Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please help with redirect hijack!


  • This topic is locked This topic is locked
21 replies to this topic

#1 mothydog

mothydog

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 23 July 2010 - 04:05 AM

Hello,

After searching for a solution to my problem for the last 24 hours I have finally decided to consult the professionals smile.gif ...

It all started yesterday when I discovered I picked up the result5 google bug. I run several antivirus programs to no avail and then finally found (on this board) that the problem lie (or so I thought) in the DNS. So I changed the DNS setting from static to automatic and this seemed to fix the problem. However, this morning I discovered that whilst the redirect problem had gone, I now had a google analytic one that was doing a similar thing - making my browser pages go backwards and forwards and closing them automatically. It has also been scrolling automatically and highlighting test on web pages automatically.

I have run the diagnostics you advised and the results are as follows



DDS (Ver_10-03-17.01) - FAT32x86
Run by Kim Holian at 18:22:30.42 on Fri 23/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.302 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
SVCHOST.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\PowerForPhone\PowerForPhone.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kim Holian\My Documents\Downloads\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kim Holian\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.asus.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.nchsoftware.com/software/thanks.html?software=Express&appname=Express%20Dictate&version=5.12&buyoffer=express
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - BrowserHelper Class
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [JDK5SWFMZY] c:\docume~1\kimhol~1\locals~1\temp\Plh.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [PowerForPhone] c:\program files\asus\powerforphone\PowerForPhone.exe
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [ACMON] c:\program files\asus\splendid\ACMON.exe
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ABLKSR] c:\windows\ablksr\ABLKSR.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
StartupFolder: c:\docume~1\kimhol~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multif~1.lnk - c:\program files\asus\asus multiframe\MultiFrame.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kimhol~1\applic~1\mozilla\firefox\profiles\zka2q4vt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - theage.com.au
FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\kim holian\application data\mozilla\firefox\profiles\zka2q4vt.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-2 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-2 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-2 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2009-11-1 36352]
R3 NDISKIO;NDISKIO;\??\c:\docume~1\kimhol~1\locals~1\temp\000011e1.nmc\nse\bin\ndiskio.sys --> c:\docume~1\kimhol~1\locals~1\temp\000011e1.nmc\nse\bin\ndiskio.sys [?]
R3 nsak;nsak;c:\docume~1\kimhol~1\locals~1\temp\00000ff1.nmc\nse\bin\nsak.sys [2010-7-23 18120]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [2009-11-1 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [2009-11-1 7808]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [2009-11-1 34944]

=============== Created Last 30 ================

2010-07-23 08:21:09 0 ----a-w- c:\documents and settings\kim holian\defogger_reenable
2010-07-23 03:34:44 116736 ----a-w- c:\documents and settings\kim holian\mediaset.doc
2010-07-23 00:26:41 0 d-sh--w- c:\documents and settings\kim holian\PrivacIE
2010-07-22 23:36:27 0 d-----w- c:\docume~1\kimhol~1\applic~1\Office Genuine Advantage
2010-07-22 15:42:14 0 d-sh--w- c:\documents and settings\kim holian\IETldCache
2010-07-22 15:35:28 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-22 15:35:28 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-22 15:35:28 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-07-22 15:35:27 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-22 15:35:27 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-22 15:35:27 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-07-22 15:35:25 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-07-22 15:35:18 0 d-----w- c:\windows\ie8updates
2010-07-22 15:35:10 41984 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-07-22 15:32:47 0 d--h--w- c:\windows\ie8
2010-07-22 12:56:06 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-22 12:15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 12:15:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-22 12:15:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 12:15:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-22 11:47:53 0 d-----w- c:\program files\IObit
2010-07-22 11:47:53 0 d-----w- c:\docume~1\kimhol~1\applic~1\IObit
2010-07-22 10:24:44 0 d-sh--w- C:\FOUND.002
2010-07-22 03:52:53 1224 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-22 03:47:56 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-22 03:46:53 0 d-----w- c:\program files\common files\iS3
2010-07-22 03:46:52 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-22 01:08:41 54272 --sha-r- c:\windows\system32\msh263K.dll
2010-07-20 07:22:33 8192 --sha-w- c:\windows\Thumbs.db
2010-07-15 22:40:03 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-13 07:25:10 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-07-13 07:25:10 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-13 07:25:10 180224 ----a-w- c:\windows\system32\QTCF.dll
2010-07-13 07:25:06 0 d-----w- c:\program files\QT Lite
2010-07-13 05:54:27 0 d-----w- c:\program files\QuickTime Alternative
2010-07-05 23:02:56 0 d-----w- c:\docume~1\kimhol~1\applic~1\NCH Software

==================== Find3M ====================

2010-07-15 22:40:06 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 22:39:22 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-06 10:41:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-06 10:41:54 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-05-06 10:41:52 611840 ------w- c:\windows\system32\dllcache\mstime.dll
2010-05-06 10:41:52 5950976 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-05-06 10:41:52 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-05-06 10:41:52 206848 ------w- c:\windows\system32\dllcache\occache.dll
2010-05-06 10:41:52 1209344 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-05-06 10:41:50 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-05-06 10:41:48 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-05-05 13:30:58 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

============= FINISH: 18:23:02.15 ===============



Please let me know if you need any further info.

I look forward to your help before I go crazy!!!!!

Thanks so much!!

Attached Files



BC AdBot (Login to Remove)

 


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:37 PM

Posted 31 July 2010 - 03:25 AM

Hello, mothydog.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for smile.gif
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.
We need to run Defogger
  1. Please download DeFogger to your desktop.
  2. Double click DeFogger to run the tool.
  3. The application window will appear
  4. Click the Disable button to disable your CD Emulation drivers
  5. Click Yes to continue
  6. A 'Finished!' message will appear
  7. Click OK
  8. DeFogger will now ask to reboot the machine - click OK
Note: If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until the end of the fix.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run an Anti-Rootkit (ARK) scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

If GMER crashes, hangs or blue-screens, do the following
  1. Please Download Rootkit Unhooker Save it to your desktop.
  2. Now double-click on RKUnhookerLE.exe to run it.
  3. Click the Report tab, then click Scan.
  4. Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  5. Wait till the scanner has finished and then click File, Save Report.
  6. Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note:You may get this warning. If so, please ignore it.
"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log/RKUnhooker log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 mothydog

mothydog
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 02 August 2010 - 08:31 PM

Thanks so much aonmaster! Unfortunately the problem is still there.

