll
2010-01-24 16:09:13 ----D---- C:\WINDOWS\temp
2010-01-23 16:06:37 ----D---- C:\Program Files\Sunbelt Software
2010-01-23 14:34:03 ----D---- C:\WINDOWS\pss
2010-01-22 23:25:56 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2010-01-22 23:25:47 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-01-22 23:25:46 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-01-22 23:00:19 ----A---- C:\WINDOWS\NIRCMD.exe
2010-01-22 23:00:19 ----A---- C:\WINDOWS\MBR.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\zip.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWSC.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWREG.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\sed.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\PEV.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\grep.exe
2010-01-22 23:00:10 ----D---- C:\WINDOWS\ERDNT
2010-01-22 22:59:14 ----D---- C:\Qoobox
2010-01-22 22:51:46 ----HDC---- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-22 22:51:01 ----D---- C:\Program Files\Lavasoft
2010-01-22 22:51:01 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-01-22 19:30:17 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-22 19:30:06 ----D---- C:\Program Files\SUPERAntiSpyware
2010-01-22 19:30:06 ----D---- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2010-01-22 19:21:16 ----DC---- C:\WINDOWS\System32\DRVSTORE
2010-01-22 19:08:35 ----D---- C:\Program Files\CCleaner
2010-01-21 22:31:49 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-01-21 22:31:08 ----A---- C:\WINDOWS\System32\MSSTDFMT.DLL
2010-01-21 22:31:03 ----D---- C:\Program Files\SpywareBlaster

======List of files/folders modified in the last 1 months======

2010-02-12 15:32:28 ----A---- C:\WINDOWS\ModemLog_Lucent Win Modem.txt
2010-02-12 15:32:16 ----D---- C:\WINDOWS\Debug
2010-02-12 15:30:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-12 15:29:49 ----D---- C:\WINDOWS\Prefetch
2010-02-11 01:37:57 ----D---- C:\WINDOWS\System32\drivers
2010-02-11 01:36:22 ----SHD---- C:\WINDOWS\Installer
2010-02-11 01:36:22 ----D---- C:\Config.Msi
2010-02-11 01:36:20 ----D---- C:\WINDOWS\WinSxS
2010-02-11 01:36:17 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-02-11 01:13:33 ----D---- C:\WINDOWS\System32\CatRoot2
2010-02-09 18:48:35 ----D---- C:\WINDOWS
2010-02-08 19:27:48 ----D---- C:\WINDOWS\system32
2010-02-08 19:27:47 ----A---- C:\WINDOWS\System32\PerfStringBackup.INI
2010-02-08 19:27:25 ----D---- C:\WINDOWS\System32\CatRoot
2010-02-08 19:25:46 ----D---- C:\WINDOWS\inf
2010-02-08 16:36:22 ----RD---- C:\Program Files
2010-01-30 15:22:11 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-30 14:58:02 ----RSHDC---- C:\WINDOWS\System32\dllcache
2010-01-30 14:57:44 ----HD---- C:\Program Files\WindowsUpdate
2010-01-29 23:24:32 ----RSH---- C:\BOOT.INI
2010-01-29 23:24:32 ----A---- C:\WINDOWS\win.ini
2010-01-29 23:24:32 ----A---- C:\WINDOWS\system.ini
2010-01-29 20:20:29 ----HDC---- C:\WINDOWS\$NtUninstallQ329115$
2010-01-27 20:18:34 ----D---- C:\Program Files\Google
2010-01-26 18:50:41 ----D---- C:\WINDOWS\AppPatch
2010-01-26 18:50:36 ----D---- C:\Program Files\Common Files
2010-01-25 19:21:53 ----D---- C:\Program Files\WildTangent
2010-01-24 21:08:56 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-01-24 17:05:55 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-01-24 16:41:52 ----SHD---- C:\System Volume Information
2010-01-24 16:41:52 ----D---- C:\WINDOWS\System32\Restore
2010-01-23 14:09:50 ----HDC---- C:\WINDOWS\$NtUninstallQ324096$
2010-01-22 23:18:41 ----SD---- C:\WINDOWS\Tasks
2010-01-22 23:09:50 ----D---- C:\WINDOWS\System32\config
2010-01-22 23:08:27 ----D---- C:\Temp
2010-01-22 23:08:04 ----D---- C:\Program Files\Internet Explorer
2010-01-22 19:12:13 ----D---- C:\WINDOWS\Minidump
2010-01-21 21:58:43 ----SHD---- C:\WINDOWS\VGVyZXNhIEhvdXNl
2010-01-21 21:58:03 ----D---- C:\WINDOWS\System32\Mz02r
2010-01-21 21:58:02 ----D---- C:\WINDOWS\System32\ib1
2010-01-21 21:57:10 ----D---- C:\WINDOWS\System32\cp1
2010-01-21 21:57:09 ----D---- C:\WINDOWS\System32\bo2
2010-01-21 21:57:01 ----D---- C:\WINDOWS\System32\aqVreo01
2010-01-21 21:35:16 ----D---- C:\WINDOWS\system
2010-01-21 21:34:44 ----D---- C:\Program Files\Windows NT
2010-01-21 21:34:34 ----DC---- C:\Program Files\HPSelect

