At the end of my tether. Please help!



Greyfox--
2008-10-12, 15:43
First of all, I have just signed up as this seemed a good place to get help with my problem, but I also look forward to contributing to this, by the looks of it, great site.

Now to the problem. I have somehow got infected with the trojan 'Zlob.DNSChanger'.

It keeps causing sites to get redirected. E.g. when trying to get onto the Microsoft Update website I get redirected to a completely irrelevant site, and other sites simply do not load, such as bleepingcomputer.com. Ran scans with Malwarebytes Pro, Spybot SD, and NOD32. Malwarebytes sometimes detects 2, 4 or 6 trojan DNS-infected files and says it has deleted them, but whenever I run a new scan they come up again. NOD32 doesn't detect these files, but Spybot SD detects 'Zlob.DNSChanger' and says it has removed it, but once again after a reboot it's back.

Any ideas how to get rid of this?

Help greatly appreciated.

EDIT: Added to this, I have also run SmitFraudFix and ComboFix and they haven't helped fix the problem either.

Greyfox--
2008-10-12, 18:45
Anyone? :(

Blade81
2008-10-13, 08:42
Hi

I think you missed both the BEFORE you POST (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) sticky and the Do NOT run 'fixes' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806) sticky.

Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe).
* Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled "Do a system scan only".
* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read "Save log". Click this button to save the log file to your PC. Once you select where you would like to save the file, it will open in your system's default text editor. Typically this application is Notepad. Post the log here.

Greyfox--
2008-10-13, 15:51
Thanks for reply. Here you go.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:51:21, on 15/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NOD32\egui.exe
C:\WINDOWS\system32\CTHELPER.EXE
F:\Microsoft office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DK\DkService.exe
C:\Program Files\NOD32\ekrn.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Itunes\iTunesHelper.exe
C:\Program Files\Hijackthis\124.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Microsoft office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Microsoft office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan remover\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe /monitor
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Microsoft office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DK\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero ultra\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 6173 bytes

Blade81
2008-10-13, 17:13
Hi

Was that log taken while Zlob.DNSChanger was present in the system, or did you fix it away? If you fixed it, then please reboot and take an HJT log before fixing anything.

Greyfox--
2008-10-13, 19:06
Right, I rebooted the computer and ran an SD scan just to make sure Zlob.DNSChanger was still present, and it was, but I DID NOT delete it and just closed SD instead.

Here is the new hijacklog.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:05:17, on 15/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DK\DkService.exe
C:\Program Files\NOD32\ekrn.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NOD32\egui.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\WINDOWS\system32\CTHELPER.EXE
F:\Microsoft office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Itunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Spybot SD\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijackthis\124.exe
C:\Program Files\Firefox\firefox.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Microsoft office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Microsoft office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan remover\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe /monitor
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Microsoft office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DK\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero ultra\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 6279 bytes



Thanks.

Blade81
2008-10-14, 07:12
Hi

Where is it found? Let's see if this finds anything.

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized; if not, you'll find the file in the c:\rsit folder).

Greyfox--
2008-10-15, 01:19
First, here is an example of where the trojan is always found by Malwarebytes Pro:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66ddfb55-1287-497e-a988-c81d22dc3513}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{66ddfb55-1287-497e-a988-c81d22dc3513}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{66ddfb55-1287-497e-a988-c81d22dc3513}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.67 85.255.112.200 -> Quarantined and deleted successfully.


Now the log.txt:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Edward Berrecloth at 2008-10-16 23:18:13
Microsoft Windows XP Professional Service Pack 3
System drive C: has 22 GB (75%) free of 30 GB
Total RAM: 2047 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:18:29, on 16/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NOD32\egui.exe
C:\WINDOWS\system32\CTHELPER.EXE
F:\Microsoft office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DK\DkService.exe
C:\Program Files\NOD32\ekrn.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\Itunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Edward Berrecloth\Desktop\RSIT.exe
C:\Program Files\Hijackthis\Edward Berrecloth.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Microsoft office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Microsoft office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan remover\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe /monitor
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Microsoft office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DK\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero ultra\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 6260 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\WinXP Manager Live Update.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - F:\Microsoft office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"egui"=C:\Program Files\NOD32\egui.exe [2008-07-01 1447168]
"CTHelper"=C:\WINDOWS\system32\CTHELPER.EXE [2007-04-09 19456]
"SBDrvDet"=C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe [2002-12-03 45056]
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"GrooveMonitor"=F:\Microsoft office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"iTunesHelper"=C:\Program Files\Itunes\iTunesHelper.exe [2008-10-01 289576]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"TrojanScanner"=C:\Program Files\Trojan remover\Trojan Remover\Trjscan.exe [2008-10-09 967048]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2006-11-16 139264]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"SetDefaultMIDI"=C:\WINDOWS\MIDIDef.exe [2003-06-20 49152]
"RogueMonitor"=C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe [2008-02-24 421568]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\avgas.exe [2007-06-11 6731312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
C:\Program Files\Daemon tools\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
C:\Program Files\DK\DkIcon.exe [2005-04-30 196696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen]
C:\Program Files\Gadwin printscreen\PrintScreen\PrintScreen.exe [2007-08-20 495616]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2008-10-09 5724184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SAS\SUPERAntiSpyware.exe [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
C:\PROGRA~1\Samsung\NATURA~1.EXE [2002-04-12 155715]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
C:\PROGRA~1\Windows Desktop Search\WindowsSearch.exe /startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Edward Berrecloth^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
C:\PROGRA~1\Samsung\NATURA~1.EXE [2002-04-12 155715]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Edward Berrecloth^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
F:\MICROS~1\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SAS\SASWINLO.dll [2008-07-23 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=F:\Microsoft office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\shellexecutehook.dll [2007-05-30 79408]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SAS\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"F:\Microsoft office\Office12\OUTLOOK.EXE"="F:\Microsoft office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"F:\Microsoft office\Office12\GROOVE.EXE"="F:\Microsoft office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"F:\Microsoft office\Office12\ONENOTE.EXE"="F:\Microsoft office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"E:\Steam\SteamApps\edd678\team fortress 2\hl2.exe"="E:\Steam\SteamApps\edd678\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Bitlord\BitLord.exe"="C:\Program Files\Bitlord\BitLord.exe:*:Enabled:BitLord"
"C:\Program Files\Utorrent\uTorrent.exe"="C:\Program Files\Utorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Itunes\iTunes.exe"="C:\Program Files\Itunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe:*:Enabled:VideoAccelerator"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ffb3ff5-8423-11dd-9470-806d6172696f}]
shell\AutoRun\command - G:\SETUP.EXE /UPDATE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c31bb77a-87f5-11dd-b57c-000129fc4003}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com
shell\Open\command - resycled\boot.com


======List of files/folders created in the last 1 months======

2008-10-16 23:18:13 ----D---- C:\rsit
2008-10-15 17:22:34 ----D---- C:\Program Files\Spyware blaster
2008-10-15 17:17:54 ----D---- C:\Program Files\Hosts
2008-10-14 19:46:03 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-14 19:44:18 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2008-10-14 19:44:18 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2008-10-14 19:44:18 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2008-10-14 19:44:18 ----A---- C:\WINDOWS\system32\UNRAR3.dll
2008-10-14 19:44:18 ----A---- C:\WINDOWS\system32\unacev2.dll
2008-10-14 19:43:57 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\Simply Super Software
2008-10-14 19:43:57 ----D---- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-10-14 19:25:24 ----A---- C:\WINDOWS\IsUninst.exe
2008-10-14 19:22:53 ----A---- C:\WINDOWS\system32\nvudisp.exe
2008-10-14 19:16:49 ----D---- C:\NVIDIA
2008-10-14 19:14:23 ----D---- C:\Program Files\DCPRO
2008-10-14 19:11:04 ----AD---- C:\Program Files\nv4loopfix
2008-10-14 18:59:40 ----D---- C:\Program Files\SystemRequirementsLab
2008-10-14 18:59:36 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\SystemRequirementsLab
2008-10-14 16:36:54 ----D---- C:\fixwareout
2008-10-14 14:11:37 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-14 12:45:08 ----D---- C:\Program Files\Combofix
2008-10-14 11:08:22 ----D---- C:\WINDOWS\ERUNT
2008-10-13 23:59:29 ----D---- C:\SDFix
2008-10-13 18:36:40 ----D---- C:\Program Files\DR.Web cureit
2008-10-13 17:43:09 ----D---- C:\Program Files\ATF clean
2008-10-13 17:11:01 ----A---- C:\WINDOWS\system32\swxcacls.exe
2008-10-13 17:11:01 ----A---- C:\WINDOWS\system32\swsc.exe
2008-10-13 17:11:01 ----A---- C:\WINDOWS\system32\swreg.exe
2008-10-13 17:09:59 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-13 16:01:43 ----D---- C:\Program Files\Trojan remover
2008-10-13 14:37:26 ----SHD---- C:\RECYCLER
2008-10-13 14:30:24 ----A---- C:\WINDOWS\SWREG.exe
2008-10-13 14:30:24 ----A---- C:\WINDOWS\NIRCMD.exe
2008-10-13 14:30:23 ----A---- C:\WINDOWS\zip.exe
2008-10-13 14:30:23 ----A---- C:\WINDOWS\VFIND.exe
2008-10-13 14:30:23 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-10-13 14:30:23 ----A---- C:\WINDOWS\SWSC.exe
2008-10-13 14:30:23 ----A---- C:\WINDOWS\sed.exe
2008-10-13 14:30:23 ----A---- C:\WINDOWS\grep.exe
2008-10-13 14:30:23 ----A---- C:\WINDOWS\fdsv.exe
2008-10-13 14:18:08 ----D---- C:\WINDOWS\ERDNT
2008-10-13 12:34:36 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-13 12:34:18 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\SUPERAntiSpyware.com
2008-10-13 12:33:53 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-13 12:33:34 ----D---- C:\Program Files\SAS
2008-10-12 21:47:49 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-10-12 21:46:14 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-10-12 21:45:35 ----D---- C:\Program Files\Common Files\Adobe
2008-10-12 21:45:35 ----D---- C:\Program Files\Adobe
2008-10-12 21:40:42 ----D---- C:\Program Files\NOS
2008-10-12 21:40:42 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2008-10-11 22:13:17 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-10-11 22:12:44 ----D---- C:\Program Files\MSXML 4.0
2008-10-11 19:49:46 ----D---- C:\Program Files\Rootkit fix
2008-10-11 17:21:04 ----A---- C:\WINDOWS\system32\o4Patch.exe
2008-10-11 17:21:04 ----A---- C:\WINDOWS\system32\IEDFix.C.exe
2008-10-11 17:21:03 ----A---- C:\WINDOWS\system32\WS2Fix.exe.vir
2008-10-11 17:21:03 ----A---- C:\WINDOWS\system32\VACFix.exe
2008-10-11 17:21:03 ----A---- C:\WINDOWS\system32\404Fix.exe
2008-10-11 17:21:02 ----A---- C:\WINDOWS\system32\VCCLSID.exe
2008-10-11 17:21:02 ----A---- C:\WINDOWS\system32\SrchSTS.exe
2008-10-11 17:21:02 ----A---- C:\WINDOWS\system32\dumphive.exe
2008-10-10 11:09:10 ----D---- C:\Program Files\Quicktime
2008-10-09 20:41:21 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-09 20:40:26 ----D---- C:\Program Files\Spybot SD
2008-10-08 14:44:30 ----D---- C:\Program Files\Gadwin printscreen
2008-10-07 21:47:26 ----D---- C:\Program Files\Google
2008-10-07 21:46:57 ----D---- C:\Program Files\Google Earth
2008-10-07 21:07:44 ----D---- C:\Program Files\fixwareout
2008-10-07 12:05:12 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\LimeWire
2008-10-07 11:51:50 ----D---- C:\WINDOWS\Minidump
2008-10-07 11:47:44 ----D---- C:\Program Files\iPod
2008-10-07 11:47:42 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 10:25:47 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\SuperNZB
2008-10-06 10:24:19 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\NewzToolz-EZ
2008-10-06 10:23:43 ----D---- C:\Program Files\NewzToolz-EZ
2008-10-05 21:43:18 ----D---- C:\WINDOWS\system32\Adobe
2008-10-05 18:48:35 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\uTorrent
2008-10-05 18:47:31 ----D---- C:\Program Files\Utorrent
2008-10-02 18:40:56 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\Grisoft
2008-10-02 18:40:06 ----D---- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-09-30 19:04:17 ----A---- C:\WINDOWS\system32\tmp.txt
2008-09-30 19:02:46 ----D---- C:\Program Files\Smitfraudfix
2008-09-30 18:55:18 ----D---- C:\Program Files\Hijackthis
2008-09-30 18:40:47 ----D---- C:\Program Files\Common Files\Logitech
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\msxml4r.dll
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\msxml4a.dll
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\msvcr71.dll
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\msvcp71.dll
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\MFC71u.dll
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\MFC71KOR.DLL
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\MFC71JPN.DLL
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\MFC71ITA.DLL
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\MFC71ESP.DLL
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\MFC71DEU.DLL
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\MFC71CHT.DLL
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\MFC71CHS.DLL
2008-09-30 18:40:42 ----AC---- C:\WINDOWS\system32\capicom.dll
2008-09-30 18:40:42 ----A---- C:\WINDOWS\system32\MFC71ENU.DLL
2008-09-30 18:40:41 ----AC---- C:\WINDOWS\system32\MFC71.dll
2008-09-30 18:40:41 ----AC---- C:\WINDOWS\system32\gdiplus.dll
2008-09-30 18:40:41 ----AC---- C:\WINDOWS\system32\atl71.dll
2008-09-30 18:40:03 ----D---- C:\Program Files\Logitech
2008-09-24 19:55:03 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\Mozilla
2008-09-24 19:53:52 ----D---- C:\Program Files\Firefox
2008-09-24 15:27:28 ----AC---- C:\WINDOWS\system32\eaxac3.dll
2008-09-23 19:23:43 ----D---- C:\Program Files\Microsoft Silverlight
2008-09-23 19:23:07 ----D---- C:\WINDOWS\system32\GroupPolicy
2008-09-23 19:23:07 ----D---- C:\Program Files\Windows Desktop Search
2008-09-23 19:22:53 ----HDC---- C:\WINDOWS\$NtUninstallKB915800-v4$
2008-09-23 19:19:06 ----D---- C:\WINDOWS\system32\URTTEMP
2008-09-23 17:45:10 ----RSD---- C:\WINDOWS\assembly
2008-09-23 17:44:37 ----D---- C:\WINDOWS\Microsoft.NET
2008-09-23 16:52:59 ----D---- C:\WINDOWS\Sun
2008-09-23 16:52:58 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\Sun
2008-09-23 16:01:08 ----D---- C:\Program Files\Marvell
2008-09-23 15:51:45 ----AC---- C:\WINDOWS\system32\CapabilityTable.exe
2008-09-23 15:51:39 ----RAC---- C:\WINDOWS\system32\nvuide.exe
2008-09-23 15:50:52 ----RAC---- C:\WINDOWS\system32\fdco1.dll
2008-09-23 15:50:44 ----AC---- C:\WINDOWS\system32\nvunrm.exe
2008-09-23 15:50:41 ----RAC---- C:\WINDOWS\system32\nvconrm.dll
2008-09-23 15:50:41 ----RAC---- C:\WINDOWS\system32\bdco1.dll
2008-09-23 15:50:35 ----RAC---- C:\WINDOWS\system32\nvusmb.exe
2008-09-23 15:50:34 ----AC---- C:\WINDOWS\system32\NVUNINST.EXE
2008-09-23 15:38:51 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\Help
2008-09-22 14:50:16 ----AC---- C:\WINDOWS\system32\javaws.exe
2008-09-22 14:50:16 ----AC---- C:\WINDOWS\system32\javaw.exe
2008-09-22 14:50:16 ----AC---- C:\WINDOWS\system32\java.exe
2008-09-22 14:49:07 ----D---- C:\Program Files\Java
2008-09-22 14:47:46 ----D---- C:\Program Files\Common Files\Java
2008-09-22 14:39:02 ----D---- C:\Program Files\Avg Anti-Spyware
2008-09-22 14:29:54 ----D---- C:\Program Files\Limewire
2008-09-21 16:54:15 ----D---- C:\Program Files\Ad-Aware
2008-09-20 21:00:58 ----D---- C:\Program Files\DK
2008-09-20 20:59:06 ----D---- C:\WINDOWS\system32\appmgmt
2008-09-20 16:54:02 ----D---- C:\WINDOWS\WBEM
2008-09-20 16:42:40 ----D---- C:\WINDOWS\LastGood(2)
2008-09-19 17:23:25 ----D---- C:\WINDOWS\ie7updates
2008-09-19 17:22:32 ----HDC---- C:\WINDOWS\ie7
2008-09-19 17:22:22 ----HDC---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
2008-09-19 17:21:53 ----HDC---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
2008-09-19 17:06:34 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2008-09-19 10:20:51 ----D---- C:\Program Files\Memory improve
2008-09-19 10:06:45 ----AC---- C:\WINDOWS\system32\wuapi.dll.mui
2008-09-18 23:29:52 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2008-09-18 23:29:37 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-09-18 23:29:03 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-09-18 23:28:55 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2008-09-18 19:19:21 ----RHD---- C:\MSOCache
2008-09-18 17:02:01 ----D---- C:\Program Files\Bitlord
2008-09-18 16:51:18 ----AC---- C:\WINDOWS\uninst.exe
2008-09-18 14:35:27 ----A---- C:\WINDOWS\system32\msonpmon.dll
2008-09-18 14:34:51 ----D---- C:\Program Files\Microsoft Works
2008-09-18 14:34:45 ----D---- C:\Program Files\MSBuild
2008-09-18 14:34:29 ----D---- C:\Program Files\Microsoft Visual Studio
2008-09-18 14:34:29 ----D---- C:\Program Files\Common Files\DESIGNER
2008-09-18 14:32:05 ----D---- C:\WINDOWS\SHELLNEW
2008-09-18 14:31:46 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-17 21:51:11 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\DAEMON Tools
2008-09-17 21:50:46 ----D---- C:\Program Files\Daemon tools
2008-09-17 15:57:48 ----D---- C:\Program Files\Registry backup
2008-09-17 14:30:01 ----AC---- C:\WINDOWS\system32\Gif89.dll
2008-09-17 14:29:43 ----D---- C:\Program Files\Samsung
2008-09-17 14:07:43 ----C---- C:\WINDOWS\system32\spmsg.dll
2008-09-17 14:07:40 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2008-09-17 14:07:25 ----D---- C:\Program Files\Windows Media Connect 2
2008-09-17 14:07:20 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2008-09-17 14:06:40 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2008-09-17 14:06:17 ----D---- C:\WINDOWS\system32\LogFiles
2008-09-17 14:06:13 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2008-09-17 13:34:48 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-09-17 13:34:43 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-09-17 13:34:38 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-09-17 13:34:30 ----SHD---- C:\Config.Msi
2008-09-17 13:34:30 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
2008-09-17 13:33:42 ----AC---- C:\WINDOWS\system32\MRT.exe
2008-09-17 13:33:31 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-09-17 13:33:23 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-09-17 13:33:18 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-09-17 13:33:10 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-09-17 13:33:04 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-09-17 13:32:55 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-09-17 13:32:48 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-09-17 13:32:40 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
2008-09-17 13:32:30 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-09-17 13:32:20 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-17 13:26:29 ----AC---- C:\WINDOWS\system32\mucltui.dll.mui
2008-09-17 13:26:29 ----AC---- C:\WINDOWS\system32\mucltui.dll
2008-09-17 13:25:13 ----D---- C:\WINDOWS\Prefetch

======List of files/folders modified in the last 1 months======

2008-10-16 23:18:17 ----D---- C:\WINDOWS\Temp
2008-10-16 21:36:14 ----AC---- C:\WINDOWS\NeroDigital.ini
2008-10-15 22:59:19 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-15 19:39:59 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-15 19:32:52 ----RD---- C:\Program Files
2008-10-15 19:32:50 ----D---- C:\WINDOWS\system32
2008-10-15 17:31:24 ----SHD---- C:\System Volume Information
2008-10-15 17:31:24 ----D---- C:\WINDOWS\system32\Restore
2008-10-15 17:29:03 ----SH---- C:\boot.ini
2008-10-15 17:29:03 ----AC---- C:\WINDOWS\win.ini
2008-10-15 17:29:03 ----A---- C:\WINDOWS\system.ini
2008-10-15 13:49:07 ----SHD---- C:\WINDOWS\Installer
2008-10-14 19:32:59 ----D---- C:\WINDOWS
2008-10-14 19:32:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-14 19:32:30 ----D---- C:\WINDOWS\Help
2008-10-14 19:31:33 ----HD---- C:\WINDOWS\inf
2008-10-14 19:27:13 ----D---- C:\WINDOWS\nview
2008-10-14 19:25:34 ----D---- C:\WINDOWS\system32\drivers
2008-10-14 19:19:41 ----D---- C:\WINDOWS\system32\config
2008-10-14 19:19:26 ----D---- C:\WINDOWS\system32\wbem
2008-10-14 19:19:26 ----D---- C:\WINDOWS\Registration
2008-10-14 19:01:59 ----SD---- C:\Documents and Settings\Edward Berrecloth\Application Data\Microsoft
2008-10-13 19:08:12 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-13 17:43:34 ----D---- C:\Program Files\Messenger
2008-10-13 17:43:33 ----D---- C:\Program Files\Creative
2008-10-13 14:31:43 ----D---- C:\WINDOWS\AppPatch
2008-10-13 14:31:43 ----D---- C:\Program Files\Common Files
2008-10-13 12:36:41 ----D---- C:\WINDOWS\pss
2008-10-12 21:52:10 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\Adobe
2008-10-11 22:12:44 ----D---- C:\WINDOWS\WinSxS
2008-10-10 11:09:13 ----D---- C:\Program Files\Common Files\Apple
2008-10-08 16:44:50 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-07 11:48:03 ----D---- C:\Program Files\Itunes
2008-10-07 11:46:05 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-10-07 11:46:05 ----D---- C:\WINDOWS\system32\CatRoot
2008-09-30 22:42:54 ----D---- C:\WINDOWS\Debug
2008-09-30 18:46:54 ----D---- C:\WINDOWS\twain_32
2008-09-30 18:43:40 ----D---- C:\Program Files\NOD32
2008-09-30 18:40:39 ----HD---- C:\Program Files\InstallShield Installation Information
2008-09-24 19:30:29 ----D---- C:\WINDOWS\system32\Defaults
2008-09-24 18:02:34 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\Ahead
2008-09-23 19:41:39 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-09-23 19:23:50 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-09-23 19:23:10 ----D---- C:\WINDOWS\system32\en-us
2008-09-23 19:20:46 ----D---- C:\WINDOWS\system32\Data
2008-09-23 19:02:27 ----RD---- C:\WINDOWS\Web
2008-09-23 19:01:37 ----AC---- C:\WINDOWS\ODBCINST.INI
2008-09-23 18:29:09 ----SD---- C:\WINDOWS\Tasks
2008-09-23 17:44:42 ----D---- C:\Program Files\Internet Explorer
2008-09-23 17:44:41 ----D---- C:\WINDOWS\system32\mui
2008-09-23 17:21:14 ----HD---- C:\WINDOWS\$hf_mig$
2008-09-22 13:05:51 ----D---- C:\Documents and Settings\Edward Berrecloth\Application Data\Apple Computer
2008-09-19 17:22:54 ----D---- C:\WINDOWS\Media
2008-09-19 17:04:11 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-09-19 10:07:01 ----D---- C:\WINDOWS\SoftwareDistribution
2008-09-18 14:34:11 ----RSD---- C:\WINDOWS\Fonts
2008-09-18 14:32:13 ----D---- C:\Program Files\Common Files\System
2008-09-17 14:07:25 ----D---- C:\Program Files\Windows Media Player
2008-09-17 13:24:56 ----D---- C:\WINDOWS\system32\Setup
2008-09-17 09:55:00 ----N---- C:\WINDOWS\system32\nv4_disp.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver; \??\C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.sys []
R1 AvgAsCln;AVG Anti-Spyware Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [2007-05-30 10872]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-07-01 53256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SAS\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SAS\SASKUTIL.sys []
R1 SAVRKBootTasks;Boot Tasks Driver; \??\C:\WINDOWS\system32\SAVRKBootTasks.sys []
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-07-01 39944]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
R2 MBAMDrvService;MBAMDrvService; \??\C:\WINDOWS\system32\drivers\mbam.sys []
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2001-09-06 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2001-09-06 55936]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2004-04-06 646128]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2004-04-29 374000]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2004-03-16 6096]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2004-03-16 130384]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2004-03-16 147088]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\System32\drivers\ha10kx2k.sys [2004-06-16 952144]
R3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\System32\drivers\hap17v2k.sys [2004-05-03 147696]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\system32\DRIVERS\irsir.sys [2001-08-17 18688]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-09-06 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-01-12 12928]
R3 NWRDR;NetWare Rdr; C:\WINDOWS\system32\DRIVERS\nwrdr.sys [2008-04-13 163584]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2004-03-16 178736]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 Razerlow;Razerlow USB Filter Driver; C:\WINDOWS\System32\Drivers\Razerlow.sys [2005-04-24 13225]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2004-08-19 189568]
S1 project; service tool ; C:\WINDOWS\System32\Drivers\register.sys [2001-11-28 1950]
S3 affhousm;affhousm; C:\WINDOWS\system32\drivers\affhousm.sys []
S3 COMMONFX.DLL;COMMONFX.DLL; C:\WINDOWS\system32\COMMONFX.DLL [2004-03-16 118868]
S3 CT20XUT.DLL;CT20XUT.DLL; C:\WINDOWS\system32\CT20XUT.DLL [2007-04-12 164608]
S3 CTAUDFX.DLL;CTAUDFX.DLL; C:\WINDOWS\system32\CTAUDFX.DLL [2004-03-16 692306]
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\System32\drivers\ctdvda2k.sys [2004-03-15 337056]
S3 CTEAPSFX.DLL;CTEAPSFX.DLL; C:\WINDOWS\system32\CTEAPSFX.DLL [2007-04-12 168192]
S3 CTEDSPFX.DLL;CTEDSPFX.DLL; C:\WINDOWS\system32\CTEDSPFX.DLL [2007-04-12 280320]
S3 CTEDSPIO.DLL;CTEDSPIO.DLL; C:\WINDOWS\system32\CTEDSPIO.DLL [2007-04-12 128768]
S3 CTEDSPSY.DLL;CTEDSPSY.DLL; C:\WINDOWS\system32\CTEDSPSY.DLL [2007-04-12 323328]
S3 CTERFXFX.DLL;CTERFXFX.DLL; C:\WINDOWS\system32\CTERFXFX.DLL [2007-04-12 94976]
S3 CTEXFIFX.DLL;CTEXFIFX.DLL; C:\WINDOWS\system32\CTEXFIFX.DLL [2007-04-12 1317632]
S3 CTHWIUT.DLL;CTHWIUT.DLL; C:\WINDOWS\system32\CTHWIUT.DLL [2007-04-12 66816]
S3 CTSBLFX.DLL;CTSBLFX.DLL; C:\WINDOWS\system32\CTSBLFX.DLL [2004-03-16 606208]
S3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\System32\drivers\hap16v2k.sys [2004-05-03 150160]
S3 Lvckap;Logitech Kernel Audio Processing Filter Driver; \??\C:\WINDOWS\system32\drivers\Lvckap.sys []
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\70C9.tmp []
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-01-12 33408]
S3 SASENUM;SASENUM; \??\C:\Program Files\SAS\SASENUM.SYS []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Ad-Aware\aawservice.exe [2008-05-12 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe [2007-05-30 312880]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 Diskeeper;Diskeeper; C:\Program Files\DK\DkService.exe [2005-04-30 622700]
R2 ekrn;Eset Service; C:\Program Files\NOD32\ekrn.exe [2008-07-01 468224]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 MBAMService;MBAMService; C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe [2008-09-10 110256]
R2 NWCWorkstation;Client Service for NetWare; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\NOD32\EHttpSrv.exe [2008-07-01 19200]
S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe []
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; F:\Microsoft office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 NBService;NBService; C:\Program Files\Nero ultra\Nero 7\Nero BackItUp\NBService.exe [2006-11-10 774144]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------


And the other:

info.txt logfile of random's system information tool 1.04 2008-10-16 23:18:31

======Uninstall list======

-->"C:\Program Files\Creative\Program\Ctzapxx.EXE" /W /U /S
-->C:\Program Files\Nero ultra\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Ad-aware 6 Professional-->C:\PROGRA~1\Ad-Aware\Ad-aware 6\UNWISE.EXE C:\PROGRA~1\Ad-Aware\Ad-aware 6\INSTALL.LOG
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVG Anti-Spyware 7.5-->C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\Uninstall.exe
BitLord 1.1-->C:\Program Files\Bitlord\uninst.exe
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
CCleaner (remove only)-->"C:\Program Files\Cc cleaner\CCleaner\uninst.exe"
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9 /remove
DH Driver Cleaner Professional Edition-->C:\Program Files\DCPRO\Driver Cleaner Pro\Uninstall.exe
Diskeeper Lite-->MsiExec.exe /X{28FED8EB-1150-4333-A6C4-67FFB46681BC}
ESET NOD32 Antivirus-->MsiExec.exe /I{3407FD83-0A2F-475E-BE94-34F1FA342C84}
Gadwin PrintScreen-->C:\Program Files\Gadwin printscreen\PrintScreen\Uninstall.exe
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
HijackThis 2.0.2-->"C:\Program Files\Hijackthis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LimeWire 4.18.8-->"C:\Program Files\Limewire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\unins000.exe"
Malwarebytes' RogueRemover PRO-->"C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\unins000.exe"
Marvell Miniport Driver-->MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.3)-->C:\Program Files\Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
Natural Color-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F51D9393-BB14-4566-99BF-D6ED63AEFCD7}\setup.exe"
Nero 7 Ultra Edition-->MsiExec.exe /I{235BBFC6-D863-4066-A01A-3BD504C31033}
NOD32 Update Viewer 3.03.0-->"C:\Program Files\NOD32\View\NOD32view\unins000.exe"
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
Security Update for 2007 Microsoft Office System (KB951596)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1AFF2298-CC00-4A3B-866A-C62B8373794E}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft .NET Framework 2.0 (KB928365)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Microsoft Office Excel 2007 (KB951546)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7399DD71-8E24-4E60-B6A8-6CED89C0AC26}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office Word 2007 (KB950113)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Sophos Anti-Rootkit 1.3.1-->C:\Program Files\Rootkit fix\helper.exe remove
Sound Blaster Audigy 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CECB9B3D-E681-4458-85F8-8D182941AF1D}\SETUP.EXE" -l0x9
Spybot - Search & Destroy-->"C:\Program Files\Spybot SD\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1-->"C:\Program Files\Spyware blaster\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SuperNZB v3.2.1-->"C:\Program Files\NewzToolz-EZ\SuperNZB\unins000.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Trojan Remover 6.7.3-->"C:\Program Files\Trojan remover\Trojan Remover\unins000.exe"
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb956080)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {96CC215F-3F22-4E1E-A101-F0041934A456}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
VIA Register Tool-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Your Company Name\VIA Register Tool\Uninst.isu"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WINRar\uninstall.exe

=====HijackThis Backups=====

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

======Hosts File======

127.0.0.1 localhost
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 www.a9rhiwa.cn
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net

======Security center information======

AV: ESET NOD32 Antivirus 3.0

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\DK;C:\Program Files\Quicktime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 39 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=2701
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------

Blade81
2008-10-15, 07:44
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitLord
uTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Program Files\Bitlord
C:\Documents and Settings\Edward Berrecloth\Application Data\uTorrent
C:\Program Files\Utorrent

Empty Recycle Bin.

After that:

Do a hard reset for your router. There should be some button that you may have to press with a pin somewhere on router.

Now let's check some settings on your system.
(2000/XP) Only
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says
Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start > Run, type cmd and hit OK.
Type ipconfig /flushdns
then hit Enter, type exit and hit Enter.
(That space between g and / is needed.)

Reboot and post a fresh hjt log. Is the dnschanger still found?

Greyfox--
2008-10-15, 18:00
Yep, DNS changer still found.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:00:30, on 17/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NOD32\egui.exe
C:\WINDOWS\system32\CTHELPER.EXE
F:\Microsoft office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DK\DkService.exe
C:\Program Files\NOD32\ekrn.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\Hijackthis\124.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Microsoft office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Microsoft office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan remover\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\Rogue remover pro\Update\RogueRemover PRO\RogueRemoverPRO.exe /monitor
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Microsoft office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SAS\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DK\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes pro\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero ultra\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 6038 bytes

Blade81
2008-10-15, 19:47
Hi

Looks like you've run ComboFix earlier. Could you check if you can find ComboFix.txt file somewhere on your hard drive (probably in root of c: drive or in c:\ComboFix folder)? If found post it back here, please.


Download GMER (http://www.gmer.net/gmer.zip) and save it to your desktop:
Extract it to your desktop and double-click GMER.exe.
Click the Rootkit tab and then Scan.
Don't check the
Show All
box while scanning is in progress!
When scanning is ready, click Copy.
This copies the log to the clipboard.
Post the log in your reply.

Greyfox--
2008-10-15, 21:20
Here you go.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-17 19:17:48
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spcj.sys ZwCreateKey [0xBA6A80E0]
SSDT spcj.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spcj.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT spcj.sys ZwOpenKey [0xBA6A80C0]
SSDT \??\C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xBAF638AC]
SSDT spcj.sys ZwQueryKey [0xBA6C7108]
SSDT spcj.sys ZwQueryValueKey [0xBA6C6F88]
SSDT spcj.sys ZwSetValueKey [0xBA6C719A]
SSDT \??\C:\Program Files\Avg Anti-Spyware\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xBAF63812]

INT 0x62 ? 8A5CDBF8
INT 0x63 ? 8A5CDBF8
INT 0x73 ? 8A5CDBF8
INT 0x82 ? 8A5CDBF8
INT 0xA4 ? 8A3CCBF8
INT 0xB4 ? 8A3CCBF8

---- Kernel code sections - GMER 1.0.14 ----

? spcj.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B9A5F8AC 5 Bytes JMP 8A3CC1D8
.text ati7yv8a.SYS B989B386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text ati7yv8a.SYS B989B3AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ati7yv8a.SYS B989B3C4 3 Bytes [ 00, 70, 02 ]
.text ati7yv8a.SYS B989B3C9 1 Byte [ 2E ]
.text ati7yv8a.SYS B989B3CB 9 Bytes [ 00, 00, 5A, 02, 00, 00, 00, ... ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\NOD32\ekrn.exe[2012] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [ C2, 04, 00, 00 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spcj.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spcj.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spcj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spcj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spcj.sys
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\ati7yv8a.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A5CC1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\usbohci \Device\USBPDO-0 8A31C1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{66DDFB55-1287-497E-A988-C81D22DC3513} 88C331F8
Device \Driver\usbehci \Device\USBPDO-1 8A3181F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5CE1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5CE1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5CE1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5CE1F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5621F8
Device \Driver\PCI_PNP4118 \Device\00000064 spcj.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5621F8
Device \Driver\Cdrom \Device\CdRom0 8A3C01F8
Device \Driver\Cdrom \Device\CdRom1 8A3C01F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A5621F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A5621F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88C331F8
Device \Driver\nvatabus \Device\00000084 8A5CD1F8
Device \Driver\NetBT \Device\NetbiosSmb 88C331F8
Device \Driver\nvatabus \Device\00000086 8A5CD1F8
Device \Driver\nvatabus \Device\00000087 8A5CD1F8
Device \Driver\usbohci \Device\USBFDO-0 8A31C1F8
Device \Driver\nvatabus \Device\NvAta0 8A5CD1F8
Device \Driver\usbehci \Device\USBFDO-1 8A3181F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88C101F8
Device \Driver\nvatabus \Device\NvAta1 8A5CD1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88C101F8
Device \Driver\nvatabus \Device\NvAta2 8A5CD1F8
Device \Driver\Ftdisk \Device\FtControl 8A5621F8
Device \Driver\sptd \Device\2582219118 spcj.sys
Device \Driver\ati7yv8a \Device\Scsi\ati7yv8a1Port3Path0Target0Lun0 8A2911F8
Device \Driver\ati7yv8a \Device\Scsi\ati7yv8a1 8A2911F8
Device \FileSystem\Cdfs \Cdfs 8A31F1F8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\Daemon tools\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x06 0xE9 0x0D 0x0B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0xB7 0xFC 0x97 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xD8 0x01 0x12 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\Daemon tools\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x06 0xE9 0x0D 0x0B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xCD 0xB7 0xFC 0x97 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0xD8 0x01 0x12 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.14 ----

Blade81
2008-10-16, 08:18
Hi

Could you please uninstall Daemon Tools, reboot and after that run GMER again? Were you able to find any ComboFix.txt file on your hard drive?

Greyfox--
2008-10-16, 20:07
Deleted Daemon Tools. Sorry, the only log I could find for ComboFix was what is in quarantine.

2007-10-03 23:36:46 25,600 C:\Qoobox\Quarantine\C\WINDOWS\system32\WS2Fix.exe.vir.vir
2008-10-17 18:28:26 2,690 C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp.reg.vir
2008-10-17 22:12:12 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-10-17 22:12:12 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-10-17 22:12:12 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-10-17 22:12:24 680 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-!AVG Anti-Spyware.reg.dat
2008-10-17 22:21:16 7,324 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-10-17 22:21:24 108 C:\Qoobox\Quarantine\catchme.log


Here's the GMER log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-18 18:04:39
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spcl.sys ZwCreateKey [0xBA6A80E0]
SSDT spcl.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spcl.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT spcl.sys ZwOpenKey [0xBA6A80C0]
SSDT spcl.sys ZwQueryKey [0xBA6C7108]
SSDT spcl.sys ZwQueryValueKey [0xBA6C6F88]
SSDT spcl.sys ZwSetValueKey [0xBA6C719A]

INT 0x62 ? 8A5CDBF8
INT 0x63 ? 8A5CDBF8
INT 0x73 ? 8A5CDBF8
INT 0x82 ? 8A5CDBF8
INT 0xA4 ? 8A3C9BF8
INT 0xB4 ? 8A3C9BF8

---- Kernel code sections - GMER 1.0.14 ----

? spcl.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B9B228AC 5 Bytes JMP 8A3C91D8

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\NOD32\ekrn.exe[1544] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [ C2, 04, 00, 00 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spcl.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spcl.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spcl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spcl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spcl.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A5CC1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\usbohci \Device\USBPDO-0 8A3C81F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{66DDFB55-1287-497E-A988-C81D22DC3513} 88D5B1F8
Device \Driver\usbehci \Device\USBPDO-1 8A3BA1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5CE1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5CE1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5CE1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5CE1F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5621F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5621F8
Device \Driver\Cdrom \Device\CdRom0 8A3AE1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A5621F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A5621F8
Device \Driver\nvatabus \Device\00000083 8A5CD1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88D5B1F8
Device \Driver\nvatabus \Device\00000085 8A5CD1F8
Device \Driver\NetBT \Device\NetbiosSmb 88D5B1F8
Device \Driver\nvatabus \Device\00000086 8A5CD1F8
Device \Driver\usbohci \Device\USBFDO-0 8A3C81F8
Device \Driver\nvatabus \Device\NvAta0 8A5CD1F8
Device \Driver\usbehci \Device\USBFDO-1 8A3BA1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88D361F8
Device \Driver\nvatabus \Device\NvAta1 8A5CD1F8
Device \Driver\nvatabus \Device\NvAta2 8A5CD1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88D361F8
Device \Driver\Ftdisk \Device\FtControl 8A5621F8
Device \FileSystem\Cdfs \Cdfs 8A39A368

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB3 0x03 0x73 0xA0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB3 0x03 0x73 0xA0 ...

---- EOF - GMER 1.0.14 ----

Greyfox--
2008-10-16, 20:09
Added to this, I've only really just noticed, but this trojan must have some sort of advertisement thing with it, as every website I go on now has advertisements for penis enlargement :sad:

Blade81
2008-10-16, 20:45
Hi


In the windows control panel. If you are using Windows XP's Category
View, select the Network and Internet Connections category otherwise
double click on Network Connections. Then right click on your default
connection, usually local area connection for cable and dsl, and left
click on properties. Click the Networking tab. Double-click on the
Internet Protocol (TCP/IP) . Are there any DNS server IP addresses visible?

Could you login to your router and check primary and secondary DNS server settings there?

Greyfox--
2008-10-16, 21:11
Nope, no DNS visible in connection settings.

Logged into router and

primary dns = 85.255.114.67

secondary dns = 85.255.112.200
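The two checks the helper asked for above (the adapter's TCP/IP DNS settings and the router's primary/secondary DNS) can be scripted on the host side. The following is an added example, not a tool used anywhere in this thread: it parses the text of `ipconfig /all` and labels every configured resolver. The sample output is constructed; the block-listed addresses are the two the thread reports from the compromised router; the allow-list and the private-address rule are assumptions that would be adjusted to the network in question.

```python
"""Check a Windows host's DNS resolver settings for a DNS-changer hijack.

Added example for this thread (not a tool the helpers used): it parses the
text of `ipconfig /all` and classifies every configured DNS server.  The
sample output below is constructed; the two block-listed addresses are the
ones the thread reports from the compromised router's DNS settings.
"""
import ipaddress
import re
import subprocess
from typing import List, Tuple

# Reported in the thread as the router's primary/secondary DNS after infection.
KNOWN_BAD_DNS = {"85.255.114.67", "85.255.112.200"}

# Assumption for the example: the resolvers this network is supposed to use
# (router LAN address, ISP resolvers).  Adjust to the environment.
ALLOWED_DNS = {"192.168.1.1"}

# RFC 1918 ranges: a resolver inside the LAN is normally the router itself.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `ipconfig /all` excerpt from a hijacked XP host (not real output).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : XP-BOX

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.114.67
                                            85.255.112.200
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
DNS_LINE = re.compile(r"DNS Servers[ .]*:\s*" + IPV4)   # first resolver
CONT_LINE = re.compile(r"^\s+" + IPV4 + r"\s*$")        # indented IP-only continuation


def parse_dns_servers(ipconfig_text: str) -> List[str]:
    """Return every DNS server listed in `ipconfig /all` output, in order."""
    servers: List[str] = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        m = DNS_LINE.search(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True      # following IP-only lines belong to this list
            continue
        if in_dns_block:
            c = CONT_LINE.match(line)
            if c:
                servers.append(c.group(1))
                continue
            in_dns_block = False     # any other line ends the DNS list
    return servers


def classify(server: str) -> str:
    """Label one resolver address for review."""
    if server in KNOWN_BAD_DNS:
        return "known-bad"
    if server in ALLOWED_DNS:
        return "allowed"
    addr = ipaddress.ip_address(server)
    if any(addr in net for net in PRIVATE_NETS):
        return "lan"            # plausibly the router: confirm its upstream DNS too
    return "unexpected"         # public resolver not on the allow-list: investigate


def assess(ipconfig_text: str) -> List[Tuple[str, str]]:
    """Pair each configured DNS server with its verdict."""
    return [(s, classify(s)) for s in parse_dns_servers(ipconfig_text)]


def assess_live() -> List[Tuple[str, str]]:
    """Run `ipconfig /all` on the local Windows host and assess its output."""
    out = subprocess.run(["ipconfig", "/all"], capture_output=True,
                         text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    for server, verdict in assess(SAMPLE_IPCONFIG):
        print(f"{server:16} {verdict}")
```

One caveat the thread itself illustrates: `ipconfig /flushdns` only empties the resolver cache, and a host set to "Obtain DNS servers automatically" shows whatever the router handed out over DHCP. When the adapter shows no explicit DNS entries (as Greyfox reports) but the router's own primary/secondary DNS have been changed, this check comes back "lan" or empty, so a "lan" verdict means the router's upstream DNS settings must be inspected as well.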

Blade81
2008-10-16, 22:14
Hi

What brand is your router and how did you reset it?

Greyfox--
2008-10-19, 01:37
Right, I think the problem is sorted now. The router, after getting the trojan, kept dropping the connection, so I was a little worried that, like you said, my router had been infected. Bought a new router today, and after setting it up, things that weren't working do, e.g. Microsoft Update now works.

So thanks for all your help and effort, greatly appreciated :)

Blade81
2008-10-19, 11:03
Good to hear that :)

If you want some tips for the future post a fresh hjt log, please.

Blade81
2008-10-26, 13:17
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.