Hopefully I have performed all the tasks required below:




Logfile of random's system information tool 1.08 (written by random/random)
Run by Kim Holian at 2010-08-03 11:14:47
Microsoft Windows XP Professional Service Pack 3
System drive C: has 40 GB (54%) free of 74 GB
Total RAM: 1023 MB (24% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:15:01 AM, on 3/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-03 11:26:39
Windows 5.1.2600 Service Pack 3
Running: f49n4njb.exe; Driver: C:\DOCUME~1\KIMHOL~1\LOCALS~1\Temp\pwdoakog.sys


---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE[1524] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 32605164 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE[1524] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 330B9D32 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00EEB833
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EEC549
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EEC25D
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EEC465
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00EEB779
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EEC300
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EEC3A7
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] WS2_32.dll!WSAAsyncGetHostByName 71ABE99D 5 Bytes JMP 00EEBBA6
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 00EEC7A9
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 00EECCD1
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 00EEC6DF
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 00EECBEF
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 00EED07C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 00EED143
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 00EEBC7E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] USER32.dll!DrawTextExW 7E42B415 5 Bytes JMP 00EECB0A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 00EEC94C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 00EEC5D4
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] USER32.dll!DrawTextA 7E43C702 5 Bytes JMP 00EEC873
.text C:\Program Files\Mozilla Firefox\firefox.exe[3004] USER32.dll!DrawTextExA 7E43C739 5 Bytes JMP 00EECA25

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUS\PowerForPhone\PowerForPhone.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kim Holian\My Documents\Downloads\RSIT.exe
C:\Program Files\trend micro\Kim Holian.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nchsoftware.com/software/thanks...uyoffer=express
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\ASUS\PowerForPhone\PowerForPhone.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: MultiFrame.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 9789 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\switchShakeIcon.job
C:\WINDOWS\tasks\Ddwsc.job
C:\WINDOWS\tasks\83d57d7d.job
C:\WINDOWS\tasks\OGALogon.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-07-21 1619296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2010-07-24 6042176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6}]
BrowserHelper Class

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-03-09 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-03-09 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
EpsonToolBandKicker Class - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2010-07-24 6042176]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-22 368640]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HControl"=C:\WINDOWS\ATK0100\HControl.exe [2006-04-17 110592]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-07-21 16261632]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"SMSERIAL"=C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [2006-08-06 573440]
"PowerForPhone"=C:\Program Files\ASUS\PowerForPhone\PowerForPhone.exe [2006-06-29 774144]
"ASUS Live Update"=C:\Program Files\ASUS\ASUS Live Update\ALU.exe [2006-02-21 180224]
"ACMON"=C:\Program Files\ASUS\Splendid\ACMON.exe [2006-05-30 811008]
"Wireless Console 2"=C:\Program Files\Wireless Console 2\wcourier.exe [2005-10-17 987136]
"ATKMEDIA"=C:\Program Files\ASUS\ATK Media\DMEDIA.EXE [2006-06-08 53248]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-05-25 786521]
"ABLKSR"=C:\WINDOWS\ABLKSR\ABLKSR.exe [2006-01-02 61440]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [2006-05-10 90112]
"Power_Gear"=C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe [2006-03-14 90112]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2006-08-02 802816]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2006-08-02 696320]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-07-16 2065760]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 57344]
"HitmanPro35"=C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe [2010-08-03 6257984]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"RoboForm"=C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2010-07-24 160328]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
MultiFrame.lnk - C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Documents and Settings\Kim Holian\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-08-02 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2010-07-16 12536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TPSvc]
TPSvc.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2009-01-30 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE"="C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE:*:Disabled:CLI Application (Command Line Interface)"
"C:\Program Files\Mozilla Firefox\FIREFOX.EXE"="C:\Program Files\Mozilla Firefox\FIREFOX.EXE:*:Disabled:Firefox"
"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG9\avgnsx.exe"="C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\WINDOWS\System32\SPOOLSV.EXE"="C:\WINDOWS\System32\SPOOLSV.EXE:*:Enabled:spoolsv.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-08-03 09:44:29 ----D---- C:\Program Files\trend micro
2010-08-03 09:44:28 ----D---- C:\rsit
2010-08-03 09:26:01 ----A---- C:\WINDOWS\system32\LnkProtect.dll
2010-07-24 14:09:17 ----D---- C:\Documents and Settings\Kim Holian\Application Data\Malwarebytes
2010-07-24 13:56:11 ----A---- C:\WINDOWS\system32\drivers\hitmanpro35.sys
2010-07-24 13:56:01 ----D---- C:\Documents and Settings\All Users\Application Data\Hitman Pro
2010-07-24 13:55:57 ----D---- C:\Program Files\Hitman Pro 3.5
2010-07-23 11:12:48 ----A---- C:\TDSSKiller.2.3.2.2_23.07.2010_11.12.48_log.txt
2010-07-23 10:47:16 ----A---- C:\TDSSKiller.2.3.2.2_23.07.2010_10.47.16_log.txt
2010-07-23 09:36:39 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2010-07-23 09:36:27 ----D---- C:\Documents and Settings\Kim Holian\Application Data\Office Genuine Advantage
2010-07-23 01:37:45 ----HD---- C:\WINDOWS\$NtUninstallKB980218$
2010-07-23 01:37:37 ----HD---- C:\WINDOWS\$NtUninstallKB980195$
2010-07-23 01:36:04 ----HD---- C:\WINDOWS\$NtUninstallKB2229593$
2010-07-23 01:35:18 ----D---- C:\WINDOWS\ie8updates
2010-07-23 01:34:40 ----D---- C:\WINDOWS\WBEM
2010-07-23 01:32:47 ----HD---- C:\WINDOWS\ie8
2010-07-23 01:28:02 ----SHD---- C:\Config.Msi
2010-07-23 01:26:57 ----D---- C:\WINDOWS\system32\zh-TW
2010-07-23 01:26:57 ----D---- C:\WINDOWS\system32\zh-HK
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\tr-TR
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\sv-SE
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\pt-BR
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\nl-NL
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\nb-NO
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\ko-KR
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\it-IT
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\he-IL
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\fr-FR
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\fi-FI
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\es-ES
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\el-GR
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\de-DE
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\da-DK
2010-07-23 01:26:56 ----D---- C:\WINDOWS\system32\ar-SA
2010-07-23 01:24:59 ----HD---- C:\WINDOWS\$NtUninstallKB979559$
2010-07-23 01:24:39 ----HD---- C:\WINDOWS\$NtUninstallKB978695_WM9$
2010-07-23 01:23:02 ----HD---- C:\WINDOWS\$NtUninstallKB979482$
2010-07-23 01:22:48 ----HD---- C:\WINDOWS\$NtUninstallKB975562$
2010-07-22 22:15:39 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-07-22 22:15:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-07-22 22:15:38 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-07-22 22:15:38 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2010-07-22 21:47:53 ----D---- C:\Program Files\IObit
2010-07-22 21:47:53 ----D---- C:\Documents and Settings\Kim Holian\Application Data\IObit
2010-07-22 20:24:44 ----SHD---- C:\FOUND.002
2010-07-22 13:47:56 ----D---- C:\Documents and Settings\All Users\Application Data\SITEguard
2010-07-22 13:46:53 ----D---- C:\Program Files\Common Files\iS3
2010-07-22 13:46:52 ----D---- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2010-07-22 11:08:41 ----RASH---- C:\WINDOWS\system32\msh263K.dll
2010-07-16 08:40:03 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2010-07-13 18:52:37 ----N---- C:\WINDOWS\system32\spmsg.dll
2010-07-13 17:25:12 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2010-07-13 17:25:10 ----A---- C:\WINDOWS\system32\QTCF.dll
2010-07-13 17:25:06 ----D---- C:\Program Files\QT Lite
2010-07-13 15:54:27 ----D---- C:\Program Files\QuickTime Alternative
2010-07-06 09:02:56 ----D---- C:\Documents and Settings\Kim Holian\Application Data\NCH Software
2010-07-06 09:01:45 ----D---- C:\Documents and Settings\All Users\Application Data\NCH Software