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-05-22 90336]
R1 AFS2K;AFS2k; C:\WINDOWS\System32\drivers\AFS2K.sys [2002-07-24 82380]
R1 avgntdd;avgntdd; C:\WINDOWS\SYSTEM32\DRIVERS\avgntdd.sys [2009-02-13 45416]
R1 avipbb;avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SbFw;SbFw; C:\WINDOWS\system32\drivers\SbFw.sys [2008-07-16 269736]
R1 sbhips;Sunbelt HIPS Driver; C:\WINDOWS\system32\drivers\sbhips.sys [2008-06-21 66600]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2002-06-19 5589]
R1 ssmdrv;ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2002-06-19 22995]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2002-06-06 40368]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2002-07-16 23701]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2002-07-16 34805]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2002-07-16 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2002-07-16 2201]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2002-07-16 54900]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2002-07-16 14421]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2002-07-16 6325]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2002-07-16 91156]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2002-07-16 95125]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-05-22 69504]
R3 ALCXWDM;Service for Avance AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2002-06-22 656172]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2002-05-22 78045]
R3 ltmodem5;Lucent Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2002-01-24 623633]
R3 MxlW2k;MxlW2k; C:\WINDOWS\System32\drivers\MxlW2k.sys [2002-07-24 28164]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-03-08 13780]
R3 ;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2001-08-17 23070]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport; C:\WINDOWS\System32\DRIVERS\sbfwim.sys [2008-06-21 65576]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2002-04-01 19072]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2002-04-01 51584]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2001-08-17 21760]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2001-08-18 18944]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2001-08-17 13952]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-08 158140]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-08 12479]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-08 12031]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-08 11679]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-08 11999]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-08 19359]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-08 29215]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-08 19199]
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-08 33503]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-08 23519]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2002-05-03 931882]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 rootrepeal;rootrepeal; \??\C:\WINDOWS\System32\drivers\rootrepeal.sys []
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2002-07-13 155008]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-04-08 188032]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\System32\DRIVERS\lgusbbus.sys [2007-04-09 12672]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2001-08-17 24960]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\System32\DRIVERS\lgusbdiag.sys [2007-04-09 21248]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\System32\DRIVERS\lgusbmodem.sys [2007-04-09 22912]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2001-08-18 15616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2001-08-17 24832]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2001-08-17 13824]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-25 153376]
R2 SbPF.Launcher;SbPF.Launcher; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-07-30 95528]
R2 SPF4;Sunbelt Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-07-30 1361192]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2001-08-18 249344]
S2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2002-05-03 61440]

