
Win 32/Patched.FR--Win32/Patched.FS


  • This topic is locked
42 replies to this topic

#1 addboat

addboat

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:20 AM

Posted 16 November 2010 - 10:47 AM

Managed to get C:\Windows\system32\winlogon.exe & C:\Windows\Explorer.exe infected with the above virus. Downloaded and ran Windows Security Essentials, which seemed to quarantine them. AVG white lined them. Usual things: hanging programs and blank desktop. Malware picked up two bugs, but the computer is still not right. Any help would be greatly appreciated. I just hope I have covered all your preparation correctly. Thanking you... addboat

Attached Files: Attach.txt (41.72KB), DDS.txt (12.87KB), ark.txt (6.01KB)


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:04:20 AM

Posted 24 November 2010 - 05:42 PM

Hello, addboat.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the steps below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.
We need to run Defogger
  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Note: If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until the end of the fix.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run an Anti-Rootkit (ARK) scan
  • Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
  Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  • When the scan is complete, click Save and save the log onto your desktop.

If GMER crashes, hangs or blue-screens, do the following
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
    **Note: It is zipped into a .RAR file. If you do not have a .RAR extractor, you can get one for free here.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note: You may get this warning. If so, please ignore it.
"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log/RKUnhooker log

Edited by aommaster, 24 November 2010 - 05:44 PM.

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 addboat

addboat
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:20 AM

Posted 24 November 2010 - 06:38 PM

Thank you aommaster for your reply. First bit okay, but when I click the link to RSIT, all I get is a blank page. Can I download this from another source, or does it need to come from your site? By this you will understand how adept I am at this process. (cough, cough)
Quick update. Have scanned on quite a few occasions with Malwarebytes, AVG and SUPERAntiSpyware. System seems clear, but I would be very grateful if you would check it for me.
Uninstalled MSE, which was slowing the system down. It had quarantined the virus, but I assume they will be on the shadow copy I created on my external drive.
Again, thank you for taking the time to reply... addboat
P.S. GMER is still on the desktop; will run it in the a.m. as it took 8 hrs. last time.

#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:04:20 AM

Posted 24 November 2010 - 06:48 PM

Hi!

Glad to help! I just checked the RSIT link again and it seems to be working fine. Try right clicking the link and clicking "Save Target". Hopefully that should start the download. If not, let me know and we can proceed another way.

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 addboat

addboat
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:20 AM

Posted 25 November 2010 - 02:18 PM

Hope this is right! GMER only goes to C:\WINDOWS\Software Distribution\Download\2d8407673ea9865ef7cd775540e3e36b\.. Not sure if this is enough?

info.txt logfile of random's system information tool 1.08 2010-11-25 00:59:14

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad Muncher v4.9 Build 32300-->"C:\Program Files\Ad Muncher\AdMunch.exe" /P "InstallerAction=Uninstall" /P "InstallTarget=C:\Program Files\Ad Muncher"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Amazon MP3 Downloader 1.0.9-->C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
ArtRage-->MsiExec.exe /I{CF72DC2F-F292-4D2B-B4E8-7D2060F095DA}
Artweaver 1.0-->"C:\Program Files\Artweaver 1.0\unins000.exe"
Ashampoo PowerUp 3.23-->"C:\Program Files\Ashampoo\Ashampoo PowerUp 3\unins000.exe"
AVG 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
BitTorrent-->C:\Program Files\BitTorrent\uninst.exe
C-Media WDM Audio Driver-->C:\WINDOWS\system32\cmirmdrv.exe
Destroy-it! 2000-->"C:\Program Files\Destit\Remove.exe" /U:"C:\Program Files\Destit\Remove.log"
DFX for Windows Media Player-->C:\Program Files\DFX\uninstall_WMP.exe
Driver Genius Professional Edition-->"C:\Program Files\Driver-Soft\DriverGenius\unins000.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
EL-Link For Windows 1.04-->C:\PROGRA~1\EL-Link\UNINST.EXE
EPSON Copy Utility 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x9 -UnInstall
EPSON Easy Photo Print-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A8F8391-4C2C-4BE1-A984-CD4A5A546467}\setup.exe" -l0x9 UNINST
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Gadwin PrintScreen-->C:\Program Files\Gadwin Systems\PrintScreen\Uninstall.exe
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB935957)-->"C:\WINDOWS\$NtUninstallKB935957$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB2158563)-->"C:\WINDOWS\$NtUninstallKB2158563$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB954708)-->"C:\WINDOWS\$NtUninstallKB954708$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB981793)-->"C:\WINDOWS\$NtUninstallKB981793$\spuninst\spuninst.exe"
IE7Pro-->C:\Program Files\IEPro\uninst.exe
Image Convert Jpg Jpeg Bmp Tiff Gif Png Free 5.0-->"C:\Program Files\Image Convert Jpg Jpeg Bmp Tiff Gif Png Free\unins000.exe"
Intel® 536EP Modem-->rundll32 IntelSdi.dll,iSMUninstallation "Intel® 536EP Modem"
Java™ 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216020FF}
Junk Mail filter update-->MsiExec.exe /I{E2DFE069-083E-4631-9B6C-43C48E991DE5}
Logitech SetPoint 5.20-->MsiExec.exe /I{D3120436-1358-4253-9EB2-257FFE8CE1D9}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
MP3 Player Utilities V1.28-->MsiExec.exe /I{5BBFB0E4-2250-49C3-A8A3-65BE2197D13B}
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
My DSC-->C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
Nero 7 Premium-->MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
OpenOffice.org 3.2-->MsiExec.exe /I{09DF00E6-520C-49D5-B7E0-9612165CACA8}
Paint.NET v3.5.5-->MsiExec.exe /X{F0E2B312-D7FD-4349-A9B6-E90B36DB1BD0}
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
Pinpoint Metaviewer-->MsiExec.exe /I{927F494B-BA0F-4951-A57B-0CC052BA3B7A}
Pipex Assistant-->"C:\Program Files\Pipex Assistant\Uninstall Assistant.exe"
PixiePack Codec Pack-->MsiExec.exe /I{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}
RegCure-->C:\Program Files\RegCure\uninst.exe
Replay Music-->"C:\WINDOWS\Replay Music\uninstall.exe" "/U:C:\Program Files\Replay Music 3\Uninstall\uninstall.xml"
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A8894F19-59C8-38D2-8A75-36C0CCE56A5B} /qb+ REBOOTPROMPT=""
Security Update for Windows Internet Explorer 8 (KB2183461)-->"C:\WINDOWS\ie8updates\KB2183461-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2360131)-->"C:\WINDOWS\ie8updates\KB2360131-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB982381)-->"C:\WINDOWS\ie8updates\KB982381-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB2378111)-->"C:\WINDOWS\$NtUninstallKB2378111_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB975558)-->"C:\WINDOWS\$NtUninstallKB975558_WM8$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB978695)-->"C:\WINDOWS\$NtUninstallKB978695_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2079403)-->"C:\WINDOWS\$NtUninstallKB2079403$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2115168)-->"C:\WINDOWS\$NtUninstallKB2115168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2121546)-->"C:\WINDOWS\$NtUninstallKB2121546$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2160329)-->"C:\WINDOWS\$NtUninstallKB2160329$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2229593)-->"C:\WINDOWS\$NtUninstallKB2229593$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2259922)-->"C:\WINDOWS\$NtUninstallKB2259922$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2279986)-->"C:\WINDOWS\$NtUninstallKB2279986$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2286198)-->"C:\WINDOWS\$NtUninstallKB2286198$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2296011)-->"C:\WINDOWS\$NtUninstallKB2296011$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2347290)-->"C:\WINDOWS\$NtUninstallKB2347290$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2360937)-->"C:\WINDOWS\$NtUninstallKB2360937$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2387149)-->"C:\WINDOWS\$NtUninstallKB2387149$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974455)-->"C:\WINDOWS\$NtUninstallKB974455$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975562)-->"C:\WINDOWS\$NtUninstallKB975562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979482)-->"C:\WINDOWS\$NtUninstallKB979482$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979559)-->"C:\WINDOWS\$NtUninstallKB979559$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979687)-->"C:\WINDOWS\$NtUninstallKB979687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980195)-->"C:\WINDOWS\$NtUninstallKB980195$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980218)-->"C:\WINDOWS\$NtUninstallKB980218$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980436)-->"C:\WINDOWS\$NtUninstallKB980436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981322)-->"C:\WINDOWS\$NtUninstallKB981322$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981852)-->"C:\WINDOWS\$NtUninstallKB981852$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981957)-->"C:\WINDOWS\$NtUninstallKB981957$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981997)-->"C:\WINDOWS\$NtUninstallKB981997$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982132)-->"C:\WINDOWS\$NtUninstallKB982132$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982214)-->"C:\WINDOWS\$NtUninstallKB982214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982665)-->"C:\WINDOWS\$NtUninstallKB982665$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982802)-->"C:\WINDOWS\$NtUninstallKB982802$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
SiS 900 PCI Fast Ethernet Adapter Driver-->C:\WINDOWS\SiS\900\Uninst.exe
SpeedTouch USB Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}\setup.exe" /l0009 -Control_Panel
Spell Checker For OE 2.1-->C:\Program Files\Common Files\Microsoft Shared\proof\Uninstal.exe
Spotify-->"C:\Program Files\Spotify\uninstall.exe"
SUPERAntiSpyware Professional-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
TypingMaster Pro-->"C:\Program Files\TypingMaster\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB975364)-->"C:\WINDOWS\ie8updates\KB975364-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB2141007)-->"C:\WINDOWS\$NtUninstallKB2141007$\spuninst\spuninst.exe"
Update for Windows XP (KB2345886)-->"C:\WINDOWS\$NtUninstallKB2345886$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Mail-->MsiExec.exe /I{6412CECE-8172-4BE5-935B-6CECACD2CA87}
Windows Live Photo Gallery-->MsiExec.exe /X{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Sync-->MsiExec.exe /X{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows PowerShell™ 1.0-->"C:\WINDOWS\$NtUninstallKB926139-v2$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WIRELESS DESIGN & WORK TABLET 100/200/400/1200-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\A_Tablet\USB Tablet Driver\Uninst.isu"

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AVG Anti-Virus plus Firewall
FW: AVG Firewall

======System event log======

Computer Name: HOME-0121E018A8
Event Code: 1006
Message:
Record Number: 26913
Source Name: Microsoft Antimalware
Time Written: 20101113235914.000000+000
Event Type: warning
User:

Computer Name: HOME-0121E018A8
Event Code: 3
Message: Printer EPSON SX210 Series was deleted.

Record Number: 26742
Source Name: Print
Time Written: 20101112234452.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME-0121E018A8
Event Code: 4
Message: Printer EPSON SX210 Series is pending deletion.

Record Number: 26737
Source Name: Print
Time Written: 20101112175949.000000+000
Event Type: warning
User: HOME-0121E018A8\Administrator

Computer Name: HOME-0121E018A8
Event Code: 20
Message: Printer Driver EPSON SX210 Series for Windows NT x86 Version-3 was added or updated. Files:- E_FMAIFDE.DLL, E_FUICFDE.DLL, E_FVIFFDE.VIF, E_FHLDRFDE.CHM, E_FDSPFDE.DLL, E_FJBCFDE.DLL, E_FCONFDE.DLL, E_FAUDFDE.DLL, E_FAREFDE.DLL, E_FREDFDE.DLL, E_FUIRFDE.DLL, E_FUI1FDE.DLL, E_FUIXFDE.DLL, E_FUIXFDE.XML, E_FCF0FDE.CFG, E_FCF0FDE.DEV, E_FGRCFDE.DLL, E_FPRUFDE.DLL, E_FPREFDE.EXE, E_FPI1FDE.DAT, E_FLMWFDE.DLL, E_FLC1FDE.LMC, E_FLC2FDE.LMC, EPSET32.DLL, E_FHM0FDE.DLL, E_FMW0FDE.DLL, E_FHT0FDE.DLL, E_FSR0FDE.DLL, E_FHBRFDE.DLL, E_FHUTFDE.DLL, E_FHUTFDE.EXE, E_FHSRFDE.DLL, E_FBA6FDE.DLL, E_FBL6FDE.DLL, E_FBIDFDE.LMD, E_FBAPFDE.DLL, EBAPI4.DLL, EBPBIDI.DLL, E_FINSFDE.EXE, E_FINSFDE.DAT, E_FINSFDE.DLL, E_FARNFDE.EXE, E_FASKFDE.DLL, E_FAMTFDE.EXE, E_FAIRFDE.DLL, E_FAPRFDE.DLL, E_FATIFDE.EXE, E_FABRFDE.DLL, E_FASRFDE.DLL, E_FBCSFDE.EXE, E_FAIFFDE.DAT, E_FGEPFDE.DLL, E_FASOFDE.DLL, E_S40RP7.EXE, E_S40ST7.EXE, E_FHLIAFDE.CHM, EREGISTR.EXE, EREGISTR.CFG, E_DUPA30.EXE, E_DUPA3E.DLL.

Record Number: 26688
Source Name: Print
Time Written: 20101112092305.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME-0121E018A8
Event Code: 8
Message: Printer EPSON Stylus DX4000 Series was purged.

Record Number: 26342
Source Name: Print
Time Written: 20101106153243.000000+000
Event Type: warning
User: HOME-0121E018A8\Administrator

=====Application event log=====

Computer Name: HOME-0121E018A8
Event Code: 2001
Message:
Record Number: 1467
Source Name: Microsoft Office 14
Time Written: 20091226114645.000000+000
Event Type: error
User:

Computer Name: HOME-0121E018A8
Event Code: 2001
Message:
Record Number: 1466
Source Name: Microsoft Office 14
Time Written: 20091226114640.000000+000
Event Type: error
User:

Computer Name: HOME-0121E018A8
Event Code: 2001
Message:
Record Number: 1465
Source Name: Microsoft Office 14
Time Written: 20091226114631.000000+000
Event Type: error
User:

Computer Name: HOME-0121E018A8
Event Code: 2000
Message:
Record Number: 1463
Source Name: Microsoft Office 14
Time Written: 20091226113411.000000+000
Event Type: error
User:

Computer Name: HOME-0121E018A8
Event Code: 2000
Message:
Record Number: 1462
Source Name: Microsoft Office 14
Time Written: 20091226113329.000000+000
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 7 Stepping 1, AuthenticAMD
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=0701
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"DEVMGR_SHOW_NONPRESENT_DEVICES"=1
"DEVMGR_SHOW_DETAILS"=1

-----------------EOF-----------------
Logfile of random's system information tool 1.08 (written by random/random)
Run by Administrator at 2010-11-25 00:58:08
Microsoft Windows XP Professional Service Pack 3
System drive C: has 63 GB (81%) free of 78 GB
Total RAM: 1247 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 00:59:06, on 25/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\IEPro\IEProRecorder.dll
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HJRUDZ5DT2] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Lwx.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: S&end to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256699200296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256711517699
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C089F6F-2A5A-4D76-AD72-97982F8178B8}: NameServer = 212.139.132.41 212.139.132.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C089F6F-2A5A-4D76-AD72-97982F8178B8}: NameServer = 212.139.132.41 212.139.132.42
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 7488 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Driver Fetch.job
C:\WINDOWS\tasks\Driver Robot.job
C:\WINDOWS\tasks\File Helper.job
C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-839522115-1708537768-500.job
C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-839522115-1708537768-500.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure Startup.job
C:\WINDOWS\tasks\RegCure.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00011268-E188-40DF-A514-835FCD78B1BF}]
IE7Pro BHO - C:\Program Files\IEPro\iepro.dll [2010-06-02 777392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
AskBar BHO

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-10-26 1623392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-05-13 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-05-13 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
{3041d03e-fd4b-44e0-b742-2d9b88305f98} -
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Program Files\IEPro\IEProRecorder.dll [2010-06-02 662736]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"= []
"atwtusb"=atwtusb.exe beta []
"SpeedTouch USB Diagnostics"=C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe [2007-06-11 901120]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-11-10 2069856]
"Kernel and Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2009-06-17 55824]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2010-03-29 437584]
"Ad Muncher"=C:\Program Files\Ad Muncher\AdMunch.exe [2010-11-24 534728]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"HJRUDZ5DT2"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Lwx.exe [2010-11-18 193024]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2009-01-30 204288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2010-05-01 185896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2010-06-22 12536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-11 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2009-01-30 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDriveAutoRun"=0x80FF0700
"NoDrives"=0xC2FFFF03

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\WNt500x86\RpcSandraSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\WNt500x86\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP3c\WNt500x86\RpcSandraSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP3c\WNt500x86\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\WNt500x86\sandra.mui"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\WNt500x86\sandra.mui:*:Enabled:SiSoftware Sandra Agent Service"
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\WNt500x86\RpcSandraSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\WNt500x86\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\AVG\AVG9\avgam.exe"="C:\Program Files\AVG\AVG9\avgam.exe:*:Enabled:avgam.exe"
"C:\Program Files\AVG\AVG9\avgdiagex.exe"="C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\Program Files\AVG\AVG9\avgemc.exe"="C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG9\avgnsx.exe"="C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\IEPro\MiniDM.exe"="C:\Program Files\IEPro\MiniDM.exe:*:Enabled:MiniDM"
"C:\Program Files\Spotify\spotify.exe"="C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

======List of files/folders created in the last 1 months======

2010-11-25 00:58:09 ----D---- C:\Program Files\trend micro
2010-11-25 00:58:08 ----D---- C:\rsit
2010-11-24 09:58:30 ----D---- C:\Program Files\Ad Muncher
2010-11-18 11:22:20 ----D---- C:\Documents and Settings\All Users\Application Data\Ad Muncher
2010-11-18 10:52:50 ----A---- C:\WINDOWS\Lxipaa.exe
2010-11-15 07:22:45 ----D---- C:\Program Files\Cobian Backup 9
2010-11-13 23:58:23 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2010-11-12 14:50:30 ----N---- C:\WINDOWS\EEventManager.INI
2010-11-12 09:26:09 ----D---- C:\Program Files\Epson Software
2010-11-12 09:23:57 ----D---- C:\Documents and Settings\Administrator\Application Data\InstallShield
2010-11-12 09:22:50 ----N---- C:\WINDOWS\system32\E_FLBFDE.DLL
2010-11-12 09:22:50 ----N---- C:\WINDOWS\system32\E_FD4BFDE.DLL
2010-11-12 09:20:04 ----N---- C:\WINDOWS\system32\eswiaud.dll
2010-11-12 09:20:04 ----N---- C:\WINDOWS\system32\esdevapp.exe
2010-11-12 09:20:04 ----N---- C:\WINDOWS\system32\escdev.dll
2010-11-03 07:06:55 ----D---- C:\Documents and Settings\Administrator\Application Data\Amazon
2010-11-03 07:05:22 ----D---- C:\Program Files\Amazon

======List of files/folders modified in the last 1 months======

2010-11-25 00:58:09 ----RD---- C:\Program Files
2010-11-25 00:56:39 ----D---- C:\WINDOWS\Temp
2010-11-24 23:58:03 ----D---- C:\WINDOWS\system32\drivers\Avg
2010-11-24 12:44:04 ----D---- C:\WINDOWS\system32
2010-11-24 12:44:04 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-11-24 12:41:32 ----D---- C:\WINDOWS\system32\CatRoot2
2010-11-19 09:24:41 ----SHD---- C:\WINDOWS\Installer
2010-11-19 09:24:38 ----D---- C:\Config.Msi
2010-11-19 09:24:37 ----D---- C:\WINDOWS\system32\drivers
2010-11-19 09:24:27 ----SD---- C:\WINDOWS\Tasks
2010-11-19 09:17:42 ----D---- C:\WINDOWS
2010-11-18 12:05:18 ----D---- C:\WINDOWS\Prefetch
2010-11-17 08:55:04 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2010-11-15 22:46:34 ----D---- C:\WINDOWS\system32\NtmsData
2010-11-15 22:42:35 ----D---- C:\WINDOWS\repair
2010-11-14 12:02:59 ----D---- C:\Documents and Settings\Administrator\Application Data\BitTorrent
2010-11-14 00:21:37 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2010-11-14 00:21:06 ----A---- C:\WINDOWS\imsins.BAK
2010-11-14 00:08:40 ----A---- C:\WINDOWS\explorer.exe
2010-11-14 00:08:39 ----A---- C:\WINDOWS\system32\winlogon.exe
2010-11-13 23:54:19 ----HD---- C:\WINDOWS\inf
2010-11-13 23:54:17 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-11-13 21:20:19 ----HDC---- C:\WINDOWS\$NtUninstallKB896358$
2010-11-13 20:40:16 ----SHD---- C:\System Volume Information
2010-11-13 20:40:16 ----D---- C:\WINDOWS\system32\Restore
2010-11-13 12:01:36 ----D---- C:\Documents and Settings\All Users\Application Data\EPSON
2010-11-13 12:01:24 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-11-12 17:59:12 ----D---- C:\Documents and Settings\Administrator\Application Data\EPSON
2010-11-12 17:56:46 ----D---- C:\Program Files\RapidSolution
2010-11-12 17:54:18 ----HD---- C:\Program Files\InstallShield Installation Information
2010-11-12 09:29:10 ----D---- C:\Documents and Settings\All Users\Application Data\UDL
2010-11-12 09:27:11 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-11-12 09:27:11 ----D---- C:\Program Files\Common Files\InstallShield
2010-11-12 09:25:23 ----D---- C:\Program Files\EPSON
2010-11-08 15:11:20 ----D---- C:\Program Files\Replay Music 3
2010-11-08 15:11:06 ----N---- C:\WINDOWS\system32\AUDIOGENIE2.DLL
2010-11-07 13:43:25 ----D---- C:\Documents and Settings\Administrator\Application Data\Spotify
2010-11-02 16:47:16 ----N---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 AvgRkx86;avgrkx86.sys; C:\WINDOWS\System32\Drivers\avgrkx86.sys [2010-04-15 52872]
R0 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
R0 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-06-22 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-06-01 29584]
R1 AvgTdiX;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-06-22 243024]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R1 SiSkp;SiSkp; C:\WINDOWS\system32\DRIVERS\srvkp.sys [2006-03-09 12160]
R2 LBeepKE;LBeepKE; C:\WINDOWS\System32\Drivers\LBeepKE.sys [2009-06-17 10384]
R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN); C:\WINDOWS\system32\DRIVERS\alcan5wn.sys [2003-12-08 53600]
R3 alcaudsl;SpeedTouch ADSL Modem ATM Transport; C:\WINDOWS\system32\DRIVERS\alcaudsl.sys [2003-12-08 70688]
R3 Avgfwdx;Avgfwdx; C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2010-04-15 30104]
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2006-06-09 1373120]
R3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
R3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntelS51;Intel® 536EP Modem; C:\WINDOWS\system32\DRIVERS\IntelS51.sys [2004-12-10 1903338]
R3 MBAMProtector;MBAMProtector; \??\C:\WINDOWS\system32\drivers\mbam.sys []
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2006-03-09 245248]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S1 acswoggj;acswoggj; \??\C:\WINDOWS\system32\drivers\acswoggj.sys []
S1 arhehvlj;arhehvlj; \??\C:\WINDOWS\system32\drivers\arhehvlj.sys []
S1 hywzxdvu;hywzxdvu; \??\C:\WINDOWS\system32\drivers\hywzxdvu.sys []
S1 igczngbj;igczngbj; \??\C:\WINDOWS\system32\drivers\igczngbj.sys []
S1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys []
S1 InCDRm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys []
S1 jojnryjn;jojnryjn; \??\C:\WINDOWS\system32\drivers\jojnryjn.sys []
S1 kopscdvp;kopscdvp; \??\C:\WINDOWS\system32\drivers\kopscdvp.sys []
S1 ngegoktx;ngegoktx; \??\C:\WINDOWS\system32\drivers\ngegoktx.sys []
S1 pyiiddgw;pyiiddgw; \??\C:\WINDOWS\system32\drivers\pyiiddgw.sys []
S1 srzrlfkp;srzrlfkp; \??\C:\WINDOWS\system32\drivers\srzrlfkp.sys []
S1 unrbxplz;unrbxplz; \??\C:\WINDOWS\system32\drivers\unrbxplz.sys []
S1 unvetjyq;unvetjyq; \??\C:\WINDOWS\system32\drivers\unvetjyq.sys []
S1 vvfekryq;vvfekryq; \??\C:\WINDOWS\system32\drivers\vvfekryq.sys []
S1 xbihtbwr;xbihtbwr; \??\C:\WINDOWS\system32\drivers\xbihtbwr.sys []
S1 xjjmoppr;xjjmoppr; \??\C:\WINDOWS\system32\drivers\xjjmoppr.sys []
S1 xovclwdd;xovclwdd; \??\C:\WINDOWS\system32\drivers\xovclwdd.sys []
S3 Avgfwfd;AVG network filter service; C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2010-04-15 30104]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 cpuz132;cpuz132; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys []
S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 DCamUSBSQTECH;Dual-Mode DSC(2770); C:\WINDOWS\System32\Drivers\SQcaptur.sys [2003-01-10 30921]
S3 kwgyraog;kwgyraog; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwgyraog.sys []
S3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2009-06-17 35472]
S3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2009-06-17 37392]
S3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\WINDOWS\System32\Drivers\LUsbFilt.Sys [2009-06-17 28560]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\25.tmp []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010\WNt500x86\Sandra.sys []
S3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2004-08-03 32768]
S3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51; C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2006-02-14 32768]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 utblfilt;utblfilt; C:\WINDOWS\System32\drivers\utblfilt.sys [2001-05-23 12084]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2009-01-30 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 InCDFs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg9emc;AVG E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2010-07-21 921952]
R2 avg9wd;AVG WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-06-22 308136]
R2 avgfws9;AVG Firewall; C:\Program Files\AVG\AVG9\avgfws9.exe [2010-09-20 2331544]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-05-13 153376]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2009-01-30 913408]
S2 MBAMService;MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-03-29 303952]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-30 46104]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-23 136120]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-30 881664]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-30 132096]

-----------------EOF-----------------
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-25 18:51:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y080P0 rev.YAR41BW0
Running: tzw3rrl4.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwgyraog.sys
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\atwtusb.exe[412] ws2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\system32\atwtusb.exe[412] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\system32\atwtusb.exe[412] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] ws2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[448] ws2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[448] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[448] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[572] WS2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[572] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[572] WS2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\system32\TBLMOUSE.EXE[1172] ws2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\system32\TBLMOUSE.EXE[1172] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\system32\TBLMOUSE.EXE[1172] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\system32\devldr32.exe[1220] ws2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\system32\devldr32.exe[1220] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\system32\devldr32.exe[1220] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\system32\ctfmon.exe[1256] ws2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\system32\ctfmon.exe[1256] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\system32\ctfmon.exe[1256] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\Explorer.EXE[1332] WS2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\Explorer.EXE[1332] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\Explorer.EXE[1332] WS2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2052] ws2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2052] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[2052] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9ACD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254656 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E538F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] ws2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2648] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Documents and Settings\Administrator\Desktop\tzw3rrl4.exe[3008] ws2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Documents and Settings\Administrator\Desktop\tzw3rrl4.exe[3008] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Documents and Settings\Administrator\Desktop\tzw3rrl4.exe[3008] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Outlook Express\msimn.exe[3816] ws2_32.dll!getsockname 71AB3D10 5 Bytes JMP 10008770 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Outlook Express\msimn.exe[3816] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\Program Files\Outlook Express\msimn.exe[3816] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Attached Files

  • Attached File  info.txt   25.5KB   0 downloads
  • Attached File  log.txt   26.34KB   0 downloads
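The GMER listing above runs to dozens of lines, but nearly all of them report the same two hooking DLLs (IEFRAME.dll in the two Internet Explorer processes, and Ad Muncher's AM32-32300.dll in every process that loads ws2_32.dll), each a 5-byte JMP written over the entry of an exported function. The helper's job at this point is not to stare at fifty lines but to group them by the DLL the jump lands in and decide which of those DLLs is accounted for. The following Python script is an added example written for this thread; it is not part of the posted logs and not GMER's own code. The sample log embedded in it is constructed: four lines copied from the listing above plus one placeholder line (`EXAMPLE_UNKNOWN.dll`, addresses `DEADBEEF`/`CAFE0000`) that is not from this machine, included only to show how an unvetted module is reported. The `VETTED` set is an assumption standing in for the analyst's own judgement about which hooking DLLs are explained by installed, vendor-identified software.

```python
"""Triage helper for GMER user-mode hook listings (added example, not GMER's code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Each GMER ".text" line records one inline hook: the first N bytes of an
# exported function inside the named process were replaced by a JMP into
# another DLL (on 32-bit x86 a near JMP rel32 is exactly 5 bytes).
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s+"
    r"(?P<hooker>.+?)(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)

# API families worth calling out explicitly during triage.
API_CATEGORIES = {
    "network": {"connect", "wsaconnect", "getsockname", "send", "recv",
                "wsasend", "wsarecv"},
    "process-creation": {"createprocessw", "createprocessa"},
}

# Constructed sample: four lines copied from the listing above plus one
# placeholder line (EXAMPLE_UNKNOWN.dll, addresses DEADBEEF/CAFE0000) that
# is NOT from this machine, included only to show how an unvetted module
# is reported. Non-hook lines are kept to show that they are ignored.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[416] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\Explorer.EXE[1332] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10008130 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\Explorer.EXE[1332] WS2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 100083E0 C:\Program Files\Ad Muncher\AM32-32300.dll (Ad Muncher 32-bit Hook DLL/Murray Hurps Corp Pty Ltd)
.text C:\WINDOWS\Explorer.EXE[1332] kernel32.dll!CreateProcessW DEADBEEF 5 Bytes JMP CAFE0000 C:\WINDOWS\system32\EXAMPLE_UNKNOWN.dll
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
"""

# Assumption: hooking DLLs the helper has already accounted for on this
# machine (IE's own IEFRAME.dll, Ad Muncher's hook DLL). This is the
# analyst's judgement from version info and installed software, not
# something the script can decide on its own.
VETTED = {"ieframe.dll", "am32-32300.dll"}


@dataclass(frozen=True)
class Hook:
    process: str   # image path of the hooked process
    pid: int
    module: str    # DLL exporting the patched function, e.g. ws2_32.dll
    func: str      # patched export, e.g. connect
    hooker: str    # DLL the JMP lands in
    desc: str      # GMER's version-info string, "" when absent


def parse_hooks(text):
    """Return a Hook for every '.text ... JMP ...' line; other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["process"], int(m["pid"]), m["module"],
                              m["func"], m["hooker"], m["desc"] or ""))
    return hooks


def basename(path):
    return path.rsplit("\\", 1)[-1]


def summarize(hooks, vetted):
    """Group hooks by the DLL they jump into, keyed by lowercase basename."""
    groups = defaultdict(list)
    for h in hooks:
        groups[basename(h.hooker).lower()].append(h)
    report = {}
    for name, hs in groups.items():
        funcs = {h.func.lower() for h in hs}
        report[name] = {
            "count": len(hs),
            "path": hs[0].hooker,
            "description": hs[0].desc,
            "processes": sorted({basename(h.process) for h in hs}),
            "apis": sorted({f"{h.module}!{h.func}".lower() for h in hs}),
            "categories": sorted(c for c, apis in API_CATEGORIES.items() if funcs & apis),
            "vetted": name in vetted,
        }
    return report


def unvetted_hookers(hooks, vetted):
    """Hooking DLLs still to be looked at, most widely deployed first."""
    report = summarize(hooks, vetted)
    return sorted((n for n, r in report.items() if not r["vetted"]),
                  key=lambda n: -report[n]["count"])


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for name, r in summarize(hooks, VETTED).items():
        flag = "ok      " if r["vetted"] else "REVIEW  "
        print(f"{flag}{name:24} hooks={r['count']:<3} procs={','.join(r['processes'])}"
              f" cats={','.join(r['categories']) or '-'} desc={r['description'] or '(none)'}")
    print("needs review:", unvetted_hookers(hooks, VETTED))
```

The point of grouping this way is that the hook itself tells you nothing: an ad filter, an antivirus and a browser all patch function entries with the same 5-byte JMP that malware uses. What separates them is the identity of the module the jump lands in, so the report carries the path, GMER's version-info string and the set of APIs touched, and a module with no version info that sits on process creation or on the Winsock connect family is the one to look at first. The `AttachedDevice` lines in the Devices section describe kernel filter drivers rather than user-mode hooks and are deliberately not parsed here.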


#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:20 AM

Posted 25 November 2010 - 03:00 PM

Hello, addboat.
That's fine :)

It looks like you've got a pretty nasty infection present.

Backdoor warning!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed.
In most cases, a reformat and clean install of the Operating System is the best solution for your (and probably others') safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?


Again, if you would like me to attempt to clean it, I will be happy to do so. But if you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Should you have any questions, please feel free to ask.

Please let me know what you decide to do. If you decide to continue with the fix, please proceed with the steps below.

 

P2P Program Warning!

BitTorrent

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall the programs listed above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

 

Registry Cleaner Program Warning!

RegCure

Please be aware that BleepingComputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

 

We need to download and run ComboFix (by sUBs)
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  • Please go here and download combofix from one of the locations listed
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 addboat

addboat
  • Topic Starter

  • Members
  • 22 posts
  • Local time:12:20 AM

Posted 25 November 2010 - 04:07 PM

WOW!! Still sitting down. Okay, I surf the net and buy occasional things off eBay. Don't have a credit card and keep no financial records on this. I suppose I have always had a slight mistrust of the net. PayPal is normally the method used in buying. RegCure and BitTorrent have already gone. I knew there was a prob with P2P, and normally clicked it off after downloading anything... But "sigh" I suppose it don't work like that.
Just had a Heron take most of my fish stock this week, so on the basis of "nothing else surely can happen" I will forge ahead, as I don't think I would tackle it myself, and any "experts" here take your computer away for weeks, and charge you the price of rebuilding it for doing very little.
So if you will be so kind as to bear with me, I will download Combo-Fix in the morning and send it in a reply. Thank you again....addboat

#8 aommaster

Posted 25 November 2010 - 04:22 PM

No problem at all :)



#9 addboat

Posted 26 November 2010 - 10:53 AM

Hi aommaster.. Right, downloaded Combo-fix (and tried) to disable AVG. Firewall no problem, but the rest of it! Information online not really that helpful. When I try to run Combo-Fix it alerts me that AVG is running, and that I should uninstall it. Oh, yes, took the check off the Link Scanner as was suggested, but when I open the AVG interface the box is ticked again. I would prefer not to uninstall it, as I won't be able to replace it again (AVG). Is there any workaround, or perhaps you could tell me how to disable it. Thank you again....addboat

#10 aommaster

Posted 26 November 2010 - 11:00 AM

Hi!

No problem. Please try doing the following in order until Combofix runs:
Make sure Combofix is on your desktop and is called Combofix. If you get the same message popping up, continue to scan with Combofix.
  • Save all documents or windows that are open because when running combofix you won't have internet connection and everything will be closed.
  • Click on your Start Menu, then Run, In the run box type:
    "%userprofile%\desktop\combofix.exe" /killall

If the above fails:
Please uninstall AVG. We can install it later once we're done with the fix.

Once AVG has been uninstalled, please try and run Combofix again. If it still detects the presence of AVG, then please download AVG Remover and run it.

Let me know if you have uninstalled AVG in order to get Combofix to run.



#11 addboat

Posted 26 November 2010 - 01:47 PM

Thank you aommaster. Will have to wait until tomorrow, as grandchildren here, and are into everything. So will try again in am. Oh, tried Combofix a few times but still coming up with the message "dangerous to proceed"....addboat

#12 aommaster

Posted 26 November 2010 - 05:09 PM

No problem!

The "dangerous to proceed" message you're talking about: Is that related to the AVG warning? If you have uninstalled AVG and run AVG Remover, then please continue and run combofix.



#13 addboat

Posted 26 November 2010 - 05:46 PM

Hi. No. Related to AVG. Plus 1 granddaughter (4) who just adores Granda's computer. I can imagine Combofix running and her being near it. If I remember correctly I don't think you should touch the mouse/keyboard while it is running. Will uninstall in morning and run Combofix. Thanks again...addboat

#14 aommaster

Posted 26 November 2010 - 06:03 PM

Glad to help.

Have fun with your grandkids! :)



#15 addboat

Posted 27 November 2010 - 06:04 AM

Hi aommaster..
1 Tried running Combofix a few times last night, always comes to "dangerous to proceed"
2 Tried "%userprofile%\desktop\combofix.exe"/killall, cannot find file directory etc..
3 Tried to uninstall AVG. Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Access is denied.

Tried this both in Add/Remove Programs and the AVG uninstall folder..
Any thoughts...Thanking you...addboat