======List of files/folders modified in the last 1 months======

2010-08-03 11:09:34 ----A---- C:\WINDOWS\ModemLog_Motorola SM56 Speakerphone Modem.txt
2010-07-31 16:07:10 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-07-24 12:48:54 ----A---- C:\WINDOWS\imsins.BAK
2010-07-23 01:29:24 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 ohci1394;OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\system32\DRIVERS\ohci1394.sys [2008-04-14 61696]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-07-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-06-03 29584]
R1 AvgTdiX;AVG Free Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-07-16 243024]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.5.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-11-01 21419]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2006-08-02 12544]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-08-02 1681920]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 IFXTPM;IFXTPM; C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-10-20 36352]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-07-24 4353024]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 MTsensor;ATK0100 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ATKACPI.sys [2005-02-17 5632]
R3 NETw3x32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw3x32.sys [2006-07-26 1707776]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 NuidFltr;NUID filter driver; C:\WINDOWS\system32\DRIVERS\NuidFltr.sys [2009-05-09 14736]
R3 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2005-11-16 28928]
R3 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2005-11-01 51584]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2005-11-16 78976]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-14 79232]
R3 smserial;smserial; C:\WINDOWS\system32\DRIVERS\smserial.sys [2006-08-06 980608]
R3 SynMini;USB2.0 1.3M WebCam; C:\WINDOWS\System32\Drivers\SynMini.sys [2006-08-08 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image; C:\WINDOWS\System32\Drivers\SynScan.sys [2006-08-08 7808]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-05-25 193088]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 ipswuio;ipswuio; C:\WINDOWS\System32\DRIVERS\ipswuio.sys [2006-01-24 34944]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 NDISKIO;NDISKIO; \??\C:\DOCUME~1\KIMHOL~1\LOCALS~1\Temp\000011e1.nmc\nse\bin\ndiskio.sys []
S3 nsak;nsak; \??\C:\DOCUME~1\KIMHOL~1\LOCALS~1\Temp\00000ff1.nmc\nse\bin\nsak.sys []
S3 sffdisk;SFF Storage Class Driver; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2008-04-14 11904]
S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2008-04-14 11008]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050901.036\symidsco.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-08-02 401408]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-07-16 308136]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2006-08-02 434176]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-03-09 153376]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2006-08-02 327680]
R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2006-08-02 937984]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlusHelper;getPlus® Helper; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 IDriverT;InstallDriver Table Manager; c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2009-01-30 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------