-----------------EOF-----------------


info.txt

info.txt logfile of random's system information tool 1.06 2010-02-12 15:41:32

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
ArcSoft Software Suite-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Software Suite\Uninst.isu"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Detto IntelliMover Demo-->MsiExec.exe /X{E62C706B-1352-4DCA-B4D4-81C24750B70F}
DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
easy Internet sign-up-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B5DDB2C-0807-47FD-9C11-80EA761902C0}\Setup.exe" -l0x9
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
HijackThis 2.0.2-->"C:\MGTools\HijackThis.exe" /uninstall
HP Instant Support-->C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Memories Disc-->MsiExec.exe /X{FF384BDE-429B-45AD-A0C6-E593393D9D1C}
HP Photo and Imaging 1.1 - Photosmart Cameras-->MsiExec.exe /X{1EEE2A9F-6471-42fa-8923-E8879168CE26}
hp toolkit-->c:\Windows\HPTK\unhptkit.exe
Inactive HP Printer Drivers (Remove only)-->RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
Intel® 845G Chipset Graphics Driver Software-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
Java™ 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
KBD-->C:\HP\KBD\KBD.EXE uninstalled
Lernout & Hauspie TruVoice American English TTS Engine-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LG USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.7 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MUSICMATCH Jukebox-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
PC-Doctor for Windows-->C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
PS2-->C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions-->C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1-->C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
RecordNow Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
RecordNow-->MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
S3Display-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.2-->"C:\Program Files\SpywareBlaster\unins000.exe"
Sunbelt Personal Firewall-->MsiExec.exe /X{F61A549E-9C8A-4859-8BFE-2A4A018BBA4A}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Virtual Villagers - A New Home (remove only)-->C:\Program Files\Virtual Villagers - A New Home\Uninstall.exe
Windows XP Hotfix (SP1) [See Q308677 for more information]-->C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q309521 for more information]-->C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q309691 for more information]-->C:\WINDOWS\$NtUninstallQ309691$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q311842 for more information]-->C:\WINDOWS\$NtUninstallQ311842$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q311889 for more information]-->C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q312370 for more information]-->C:\WINDOWS\$NtUninstallQ312370$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q315000 for more information]-->C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q315403 for more information]-->C:\WINDOWS\$NtUninstallQ315403$\spuninst\spuninst.exe
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\uninst32.exe
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\Uninst32.exe

======System event log======

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 442
Source Name: Win32k
Time Written: 20081226160353.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 441
Source Name: Win32k
Time Written: 20081226153353.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 440
Source Name: Win32k
Time Written: 20081226150353.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 439
Source Name: Win32k
Time Written: 20081226143353.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 438
Source Name: Win32k
Time Written: 20081226140353.000000-360
Event Type: warning
User:

=====Application event log=====

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application uuygt.exe, version 0.0.0.0, faulting module uuygt.exe, version 0.0.0.0, fault address 0x0002adaf.

Record Number: 45
Source Name: Application Error
Time Written: 20080314100546.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application pasazdn.exe, version 0.0.0.0, faulting module pasazdn.exe, version 0.0.0.0, fault address 0x0002bc8c.

Record Number: 44
Source Name: Application Error
Time Written: 20080314033404.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application jazn.exe, version 0.0.0.0, faulting module jazn.exe, version 0.0.0.0, fault address 0x0002adaf.

Record Number: 43
Source Name: Application Error
Time Written: 20080314032633.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application qotkizpu.exe, version 0.0.0.0, faulting module qotkizpu.exe, version 0.0.0.0, fault address 0x0002ad6e.

Record Number: 42
Source Name: Application Error
Time Written: 20080312220038.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application iexplore.exe, version 6.0.2600.0, faulting module mshtml.dll, version 6.0.2600.0, fault address 0x001120cf.

Record Number: 40
Source Name: Application Error
Time Written: 20080311182324.000000-360
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;c:\Python22;C:\Program files\PC-Doctor for Windows XP\WINDSAPI
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 12 February 2010 - 06:24 PM

It doesn't look like you have updated to SP3, is their any particular reason why? you are leaving you self open to infection without the
latest updates.

unite.jpg


#11 oldmobie

oldmobie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:21 PM

Posted 12 February 2010 - 06:24 PM

02122010_153021.log:

