
Infected with possibly multiple trojans etc


This topic is locked
13 replies to this topic

#1 figueroa4

figueroa4

  • Members
  • 14 posts
  • Gender:Male
  • Local time:10:34 AM

Posted 05 March 2010 - 01:56 PM

I am trying to help my sister-in-law get her pc back to working correctly again. One day she called me saying that there was a popup saying that she was infected and to buy their software. I told her not to touch a thing and she brought it over to me where I have been fighting with it for a few days now.

I installed the following and have been running scans 2-3 times a day: AVG Free, AdAware, SuperAntiSpyware & Malwarebytes.

They each will come up with scary results so I would have them fix, quarantine and/or delete. I would restart the pc, rescan with good results, play on the pc, (defrag etc) only to start having problems again, rescan to find more stuff! I've done both normal and safe mode.

One of the problems I can tell you about is the inability to open a browser. I tried uninstalling and reinstalling etc. I found the only way I could was to do a Ctrl-Alt-Del and, keeping it open, do an 'end process' to a file called dwwin.exe. I would do that and then try to open the browser. I would have to do that about 5-6 times before it would stop popping up and the browser would then open. I read that it was a good file so I didn't delete it. I was only doing the above because at the time I THOUGHT that was the only problem and everything else had been fixed. I can't get Firefox to open at all.

One of the first scans was showing that something was found in the system restore files, so I turned that off to delete those. I'm wondering if that was such a good move now. I also deleted tmp files and folders, emptied the recycle bin etc.

Below are things that are showing in the logs of the scanners above. Most logs are clean at the moment though.

Trojan.Hiloti
Trojan.Dropper
Trojan.Downloader
Trojan.Vundo
Trojan.Fraudpack
Trojan.FakeAlert.Gen
Trojan.Vundo.H
Spyware.Passwords
Malware.Packer.Gen
Hijack.Searchpage
Malware.Trace
Rogue.AntiVirusSoft
Rogue.Agent/Gen-Nullo [dll]

Needless to say I will let her know that it was not smart to have NO safeguards installed and will be showing her how to do weekly scans.

One of our problems is that she doesn't have the Win XP Pro cd or I would have done a reformat and could have maybe avoided all this work. I have my own XP Home but don't think that would do us much good.

=================================================


DDS (Ver_09-12-01.01) - NTFSx86
Run by user at 11:25:45.81 on Fri 03/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.391 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\LxrJD31s.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Vtecojagiqet] rundll32.exe "c:\windows\ohanaroh.dll",Startup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [uqsrsfrp] c:\documents and settings\networkservice\local settings\application data\mauvrs\hegxsftav.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
Trusted Zone: google.com\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\at39imk6.default\
FF - HiddenExtension: XULRunner: {5703750E-CBD3-450E-B5A5-63D0BDE536B0} - c:\documents and settings\user\local settings\application data\{5703750E-CBD3-450E-B5A5-63D0BDE536B0}
FF - HiddenExtension: XULRunner: {80144406-7A1C-4A97-A7AE-A5138312FE7E} - c:\documents and settings\administrator\local settings\application data\{80144406-7a1c-4a97-a7ae-a5138312fe7e}\
FF - HiddenExtension: XULRunner: {D3007C48-0EC4-4F4F-A327-FFFB7880291B} - c:\windows\system32\config\systemprofile\local settings\application data\{d3007c48-0ec4-4f4f-a327-fffb7880291b}\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-3 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-3 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-3 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-3 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2010-3-4 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2010-3-4 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2006-9-14 174336]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-3-4 27064]

=============== Created Last 30 ================

2010-03-05 16:54:27 0 d-----w- c:\program files\Trend Micro
2010-03-05 00:16:30 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-04 22:21:21 0 d-----w- c:\program files\Lavasoft
2010-03-04 22:17:44 0 d-----w- c:\program files\Windows Installer Clean Up
2010-03-04 22:17:27 0 d-----w- c:\program files\MSECACHE
2010-03-04 19:38:52 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-03-04 19:38:39 0 d-----w- c:\program files\VS Revo Group
2010-03-04 19:30:14 0 d-----w- c:\windows\system32\XPSViewer
2010-03-04 19:26:14 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-04 19:26:14 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-04 19:26:13 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-04 19:26:12 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-04 19:26:12 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-04 19:26:11 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-04 19:26:11 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-04 19:26:10 0 d-----w- C:\8260c20ca0042844a64793
2010-03-04 01:59:16 0 d--h--w- C:\$AVG8.VAULT$
2010-03-04 01:48:38 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-04 01:43:38 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-04 01:16:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-04 01:16:17 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-04 01:16:11 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-04 01:16:06 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-04 01:15:48 0 d-----w- c:\docume~1\alluse~1\applic~1\avg8
2010-03-04 00:44:05 0 d-----w- c:\program files\Wise Registry Cleaner
2010-03-04 00:31:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-04 00:31:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-04 00:31:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-04 00:28:43 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-26 00:29:47 0 dc-h--w- c:\windows\ie8
2010-02-25 17:15:05 0 d-----w- c:\windows\pss
2010-02-25 15:42:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-25 15:42:51 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-24 14:49:21 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-24 04:18:21 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-02-24 04:18:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-24 04:15:37 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-24 04:15:27 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-24 04:15:27 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-02-24 04:11:53 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 03:36:38 0 d-sh--w- c:\documents and settings\user\PrivacIE
2010-02-24 03:36:34 0 d-sh--w- c:\documents and settings\user\IECompatCache
2010-02-24 03:01:04 0 d-sh--w- c:\documents and settings\user\IETldCache
2010-02-24 02:56:40 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-24 02:56:14 0 d-----w- c:\windows\ie8updates
2010-02-24 02:55:15 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-24 02:55:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-24 02:01:31 0 d-----w- c:\program files\AVG
2010-02-24 02:01:30 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-02-24 01:34:59 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-23 03:55:15 120 ----a-w- c:\windows\Vjedijir.dat
2010-02-23 03:55:15 0 ----a-w- c:\windows\Rzedadolequfiraw.bin

==================== Find3M ====================

2010-03-04 12:59:11 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

============= FINISH: 11:27:06.77 ===============
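The Hosts: lines in the Pseudo HJT Report above (and the longer O1 list in the HijackThis log later in the thread) point security-vendor payment domains and well-known search and Microsoft hostnames at addresses that are not the loopback address. Entries of that shape are the classic signature of a hosts-file hijack: name resolution for the affected hostnames is answered locally, so the user is steered wherever the entry says regardless of DNS. The Python script below is an added example, not code from this thread or from DDS, HijackThis or any other tool mentioned here. It parses a hosts file and flags two things a responder looks for: a watchlisted hostname mapped to anything other than a loopback or null address, and a single external IP that collects several hostnames. The sample hosts file is constructed from domains visible in the log, and the watchlist suffixes and the cluster threshold of three are assumptions chosen for illustration.

```python
"""Flag suspicious HOSTS-file redirects of the kind shown in the thread's logs."""
import ipaddress
from collections import defaultdict

# Constructed sample built from hostnames seen in the DDS/HijackThis logs,
# plus two normal lines (the default localhost entry and an ad-blocker sinkhole).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
94.228.209.244 www.google.com
94.228.209.244 google.com
94.228.209.244 www.bing.com
94.228.209.244 search.yahoo.com
0.0.0.0 ads.example.net   # sinkholed by an ad blocker: normal
"""

# Addresses that merely block a hostname rather than redirect it.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}

# Hypothetical watchlist (an assumption for this example): hostnames whose
# redirection would hide search results or disable protection features.
WATCHLIST_SUFFIXES = ("google.com", "bing.com", "yahoo.com", "microsoft.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])  # rejects lines that do not start with an IP
        except ValueError:
            continue
        for host in parts[1:]:                 # one line may carry several hostnames
            entries.append((str(ip), host.lower()))
    return entries


def on_watchlist(host):
    """True if host equals a watchlisted domain or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def analyze_hosts(text, cluster_threshold=3):
    """Return redirected watchlist hosts and external IPs that gather many hostnames."""
    findings = {"redirected_watchlist": [], "clusters": {}}
    by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        if ip in LOOPBACK_OR_NULL:
            continue                           # blocking entries are expected and benign
        by_ip[ip].add(host)
        if on_watchlist(host):
            findings["redirected_watchlist"].append((host, ip))
    for ip, hosts in by_ip.items():
        if len(hosts) >= cluster_threshold:    # many names on one external IP: redirect hub
            findings["clusters"][ip] = sorted(hosts)
    return findings


if __name__ == "__main__":
    result = analyze_hosts(SAMPLE_HOSTS)
    for host, ip in result["redirected_watchlist"]:
        print(f"REDIRECTED  {host:35s} -> {ip}")
    for ip, hosts in result["clusters"].items():
        print(f"CLUSTER     {ip} collects {len(hosts)} hostnames")
```

On the machine in this thread the live file would be read with `analyze_hosts(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())`. The cluster check is deliberately independent of the watchlist so that unfamiliar domains, like the payment-site names in the log, still surface when they share one external address.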



#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:08:34 PM

Posted 05 March 2010 - 02:39 PM

Hello, figueroa4.
My name is aommaster and I will be helping you with your log.


If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for.
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

NEXT:
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 figueroa4

figueroa4
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Local time:10:34 AM

Posted 05 March 2010 - 03:51 PM

LOG.TXT

Logfile of random's system information tool 1.06 (written by random/random)
Run by user at 2010-03-05 14:40:36
Microsoft Windows XP Professional Service Pack 3
System drive C: has 22 GB (72%) free of 31 GB
Total RAM: 1023 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:04 PM, on 3/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\user\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 94.228.209.244 www.google.com
O1 - Hosts: 94.228.209.244 google.com
O1 - Hosts: 94.228.209.244 google.com.au
O1 - Hosts: 94.228.209.244 www.google.com.au
O1 - Hosts: 94.228.209.244 google.be
O1 - Hosts: 94.228.209.244 www.google.be
O1 - Hosts: 94.228.209.244 google.com.br
O1 - Hosts: 94.228.209.244 www.google.com.br
O1 - Hosts: 94.228.209.244 google.ca
O1 - Hosts: 94.228.209.244 www.google.ca
O1 - Hosts: 94.228.209.244 google.ch
O1 - Hosts: 94.228.209.244 www.google.ch
O1 - Hosts: 94.228.209.244 google.de
O1 - Hosts: 94.228.209.244 www.google.de
O1 - Hosts: 94.228.209.244 google.dk
O1 - Hosts: 94.228.209.244 www.google.dk
O1 - Hosts: 94.228.209.244 google.fr
O1 - Hosts: 94.228.209.244 www.google.fr
O1 - Hosts: 94.228.209.244 google.ie
O1 - Hosts: 94.228.209.244 www.google.ie
O1 - Hosts: 94.228.209.244 google.it
O1 - Hosts: 94.228.209.244 www.google.it
O1 - Hosts: 94.228.209.244 google.co.jp
O1 - Hosts: 94.228.209.244 www.google.co.jp
O1 - Hosts: 94.228.209.244 google.nl
O1 - Hosts: 94.228.209.244 www.google.nl
O1 - Hosts: 94.228.209.244 google.no
O1 - Hosts: 94.228.209.244 www.google.no
O1 - Hosts: 94.228.209.244 google.co.nz
O1 - Hosts: 94.228.209.244 www.google.co.nz
O1 - Hosts: 94.228.209.244 google.pl
O1 - Hosts: 94.228.209.244 www.google.pl
O1 - Hosts: 94.228.209.244 google.se
O1 - Hosts: 94.228.209.244 www.google.se
O1 - Hosts: 94.228.209.244 google.co.uk
O1 - Hosts: 94.228.209.244 www.google.co.uk
O1 - Hosts: 94.228.209.244 google.co.za
O1 - Hosts: 94.228.209.244 www.google.co.za
O1 - Hosts: 94.228.209.244 www.google-analytics.com
O1 - Hosts: 94.228.209.244 www.bing.com
O1 - Hosts: 94.228.209.244 search.yahoo.com
O1 - Hosts: 94.228.209.244 www.search.yahoo.com
O1 - Hosts: 94.228.209.244 uk.search.yahoo.com
O1 - Hosts: 94.228.209.244 ca.search.yahoo.com
O1 - Hosts: 94.228.209.244 de.search.yahoo.com
O1 - Hosts: 94.228.209.244 fr.search.yahoo.com
O1 - Hosts: 94.228.209.244 au.search.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Vtecojagiqet] rundll32.exe "C:\WINDOWS\ohanaroh.dll",Startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uqsrsfrp] C:\Documents and Settings\NetworkService\Local Settings\Application Data\mauvrs\hegxsftav.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

--
End of file - 7207 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-14 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2010-03-04 1111320]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2010-03-04 2043160]
"Vtecojagiqet"=C:\WINDOWS\ohanaroh.dll [2008-04-13 159744]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe [2004-11-19 233534]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe [2004-08-03 122939]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-12-10 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2004-12-08 790528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0\bin\jusched.exe [2008-08-10 36972]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-02 692316]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-02 102492]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
C:\Program Files\USB Disk Win98 Driver\Res.EXE [2005-09-14 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vtecojagiqet]
C:\WINDOWS\ohanaroh.dll [2008-04-13 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2004-12-08 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
C:\PROGRA~1\INTERV~1\DVDCHE~1\DVDCheck.exe [2004-12-08 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^VZAccess Manager.lnk]
C:\PROGRA~1\VERIZO~1\VZACCE~1\VZACCE~1.EXE [2008-09-07 1774896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg9wd"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2010-03-04 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDriveAutoRun"=4294967295

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-03-05 14:40:36 ----D---- C:\rsit
2010-03-05 10:54:27 ----D---- C:\Program Files\Trend Micro
2010-03-05 09:20:07 ----D---- C:\WINDOWS\LastGood
2010-03-04 18:16:30 ----A---- C:\WINDOWS\system32\lsdelete.exe
2010-03-04 16:21:21 ----D---- C:\Program Files\Lavasoft
2010-03-04 16:21:20 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-03-04 16:17:44 ----D---- C:\Program Files\Windows Installer Clean Up
2010-03-04 16:17:27 ----D---- C:\Program Files\MSECACHE
2010-03-04 13:38:39 ----D---- C:\Program Files\VS Revo Group
2010-03-04 13:30:14 ----D---- C:\WINDOWS\system32\XPSViewer
2010-03-04 13:29:40 ----D---- C:\Program Files\MSBuild
2010-03-04 13:29:00 ----D---- C:\Program Files\Reference Assemblies
2010-03-04 13:26:14 ----N---- C:\WINDOWS\system32\prntvpt.dll
2010-03-04 13:26:12 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2010-03-04 13:26:11 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2010-03-04 13:26:10 ----D---- C:\8260c20ca0042844a64793
2010-03-03 19:59:16 ----HD---- C:\$AVG8.VAULT$
2010-03-03 19:43:38 ----HDC---- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-03 19:16:17 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2010-03-03 19:15:48 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2010-03-03 18:44:05 ----D---- C:\Program Files\Wise Registry Cleaner
2010-03-03 18:31:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-03 18:28:43 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-02-25 19:19:12 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-25 19:18:48 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-25 18:39:46 ----D---- C:\Documents and Settings\user\Application Data\Mozilla
2010-02-25 18:39:35 ----D---- C:\Program Files\Mozilla Firefox
2010-02-25 18:29:47 ----HDC---- C:\WINDOWS\ie8
2010-02-25 18:03:54 ----D---- C:\Documents and Settings\user\Application Data\Leadertech
2010-02-25 11:15:05 ----D---- C:\WINDOWS\pss
2010-02-25 09:42:51 ----A---- C:\WINDOWS\system32\ntoskrnl.exe
2010-02-25 09:42:51 ----A---- C:\WINDOWS\system32\ntkrnlpa.exe
2010-02-23 22:18:21 ----D---- C:\Documents and Settings\user\Application Data\Malwarebytes
2010-02-23 22:18:11 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-02-23 22:15:37 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-23 22:15:27 ----D---- C:\Program Files\SUPERAntiSpyware
2010-02-23 22:15:27 ----D---- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2010-02-23 20:56:14 ----D---- C:\WINDOWS\ie8updates
2010-02-23 20:01:31 ----D---- C:\Program Files\AVG
2010-02-23 20:01:30 ----D---- C:\Documents and Settings\All Users\Application Data\avg9
2010-02-23 19:30:39 ----SHD---- C:\WINDOWS\CSC
2010-02-23 19:30:23 ----A---- C:\WINDOWS\ntbtlog.txt
2010-02-15 10:32:17 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-15 10:32:07 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-15 10:28:57 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-15 10:28:44 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-15 10:28:30 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-15 10:28:15 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-15 10:27:50 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-15 10:27:06 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$

======List of files/folders modified in the last 1 months======

2010-03-05 13:28:39 ----D---- C:\WINDOWS\Temp
2010-03-05 12:11:55 ----D---- C:\WINDOWS\Prefetch
2010-03-05 11:10:15 ----SHD---- C:\WINDOWS\Installer
2010-03-05 11:10:15 ----HD---- C:\Config.Msi
2010-03-05 11:10:06 ----SD---- C:\Documents and Settings\user\Application Data\Microsoft
2010-03-05 11:02:13 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-03-05 10:54:27 ----RD---- C:\Program Files
2010-03-05 09:23:19 ----HD---- C:\WINDOWS\inf
2010-03-05 09:20:07 ----D---- C:\WINDOWS
2010-03-05 09:19:51 ----D---- C:\SWSetup
2010-03-05 09:16:26 ----D---- C:\Documents and Settings
2010-03-05 09:12:12 ----SD---- C:\WINDOWS\Tasks
2010-03-05 06:47:05 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-04 18:16:30 ----D---- C:\WINDOWS\system32
2010-03-04 16:24:22 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-04 16:23:12 ----D---- C:\WINDOWS\system32\drivers
2010-03-04 16:23:02 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-03-04 16:21:50 ----D---- C:\WINDOWS\WinSxS
2010-03-04 14:46:22 ----D---- C:\WINDOWS\Microsoft.NET
2010-03-04 14:44:47 ----RSD---- C:\WINDOWS\assembly
2010-03-04 13:33:24 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-04 13:29:54 ----D---- C:\WINDOWS\system32\en-us
2010-03-04 13:29:14 ----RSD---- C:\WINDOWS\Fonts
2010-03-04 13:27:44 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-04 13:19:09 ----D---- C:\WINDOWS\system32\mui
2010-03-04 13:19:09 ----D---- C:\Program Files\Internet Explorer
2010-03-04 13:08:35 ----D---- C:\WINDOWS\system32\URTTemp
2010-03-04 13:08:35 ----D---- C:\WINDOWS\Registration
2010-03-03 22:20:46 ----SHD---- C:\RECYCLER
2010-03-03 19:32:30 ----D---- C:\WINDOWS\system32\config
2010-03-03 19:12:45 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2010-03-03 18:28:43 ----D---- C:\Program Files\Common Files
2010-03-03 16:19:36 ----D---- C:\WINDOWS\system32\CatRoot
2010-03-03 16:18:40 ----A---- C:\WINDOWS\imsins.BAK
2010-03-03 16:18:21 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-25 18:53:43 ----A---- C:\WINDOWS\ODBC.INI
2010-02-25 18:47:06 ----AC---- C:\WINDOWS\OEWABLog.txt
2010-02-25 18:33:15 ----D---- C:\WINDOWS\Help
2010-02-25 18:31:18 ----D---- C:\WINDOWS\WBEM
2010-02-25 18:31:10 ----D---- C:\WINDOWS\Media
2010-02-25 18:17:13 ----D---- C:\WINDOWS\ie7updates
2010-02-25 14:38:07 ----SH---- C:\boot.ini
2010-02-25 14:38:06 ----A---- C:\WINDOWS\win.ini
2010-02-25 14:38:06 ----A---- C:\WINDOWS\system.ini
2010-02-24 13:50:49 ----D---- C:\WINDOWS\system32\Restore
2010-02-24 06:01:40 ----D---- C:\WINDOWS\Downloaded Installations
2010-02-23 20:47:21 ----D---- C:\Program Files\HPQ
2010-02-23 20:01:15 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-02-23 19:47:58 ----D---- C:\WINDOWS\system32\appmgmt
2010-02-23 19:45:07 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2010-02-23 19:35:00 ----D---- C:\WINDOWS\system32\wbem
2010-02-08 15:03:00 ----D---- C:\WINDOWS\network diagnostic
2010-02-08 11:56:58 ----D---- C:\Program Files\MySpace

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-03-04 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-03-04 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-03-04 108552]
R1 ClntMgmt.sys;ClntMgmt.sys; C:\WINDOWS\System32\Drivers\ClntMgmt.sys [2004-02-20 59044]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-07-14 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-07-14 23545]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-07-14 40448]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
R2 LxrJD31d;LxrJD31d; \??\C:\WINDOWS\system32\Drivers\LxrJD31d.sys []
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-08-03 25723]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-08-03 34843]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-08-03 4123]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-08-03 2239]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-08-03 86138]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-08-03 14715]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-08-03 6363]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-08-03 98714]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-08-03 100603]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-11-16 190592]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 NWADI;NWADI Bus Enumerator; C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2008-06-09 222720]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-02-02 191456]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2004-11-16 3222784]
S1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 kggoqkob;kggoqkob; \??\C:\DOCUME~1\user\LOCALS~1\Temp\kggoqkob.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NWUSBModem;Novatel Wireless USB Modem Driver; C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys [2008-05-27 174336]
S3 NWUSBPort;Novatel Wireless USB Status Port Driver; C:\WINDOWS\system32\DRIVERS\nwusbser.sys [2008-05-27 174336]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver; C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2008-05-27 174336]
S3 Revoflt;Revoflt; C:\WINDOWS\system32\DRIVERS\revoflt.sys [2009-12-30 27064]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2010-03-04 908056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2010-03-04 297752]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 LxrJD31s;Lexar JD31; C:\WINDOWS\system32\LxrJD31s.exe [2008-09-04 71168]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-04 1229232]
S2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE []
S2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\Shared\hpqwmi.exe [2004-11-17 98304]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WmcCds;Windows Media Connect (WMC); c:\program files\windows media connect\mswmccds.exe [2004-08-10 483328]
S3 WmcCdsLs;Windows Media Connect (WMC) Helper; C:\Program Files\Windows Media Connect\mswmcls.exe [2004-08-10 28160]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 OSCM Utility Service;OSCM Utility Service; C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe [2006-10-13 155648]

-----------------EOF-----------------

=======================================================
INFO.TXT

info.txt logfile of random's system

information tool 1.06 2010-03-05

14:42:05

======Uninstall list======

-->C:\WINDOWS\system32\\MSIEXEC.EXE /I

{09DA4F91-2A09-4232-AB8C-6BC740096DE3}

REMOVE=UpdateMgrFeature
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x

{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x

{9541FED0-327F-4df0-8B96-EF57EF622F19}
-->rundll32.exe

setupapi.dll,InstallHinfSection

DefaultUninstall 132

C:\WINDOWS\INF\PCHealth.inf
Ad-Aware Email Scanner for

Outlook-->MsiExec.exe

/I{338F08AB-C262-42C7-B000-34DE1A475273

}
Ad-Aware-->"C:\Documents and

Settings\All Users\Application

Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031

AC6}\Ad-AwareInstaller.exe" REMOVE=TRUE

MODIFY=FALSE
Ad-Aware-->C:\Documents and

Settings\All Users\Application

Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031

AC6}\Ad-AwareInstaller.exe
Adobe Flash Player 10

ActiveX-->C:\WINDOWS\system32\Macromed\

Flash\uninstall_activeX.exe
Adobe Reader 6.0-->MsiExec.exe

/I{AC76BA86-7AD7-1033-7B44-000000000001

}
AVG Free 8.5-->C:\Program

Files\AVG\AVG8\setup.exe /UNINSTALL
Broadcom NetXtreme Ethernet

Controller-->C:\Program Files\Common

Files\InstallShield\Driver\8\Intel

32\IDriver.exe

/M{BE6890C7-31EF-478C-812E-1E2899ABFCA9

} /l1033
Dell Photo Printer

720-->C:\WINDOWS\system32\spool\drivers

\w32x86\3\DLBCUN5C.EXE -dDell Photo

Printer 720
HijackThis 2.0.2-->"C:\Program

Files\Trend

Micro\HijackThis\HijackThis.exe"

/uninstall
Hotfix for Microsoft .NET Framework 3.5

SP1

(KB953595)-->C:\WINDOWS\system32\msiexe

c.exe /package

{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}

/uninstall /qb+ REBOOTPROMPT=""
Hotfix for Windows XP

(KB952287)-->"C:\WINDOWS\$NtUninstallKB

952287$\spuninst\spuninst.exe"
Hotfix for Windows XP

(KB976098-v2)-->"C:\WINDOWS\$NtUninstal

lKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP

(KB979306)-->"C:\WINDOWS\$NtUninstallKB

979306$\spuninst\spuninst.exe"
HP Accessories Product

Tour-->MsiExec.exe

/I{D0572854-191F-45DB-B959-641F8E5C8409

}
HP BIOS Configuration for ProtectTools

1.00 C1-->RunDll32

C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\

RunTime\0701\Intel32\Ctor.dll,LaunchSet

up "C:\Program Files\InstallShield

Installation

Information\{AE052EF7-2640-48D7-8915-69

B810D975CB}\setup.exe" -l0x9

biosuninst
HP Customer Participation Program

8.0-->C:\Program Files\HP\Digital

Imaging\ExtCapUninstall\hpzscr01.exe

-datfile hpqhsc01.dat
HP Deskjet 8.0 Software-->C:\Program

Files\HP\Digital

Imaging\{58535A90-1788-44f5-80BB-CFF62D

9CE6D5}\setup\hpzscr01.exe -datfile

hphscr13.dat -showdisconnect

-forcereboot
HP Help and Support-->RunDll32

C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\

RunTime\10\50\Intel32\Ctor.dll,LaunchSe

tup "C:\Program Files\InstallShield

Installation

Information\{A93C4E94-1005-489D-BEAA-B8

73C1AA6CFC}\setup.exe" -l0x9

-removeonly
HP Imaging Device Functions

8.0-->C:\Program Files\HP\Digital

Imaging\DeviceManagement\hpzscr01.exe

-datfile hpqbud01.dat
HP Photosmart Essential-->MsiExec.exe

/X{EB21A812-671B-4D08-B974-2A347F0D8F70

}
HP ProtectTools Security Manager 1.00

C3-->RunDll32

C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\

RunTime\0701\Intel32\Ctor.dll,LaunchSet

up "C:\Program Files\InstallShield

Installation

Information\{914E1AB1-DCA0-4A7D-935F-B5

8C4B887A2B}\setup.exe" -l0x9 hpquninst
HP Solution Center 8.0-->C:\Program

Files\HP\Digital

Imaging\eSupport\hpzscr01.exe -datfile

hpqbud05.dat
HP Update-->MsiExec.exe

/X{7059BDA7-E1DB-442C-B7A1-6144596720A4

}
HP Wireless Assistant-->RunDll32

C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\

RunTime\0701\Intel32\Ctor.dll,LaunchSet

up "C:\Program Files\InstallShield

Installation

Information\{4302B2DD-D958-40E3-BAF3-B0

7FFE1978CE}\setup.exe" -l0x9
HPSSupply-->MsiExec.exe

/X{EB75DE50-5754-4F6F-875D-126EDF8E4CB3

}
InterVideo DVD Check-->RunDll32

C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\

INTEL3~1\ctor.dll,LaunchSetup

"C:\Program Files\InstallShield

Installation

Information\{5D97A4A7-C274-4B63-86D9-07

A33435F505}\setup.exe" REMOVEALL
InterVideo WinDVD-->"C:\Program

Files\InstallShield Installation

Information\{91810AFC-A4F8-4EBA-A5AA-B1

98BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment

5.0-->MsiExec.exe

/I{3248F0A8-6813-11D6-A77B-00B0D0150000

}
JD Secure

3.1-->C:\WINDOWS\System32\JDSecure31.ex

e /u
Malwarebytes'

Anti-Malware-->"C:\Program

Files\Malwarebytes'

Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service

Pack 2-->MsiExec.exe

/I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F

}
Microsoft .NET Framework 3.0 Service

Pack 2-->MsiExec.exe

/I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7

}
Microsoft .NET Framework 3.5

SP1-->C:\WINDOWS\Microsoft.NET\Framewor

k\v3.5\Microsoft .NET Framework 3.5

SP1\setup.exe
Microsoft .NET Framework 3.5

SP1-->MsiExec.exe

/I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9

}
Microsoft Internationalized Domain

Names Mitigation

APIs-->"C:\WINDOWS\$NtServicePackUninst

allIDNMitigationAPIs$\spuninst\spuninst

.exe"
Microsoft National Language Support

Downlevel

APIs-->"C:\WINDOWS\$NtServicePackUninst

allNLSDownlevelMapping$\spuninst\spunin

st.exe"
Microsoft Office 2000

Standard-->MsiExec.exe

/I{00020409-78E1-11D2-B60F-006097C998E7

}
Microsoft Visual C++ 2005

Redistributable-->MsiExec.exe

/X{7299052b-02a4-4627-81f2-1818da5d550d

}
Microsoft Visual C++ 2005

Redistributable-->MsiExec.exe

/X{837b34e3-7c30-493c-8f6a-2b0f04e2912c

}
Mobile Broadband Generic

Drivers-->MsiExec.exe

/X{DDE34257-E4E5-49CB-BE92-337DE7C90345

}
Mozilla Firefox (3.6)-->C:\Program

Files\Mozilla

Firefox\uninstall\helper.exe
MSN-->C:\Program

Files\MSN\MsnInstaller\msninst.exe

/Action:ARP
Revo Uninstaller Pro

2.1.1-->"C:\Program Files\VS Revo

Group\Revo Uninstaller

Pro\unins000.exe"
Security Update for Windows Internet

Explorer 8

(KB971961)-->"C:\WINDOWS\ie8updates\KB9

71961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet

Explorer 8

(KB978207)-->"C:\WINDOWS\ie8updates\KB9

78207-IE8\spuninst\spuninst.exe"
Security Update for Windows Media

Player

(KB952069)-->"C:\WINDOWS\$NtUninstallKB

952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media

Player

(KB954155)-->"C:\WINDOWS\$NtUninstallKB

954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media

Player

(KB968816)-->"C:\WINDOWS\$NtUninstallKB

968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media

Player

(KB973540)-->"C:\WINDOWS\$NtUninstallKB

973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media

Player 10

(KB936782)-->"C:\WINDOWS\$NtUninstallKB

936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB923561)-->"C:\WINDOWS\$NtUninstallKB

923561$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB923789)-->C:\WINDOWS\system32\MacroM

ed\Flash\genuinst.exe

C:\WINDOWS\system32\MacroMed\Flash\KB92

3789.inf
Security Update for Windows XP

(KB938464)-->"C:\WINDOWS\$NtUninstallKB

938464$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB941569)-->"C:\WINDOWS\$NtUninstallKB

941569$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB946648)-->"C:\WINDOWS\$NtUninstallKB

946648$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB950759)-->"C:\WINDOWS\$NtUninstallKB

950759$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB950760)-->"C:\WINDOWS\$NtUninstallKB

950760$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB950762)-->"C:\WINDOWS\$NtUninstallKB

950762$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB950974)-->"C:\WINDOWS\$NtUninstallKB

950974$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB951066)-->"C:\WINDOWS\$NtUninstallKB

951066$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB951376-v2)-->"C:\WINDOWS\$NtUninstal

lKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB951698)-->"C:\WINDOWS\$NtUninstallKB

951698$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB951748)-->"C:\WINDOWS\$NtUninstallKB

951748$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB952004)-->"C:\WINDOWS\$NtUninstallKB

952004$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB952954)-->"C:\WINDOWS\$NtUninstallKB

952954$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB953839)-->"C:\WINDOWS\$NtUninstallKB

953839$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB954211)-->"C:\WINDOWS\$NtUninstallKB

954211$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB954459)-->"C:\WINDOWS\$NtUninstallKB

954459$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB954600)-->"C:\WINDOWS\$NtUninstallKB

954600$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB955069)-->"C:\WINDOWS\$NtUninstallKB

955069$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB956391)-->"C:\WINDOWS\$NtUninstallKB

956391$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB956572)-->"C:\WINDOWS\$NtUninstallKB

956572$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB956744)-->"C:\WINDOWS\$NtUninstallKB

956744$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB956802)-->"C:\WINDOWS\$NtUninstallKB

956802$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB956803)-->"C:\WINDOWS\$NtUninstallKB

956803$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB956841)-->"C:\WINDOWS\$NtUninstallKB

956841$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB956844)-->"C:\WINDOWS\$NtUninstallKB

956844$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB957095)-->"C:\WINDOWS\$NtUninstallKB

957095$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB957097)-->"C:\WINDOWS\$NtUninstallKB

957097$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB958644)-->"C:\WINDOWS\$NtUninstallKB

958644$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB958687)-->"C:\WINDOWS\$NtUninstallKB

958687$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB958690)-->"C:\WINDOWS\$NtUninstallKB

958690$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB958869)-->"C:\WINDOWS\$NtUninstallKB

958869$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB959426)-->"C:\WINDOWS\$NtUninstallKB

959426$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB960225)-->"C:\WINDOWS\$NtUninstallKB

960225$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB960715)-->"C:\WINDOWS\$NtUninstallKB

960715$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB960803)-->"C:\WINDOWS\$NtUninstallKB

960803$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB960859)-->"C:\WINDOWS\$NtUninstallKB

960859$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB961371-v2)-->"C:\WINDOWS\$NtUninstal

lKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB961373)-->"C:\WINDOWS\$NtUninstallKB

961373$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB961501)-->"C:\WINDOWS\$NtUninstallKB

961501$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB969059)-->"C:\WINDOWS\$NtUninstallKB

969059$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB969947)-->"C:\WINDOWS\$NtUninstallKB

969947$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB970238)-->"C:\WINDOWS\$NtUninstallKB

970238$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB970430)-->"C:\WINDOWS\$NtUninstallKB

970430$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB971468)-->"C:\WINDOWS\$NtUninstallKB

971468$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB971486)-->"C:\WINDOWS\$NtUninstallKB

971486$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB971557)-->"C:\WINDOWS\$NtUninstallKB

971557$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB971633)-->"C:\WINDOWS\$NtUninstallKB

971633$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB971657)-->"C:\WINDOWS\$NtUninstallKB

971657$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB971961)-->"C:\WINDOWS\$NtUninstallKB

971961$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB972270)-->"C:\WINDOWS\$NtUninstallKB

972270$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB973354)-->"C:\WINDOWS\$NtUninstallKB

973354$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB973507)-->"C:\WINDOWS\$NtUninstallKB

973507$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB973525)-->"C:\WINDOWS\$NtUninstallKB

973525$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB973869)-->"C:\WINDOWS\$NtUninstallKB

973869$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB973904)-->"C:\WINDOWS\$NtUninstallKB

973904$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB974112)-->"C:\WINDOWS\$NtUninstallKB

974112$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB974318)-->"C:\WINDOWS\$NtUninstallKB

974318$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB974392)-->"C:\WINDOWS\$NtUninstallKB

974392$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB974571)-->"C:\WINDOWS\$NtUninstallKB

974571$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB975025)-->"C:\WINDOWS\$NtUninstallKB

975025$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB975467)-->"C:\WINDOWS\$NtUninstallKB

975467$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB975560)-->"C:\WINDOWS\$NtUninstallKB

975560$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB975713)-->"C:\WINDOWS\$NtUninstallKB

975713$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB977165)-->"C:\WINDOWS\$NtUninstallKB

977165$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB977914)-->"C:\WINDOWS\$NtUninstallKB

977914$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB978037)-->"C:\WINDOWS\$NtUninstallKB

978037$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB978251)-->"C:\WINDOWS\$NtUninstallKB

978251$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB978262)-->"C:\WINDOWS\$NtUninstallKB

978262$\spuninst\spuninst.exe"
Security Update for Windows XP

(KB978706)-->"C:\WINDOWS\$NtUninstallKB

978706$\spuninst\spuninst.exe"
Sonic DLA-->MsiExec.exe

/I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6

}
Sonic RecordNow!-->MsiExec.exe

/I{9541FED0-327F-4DF0-8B96-EF57EF622F19

}
Sonic Update Manager-->MsiExec.exe

/I{09DA4F91-2A09-4232-AB8C-6BC740096DE3

}
Sprint Mobile Broadband (Novatel

Wireless)-->MsiExec.exe

/X{C5826071-79CE-444F-B983-09D2C838AACF

}
Synaptics Pointing Device

Driver-->rundll32.exe "C:\Program

Files\Synaptics\SynTP\SynISDLL.dll",sta

ndAloneUninstall
Texas Instruments PCIxx21/x515

drivers.-->C:\PROGRA~1\COMMON~1\INSTAL~

1\Driver\7\INTEL3~1\IDriver.exe

/M{612DC38A-B36A-4699-88EB-12C7394DE2FC

} /l1033
Update for Windows Internet Explorer 8

(KB976662)-->"C:\WINDOWS\ie8updates\KB9

76662-IE8\spuninst\spuninst.exe"
Update for Windows XP

(KB942763)-->"C:\WINDOWS\$NtUninstallKB

942763$\spuninst\spuninst.exe"
Update for Windows XP

(KB951072-v2)-->"C:\WINDOWS\$NtUninstal

lKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP

(KB951978)-->"C:\WINDOWS\$NtUninstallKB

951978$\spuninst\spuninst.exe"
Update for Windows XP

(KB955759)-->"C:\WINDOWS\$NtUninstallKB

955759$\spuninst\spuninst.exe"
Update for Windows XP

(KB955839)-->"C:\WINDOWS\$NtUninstallKB

955839$\spuninst\spuninst.exe"
Update for Windows XP

(KB967715)-->"C:\WINDOWS\$NtUninstallKB

967715$\spuninst\spuninst.exe"
Update for Windows XP

(KB968389)-->"C:\WINDOWS\$NtUninstallKB

968389$\spuninst\spuninst.exe"
Update for Windows XP

(KB971737)-->"C:\WINDOWS\$NtUninstallKB

971737$\spuninst\spuninst.exe"
Update for Windows XP

(KB973687)-->"C:\WINDOWS\$NtUninstallKB

973687$\spuninst\spuninst.exe"
Update for Windows XP

(KB973815)-->"C:\WINDOWS\$NtUninstallKB

973815$\spuninst\spuninst.exe"
USB Disk Win98 Driver-->RunDll32

C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\

INTEL3~1\Ctor.dll,LaunchSetup

"C:\Program Files\InstallShield

Installation

Information\{4E79A62F-7A2D-4058-BCE0-94

E6B9E2F162}\setup.exe"
Visual C++ 2008 x86 Runtime -

(v9.0.30729)-->MsiExec.exe

/X{F333A33D-125C-32A2-8DCE-5C5D14231E27

}
Visual C++ 2008 x86 Runtime -

v9.0.30729.01-->C:\WINDOWS\system32\msi

exec.exe /x

{F333A33D-125C-32A2-8DCE-5C5D14231E27}

/qb+ REBOOTPROMPT=""
VZAccess

Manager-->C:\PROGRA~1\VERIZO~1\VZACCE~1

\UNWISE.EXE

C:\PROGRA~1\VERIZO~1\VZACCE~1\INSTALL.L

OG
Windows Defender-->MsiExec.exe

/I{A06275F4-324B-4E85-95E6-87B2CD729401

}
Windows Installer Clean

Up-->MsiExec.exe

/X{121634B0-2F4B-11D3-ADA3-00C04F52DD52

}
Windows Internet Explorer

8-->"C:\WINDOWS\ie8\spuninst\spuninst.e

xe"
Windows Media Connect-->msiexec.exe /I

{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Connect-->MsiExec.exe

/I{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B

}
Windows Media Format

Runtime-->"C:\Program Files\Windows

Media Player\wmsetsdk.exe"

/UninstallAll
Windows Media Player 10-->"C:\Program

Files\Windows Media

Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack

3-->"C:\WINDOWS\$NtServicePackUninstall

$\spuninst\spuninst.exe"
Wise Registry Cleaner Free

5.04-->"C:\Program Files\Wise Registry

Cleaner\unins000.exe"

=====HijackThis Backups=====

O4 - HKLM\..\Run: [Vtecojagiqet] rundll32.exe "C:\WINDOWS\ohanaroh.dll",Startup [2010-03-05]
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com [2010-03-05]
O1 - Hosts: 74.125.45.100 4-open-davinci.com [2010-03-05]
O1 - Hosts: 94.228.209.244 www.google-analytics.com [2010-03-05]
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com [2010-03-05]
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab [2010-03-05]
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com [2010-03-05]
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\user\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP [2010-03-05]
O1 - Hosts: 74.125.45.100 secure-plus-payments.com [2010-03-05]
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com [2010-03-05]
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com [2010-03-05]
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com [2010-03-05]
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com [2010-03-05]
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com [2010-03-05]
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com [2010-03-05]
O1 - Hosts: 74.125.45.100 www.getavplusnow.com [2010-03-05]
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com [2010-03-05]

======Hosts File======

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: USER-4118A19DB8
Event Code: 4
Message: Broadcom NetXtreme Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 30402
Source Name: b57w2k
Time Written: 20100221134006.000000-360
Event Type: warning
User:

Computer Name: USER-4118A19DB8
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0012F079DB43. The following error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Record Number: 30357
Source Name: Dhcp
Time Written: 20100221122610.000000-360
Event Type: warning
User:

Computer Name: USER-4118A19DB8
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0012F079DB43. The following error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Record Number: 30354
Source Name: Dhcp
Time Written: 20100221122315.000000-360
Event Type: warning
User:

Computer Name: USER-4118A19DB8
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0012F079DB43. The following error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Record Number: 30351
Source Name: Dhcp
Time Written: 20100221122240.000000-360
Event Type: warning
User:

Computer Name: USER-4118A19DB8
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0012F079DB43. The following error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Record Number: 30348
Source Name: Dhcp
Time Written: 20100221122230.000000-360
Event Type: warning
User:

=====Application event log=====

Computer Name: USER-4118A19DB8
Event Code: 0
Message:
Record Number: 16
Source Name: Lavasoft Ad-Aware Service
Time Written: 20100303194657.000000-360
Event Type: error
User:

Computer Name: USER-4118A19DB8
Event Code: 1517
Message: Windows saved user USER-4118A19DB8\user registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 4
Source Name: Userenv
Time Written: 20100303191156.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: USER-4118A19DB8
Event Code: 1015
Message: Failed to connect to server. Error: 0x8007043C

Record Number: 3
Source Name: MsiInstaller
Time Written: 20100303183454.000000-360
Event Type: warning
User: USER-4118A19DB8\user

Computer Name: USER-4118A19DB8
Event Code: 1000
Message: Faulting application msiexec.exe, version 3.1.4001.5512, faulting module unknown, version 0.0.0.0, fault address 0x715b9e59.

Record Number: 2
Source Name: Application Error
Time Written: 20100303182844.000000-360
Event Type: error
User:

Computer Name: USER-4118A19DB8
Event Code: 1008
Message: The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_34_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

Record Number: 1
Source Name: MsiInstaller
Time Written: 20100303182844.000000-360
Event Type: error
User: USER-4118A19DB8\user

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 9 Stepping 5, GenuineIntel
"PROCESSOR_REVISION"=0905
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

==================================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-05 12:35:51
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kggoqkob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF763D87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF763DBFE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF0585320]

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI \Device\0000008e 86BAF300

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\ACPI \Device\00000050 86BAF300
Device \Driver\ACPI \Device\00000051 86BAF300
Device \Driver\ACPI \Device\00000045 86BAF300
Device \Driver\ACPI \Device\00000052 86BAF300
Device \Driver\ACPI \Device\00000046 86BAF300
Device \Driver\ACPI \Device\00000053 86BAF300
Device \Driver\ACPI \Device\00000060 86BAF300
Device \Driver\ACPI \Device\00000047 86BAF300
Device \Driver\ACPI \Device\00000048 86BAF300

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\ACPI \Device\00000049 86BAF300
Device \Driver\ACPI \Device\00000070 86BAF300
Device \Driver\ACPI \Device\00000063 86BAF300
Device \Driver\ACPI \Device\00000057 86BAF300
Device \Driver\ACPI \Device\00000071 86BAF300
Device \Driver\ACPI \Device\00000072 86BAF300
Device \Driver\ACPI \Device\00000073 86BAF300
Device \Driver\ACPI \Device\00000069 86BAF300
Device \Driver\ACPI \Device\00000085 86BAF300
Device \Driver\ACPI \Device\0000004c 86BAF300
Device \Driver\ACPI \Device\00000086 86BAF300
Device \Driver\ACPI \Device\0000005a 86BAF300
Device \Driver\ACPI \Device\0000004d 86BAF300
Device \Driver\ACPI \Device\0000005b 86BAF300
Device \Driver\ACPI \Device\0000004e 86BAF300
Device \Driver\ACPI \Device\00000088 86BAF300
Device \Driver\ACPI \Device\0000005c 86BAF300
Device \Driver\ACPI \Device\0000004f 86BAF300

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\ACPI \Device\0000005d 86BAF300

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\ACPI \Device\0000006a 86BAF300
Device \Driver\ACPI \Device\0000005e 86BAF300
Device \Driver\ACPI \Device\0000006b 86BAF300
Device \Driver\ACPI \Device\0000005f 86BAF300
Device \Driver\ACPI \Device\0000006e 86BAF300
Device \Driver\ACPI \Device\0000006f 86BAF300
Device \Driver\ACPI \Device\0000008a 86BAF300
Device \Driver\ACPI \Device\0000008c 86BAF300
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86EC4A9A

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 aommaster

Posted 05 March 2010 - 04:27 PM

Hello, figueroa4.
Before we proceed, please disable word-wrap. This can be done by clicking Format and un-ticking the word-wrap feature in notepad. (I noticed your word-wrap was only enabled on your info.txt).

Let's begin
We need to run HostsXpert
  1. Download HostsXpert.zip
  2. Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  3. Double-click HostsXpert.exe to run the program.
  4. Click "Make Hosts Writable?" in the upper right corner (If available).
  5. Click "Restore Microsoft's Hosts file" and then click "OK".
  6. Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

NEXT:

We need to use HijackThis to carry out a fix
  1. Run HijackThis
  2. Click on Do a system scan only.
  3. Place a checkmark next to these lines (if still present).

    O4 - HKUS\S-1-5-18\..\Run: [uqsrsfrp] C:\Documents and Settings\NetworkService\Local Settings\Application Data\mauvrs\hegxsftav.exe (User 'SYSTEM')
    O4 - HKLM\..\Run: [Vtecojagiqet] rundll32.exe "C:\WINDOWS\ohanaroh.dll",Startup


  4. Close all windows except HijackThis and click Fix Checked.
  5. Restart


NEXT:

We need to run an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the OTM icon on your desktop.
  3. Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    CODE
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Vtecojagiqet"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vtecojagiqet]

    :Files
    C:\WINDOWS\ohanaroh.dll
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\mauvrs
    C:\DOCUME~1\user\LOCALS~1\Temp\kggoqkob.sys

    :Services
    kggoqkob


    :Commands
    [EmptyTemp]
  4. Push the large MoveIt! button.
    **OTM may ask to reboot the machine. Please do so if asked.
  5. Copy/Paste the contents under the Results line here in your next reply.
  6. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


NEXT:

We need to run TDSSKiller
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks and do not include the word "Code") Then press OK.
    CODE
    "%userprofile%\Desktop\TDSSKiller.exe" -l "%userprofile%\Desktop\TDSSKiller.txt" -v

    **Note:If it says "Hidden service detected" DO NOT type anything in. Just press Enter.
  4. When it is done, a log file should be created on your desktop called "TDSSKiller.txt" please copy and paste the contents of that file here

In your next reply, please include the following:
  • RSIT Log
  • OTM Log
  • TDSSKiller.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
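The hosts-file hijack that the HostsXpert step above is meant to undo shows up in the logs as dozens of unrelated names pinned to two addresses, with search engines and safe-browsing hosts among them. The following Python script is an added example, not part of this thread or of any tool named in it; it parses either raw hosts-file lines or HijackThis "O1 - Hosts:" lines and flags those two patterns. The sample input (a few lines copied from the thread's log plus two constructed benign entries), the PROTECTED_SUFFIXES list and the fan-out threshold are assumptions chosen for the example.

```python
"""Flag hijacked hosts-file entries of the kind seen in this thread's O1 lines.

Two detection signals, both read-only:
  1. One non-local IP pinned to many unrelated registrable domains (a legitimate
     hosts file rarely does this; rogue-AV installers do it to steer traffic).
  2. Any entry overriding a search engine, a safe-browsing service or a
     security-vendor host, whatever the IP.
"""
import re
from collections import defaultdict

# Constructed sample: O1 lines copied from the thread's HijackThis log, plus two
# benign entries (localhost and a made-up intranet host) that must NOT be flagged.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10.0.0.5 intranet.example.test
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 94.228.209.244 www.google.com
O1 - Hosts: 94.228.209.244 www.bing.com
O1 - Hosts: 94.228.209.244 search.yahoo.com
O1 - Hosts: 94.228.209.244 www.google-analytics.com
"""

# Hosts whose override on an end-user PC is almost never legitimate: search engines,
# Google Safe Browsing and Microsoft's URL reputation service. This list is an
# assumption for the example, not a vendor-supplied or exhaustive list.
PROTECTED_SUFFIXES = (
    "google.com", "google.co.uk", "google-analytics.com", "bing.com",
    "search.yahoo.com", "microsoft.com",
)

# Matches a raw hosts line ("IP host") or a HijackThis "O1 - Hosts: IP host" line.
_ENTRY = re.compile(r"^(?:O1 - Hosts:\s+)?(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")

# Loopback and RFC 1918 ranges: pinning names to these is the normal, benign use.
_LOCAL = re.compile(r"^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_hosts(text):
    """Return (ip, hostname) tuples; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three for forms such as co.uk / com.au."""
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in ("co", "com", "org", "net"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def flag_hosts(text, fan_out_threshold=3):
    """Return {"redirected_protected": [(ip, host), ...], "fan_out": {ip: [domains]}}.

    fan_out_threshold is how many distinct registrable domains one non-local IP
    must collect before it is reported (a value chosen for this example).
    """
    by_ip = defaultdict(set)
    redirected = []
    for ip, host in parse_hosts(text):
        if is_protected(host):
            redirected.append((ip, host))
        if not _LOCAL.match(ip):
            by_ip[ip].add(registrable_domain(host))
    fan_out = {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= fan_out_threshold}
    return {"redirected_protected": redirected, "fan_out": fan_out}


if __name__ == "__main__":
    report = flag_hosts(SAMPLE_LOG)
    for ip, host in report["redirected_protected"]:
        print(f"protected host overridden: {host} -> {ip}")
    for ip, domains in report["fan_out"].items():
        print(f"{ip} pins {len(domains)} unrelated domains: {', '.join(domains)}")
```

On the sample both addresses are reported for fan-out and six entries for overriding protected hosts, while the localhost and intranet lines stay silent.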


#5 figueroa4

Posted 05 March 2010 - 05:08 PM

I got as far as the HostsXpert. When I open it I get a msg that says "Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute or CANCEL to quit." After pressing OK it says the same thing about it being a hidden file. Then when I OK that the Make Writeable is in red and does nothing when clicked. Should I continue on?

#6 aommaster

Posted 05 March 2010 - 05:10 PM

Hi!

Yes, please continue on, and reset your hosts file, and then follow the rest of the instructions.

If it doesn't work, we'll see it when you post your next RSIT log (please make sure you run RSIT once you're done with all the steps, i.e., after the TDSSKiller).

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 figueroa4

Posted 05 March 2010 - 06:36 PM

HostXpert: Wouldn't let me click Make Writeable and when I clicked to restore Microsoft Host File it gave me an error
- Cannot create file C:\Windows\System32\Drivers\Etc\Hosts

OTM LOG:

All processes killed
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Vtecojagiqet deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vtecojagiqet\ deleted successfully.
========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\ohanaroh.dll
C:\WINDOWS\ohanaroh.dll moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\mauvrs folder moved successfully.
File/Folder C:\DOCUME~1\user\LOCALS~1\Temp\kggoqkob.sys not found.
========== SERVICES/DRIVERS ==========
Error: No service named kggoqkob was found to stop!
Service\Driver key kggoqkob not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2943755 bytes
->Flash cache emptied: 434 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: HelpAssistant
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 32597465 bytes
->Flash cache emptied: 340073 bytes

User: HelpAssistant.USER-4118A19DB8
->Temp folder emptied: 21241850 bytes
->Temporary Internet Files folder emptied: 35302505 bytes
->Java cache emptied: 32597465 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 340320 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 243914 bytes
->Flash cache emptied: 434 bytes

User: NetworkService
->Temp folder emptied: 617064 bytes
->Temporary Internet Files folder emptied: 56860950 bytes
->Java cache emptied: 13565 bytes
->Flash cache emptied: 9806 bytes

User: user
->Temp folder emptied: 623947536 bytes
->Temporary Internet Files folder emptied: 55873928 bytes
->Java cache emptied: 32597465 bytes
->FireFox cache emptied: 2236112 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 8461312 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1046390 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 101496158 bytes

Total Files Cleaned = 962.00 mb


OTM by OldTimer - Version 3.1.10.0 log created on 03052010_165953

Files moved on Reboot...
File C:\Documents and Settings\user\Local Settings\Temp\~DF6CB8.tmp not found!
File C:\Documents and Settings\user\Local Settings\Temp\~DF6CC3.tmp not found!
File C:\Documents and Settings\user\Local Settings\Temp\~DF6D6A.tmp not found!
File C:\Documents and Settings\user\Local Settings\Temp\~DF6D75.tmp not found!
File C:\Documents and Settings\user\Local Settings\Temp\~DF6F9E.tmp not found!
File C:\Documents and Settings\user\Local Settings\Temp\~DF6FC5.tmp not found!
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Z11OA10A\ads[11].htm moved successfully.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\1UYW4ILC\ads[10].htm moved successfully.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\1UYW4ILC\iframe[1].htm moved successfully.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\1UYW4ILC\topic300538[2].htm moved successfully.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File move failed. C:\WINDOWS\temp\$$$dq3e scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\$67we.$ scheduled to be moved on reboot.

Registry entries deleted on Reboot...

TDSSKILLER LOG:

17:21:52:137 2812 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
17:21:52:137 2812 ================================================================================
17:21:52:137 2812 SystemInfo:

17:21:52:137 2812 OS Version: 5.1.2600 ServicePack: 3.0
17:21:52:137 2812 Product type: Workstation
17:21:52:137 2812 ComputerName: USER-4118A19DB8
17:21:52:137 2812 UserName: user
17:21:52:137 2812 Windows directory: C:\WINDOWS
17:21:52:137 2812 Processor architecture: Intel x86
17:21:52:137 2812 Number of processors: 1
17:21:52:137 2812 Page size: 0x1000
17:21:52:137 2812 Boot type: Normal boot
17:21:52:137 2812 ================================================================================
17:21:52:147 2812 UnloadDriverW: NtUnloadDriver error 2
17:21:52:147 2812 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:21:52:177 2812 Initialize success
17:21:52:177 2812
17:21:52:177 2812 Scanning Services ...
17:21:52:177 2812 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:21:52:177 2812 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:21:52:177 2812 wfopen_ex: Trying to KLMD file open
17:21:52:177 2812 wfopen_ex: File opened ok (Flags 2)
17:21:52:177 2812 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:21:52:187 2812 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:21:52:187 2812 wfopen_ex: Trying to KLMD file open
17:21:52:187 2812 wfopen_ex: File opened ok (Flags 2)
17:21:52:677 2812 GetAdvancedServicesInfo: Raw services enum returned 334 services
17:21:52:687 2812 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:21:52:687 2812 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:21:52:687 2812
17:21:52:687 2812 Scanning Kernel memory ...
17:21:52:697 2812 Devices to scan: 3
17:21:52:697 2812
17:21:52:697 2812 Driver Name: Disk
17:21:52:697 2812 IRP_MJ_CREATE : F7633BB0
17:21:52:697 2812 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:21:52:697 2812 IRP_MJ_CLOSE : F7633BB0
17:21:52:697 2812 IRP_MJ_READ : F762DD1F
17:21:52:697 2812 IRP_MJ_WRITE : F762DD1F
17:21:52:697 2812 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:21:52:697 2812 IRP_MJ_SET_INFORMATION : 804FA88E
17:21:52:697 2812 IRP_MJ_QUERY_EA : 804FA88E
17:21:52:697 2812 IRP_MJ_SET_EA : 804FA88E
17:21:52:697 2812 IRP_MJ_FLUSH_BUFFERS : F762E2E2
17:21:52:697 2812 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:21:52:697 2812 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:21:52:697 2812 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:21:52:697 2812 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:21:52:697 2812 IRP_MJ_DEVICE_CONTROL : F762E3BB
17:21:52:697 2812 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7631F28
17:21:52:697 2812 IRP_MJ_SHUTDOWN : F762E2E2
17:21:52:697 2812 IRP_MJ_LOCK_CONTROL : 804FA88E
17:21:52:697 2812 IRP_MJ_CLEANUP : 804FA88E
17:21:52:697 2812 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:21:52:697 2812 IRP_MJ_QUERY_SECURITY : 804FA88E
17:21:52:697 2812 IRP_MJ_SET_SECURITY : 804FA88E
17:21:52:697 2812 IRP_MJ_POWER : F762FC82
17:21:52:697 2812 IRP_MJ_SYSTEM_CONTROL : F763499E
17:21:52:697 2812 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:21:52:697 2812 IRP_MJ_QUERY_QUOTA : 804FA88E
17:21:52:697 2812 IRP_MJ_SET_QUOTA : 804FA88E
17:21:52:697 2812 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
17:21:52:697 2812 sion
17:21:52:727 2812 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:21:52:727 2812
17:21:52:727 2812 Driver Name: Disk
17:21:52:727 2812 IRP_MJ_CREATE : F7633BB0
17:21:52:727 2812 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
17:21:52:727 2812 IRP_MJ_CLOSE : F7633BB0
17:21:52:727 2812 IRP_MJ_READ : F762DD1F
17:21:52:727 2812 IRP_MJ_WRITE : F762DD1F
17:21:52:727 2812 IRP_MJ_QUERY_INFORMATION : 804FA88E
17:21:52:727 2812 IRP_MJ_SET_INFORMATION : 804FA88E
17:21:52:727 2812 IRP_MJ_QUERY_EA : 804FA88E
17:21:52:727 2812 IRP_MJ_SET_EA : 804FA88E
17:21:52:727 2812 IRP_MJ_FLUSH_BUFFERS : F762E2E2
17:21:52:727 2812 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
17:21:52:727 2812 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
17:21:52:727 2812 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
17:21:52:727 2812 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
17:21:52:727 2812 IRP_MJ_DEVICE_CONTROL : F762E3BB
17:21:52:727 2812 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7631F28
17:21:52:727 2812 IRP_MJ_SHUTDOWN : F762E2E2
17:21:52:727 2812 IRP_MJ_LOCK_CONTROL : 804FA88E
17:21:52:727 2812 IRP_MJ_CLEANUP : 804FA88E
17:21:52:727 2812 IRP_MJ_CREATE_MAILSLOT : 804FA88E
17:21:52:727 2812 IRP_MJ_QUERY_SECURITY : 804FA88E
17:21:52:727 2812 IRP_MJ_SET_SECURITY : 804FA88E
17:21:52:727 2812 IRP_MJ_POWER : F762FC82
17:21:52:727 2812 IRP_MJ_SYSTEM_CONTROL : F763499E
17:21:52:727 2812 IRP_MJ_DEVICE_CHANGE : 804FA88E
17:21:52:727 2812 IRP_MJ_QUERY_QUOTA : 804FA88E
17:21:52:727 2812 IRP_MJ_SET_QUOTA : 804FA88E
17:21:52:727 2812 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
17:21:52:727 2812 sion
17:21:52:737 2812 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:21:52:737 2812
17:21:52:737 2812 Driver Name: atapi
17:21:52:737 2812 IRP_MJ_CREATE : 86EC4A9A
17:21:52:737 2812 IRP_MJ_CREATE_NAMED_PIPE : 86EC4A9A
17:21:52:737 2812 IRP_MJ_CLOSE : 86EC4A9A
17:21:52:737 2812 IRP_MJ_READ : 86EC4A9A
17:21:52:737 2812 IRP_MJ_WRITE : 86EC4A9A
17:21:52:737 2812 IRP_MJ_QUERY_INFORMATION : 86EC4A9A
17:21:52:737 2812 IRP_MJ_SET_INFORMATION : 86EC4A9A
17:21:52:737 2812 IRP_MJ_QUERY_EA : 86EC4A9A
17:21:52:737 2812 IRP_MJ_SET_EA : 86EC4A9A
17:21:52:737 2812 IRP_MJ_FLUSH_BUFFERS : 86EC4A9A
17:21:52:737 2812 IRP_MJ_QUERY_VOLUME_INFORMATION : 86EC4A9A
17:21:52:737 2812 IRP_MJ_SET_VOLUME_INFORMATION : 86EC4A9A
17:21:52:737 2812 IRP_MJ_DIRECTORY_CONTROL : 86EC4A9A
17:21:52:737 2812 IRP_MJ_FILE_SYSTEM_CONTROL : 86EC4A9A
17:21:52:737 2812 IRP_MJ_DEVICE_CONTROL : 86EC4A9A
17:21:52:737 2812 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86EC4A9A
17:21:52:737 2812 IRP_MJ_SHUTDOWN : 86EC4A9A
17:21:52:737 2812 IRP_MJ_LOCK_CONTROL : 86EC4A9A
17:21:52:737 2812 IRP_MJ_CLEANUP : 86EC4A9A
17:21:52:737 2812 IRP_MJ_CREATE_MAILSLOT : 86EC4A9A
17:21:52:737 2812 IRP_MJ_QUERY_SECURITY : 86EC4A9A
17:21:52:737 2812 IRP_MJ_SET_SECURITY : 86EC4A9A
17:21:52:737 2812 IRP_MJ_POWER : 86EC4A9A
17:21:52:737 2812 IRP_MJ_SYSTEM_CONTROL : 86EC4A9A
17:21:52:737 2812 IRP_MJ_DEVICE_CHANGE : 86EC4A9A
17:21:52:737 2812 IRP_MJ_QUERY_QUOTA : 86EC4A9A
17:21:52:737 2812 IRP_MJ_SET_QUOTA : 86EC4A9A
17:21:52:737 2812 ihd: 0, 0, 607, 138, 3, 120, 1
17:21:52:737 2812 Driver "atapi" Irp handler infected by TDSS rootkit ... 17:21:52:737 2812 cured
17:21:52:747 2812 Driver "atapi" StartIo handler infected by TDSS rootkit ... 17:21:52:747 2812 cured
17:21:52:747 2812 siohd: 1
17:21:52:747 2812 Driver "atapi" StartIo handler infected by TDSS rootkit ... 17:21:52:757 2812 cured
17:21:52:787 2812 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
17:21:52:787 2812 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 17:21:52:787 2812 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:21:52:878 2812 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
17:21:53:108 2812 vfvi6
17:21:53:178 2812 !dsvbh1
17:21:53:629 2812 dsvbh2
17:21:53:629 2812 fdfb2
17:21:53:629 2812 Backup copy found, using it..
17:21:53:689 2812 will be cured on next reboot
17:21:53:689 2812 Reboot required for cure complete..
17:21:53:699 2812 Cure on reboot scheduled successfully
17:21:53:699 2812
17:21:53:699 2812 Completed
17:21:53:699 2812
17:21:53:699 2812 Results:
17:21:53:709 2812 Memory objects infected / cured / cured on reboot: 3 / 3 / 0
17:21:53:709 2812 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:21:53:709 2812 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:21:53:719 2812
17:21:53:719 2812 UnloadDriverW: NtUnloadDriver error 1
17:21:53:719 2812 KLMD_Unload: UnloadDriverW(klmd21) error 1
17:21:53:719 2812 KLMD(ARK) unloaded successfully

RSIT LOG:

Logfile of random's system information tool 1.06 (written by random/random)
Run by user at 2010-03-05 17:32:42
Microsoft Windows XP Professional Service Pack 3
System drive C: has 23 GB (75%) free of 31 GB
Total RAM: 1023 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:49 PM, on 3/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 94.228.209.244 www.google.com
O1 - Hosts: 94.228.209.244 google.com
O1 - Hosts: 94.228.209.244 google.com.au
O1 - Hosts: 94.228.209.244 www.google.com.au
O1 - Hosts: 94.228.209.244 google.be
O1 - Hosts: 94.228.209.244 www.google.be
O1 - Hosts: 94.228.209.244 google.com.br
O1 - Hosts: 94.228.209.244 www.google.com.br
O1 - Hosts: 94.228.209.244 google.ca
O1 - Hosts: 94.228.209.244 www.google.ca
O1 - Hosts: 94.228.209.244 google.ch
O1 - Hosts: 94.228.209.244 www.google.ch
O1 - Hosts: 94.228.209.244 google.de
O1 - Hosts: 94.228.209.244 www.google.de
O1 - Hosts: 94.228.209.244 google.dk
O1 - Hosts: 94.228.209.244 www.google.dk
O1 - Hosts: 94.228.209.244 google.fr
O1 - Hosts: 94.228.209.244 www.google.fr
O1 - Hosts: 94.228.209.244 google.ie
O1 - Hosts: 94.228.209.244 www.google.ie
O1 - Hosts: 94.228.209.244 google.it
O1 - Hosts: 94.228.209.244 www.google.it
O1 - Hosts: 94.228.209.244 google.co.jp
O1 - Hosts: 94.228.209.244 www.google.co.jp
O1 - Hosts: 94.228.209.244 google.nl
O1 - Hosts: 94.228.209.244 www.google.nl
O1 - Hosts: 94.228.209.244 google.no
O1 - Hosts: 94.228.209.244 www.google.no
O1 - Hosts: 94.228.209.244 google.co.nz
O1 - Hosts: 94.228.209.244 www.google.co.nz
O1 - Hosts: 94.228.209.244 google.pl
O1 - Hosts: 94.228.209.244 www.google.pl
O1 - Hosts: 94.228.209.244 google.se
O1 - Hosts: 94.228.209.244 www.google.se
O1 - Hosts: 94.228.209.244 google.co.uk
O1 - Hosts: 94.228.209.244 www.google.co.uk
O1 - Hosts: 94.228.209.244 google.co.za
O1 - Hosts: 94.228.209.244 www.google.co.za
O1 - Hosts: 94.228.209.244 www.google-analytics.com
O1 - Hosts: 94.228.209.244 www.bing.com
O1 - Hosts: 94.228.209.244 search.yahoo.com
O1 - Hosts: 94.228.209.244 www.search.yahoo.com
O1 - Hosts: 94.228.209.244 uk.search.yahoo.com
O1 - Hosts: 94.228.209.244 ca.search.yahoo.com
O1 - Hosts: 94.228.209.244 de.search.yahoo.com
O1 - Hosts: 94.228.209.244 fr.search.yahoo.com
O1 - Hosts: 94.228.209.244 au.search.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

--
End of file - 7006 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-14 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2010-03-04 1111320]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2010-03-04 2043160]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe [2004-11-19 233534]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe [2004-08-03 122939]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-12-10 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2004-12-08 790528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0\bin\jusched.exe [2008-08-10 36972]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-02 692316]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-02 102492]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
C:\Program Files\USB Disk Win98 Driver\Res.EXE [2005-09-14 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2004-12-08 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
C:\PROGRA~1\INTERV~1\DVDCHE~1\DVDCheck.exe [2004-12-08 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^VZAccess Manager.lnk]
C:\PROGRA~1\VERIZO~1\VZACCE~1\VZACCE~1.EXE [2008-09-07 1774896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg9wd"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2010-03-04 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDriveAutoRun"=4294967295

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-03-05 16:59:53 ----D---- C:\_OTM
2010-03-05 14:40:36 ----D---- C:\rsit
2010-03-05 10:54:27 ----D---- C:\Program Files\Trend Micro
2010-03-04 18:16:30 ----A---- C:\WINDOWS\system32\lsdelete.exe
2010-03-04 16:21:21 ----D---- C:\Program Files\Lavasoft
2010-03-04 16:21:20 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-03-04 16:17:44 ----D---- C:\Program Files\Windows Installer Clean Up
2010-03-04 16:17:27 ----D---- C:\Program Files\MSECACHE
2010-03-04 13:38:39 ----D---- C:\Program Files\VS Revo Group
2010-03-04 13:30:14 ----D---- C:\WINDOWS\system32\XPSViewer
2010-03-04 13:29:40 ----D---- C:\Program Files\MSBuild
2010-03-04 13:29:00 ----D---- C:\Program Files\Reference Assemblies
2010-03-04 13:26:14 ----N---- C:\WINDOWS\system32\prntvpt.dll
2010-03-04 13:26:12 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2010-03-04 13:26:11 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2010-03-04 13:26:10 ----D---- C:\8260c20ca0042844a64793
2010-03-03 19:59:16 ----HD---- C:\$AVG8.VAULT$
2010-03-03 19:43:38 ----HDC---- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-03 19:16:17 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2010-03-03 19:15:48 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2010-03-03 18:44:05 ----D---- C:\Program Files\Wise Registry Cleaner
2010-03-03 18:31:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-03 18:28:43 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-02-25 19:19:12 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-25 19:18:48 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-25 18:39:46 ----D---- C:\Documents and Settings\user\Application Data\Mozilla
2010-02-25 18:39:35 ----D---- C:\Program Files\Mozilla Firefox
2010-02-25 18:29:47 ----HDC---- C:\WINDOWS\ie8
2010-02-25 18:03:54 ----D---- C:\Documents and Settings\user\Application Data\Leadertech
2010-02-25 11:15:05 ----D---- C:\WINDOWS\pss
2010-02-25 09:42:51 ----A---- C:\WINDOWS\system32\ntoskrnl.exe
2010-02-25 09:42:51 ----A---- C:\WINDOWS\system32\ntkrnlpa.exe
2010-02-23 22:18:21 ----D---- C:\Documents and Settings\user\Application Data\Malwarebytes
2010-02-23 22:18:11 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-02-23 22:15:37 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-23 22:15:27 ----D---- C:\Program Files\SUPERAntiSpyware
2010-02-23 22:15:27 ----D---- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2010-02-23 20:56:14 ----D---- C:\WINDOWS\ie8updates
2010-02-23 20:01:31 ----D---- C:\Program Files\AVG
2010-02-23 20:01:30 ----D---- C:\Documents and Settings\All Users\Application Data\avg9
2010-02-23 19:30:39 ----SHD---- C:\WINDOWS\CSC
2010-02-23 19:30:23 ----A---- C:\WINDOWS\ntbtlog.txt
2010-02-15 10:32:17 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-15 10:32:07 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-15 10:28:57 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-15 10:28:44 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-15 10:28:30 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-15 10:28:15 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-15 10:27:50 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-15 10:27:06 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$

======List of files/folders modified in the last 1 months======

2010-03-05 17:28:53 ----SD---- C:\WINDOWS\Tasks
2010-03-05 17:25:37 ----D---- C:\WINDOWS\Temp
2010-03-05 17:25:03 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-05 17:23:00 ----D---- C:\WINDOWS\system32\drivers
2010-03-05 17:22:08 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-05 17:02:41 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-05 16:59:55 ----D---- C:\WINDOWS
2010-03-05 15:07:37 ----D---- C:\WINDOWS\Prefetch
2010-03-05 11:10:15 ----SHD---- C:\WINDOWS\Installer
2010-03-05 11:10:15 ----HD---- C:\Config.Msi
2010-03-05 11:10:06 ----SD---- C:\Documents and Settings\user\Application Data\Microsoft
2010-03-05 11:02:13 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-03-05 10:54:27 ----RD---- C:\Program Files
2010-03-05 09:23:19 ----HD---- C:\WINDOWS\inf
2010-03-05 09:19:51 ----D---- C:\SWSetup
2010-03-05 09:16:26 ----D---- C:\Documents and Settings
2010-03-04 18:16:30 ----D---- C:\WINDOWS\system32
2010-03-04 16:23:02 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-03-04 16:21:50 ----D---- C:\WINDOWS\WinSxS
2010-03-04 14:46:22 ----D---- C:\WINDOWS\Microsoft.NET
2010-03-04 14:44:47 ----RSD---- C:\WINDOWS\assembly
2010-03-04 13:33:24 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-04 13:29:54 ----D---- C:\WINDOWS\system32\en-us
2010-03-04 13:29:14 ----RSD---- C:\WINDOWS\Fonts
2010-03-04 13:19:09 ----D---- C:\WINDOWS\system32\mui
2010-03-04 13:19:09 ----D---- C:\Program Files\Internet Explorer
2010-03-04 13:08:35 ----D---- C:\WINDOWS\system32\URTTemp
2010-03-04 13:08:35 ----D---- C:\WINDOWS\Registration
2010-03-03 22:20:46 ----SHD---- C:\RECYCLER
2010-03-03 19:32:30 ----D---- C:\WINDOWS\system32\config
2010-03-03 19:12:45 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2010-03-03 18:28:43 ----D---- C:\Program Files\Common Files
2010-03-03 16:19:36 ----D---- C:\WINDOWS\system32\CatRoot
2010-03-03 16:18:40 ----A---- C:\WINDOWS\imsins.BAK
2010-03-03 16:18:21 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-25 18:53:43 ----A---- C:\WINDOWS\ODBC.INI
2010-02-25 18:47:06 ----AC---- C:\WINDOWS\OEWABLog.txt
2010-02-25 18:33:15 ----D---- C:\WINDOWS\Help
2010-02-25 18:31:18 ----D---- C:\WINDOWS\WBEM
2010-02-25 18:31:10 ----D---- C:\WINDOWS\Media
2010-02-25 18:17:13 ----D---- C:\WINDOWS\ie7updates
2010-02-25 14:38:07 ----SH---- C:\boot.ini
2010-02-25 14:38:06 ----A---- C:\WINDOWS\win.ini
2010-02-25 14:38:06 ----A---- C:\WINDOWS\system.ini
2010-02-24 13:50:49 ----D---- C:\WINDOWS\system32\Restore
2010-02-24 06:01:40 ----D---- C:\WINDOWS\Downloaded Installations
2010-02-23 20:47:21 ----D---- C:\Program Files\HPQ
2010-02-23 20:01:15 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-02-23 19:47:58 ----D---- C:\WINDOWS\system32\appmgmt
2010-02-23 19:45:07 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2010-02-23 19:35:00 ----D---- C:\WINDOWS\system32\wbem
2010-02-08 15:03:00 ----D---- C:\WINDOWS\network diagnostic
2010-02-08 11:56:58 ----D---- C:\Program Files\MySpace

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-03-04 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-03-04 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-03-04 108552]
R1 ClntMgmt.sys;ClntMgmt.sys; C:\WINDOWS\System32\Drivers\ClntMgmt.sys [2004-02-20 59044]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-07-14 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-07-14 23545]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-07-14 40448]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
R2 LxrJD31d;LxrJD31d; \??\C:\WINDOWS\system32\Drivers\LxrJD31d.sys []
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-08-03 25723]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-08-03 34843]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-08-03 4123]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-08-03 2239]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-08-03 86138]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-08-03 14715]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-08-03 6363]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-08-03 98714]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-08-03 100603]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-11-16 190592]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 NWADI;NWADI Bus Enumerator; C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2008-06-09 222720]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-02-02 191456]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2004-11-16 3222784]
S1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NWUSBModem;Novatel Wireless USB Modem Driver; C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys [2008-05-27 174336]
S3 NWUSBPort;Novatel Wireless USB Status Port Driver; C:\WINDOWS\system32\DRIVERS\nwusbser.sys [2008-05-27 174336]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver; C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2008-05-27 174336]
S3 Revoflt;Revoflt; C:\WINDOWS\system32\DRIVERS\revoflt.sys [2009-12-30 27064]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2010-03-04 908056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2010-03-04 297752]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 LxrJD31s;Lexar JD31; C:\WINDOWS\system32\LxrJD31s.exe [2008-09-04 71168]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-04 1229232]
S2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE []
S2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\Shared\hpqwmi.exe [2004-11-17 98304]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WmcCds;Windows Media Connect (WMC); c:\program files\windows media connect\mswmccds.exe [2004-08-10 483328]
S3 WmcCdsLs;Windows Media Connect (WMC) Helper; C:\Program Files\Windows Media Connect\mswmcls.exe [2004-08-10 28160]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 OSCM Utility Service;OSCM Utility Service; C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe [2006-10-13 155648]

-----------------EOF-----------------


#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Location:Dubai

Posted 05 March 2010 - 06:49 PM

Hello, figueroa4.
We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#9 figueroa4

figueroa4
  • Topic Starter

  • Members
  • 14 posts

Posted 05 March 2010 - 07:33 PM


COMBOFIX LOG:

ComboFix 10-03-05.01 - user 03/05/2010 18:18:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.568 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{80144406-7A1C-4A97-A7AE-A5138312FE7E}
c:\documents and settings\Administrator\Local Settings\Application Data\{80144406-7A1C-4A97-A7AE-A5138312FE7E}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{80144406-7A1C-4A97-A7AE-A5138312FE7E}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{80144406-7A1C-4A97-A7AE-A5138312FE7E}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{80144406-7A1C-4A97-A7AE-A5138312FE7E}\install.rdf
c:\documents and settings\user\Local Settings\Application Data\{5703750E-CBD3-450E-B5A5-63D0BDE536B0}
c:\documents and settings\user\Local Settings\Application Data\{5703750E-CBD3-450E-B5A5-63D0BDE536B0}\chrome.manifest
c:\documents and settings\user\Local Settings\Application Data\{5703750E-CBD3-450E-B5A5-63D0BDE536B0}\chrome\content\_cfg.js
c:\documents and settings\user\Local Settings\Application Data\{5703750E-CBD3-450E-B5A5-63D0BDE536B0}\chrome\content\overlay.xul
c:\documents and settings\user\Local Settings\Application Data\{5703750E-CBD3-450E-B5A5-63D0BDE536B0}\install.rdf
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\EventSystem.log

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-05 22:59 . 2010-03-05 22:59 -------- d-----w- C:\_OTM
2010-03-05 20:40 . 2010-03-05 20:42 -------- d-----w- C:\rsit
2010-03-05 16:54 . 2010-03-05 16:54 -------- d-----w- c:\program files\Trend Micro
2010-03-05 00:16 . 2010-03-04 22:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-04 22:21 . 2010-03-04 22:21 -------- d-----w- c:\program files\Lavasoft
2010-03-04 22:21 . 2010-03-04 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-04 22:17 . 2010-03-04 22:17 3584 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-03-04 22:17 . 2010-03-04 22:17 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-03-04 22:17 . 2010-03-04 22:17 -------- d-----w- c:\program files\MSECACHE
2010-03-04 19:39 . 2010-03-04 19:39 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\VS Revo Group
2010-03-04 19:38 . 2009-12-30 17:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-03-04 19:38 . 2010-03-04 19:38 -------- d-----w- c:\program files\VS Revo Group
2010-03-04 19:32 . 2010-03-04 19:32 73640 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-04 19:30 . 2010-03-04 19:30 -------- d-----w- c:\windows\system32\XPSViewer
2010-03-04 19:29 . 2010-03-04 19:29 -------- d-----w- c:\program files\MSBuild
2010-03-04 19:29 . 2010-03-04 19:29 -------- d-----w- c:\program files\Reference Assemblies
2010-03-04 19:26 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-04 19:26 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-04 19:26 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-04 19:26 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-04 19:26 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-04 19:26 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-04 19:26 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-04 19:26 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-04 19:26 . 2010-03-04 19:27 -------- d-----w- C:\8260c20ca0042844a64793
2010-03-04 14:42 . 2010-03-04 01:16 76040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtdix.sys
2010-03-04 14:42 . 2010-03-04 01:16 97928 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2010-03-04 14:42 . 2010-03-04 01:16 10520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2010-03-04 01:16 . 2010-03-05 14:09 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-04 01:15 . 2010-03-04 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-04 00:44 . 2010-03-04 01:32 -------- d-----w- c:\program files\Wise Registry Cleaner
2010-03-04 00:31 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-04 00:31 . 2010-03-04 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-04 00:31 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-04 00:28 . 2010-03-04 00:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-03 23:27 . 2010-03-03 23:27 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-03-03 23:27 . 2010-03-03 23:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-26 00:40 . 2010-02-26 00:40 0 ----a-w- c:\windows\nsreg.dat
2010-02-26 00:39 . 2010-02-26 00:39 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Mozilla
2010-02-26 00:29 . 2010-02-26 00:30 -------- dc-h--w- c:\windows\ie8
2010-02-26 00:03 . 2010-02-26 00:03 -------- d-----w- c:\documents and settings\user\Application Data\Leadertech
2010-02-25 16:58 . 2010-02-25 16:58 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-02-25 16:58 . 2010-02-25 16:58 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-25 16:56 . 2010-02-25 16:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-25 15:42 . 2009-12-08 19:27 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-25 15:42 . 2009-12-08 18:43 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-25 07:57 . 2010-02-25 07:57 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-25 03:26 . 2010-02-25 03:26 -------- d-----w- c:\documents and settings\HelpAssistant.USER-4118A19DB8\WINDOWS
2010-02-25 03:26 . 2010-02-25 03:26 -------- d-----w- c:\documents and settings\HelpAssistant.USER-4118A19DB8\UserData
2010-02-25 03:26 . 2010-02-25 03:26 -------- d-----w- c:\documents and settings\HelpAssistant.USER-4118A19DB8\PrivacIE
2010-02-25 03:24 . 2010-02-25 03:24 -------- d-----w- c:\documents and settings\HelpAssistant.USER-4118A19DB8\IETldCache
2010-02-25 03:24 . 2010-02-25 03:24 -------- d-----w- c:\documents and settings\HelpAssistant.USER-4118A19DB8\IECompatCache
2010-02-24 14:49 . 2010-02-24 14:49 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-24 04:18 . 2010-02-24 04:18 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-02-24 04:18 . 2010-02-24 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-24 04:15 . 2010-02-24 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-24 04:15 . 2010-03-04 01:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-24 04:15 . 2010-03-04 01:34 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2010-02-24 04:11 . 2010-02-24 04:11 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 03:36 . 2010-02-24 03:36 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2010-02-24 03:36 . 2010-02-24 03:36 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2010-02-24 03:15 . 2010-02-24 03:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-24 03:01 . 2010-02-24 03:01 -------- d-sh--w- c:\documents and settings\user\IETldCache
2010-02-24 02:56 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-24 02:56 . 2010-02-25 02:35 -------- d-----w- c:\windows\ie8updates
2010-02-24 02:55 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-24 02:55 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-24 02:01 . 2010-03-04 01:15 -------- d-----w- c:\program files\AVG
2010-02-24 02:01 . 2010-02-25 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-24 01:34 . 2010-02-24 01:34 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-23 22:52 . 2010-02-24 01:34 -------- d-s---w- c:\documents and settings\HelpAssistant
2010-02-23 03:55 . 2010-03-05 22:40 120 ----a-w- c:\windows\Vjedijir.dat
2010-02-23 03:55 . 2010-03-05 12:46 0 ----a-w- c:\windows\Rzedadolequfiraw.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 23:22 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-05 13:01 . 2010-03-04 01:35 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-04 22:00 . 2010-03-04 01:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-04 14:42 . 2010-03-04 01:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-04 14:42 . 2010-03-04 01:16 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-04 14:42 . 2010-03-04 01:16 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-04 14:42 . 2010-03-04 01:16 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-04 01:35 . 2010-03-04 01:35 52224 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-04 01:17 . 2010-03-04 01:17 1126168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2010-03-04 01:17 . 2010-03-04 01:17 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2010-03-04 01:17 . 2010-03-04 01:17 758040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2010-03-04 01:17 . 2010-03-04 01:17 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2010-03-04 01:16 . 2010-03-04 14:42 26824 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2010-03-04 01:15 . 2010-03-04 14:42 287000 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2010-03-03 23:27 . 2010-03-03 23:27 24 ----a-w- c:\documents and settings\NetworkService\Application Data\capmfe.dat
2010-02-24 02:47 . 2008-08-11 01:07 -------- d-----w- c:\program files\HPQ
2010-02-24 01:45 . 2008-08-11 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-23 20:36 . 2009-12-22 18:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-08 17:56 . 2008-11-08 18:09 -------- d-----w- c:\program files\MySpace
2010-02-04 15:53 . 2010-03-04 01:43 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2010-03-04 01:48 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-14 17:12 . 2009-12-03 15:13 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-06 14:27 . 2010-01-06 14:27 7631232 ----a-w- c:\documents and settings\user\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.823.0-static-A.exe
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 16:35 . 2009-12-17 16:35 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.2.20.2.dll
2009-12-16 18:43 . 2008-08-11 00:19 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-04 2043160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-04 14:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^VZAccess Manager.lnk]
backup=c:\windows\pss\VZAccess Manager.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2004-11-19 14:14 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-08-03 06:05 122939 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 02:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2004-12-08 22:23 790528 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-08-11 01:23 36972 ----a-w- c:\program files\Java\jre1.5.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-02 12:11 692316 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-02 12:12 102492 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
2005-09-15 02:44 65536 ----a-w- c:\program files\USB Disk Win98 Driver\Res.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2004-12-08 23:44 184320 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg9wd"=2 (0x2)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dumpelog REG_SZ c:\windows\system32\calcplay.dll
ipseonce REG_SZ c:\windows\system32\asr_init.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"4211:TCP"= 4211:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"6099:TCP"= 6099:TCP:Services

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/3/2010 7:48 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/3/2010 7:16 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/3/2010 7:16 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/4/2010 8:41 AM 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1229232]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [9/14/2006 4:45 PM 174336]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [3/4/2010 1:38 PM 27064]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/4/2010 8:42 AM 297752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 22:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: google.com\www
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\at39imk6.default\
FF - HiddenExtension: XULRunner: {D3007C48-0EC4-4F4F-A327-FFFB7880291B} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{D3007C48-0EC4-4F4F-A327-FFFB7880291B}\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
SafeBoot-klmdb.sys
MSConfigStartUp-ctfmon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 18:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D6D468]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7631f28
\Driver\ACPI -> 0x86d6d468
\Driver\atapi -> tsk8.tmp @ 0xf7518852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> 0x86263330
PacketIndicateHandler -> NDIS.sys @ 0xf7410a0d
SendHandler -> NDIS.sys @ 0xf7424b40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x04A817F0
malicious code @ sector 0x04A817F3 !
PE file found in sector at 0x04A81809 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
Completion time: 2010-03-05 18:24:47
ComboFix-quarantined-files.txt 2010-03-06 00:24

Pre-Run: 23,994,187,776 bytes free
Post-Run: 23,966,347,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 356DE796DAB01DAC370543BDA38E2F0B

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:27 PM, on 3/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 94.228.209.244 www.google.com
O1 - Hosts: 94.228.209.244 google.com
O1 - Hosts: 94.228.209.244 google.com.au
O1 - Hosts: 94.228.209.244 www.google.com.au
O1 - Hosts: 94.228.209.244 google.be
O1 - Hosts: 94.228.209.244 www.google.be
O1 - Hosts: 94.228.209.244 google.com.br
O1 - Hosts: 94.228.209.244 www.google.com.br
O1 - Hosts: 94.228.209.244 google.ca
O1 - Hosts: 94.228.209.244 www.google.ca
O1 - Hosts: 94.228.209.244 google.ch
O1 - Hosts: 94.228.209.244 www.google.ch
O1 - Hosts: 94.228.209.244 google.de
O1 - Hosts: 94.228.209.244 www.google.de
O1 - Hosts: 94.228.209.244 google.dk
O1 - Hosts: 94.228.209.244 www.google.dk
O1 - Hosts: 94.228.209.244 google.fr
O1 - Hosts: 94.228.209.244 www.google.fr
O1 - Hosts: 94.228.209.244 google.ie
O1 - Hosts: 94.228.209.244 www.google.ie
O1 - Hosts: 94.228.209.244 google.it
O1 - Hosts: 94.228.209.244 www.google.it
O1 - Hosts: 94.228.209.244 google.co.jp
O1 - Hosts: 94.228.209.244 www.google.co.jp
O1 - Hosts: 94.228.209.244 google.nl
O1 - Hosts: 94.228.209.244 www.google.nl
O1 - Hosts: 94.228.209.244 google.no
O1 - Hosts: 94.228.209.244 www.google.no
O1 - Hosts: 94.228.209.244 google.co.nz
O1 - Hosts: 94.228.209.244 www.google.co.nz
O1 - Hosts: 94.228.209.244 google.pl
O1 - Hosts: 94.228.209.244 www.google.pl
O1 - Hosts: 94.228.209.244 google.se
O1 - Hosts: 94.228.209.244 www.google.se
O1 - Hosts: 94.228.209.244 google.co.uk
O1 - Hosts: 94.228.209.244 www.google.co.uk
O1 - Hosts: 94.228.209.244 google.co.za
O1 - Hosts: 94.228.209.244 www.google.co.za
O1 - Hosts: 94.228.209.244 www.google-analytics.com
O1 - Hosts: 94.228.209.244 www.bing.com
O1 - Hosts: 94.228.209.244 search.yahoo.com
O1 - Hosts: 94.228.209.244 www.search.yahoo.com
O1 - Hosts: 94.228.209.244 uk.search.yahoo.com
O1 - Hosts: 94.228.209.244 ca.search.yahoo.com
O1 - Hosts: 94.228.209.244 de.search.yahoo.com
O1 - Hosts: 94.228.209.244 fr.search.yahoo.com
O1 - Hosts: 94.228.209.244 au.search.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

--
End of file - 6638 bytes



#10 figueroa4

figueroa4
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Local time:10:34 AM

Posted 05 March 2010 - 07:35 PM

Also I think I forgot to let you know that I also get an error with HijackThis about the Hosts file being protected/not writeable.

#11 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:08:34 PM

Posted 05 March 2010 - 09:14 PM

Hello, figueroa4.
Looks like a really nasty infection. Also appears that you've gotten hit by a backdoor, so I'll give you a heads up about it.
Backdoor warning!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed.
In most cases, a reformat and clean install of the Operating System is the best solution for your (and probably others') safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?


Again, if you would like me to attempt to clean it, I will be happy to do so. But if you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Should you have any questions, please feel free to ask.

Please let me know what you decide to do. If you decide to continue with the fix, please proceed with the steps below.




We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    http://www.bleepingcomputer.com/forums/t/300538/infected-with-possibly-multiple-trojans-etc/

    Collect::
    c:\windows\Rzedadolequfiraw.bin
    c:\windows\Vjedijir.dat

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "2479:TCP"=-
    "4211:TCP"=-
    "3389:TCP"=-
    "6099:TCP"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NEXT:

We need to run an MBR scan
  1. Please download MBR.exe and save it to your root directory (usually C:\).
  2. Now click Start > Run and copy/paste the following text in the box that opens. Do not copy the word "code".
    CODE
    C:\mbr.exe -t
  3. Press enter.
  4. An mbr.log should be created in your root directory. Please post its contents in your next reply.

In your next reply, please include the following:
  • ComboFix.txt
  • mbr.exe log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
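
A triage script for the two log formats posted in this thread, added here as an example (it is not part of the thread, nor ComboFix's or HijackThis's own code): it pulls the hosts-file overrides out of HijackThis "O1 - Hosts:" lines, flags the ones that redirect a domain to a public address (a blocking entry points at 127.0.0.1 or 0.0.0.0; a redirect points at a real host), lists the firewall GloballyOpenPorts values from the ComboFix log, and emits the same Registry:: removal block that aommaster's CFScript uses. The sample lines are a constructed subset of the logs above; the keyword list and the allowlist of expected ports are this example's own assumptions.

```python
"""Triage helpers for HijackThis O1 lines and ComboFix GloballyOpenPorts lines.

Constructed sample input (a subset of the logs posted in this thread);
the heuristics are this example's own, not the tools' logic.
"""
import ipaddress
import re
from collections import defaultdict

# HijackThis "O1 - Hosts:" lines: the IP followed by the hostname it overrides.
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
# ComboFix firewall lines, e.g.  "65533:TCP"= 65533:TCP:Services
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.+?)\s*$')

# Constructed sample: a handful of O1 lines plus a non-O1 line to be skipped.
SAMPLE_HJT = """\
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 94.228.209.244 www.google.com
O1 - Hosts: 94.228.209.244 www.bing.com
O1 - Hosts: 94.228.209.244 search.yahoo.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
"""

# Constructed sample: the GloballyOpenPorts block as ComboFix prints it.
SAMPLE_COMBOFIX = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"4211:TCP"= 4211:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"6099:TCP"= 6099:TCP:Services
"""

# Assumed watch words: search engines and update/safe-browsing services that
# rogue antivirus commonly redirects to hijack searches and block updates.
SUSPECT_HOST_WORDS = ("google", "bing", "yahoo", "microsoft", "safebrowsing")


def parse_hosts_overrides(log_text):
    """Return [(ip, hostname)] for every HijackThis O1 line."""
    out = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2).lower()))
    return out


def parse_open_ports(log_text):
    """Return [(port, proto, label)] for every ComboFix GloballyOpenPorts line."""
    out = []
    for line in log_text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out


def hosts_redirects(overrides):
    """Group overrides by target IP, keeping only those that point at a
    globally routable address; loopback/unspecified targets are blocks."""
    redirects = defaultdict(list)
    for ip, host in overrides:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address, not a usable override
        if addr.is_global:
            redirects[ip].append(host)
    return dict(redirects)


def redirected_security_targets(redirects):
    """(ip, host) pairs where a redirected hostname matches the watch words."""
    return sorted((ip, h) for ip, hosts in redirects.items()
                  for h in hosts if any(w in h for w in SUSPECT_HOST_WORDS))


def unexplained_open_ports(ports, expected=frozenset()):
    """Open ports not in the expected (port, proto) allowlist, plus any that
    carry the generic 'Services' label regardless of the allowlist."""
    return [(p, proto, label) for p, proto, label in ports
            if (p, proto) not in expected or label == "Services"]


def cfscript_registry_block(ports):
    """Registry:: section of a CFScript deleting the given values; in
    ComboFix's .reg-style syntax, "name"=- removes a value."""
    key = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
           r"\standardprofile\GloballyOpenPorts\List]")
    lines = ["Registry::", key]
    lines += [f'"{p}:{proto}"=-' for p, proto, _ in ports]
    return "\n".join(lines)


if __name__ == "__main__":
    redirects = hosts_redirects(parse_hosts_overrides(SAMPLE_HJT))
    for ip, hosts in redirects.items():
        print(f"{ip} captures {len(hosts)} hostname(s): {', '.join(hosts)}")
    print("search/update services redirected:", redirected_security_targets(redirects))
    ports = parse_open_ports(SAMPLE_COMBOFIX)
    print("unexplained firewall openings:", unexplained_open_ports(ports))
    print(cfscript_registry_block(ports))
```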


#12 figueroa4

figueroa4
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Local time:10:34 AM

Posted 05 March 2010 - 09:36 PM

Well, with that being the case I will probably do a reformat and reinstall if possible. She doesn't have the XP Pro CD, but I did come across an XP Home CD of mine and, seeing as we are no longer using the PC that it went with, could I just use the CD key that went with our old PC? We got a new PC with Win 7 and took parts from the old one, so that key is not being used at all.



#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:08:34 PM

Posted 05 March 2010 - 10:28 PM

Hi!

This XP CD, is it a rebuild CD, or is it an actual Microsoft installation CD? There's a minor difference between the two. The rebuild CD normally comes with pre-built computers and is generally specific to the hardware within them. An original Microsoft CD would come with its own key, and yes, you could use it to perform a reinstall of the OS.

Let me know if you have any more questions.



#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:08:34 PM

Posted 07 March 2010 - 02:56 AM

Since this problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please send me a PM with the address of this thread. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