info.txt logfile of random's system information tool 1.08 2010-08-03 09:44:50

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E47302B-8081-46D3-9FEA-BEB2E5F5C3EC}\SETUP.EXE" -l0x9 anything
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Download Manager-->"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Adobe Photoshop Album Starter Edition 3.0-->MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Advanced SystemCare 3-->"C:\Program Files\IObit\Advanced SystemCare 3\unins000.exe"
AI RoboForm (All Users)-->"C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ASUS InstantFun-->MsiExec.exe /I{57B15AD4-8C9D-4164-82BB-E33D8644E757}
ASUS Live Update-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E657B243-9AD4-4ECC-BE81-4CCF8D667FD0}\setup.exe" -l0x9
Asus MultiFrame-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D48531D-2135-49FC-BC29-ACCDA5396A76}\SETUP.EXE" -l0x9
ASUS Splendid Video Enhancement Technology-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C0FC1C14-4824-4A73-87A6-9E888C9C3102}\SETUP.exe" -l0x9 -removeonly
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center-->MsiExec.exe /I{E161E7E7-9875-4F7F-AFC7-72D40B45B5F3}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI Parental Control & Encoder-->MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
ATK Media-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{139B0FFA-187E-4BA1-BCA6-6B56B2B6AB8C}\SETUP.EXE" -l0x9
ATK0100 ACPI UTILITY-->C:\WINDOWS\ATK0100\XPunin.exe
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
EPSON Attach To Email-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Copy Utility 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x9 -UnInstall
EPSON Easy Photo Print-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC69DDB8-4840-4D9B-BB31-0D4DB2BA1312}\SETUP.EXE" -l0x9 UNINST
EPSON File Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x9 UNINST
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan Assistant-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Web-To-Page-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x9 -anything
ESCX3900 User's Guide-->C:\Program Files\EPSON\TPMANUAL\ESCX3900\USE_G\DOCUNINS.EXE
Express Dictate-->C:\Program Files\NCH Swift Sound\Express\uninst.exe
Express Scribe-->C:\Program Files\NCH Swift Sound\Scribe\uninst.exe
Flickr Uploadr 3.2.1-->"C:\Program Files\Flickr Uploadr\uninstall.exe"
Hitman Pro 3.5-->"C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB981793)-->"C:\WINDOWS\$NtUninstallKB981793$\spuninst\spuninst.exe"
Inkscape 0.47-->C:\Program Files\Inkscape\Uninstall.exe
Intel® PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
Java™ 6 Update 19-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
KODAK Gallery Upload Software-->MsiExec.exe /I{B7F98125-4955-41E3-8A71-4CE11CE9C198}
LifeFrame2-->MsiExec.exe /I{1DBD1F12-ED93-49C0-A7CC-56CBDE488158}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver-->MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi-->MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
mHelp-->MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISER /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{91120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Motorola SM56 Speakerphone Modem-->rundll32.exe sm56coin.dll,SM56UnInstaller
Mozilla Firefox (3.6.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML-->MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig-->MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Net4Switch-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D6D7811-43B3-463C-BC79-5D1755269989}\SETUP.EXE" -l0x9
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
PhotoPad Image Editor-->C:\Program Files\NCH Software\PhotoPad\uninst.exe
PIF DESIGNER-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B90450DF-E781-46FD-B1F1-0C86DA40E443}\SETUP.EXE" -l0x9 anything
Pixillion Image Converter-->C:\Program Files\NCH Software\Pixillion\uninst.exe
Power4 Gear-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4462AD13-F2AA-4CBD-9F95-293C38EED870}\setup.exe" -l0x9
PowerForPhone-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{89DDBCD4-B326-4545-9A05-26C7B16C1DEB}\SETUP.EXE" -l0x9
QT Lite 3.2.2-->"C:\Program Files\QT Lite\unins000.exe"
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.exe" -l0x9 -removeonly
REALTEK PCIE NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E2F183-BAC4-4D01-BD7A-59F781E17EFA}\SETUP.EXE" -l0x9 REMOVE
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Security Update for 2007 Microsoft Office System (KB982312)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {B0EC5722-241F-4CDA-83B4-AA5846B6F9F4}
Security Update for 2007 Microsoft Office System (KB982331)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {E8766951-2B6C-4022-86E8-80D2D1762B76}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Access 2007 (KB979440)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {1142CCEC-ACA9-484B-BA90-C3A5CA1988C5}
Security Update for Microsoft Office Access 2007 (KB979440)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {5A4E43D5-858F-49BD-BA72-8F30E1793060}
Security Update for Microsoft Office Excel 2007 (KB982308)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {C3F9A0DC-A5D1-4BB6-870E-2953E5A2487B}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {1109D0B3-EFA3-4553-AAED-4C3E9AD130E8}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}
Security Update for Microsoft Office Outlook 2007 (KB980376)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {48113C06-9BA2-4D54-A731-D1D2C5B3144A}
Security Update for Microsoft Office PowerPoint 2007 (KB982158)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {F5B70033-E79C-4569-90BF-BC9B4E4F3F46}
Security Update for Microsoft Office Publisher 2007 (KB982124)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {289FA8BC-6A8E-4341-B194-EB26B49E9F5D}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB982135)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {0112C750-A06F-4F92-9C40-E5C1EA9A70EB}
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB982381)-->"C:\WINDOWS\ie8updates\KB982381-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB978695)-->"C:\WINDOWS\$NtUninstallKB978695_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2229593)-->"C:\WINDOWS\$NtUninstallKB2229593$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974455)-->"C:\WINDOWS\$NtUninstallKB974455$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975562)-->"C:\WINDOWS\$NtUninstallKB975562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979482)-->"C:\WINDOWS\$NtUninstallKB979482$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979559)-->"C:\WINDOWS\$NtUninstallKB979559$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980195)-->"C:\WINDOWS\$NtUninstallKB980195$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980218)-->"C:\WINDOWS\$NtUninstallKB980218$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981349)-->"C:\WINDOWS\$NtUninstallKB981349$\spuninst\spuninst.exe"
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office OneNote 2007 (KB980729)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {329050A9-EF80-40F9-B633-74508F54C1FF}
Update for Outlook 2007 Junk Email Filter (kb2202131)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {A67392E8-282B-4BEF-8020-EF3DD664DE7B}
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB982632)-->"C:\WINDOWS\ie8updates\KB982632-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update for Windows XP (KB978207)-->"C:\WINDOWS\$NtUninstallKB978207$\spuninst\spuninst.exe"
Update for Windows XP (KB980182)-->"C:\WINDOWS\$NtUninstallKB980182$\spuninst\spuninst.exe"
USB2.0 1.3M WebCam-->C:\WINDOWS\StkUnist.exe
vPedal Media Player Plug-in 1.0-->"C:\Program Files\vPedal Media Player Plug-in\unins000.exe"
vPedal Quicktime Assistant-->"C:\Program Files\vPedal Quicktime Assistant\unins000.exe"
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray-->"C:\WINDOWS\$NtUninstallKB952011$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinFlash-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE10AB76-4756-4913-BE25-55D1C1051F9A}\setup.exe" -l0x9
Wireless Console 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83F73CB1-7705-49D1-9852-84D839CA2A45}\setup.exe" -l0x9 -removeonly