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcyvuro\ deleted successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.8.0 log created on 02122010_153021


log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2010-02-12 15:40:53
Microsoft Windows XP Home Edition
System drive C: has 36 GB (70%) free of 52 GB
Total RAM: 254 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:28 PM, on 2/12/2010
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Documents and Settings\Owner\Desktop\Security\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\System32\GPhotos.scr/200
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 5809 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#Deskjet#3320.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-25 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\System32\msdxm.ocx [2001-10-04 844048]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - hp toolkit - C:\HP\EXPLOREBAR\HPTOOLKT.DLL [2002-06-04 86016]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"CamMonitor"=c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe [2002-06-18 69632]
"KBD"=C:\HP\KBD\KBD.EXE [2001-07-06 61440]
"StorageGuard"=C:\Program Files\VERITAS Software\Update Manager\sgtray.exe [2002-05-09 155648]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2002-07-16 106549]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2001-12-19 212992]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2002-05-15 155648]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2002-05-15 114688]
"PS2"=C:\WINDOWS\system32\ps2.exe [2002-06-14 81920]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2001-08-02 1077277]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-01-05 2002160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2002-05-15 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-02-10 10:04:53 ----D---- C:\Documents and Settings\Owner\Application Data\AVG8
2010-02-09 18:43:24 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2010-02-09 18:20:23 ----D---- C:\WINDOWS\Sun
2010-02-08 16:36:22 ----D---- C:\Program Files\ERUNT
2010-02-07 18:08:26 ----D---- C:\rsit
2010-01-30 22:49:45 ----D---- C:\Documents and Settings\Owner\Application Data\InterVideo
2010-01-30 15:31:25 ----A---- C:\WINDOWS\ModemLog_LGE CDMA USB Modem.txt
2010-01-30 15:22:11 ----D---- C:\Program Files\LG Electronics
2010-01-27 20:52:18 ----SHD---- C:\RECYCLER
2010-01-26 21:05:37 ----D---- C:\Program Files\Trend Micro
2010-01-26 20:58:41 ----D---- C:\Program Files\Avira
2010-01-26 20:46:41 ----D---- C:\MGtools
2010-01-26 19:02:50 ----A---- C:\ComboFix.txt
2010-01-25 20:55:33 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-01-25 20:55:33 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-25 19:36:27 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-01-25 19:30:23 ----N---- C:\MGtools.exe
2010-01-25 04:46:55 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-01-25 04:46:50 ----D---- C:\Program Files\Common Files\Java
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\javaws.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\javaw.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\java.exe
2010-01-25 04:45:50 ----A---- C:\WINDOWS\System32\deploytk.dll
2010-01-25 04:44:50 ----D---- C:\Program Files\Java
2010-01-25 04:43:48 ----D---- C:\Documents and Settings\Owner\Application Data\Sun
2010-01-24 16:41:22 ----N---- C:\WINDOWS\System32\fltlib.dll
2010-01-24 16:09:13 ----D---- C:\WINDOWS\temp
2010-01-23 16:06:37 ----D---- C:\Program Files\Sunbelt Software
2010-01-23 14:34:03 ----D---- C:\WINDOWS\pss
2010-01-22 23:25:56 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2010-01-22 23:25:47 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-01-22 23:25:46 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-01-22 23:00:19 ----A---- C:\WINDOWS\NIRCMD.exe
2010-01-22 23:00:19 ----A---- C:\WINDOWS\MBR.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\zip.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWSC.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\SWREG.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\sed.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\PEV.exe
2010-01-22 23:00:18 ----A---- C:\WINDOWS\grep.exe
2010-01-22 23:00:10 ----D---- C:\WINDOWS\ERDNT
2010-01-22 22:59:14 ----D---- C:\Qoobox
2010-01-22 22:51:46 ----HDC---- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-22 22:51:01 ----D---- C:\Program Files\Lavasoft
2010-01-22 22:51:01 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-01-22 19:30:17 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-22 19:30:06 ----D---- C:\Program Files\SUPERAntiSpyware
2010-01-22 19:30:06 ----D---- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2010-01-22 19:21:16 ----DC---- C:\WINDOWS\System32\DRVSTORE
2010-01-22 19:08:35 ----D---- C:\Program Files\CCleaner
2010-01-21 22:31:49 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-01-21 22:31:08 ----A---- C:\WINDOWS\System32\MSSTDFMT.DLL
2010-01-21 22:31:03 ----D---- C:\Program Files\SpywareBlaster

======List of files/folders modified in the last 1 months======

2010-02-12 15:32:28 ----A---- C:\WINDOWS\ModemLog_Lucent Win Modem.txt
2010-02-12 15:32:16 ----D---- C:\WINDOWS\Debug
2010-02-12 15:30:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-12 15:29:49 ----D---- C:\WINDOWS\Prefetch
2010-02-11 01:37:57 ----D---- C:\WINDOWS\System32\drivers
2010-02-11 01:36:22 ----SHD---- C:\WINDOWS\Installer
2010-02-11 01:36:22 ----D---- C:\Config.Msi
2010-02-11 01:36:20 ----D---- C:\WINDOWS\WinSxS
2010-02-11 01:36:17 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-02-11 01:13:33 ----D---- C:\WINDOWS\System32\CatRoot2
2010-02-09 18:48:35 ----D---- C:\WINDOWS
2010-02-08 19:27:48 ----D---- C:\WINDOWS\system32
2010-02-08 19:27:47 ----A---- C:\WINDOWS\System32\PerfStringBackup.INI
2010-02-08 19:27:25 ----D---- C:\WINDOWS\System32\CatRoot
2010-02-08 19:25:46 ----D---- C:\WINDOWS\inf
2010-02-08 16:36:22 ----RD---- C:\Program Files
2010-01-30 15:22:11 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-30 14:58:02 ----RSHDC---- C:\WINDOWS\System32\dllcache
2010-01-30 14:57:44 ----HD---- C:\Program Files\WindowsUpdate
2010-01-29 23:24:32 ----RSH---- C:\BOOT.INI
2010-01-29 23:24:32 ----A---- C:\WINDOWS\win.ini
2010-01-29 23:24:32 ----A---- C:\WINDOWS\system.ini
2010-01-29 20:20:29 ----HDC---- C:\WINDOWS\$NtUninstallQ329115$
2010-01-27 20:18:34 ----D---- C:\Program Files\Google
2010-01-26 18:50:41 ----D---- C:\WINDOWS\AppPatch
2010-01-26 18:50:36 ----D---- C:\Program Files\Common Files
2010-01-25 19:21:53 ----D---- C:\Program Files\WildTangent
2010-01-24 21:08:56 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-01-24 17:05:55 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-01-24 16:41:52 ----SHD---- C:\System Volume Information
2010-01-24 16:41:52 ----D---- C:\WINDOWS\System32\Restore
2010-01-23 14:09:50 ----HDC---- C:\WINDOWS\$NtUninstallQ324096$
2010-01-22 23:18:41 ----SD---- C:\WINDOWS\Tasks
2010-01-22 23:09:50 ----D---- C:\WINDOWS\System32\config
2010-01-22 23:08:27 ----D---- C:\Temp
2010-01-22 23:08:04 ----D---- C:\Program Files\Internet Explorer
2010-01-22 19:12:13 ----D---- C:\WINDOWS\Minidump
2010-01-21 21:58:43 ----SHD---- C:\WINDOWS\VGVyZXNhIEhvdXNl
2010-01-21 21:58:03 ----D---- C:\WINDOWS\System32\Mz02r
2010-01-21 21:58:02 ----D---- C:\WINDOWS\System32\ib1
2010-01-21 21:57:10 ----D---- C:\WINDOWS\System32\cp1
2010-01-21 21:57:09 ----D---- C:\WINDOWS\System32\bo2
2010-01-21 21:57:01 ----D---- C:\WINDOWS\System32\aqVreo01
2010-01-21 21:35:16 ----D---- C:\WINDOWS\system
2010-01-21 21:34:44 ----D---- C:\Program Files\Windows NT
2010-01-21 21:34:34 ----DC---- C:\Program Files\HPSelect