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: KIM-LAPTOP
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019D275433F. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 5555
Source Name: Dhcp
Time Written: 20100530143501.000000+600
Event Type: warning
User:

Computer Name: KIM-LAPTOP
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019D275433F. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 5552
Source Name: Dhcp
Time Written: 20100530143421.000000+600
Event Type: warning
User:

Computer Name: KIM-LAPTOP
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019D275433F. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 5550
Source Name: Dhcp
Time Written: 20100530143401.000000+600
Event Type: warning
User:

Computer Name: KIM-LAPTOP
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019D275433F. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 5548
Source Name: Dhcp
Time Written: 20100530143356.000000+600
Event Type: warning
User:

Computer Name: KIM-LAPTOP
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019D275433F. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 5546
Source Name: Dhcp
Time Written: 20100530143351.000000+600
Event Type: warning
User:

=====Application event log=====

Computer Name: KIM-LAPTOP
Event Code: 1020
Message: Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Record Number: 239
Source Name: ASP.NET 2.0.50727.0
Time Written: 20091114115851.000000+660
Event Type: warning
User:

Computer Name: KIM-LAPTOP
Event Code: 0
Message: HTTP namespace reservations are not installed.

Record Number: 222
Source Name: System.ServiceModel.Install 3.0.0.0
Time Written: 20091102140228.000000+660
Event Type: warning
User:

Computer Name: KIM-LAPTOP
Event Code: 0
Message: A configuration entry for BuildProvider System.ServiceModel.Activation.ServiceBuildProvider, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 does not exist.

Record Number: 221
Source Name: System.ServiceModel.Install 3.0.0.0
Time Written: 20091102140225.000000+660
Event Type: warning
User:

Computer Name: KIM-LAPTOP
Event Code: 0
Message: Could not detect IIS installation or IIS is disabled, skipping the Web Host Script Mappings component since it depends upon IIS to function properly.
If you believe this message is an error, check your IIS installation to make sure it is installed properly.

Record Number: 220
Source Name: System.ServiceModel.Install 3.0.0.0
Time Written: 20091102140224.000000+660
Event Type: warning
User:

Computer Name: KIM-LAPTOP
Event Code: 1020
Message: Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Record Number: 202
Source Name: ASP.NET 2.0.50727.0
Time Written: 20091102140058.000000+660
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\QT Lite\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------





#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:37 PM

Posted 03 August 2010 - 03:17 AM

Hello, mothydog.
Glad to help smile.gif
We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 mothydog

mothydog
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 03 August 2010 - 07:18 PM

Thanks again!


ComboFix 10-08-03.02 - Kim Holian 04/08/2010 10:11:14.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.365 [GMT 10:00]
Running from: c:\documents and settings\Kim Holian\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.

2010-08-02 23:44 . 2010-08-02 23:44 -------- d-----w- c:\program files\trend micro
2010-08-02 23:44 . 2010-08-02 23:44 -------- d-----w- C:\rsit
2010-08-02 23:26 . 2010-08-02 23:26 133440 ----a-w- c:\windows\system32\LnkProtect.dll
2010-07-26 01:52 . 2010-07-26 01:52 -------- d-----w- c:\documents and settings\Kim Holian\Local Settings\Application Data\Apple Computer
2010-07-24 04:09 . 2010-07-24 04:09 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\Malwarebytes
2010-07-24 03:56 . 2010-08-02 23:26 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-24 03:56 . 2010-07-24 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-07-24 03:55 . 2010-07-24 03:55 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-23 06:34 . 2010-07-23 06:34 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-23 00:26 . 2010-07-23 00:26 -------- d-sh--w- c:\documents and settings\Kim Holian\PrivacIE
2010-07-22 23:36 . 2010-07-22 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-07-22 23:36 . 2010-07-22 23:36 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\Office Genuine Advantage
2010-07-22 15:42 . 2010-07-22 15:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-22 15:42 . 2010-07-22 15:42 -------- d-sh--w- c:\documents and settings\Kim Holian\IETldCache
2010-07-22 15:35 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-07-22 15:35 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-22 15:35 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-22 15:35 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-22 15:35 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-07-22 15:35 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-22 15:35 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-07-22 15:35 . 2010-07-22 15:35 -------- d-----w- c:\windows\ie8updates
2010-07-22 15:35 . 2010-04-16 11:43 41984 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-07-22 15:32 . 2010-07-22 15:32 -------- d--h--w- c:\windows\ie8
2010-07-22 12:56 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-22 12:15 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 12:15 . 2010-07-22 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 12:15 . 2010-07-22 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-22 12:15 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-22 11:47 . 2010-07-22 11:47 -------- d-----w- c:\program files\IObit
2010-07-22 11:47 . 2010-07-22 11:47 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\IObit
2010-07-22 10:24 . 2010-07-22 10:24 -------- d-----w- C:\FOUND.002
2010-07-22 03:47 . 2010-07-22 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-07-22 03:46 . 2010-07-22 03:46 -------- d-----w- c:\program files\Common Files\iS3
2010-07-22 03:46 . 2010-07-22 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-22 01:08 . 2010-07-22 01:08 54272 --sha-r- c:\windows\system32\msh263K.dll
2010-07-21 00:14 . 2010-07-21 00:14 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-21 00:14 . 2010-07-21 00:14 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-21 00:14 . 2010-07-21 00:14 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-15 22:40 . 2010-07-15 22:40 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 22:40 . 2010-07-15 22:40 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-15 22:40 . 2010-07-15 22:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 22:38 . 2010-07-15 22:38 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-15 22:38 . 2010-07-15 22:38 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-15 22:38 . 2010-07-15 22:38 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-15 22:38 . 2010-07-15 22:38 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-13 07:25 . 2010-07-13 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-13 07:25 . 2010-03-17 20:53 180224 ----a-w- c:\windows\system32\QTCF.dll
2010-07-13 07:25 . 2010-07-13 07:25 -------- d-----w- c:\program files\QT Lite
2010-07-13 05:54 . 2010-07-13 05:54 -------- d-----w- c:\program files\QuickTime Alternative
2010-07-05 23:02 . 2010-07-05 23:02 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\NCH Software
2010-07-05 23:01 . 2010-07-05 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 03:54 . 2010-07-22 03:52 1224 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-15 22:40 . 2009-11-02 06:59 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 22:39 . 2009-11-02 06:59 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2009-11-01 10:32 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-02 22:56 . 2009-11-02 06:59 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-06 10:41 . 2004-08-20 05:18 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-07-24 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-04-16 110592]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-20 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-15 2879488]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-08-06 573440]
"PowerForPhone"="c:\program files\ASUS\PowerForPhone\PowerForPhone.exe" [2006-06-29 774144]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 180224]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2006-05-30 811008]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-06-08 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-24 786521]
"ABLKSR"="c:\windows\ABLKSR\ABLKSR.exe" [2006-01-02 61440]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-14 90112]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