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-05-22 90336]
R1 AFS2K;AFS2k; C:\WINDOWS\System32\drivers\AFS2K.sys [2002-07-24 82380]
R1 avgntdd;avgntdd; C:\WINDOWS\SYSTEM32\DRIVERS\avgntdd.sys [2009-02-13 45416]
R1 avipbb;avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SbFw;SbFw; C:\WINDOWS\system32\drivers\SbFw.sys [2008-07-16 269736]
R1 sbhips;Sunbelt HIPS Driver; C:\WINDOWS\system32\drivers\sbhips.sys [2008-06-21 66600]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2002-06-19 5589]
R1 ssmdrv;ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2002-06-19 22995]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2002-06-06 40368]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2002-07-16 23701]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2002-07-16 34805]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2002-07-16 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2002-07-16 2201]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2002-07-16 54900]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2002-07-16 14421]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2002-07-16 6325]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2002-07-16 91156]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2002-07-16 95125]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-05-22 69504]
R3 ALCXWDM;Service for Avance AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2002-06-22 656172]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2002-05-22 78045]
R3 ltmodem5;Lucent Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2002-01-24 623633]
R3 MxlW2k;MxlW2k; C:\WINDOWS\System32\drivers\MxlW2k.sys [2002-07-24 28164]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-03-08 13780]
R3 ;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2001-08-17 23070]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport; C:\WINDOWS\System32\DRIVERS\sbfwim.sys [2008-06-21 65576]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2002-04-01 19072]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2002-04-01 51584]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2001-08-17 21760]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2001-08-18 18944]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2001-08-17 13952]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-08 158140]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-08 12479]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-08 12031]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-08 11679]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-08 11999]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-08 19359]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-08 29215]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-08 19199]
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-08 33503]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-08 23519]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2002-05-03 931882]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 rootrepeal;rootrepeal; \??\C:\WINDOWS\System32\drivers\rootrepeal.sys []
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2002-07-13 155008]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-04-08 188032]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\System32\DRIVERS\lgusbbus.sys [2007-04-09 12672]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2001-08-17 24960]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\System32\DRIVERS\lgusbdiag.sys [2007-04-09 21248]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\System32\DRIVERS\lgusbmodem.sys [2007-04-09 22912]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2001-08-18 15616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2001-08-17 24832]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2001-08-17 13824]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-25 153376]
R2 SbPF.Launcher;SbPF.Launcher; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-07-30 95528]
R2 SPF4;Sunbelt Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-07-30 1361192]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2001-08-18 249344]
S2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2002-05-03 61440]

-----------------EOF-----------------


info.txt

info.txt logfile of random's system information tool 1.06 2010-02-12 15:41:32

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
ArcSoft Software Suite-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Software Suite\Uninst.isu"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Detto IntelliMover Demo-->MsiExec.exe /X{E62C706B-1352-4DCA-B4D4-81C24750B70F}
DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
easy Internet sign-up-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B5DDB2C-0807-47FD-9C11-80EA761902C0}\Setup.exe" -l0x9
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
HijackThis 2.0.2-->"C:\MGTools\HijackThis.exe" /uninstall
HP Instant Support-->C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Memories Disc-->MsiExec.exe /X{FF384BDE-429B-45AD-A0C6-E593393D9D1C}
HP Photo and Imaging 1.1 - Photosmart Cameras-->MsiExec.exe /X{1EEE2A9F-6471-42fa-8923-E8879168CE26}
hp toolkit-->c:\Windows\HPTK\unhptkit.exe
Inactive HP Printer Drivers (Remove only)-->RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
Intel® 845G Chipset Graphics Driver Software-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
Java™ 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
KBD-->C:\HP\KBD\KBD.EXE uninstalled
Lernout & Hauspie TruVoice American English TTS Engine-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LG USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.7 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MUSICMATCH Jukebox-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
PC-Doctor for Windows-->C:\WINDOWS\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
PS2-->C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions-->C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1-->C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
RecordNow Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
RecordNow-->MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
S3Display-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.2-->"C:\Program Files\SpywareBlaster\unins000.exe"
Sunbelt Personal Firewall-->MsiExec.exe /X{F61A549E-9C8A-4859-8BFE-2A4A018BBA4A}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Virtual Villagers - A New Home (remove only)-->C:\Program Files\Virtual Villagers - A New Home\Uninstall.exe
Windows XP Hotfix (SP1) [See Q308677 for more information]-->C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q309521 for more information]-->C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q309691 for more information]-->C:\WINDOWS\$NtUninstallQ309691$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q311842 for more information]-->C:\WINDOWS\$NtUninstallQ311842$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q311889 for more information]-->C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q312370 for more information]-->C:\WINDOWS\$NtUninstallQ312370$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q315000 for more information]-->C:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.exe
Windows XP Hotfix (SP1) [See Q315403 for more information]-->C:\WINDOWS\$NtUninstallQ315403$\spuninst\spuninst.exe
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\uninst32.exe
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\Uninst32.exe