c:\documents and settings\Kim Holian\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MultiFrame.lnk - c:\program files\ASUS\Asus MultiFrame\MultiFrame.exe [2009-11-1 491520]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 22:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.EXE"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\System32\\SPOOLSV.EXE"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/11/2009 4:59 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/11/2009 4:59 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/07/2010 8:40 AM 308136]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/11/2009 8:15 PM 36352]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [1/11/2009 8:08 PM 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [1/11/2009 8:08 PM 7808]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [1/11/2009 8:53 PM 34944]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\KIMHOL~1\LOCALS~1\Temp\000011e1.nmc\nse\bin\ndiskio.sys --> c:\docume~1\KIMHOL~1\LOCALS~1\Temp\000011e1.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;\??\c:\docume~1\KIMHOL~1\LOCALS~1\Temp\00000ff1.nmc\nse\bin\nsak.sys --> c:\docume~1\KIMHOL~1\LOCALS~1\Temp\00000ff1.nmc\nse\bin\nsak.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

2010-05-18 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-11 07:48]

2010-08-03 c:\windows\Tasks\Ddwsc.job
- c:\windows\system32\msh263K.dll [2010-07-22 01:08]

2010-08-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 05:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.asus.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.nchsoftware.com/software/thanks.html?software=Express&appname=Express%20Dictate&version=5.12&buyoffer=express
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\Kim Holian\Application Data\Mozilla\Firefox\Profiles\zka2q4vt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - theage.com.au
FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\Kim Holian\Application Data\Mozilla\Firefox\Profiles\zka2q4vt.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-TPSvc - TPSvc.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-04 10:14
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3432)
c:\windows\system32\WININET.dll
c:\program files\ASUS\Asus MultiFrame\HookTitle.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-04 10:16:25
ComboFix-quarantined-files.txt 2010-08-04 00:16

Pre-Run: 42,332,946,432 bytes free
Post-Run: 43,187,634,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 810E7C8310E5F75010BDC763D8DAC19C


#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:37 PM

Posted 05 August 2010 - 02:49 AM

Hello, mothydog.
Sorry for the delay in the response. Apparently, I thought I sent you the fix.

Let me know if you're still getting redirects after this.
We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    http://www.bleepingcomputer.com/forums/t/334024/please-help-with-redirect-hijack/
    Collect::
    c:\windows\Tasks\Ddwsc.job
    c:\windows\system32\msh263K.dll
    c:\windows\system32\drivers\kgpcpy.cfg
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:37 PM

Posted 08 August 2010 - 02:45 AM

Hello mothydog
Are you still with us?

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#8 mothydog

mothydog
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 08 August 2010 - 08:16 PM

Hi there - sorry, busy weekend! Still having the redirect problem though... sad.gif



ComboFix 10-08-03.02 - Kim Holian 04/08/2010 10:11:14.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.365 [GMT 10:00]
Running from: c:\documents and settings\Kim Holian\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.

2010-08-02 23:44 . 2010-08-02 23:44 -------- d-----w- c:\program files\trend micro
2010-08-02 23:44 . 2010-08-02 23:44 -------- d-----w- C:\rsit
2010-08-02 23:26 . 2010-08-02 23:26 133440 ----a-w- c:\windows\system32\LnkProtect.dll
2010-07-26 01:52 . 2010-07-26 01:52 -------- d-----w- c:\documents and settings\Kim Holian\Local Settings\Application Data\Apple Computer
2010-07-24 04:09 . 2010-07-24 04:09 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\Malwarebytes
2010-07-24 03:56 . 2010-08-02 23:26 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-24 03:56 . 2010-07-24 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-07-24 03:55 . 2010-07-24 03:55 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-23 06:34 . 2010-07-23 06:34 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-23 00:26 . 2010-07-23 00:26 -------- d-sh--w- c:\documents and settings\Kim Holian\PrivacIE
2010-07-22 23:36 . 2010-07-22 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-07-22 23:36 . 2010-07-22 23:36 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\Office Genuine Advantage
2010-07-22 15:42 . 2010-07-22 15:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-22 15:42 . 2010-07-22 15:42 -------- d-sh--w- c:\documents and settings\Kim Holian\IETldCache
2010-07-22 15:35 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-07-22 15:35 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-22 15:35 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-22 15:35 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-22 15:35 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-07-22 15:35 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-22 15:35 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-07-22 15:35 . 2010-07-22 15:35 -------- d-----w- c:\windows\ie8updates
2010-07-22 15:35 . 2010-04-16 11:43 41984 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-07-22 15:32 . 2010-07-22 15:32 -------- d--h--w- c:\windows\ie8
2010-07-22 12:56 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-22 12:15 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 12:15 . 2010-07-22 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 12:15 . 2010-07-22 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-22 12:15 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-22 11:47 . 2010-07-22 11:47 -------- d-----w- c:\program files\IObit
2010-07-22 11:47 . 2010-07-22 11:47 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\IObit
2010-07-22 10:24 . 2010-07-22 10:24 -------- d-----w- C:\FOUND.002
2010-07-22 03:47 . 2010-07-22 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-07-22 03:46 . 2010-07-22 03:46 -------- d-----w- c:\program files\Common Files\iS3
2010-07-22 03:46 . 2010-07-22 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-22 01:08 . 2010-07-22 01:08 54272 --sha-r- c:\windows\system32\msh263K.dll
2010-07-21 00:14 . 2010-07-21 00:14 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-21 00:14 . 2010-07-21 00:14 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-21 00:14 . 2010-07-21 00:14 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-15 22:40 . 2010-07-15 22:40 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 22:40 . 2010-07-15 22:40 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-15 22:40 . 2010-07-15 22:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 22:38 . 2010-07-15 22:38 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-15 22:38 . 2010-07-15 22:38 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-15 22:38 . 2010-07-15 22:38 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-15 22:38 . 2010-07-15 22:38 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-13 07:25 . 2010-07-13 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-13 07:25 . 2010-03-17 20:53 180224 ----a-w- c:\windows\system32\QTCF.dll
2010-07-13 07:25 . 2010-07-13 07:25 -------- d-----w- c:\program files\QT Lite
2010-07-13 05:54 . 2010-07-13 05:54 -------- d-----w- c:\program files\QuickTime Alternative
2010-07-05 23:02 . 2010-07-05 23:02 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\NCH Software
2010-07-05 23:01 . 2010-07-05 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 03:54 . 2010-07-22 03:52 1224 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-15 22:40 . 2009-11-02 06:59 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 22:39 . 2009-11-02 06:59 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2009-11-01 10:32 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-02 22:56 . 2009-11-02 06:59 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-06 10:41 . 2004-08-20 05:18 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-07-24 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-04-16 110592]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-20 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-15 2879488]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-08-06 573440]
"PowerForPhone"="c:\program files\ASUS\PowerForPhone\PowerForPhone.exe" [2006-06-29 774144]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 180224]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2006-05-30 811008]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-06-08 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-24 786521]
"ABLKSR"="c:\windows\ABLKSR\ABLKSR.exe" [2006-01-02 61440]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-14 90112]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

c:\documents and settings\Kim Holian\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MultiFrame.lnk - c:\program files\ASUS\Asus MultiFrame\MultiFrame.exe [2009-11-1 491520]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 22:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.EXE"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\System32\\SPOOLSV.EXE"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/11/2009 4:59 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/11/2009 4:59 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/07/2010 8:40 AM 308136]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/11/2009 8:15 PM 36352]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [1/11/2009 8:08 PM 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [1/11/2009 8:08 PM 7808]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [1/11/2009 8:53 PM 34944]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\KIMHOL~1\LOCALS~1\Temp\000011e1.nmc\nse\bin\ndiskio.sys --> c:\docume~1\KIMHOL~1\LOCALS~1\Temp\000011e1.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;\??\c:\docume~1\KIMHOL~1\LOCALS~1\Temp\00000ff1.nmc\nse\bin\nsak.sys --> c:\docume~1\KIMHOL~1\LOCALS~1\Temp\00000ff1.nmc\nse\bin\nsak.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

2010-05-18 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-11 07:48]

2010-08-03 c:\windows\Tasks\Ddwsc.job
- c:\windows\system32\msh263K.dll [2010-07-22 01:08]

2010-08-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 05:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.asus.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.nchsoftware.com/software/thanks.html?software=Express&appname=Express%20Dictate&version=5.12&buyoffer=express
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\Kim Holian\Application Data\Mozilla\Firefox\Profiles\zka2q4vt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - theage.com.au
FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\Kim Holian\Application Data\Mozilla\Firefox\Profiles\zka2q4vt.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-TPSvc - TPSvc.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-04 10:14
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3432)
c:\windows\system32\WININET.dll
c:\program files\ASUS\Asus MultiFrame\HookTitle.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-04 10:16:25
ComboFix-quarantined-files.txt 2010-08-04 00:16

Pre-Run: 42,332,946,432 bytes free
Post-Run: 43,187,634,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 810E7C8310E5F75010BDC763D8DAC19C


#9 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:37 PM

Posted 08 August 2010 - 11:39 PM

Hi!

It doesn't look like you ran the CFScript. Could you try it again? Make sure you drag the file over the combofix icon smile.gif

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:37 PM

Posted 12 August 2010 - 03:13 AM

Hello mothydog
Are you still with us?

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 mothydog

mothydog
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 12 August 2010 - 03:26 AM

Yes!! Sorry, had trouble with the last instruction. Hopefully I have done the right thing finally...

L  F U@_7 7 |@_7  {  PO :i +00 /C:\

Thanks!

#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:37 PM

Posted 12 August 2010 - 03:35 AM

Hi!

That's interesting... what is that? blink.gif

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#13 mothydog

mothydog
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 12 August 2010 - 04:27 AM

B*ggered if I know!! Seems I got things wrong in a big way. What about the following?!

ComboFix 10-08-03.02 - Kim Holian 04/08/2010 10:11:14.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.365 [GMT 10:00]
Running from: c:\documents and settings\Kim Holian\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.