======System event log======

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 442
Source Name: Win32k
Time Written: 20081226160353.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 441
Source Name: Win32k
Time Written: 20081226153353.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 440
Source Name: Win32k
Time Written: 20081226150353.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 439
Source Name: Win32k
Time Written: 20081226143353.000000-360
Event Type: warning
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 438
Source Name: Win32k
Time Written: 20081226140353.000000-360
Event Type: warning
User:

=====Application event log=====

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application uuygt.exe, version 0.0.0.0, faulting module uuygt.exe, version 0.0.0.0, fault address 0x0002adaf.

Record Number: 45
Source Name: Application Error
Time Written: 20080314100546.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application pasazdn.exe, version 0.0.0.0, faulting module pasazdn.exe, version 0.0.0.0, fault address 0x0002bc8c.

Record Number: 44
Source Name: Application Error
Time Written: 20080314033404.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application jazn.exe, version 0.0.0.0, faulting module jazn.exe, version 0.0.0.0, fault address 0x0002adaf.

Record Number: 43
Source Name: Application Error
Time Written: 20080314032633.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application qotkizpu.exe, version 0.0.0.0, faulting module qotkizpu.exe, version 0.0.0.0, fault address 0x0002ad6e.

Record Number: 42
Source Name: Application Error
Time Written: 20080312220038.000000-360
Event Type: error
User:

Computer Name: FREDRICH-HOUSE3
Event Code: 1000
Message: Faulting application iexplore.exe, version 6.0.2600.0, faulting module mshtml.dll, version 6.0.2600.0, fault address 0x001120cf.

Record Number: 40
Source Name: Application Error
Time Written: 20080311182324.000000-360
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;c:\Python22;C:\Program files\PC-Doctor for Windows XP\WINDSAPI
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 12 February 2010 - 06:29 PM

You have just posted the same logs again huh.gif did you see my question here

unite.jpg


#13 oldmobie

oldmobie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:21 PM

Posted 12 February 2010 - 06:32 PM

Sorry, I seem to have posted that twice.

I couldn't get his machine connected to install the windows updates. Is it possible to download them on a different machine and transfer via flashdrive?

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 12 February 2010 - 06:51 PM

You can download and use this package, apart from this your logs look good to me so we can wrap this up smile.gif


Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /, it needs to be there.



Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean! thumbup.gif

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremley important to keep windows upto date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in windows to exploit your computer. The easiest way to
do this this is by making sure that Automatic Updates are always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install a Firewall
I can not stress how important it is that you use a third party Firewall on your computer. Without a firewall your computer is
succeptible to being hacked and taken over. Windows firewall is good for blocking inbound connections but it does not block
outbound connections. So if Malware manages to get onto your computer it will be able to send data out when it wants.
Here are some free firewalls I would recomend, only install one of these.

Zone Alarm
comodo..........Note: Only Install the Firewall as a standalone if you already have an AntiVirus installed on your computer.

After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall
and choose Off (not recommended) option. Then click Apply and Ok.

Install SpywareBlaster
SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom host file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing smile.gif
Syler



unite.jpg


#15 oldmobie

oldmobie
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:21 PM

Posted 12 February 2010 - 07:57 PM

Very much appreciated, syler! To follow up with my friend, I'll see that your steps are followed. I'll also make him a copy. I'm downloading SP3 now.

Please feel free to close my thread (or mark as fixed.) dance.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users