2010-08-02 23:44 . 2010-08-02 23:44 -------- d-----w- c:\program files\trend micro
2010-08-02 23:44 . 2010-08-02 23:44 -------- d-----w- C:\rsit
2010-08-02 23:26 . 2010-08-02 23:26 133440 ----a-w- c:\windows\system32\LnkProtect.dll
2010-07-26 01:52 . 2010-07-26 01:52 -------- d-----w- c:\documents and settings\Kim Holian\Local Settings\Application Data\Apple Computer
2010-07-24 04:09 . 2010-07-24 04:09 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\Malwarebytes
2010-07-24 03:56 . 2010-08-02 23:26 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-24 03:56 . 2010-07-24 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-07-24 03:55 . 2010-07-24 03:55 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-23 06:34 . 2010-07-23 06:34 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-23 00:26 . 2010-07-23 00:26 -------- d-sh--w- c:\documents and settings\Kim Holian\PrivacIE
2010-07-22 23:36 . 2010-07-22 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-07-22 23:36 . 2010-07-22 23:36 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\Office Genuine Advantage
2010-07-22 15:42 . 2010-07-22 15:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-22 15:42 . 2010-07-22 15:42 -------- d-sh--w- c:\documents and settings\Kim Holian\IETldCache
2010-07-22 15:35 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-07-22 15:35 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-22 15:35 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-22 15:35 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-22 15:35 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-07-22 15:35 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-22 15:35 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-07-22 15:35 . 2010-07-22 15:35 -------- d-----w- c:\windows\ie8updates
2010-07-22 15:35 . 2010-04-16 11:43 41984 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-07-22 15:32 . 2010-07-22 15:32 -------- d--h--w- c:\windows\ie8
2010-07-22 12:56 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-22 12:15 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 12:15 . 2010-07-22 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 12:15 . 2010-07-22 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-22 12:15 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-22 11:47 . 2010-07-22 11:47 -------- d-----w- c:\program files\IObit
2010-07-22 11:47 . 2010-07-22 11:47 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\IObit
2010-07-22 10:24 . 2010-07-22 10:24 -------- d-----w- C:\FOUND.002
2010-07-22 03:47 . 2010-07-22 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-07-22 03:46 . 2010-07-22 03:46 -------- d-----w- c:\program files\Common Files\iS3
2010-07-22 03:46 . 2010-07-22 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-22 01:08 . 2010-07-22 01:08 54272 --sha-r- c:\windows\system32\msh263K.dll
2010-07-21 00:14 . 2010-07-21 00:14 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-21 00:14 . 2010-07-21 00:14 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-21 00:14 . 2010-07-21 00:14 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-15 22:40 . 2010-07-15 22:40 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 22:40 . 2010-07-15 22:40 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-15 22:40 . 2010-07-15 22:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 22:38 . 2010-07-15 22:38 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-15 22:38 . 2010-07-15 22:38 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-15 22:38 . 2010-07-15 22:38 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-15 22:38 . 2010-07-15 22:38 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-13 07:25 . 2010-07-13 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-13 07:25 . 2010-03-17 20:53 180224 ----a-w- c:\windows\system32\QTCF.dll
2010-07-13 07:25 . 2010-07-13 07:25 -------- d-----w- c:\program files\QT Lite
2010-07-13 05:54 . 2010-07-13 05:54 -------- d-----w- c:\program files\QuickTime Alternative
2010-07-05 23:02 . 2010-07-05 23:02 -------- d-----w- c:\documents and settings\Kim Holian\Application Data\NCH Software
2010-07-05 23:01 . 2010-07-05 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 03:54 . 2010-07-22 03:52 1224 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-15 22:40 . 2009-11-02 06:59 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 22:39 . 2009-11-02 06:59 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2009-11-01 10:32 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-02 22:56 . 2009-11-02 06:59 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-06 10:41 . 2004-08-20 05:18 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-07-24 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-04-16 110592]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-20 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-15 2879488]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-08-06 573440]
"PowerForPhone"="c:\program files\ASUS\PowerForPhone\PowerForPhone.exe" [2006-06-29 774144]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 180224]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2006-05-30 811008]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-06-08 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-24 786521]
"ABLKSR"="c:\windows\ABLKSR\ABLKSR.exe" [2006-01-02 61440]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-14 90112]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

c:\documents and settings\Kim Holian\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MultiFrame.lnk - c:\program files\ASUS\Asus MultiFrame\MultiFrame.exe [2009-11-1 491520]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 22:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.EXE"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\System32\\SPOOLSV.EXE"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/11/2009 4:59 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/11/2009 4:59 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/07/2010 8:40 AM 308136]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/11/2009 8:15 PM 36352]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [1/11/2009 8:08 PM 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [1/11/2009 8:08 PM 7808]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [1/11/2009 8:53 PM 34944]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\KIMHOL~1\LOCALS~1\Temp\000011e1.nmc\nse\bin\ndiskio.sys --> c:\docume~1\KIMHOL~1\LOCALS~1\Temp\000011e1.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;\??\c:\docume~1\KIMHOL~1\LOCALS~1\Temp\00000ff1.nmc\nse\bin\nsak.sys --> c:\docume~1\KIMHOL~1\LOCALS~1\Temp\00000ff1.nmc\nse\bin\nsak.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

2010-05-18 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-11 07:48]

2010-08-03 c:\windows\Tasks\Ddwsc.job
- c:\windows\system32\msh263K.dll [2010-07-22 01:08]

2010-08-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 05:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.asus.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.nchsoftware.com/software/thanks.html?software=Express&appname=Express%20Dictate&version=5.12&buyoffer=express
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\Kim Holian\Application Data\Mozilla\Firefox\Profiles\zka2q4vt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - theage.com.au
FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\Kim Holian\Application Data\Mozilla\Firefox\Profiles\zka2q4vt.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-TPSvc - TPSvc.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-04 10:14
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3432)
c:\windows\system32\WININET.dll
c:\program files\ASUS\Asus MultiFrame\HookTitle.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-04 10:16:25
ComboFix-quarantined-files.txt 2010-08-04 00:16

Pre-Run: 42,332,946,432 bytes free
Post-Run: 43,187,634,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 810E7C8310E5F75010BDC763D8DAC19C


#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:37 PM

Posted 12 August 2010 - 11:13 AM

Hi!

Yes, that's a combofix log smile.gif

Did you drag the CFScript onto the combofix icon? The files we'd like to delete are still present and combofix says no script was run. If you are struggling with this step, let me know and I can explain in more detail how to do it.

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#15 mothydog

mothydog
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 12 August 2010 - 06:49 PM

Okay, it seems it's official - I am struggling!

I drag and drop the cfscript into the combofix icon and a small screen pops up that says 'combofix' and the green bars progress so I gather it is running something but then after a thorough search there is no Combofix.txt !





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users