PDA

View Full Version : problem running antivirus



s3r3nity
2009-06-19, 10:55
gud day! am having problem running my antivirus,i can't open it! also same problem in running the spybot...i can't scan my pc :( also during start up before the windows open theres this pop-up window with words am not familiar with.the only thing i can remember is jo-lyn-bee somethng..am sure it's not gud that thing is appearing during startup...hope some one can help me..here's my log

Logfile of HijackThis v1.99.1
Scan saved at 3:01:56 PM, on 6/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
C:\WINDOWS\system32\keyboard\services.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Cafezee2\Server.exe
D:\Cafezee2\czpinger.exe
C:\DOCUME~1\server2\LOCALS~1\Temp\ogvei.exe
C:\DOCUME~1\server2\LOCALS~1\Temp\winfncoye.exe
C:\DOCUME~1\server2\LOCALS~1\Temp\oxxf.exe
C:\WINDOWS\system32\NOTEPAD.EXE
H:\files.exe
C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\ytbb.exe
C:\Documents and Settings\server2\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [USB2.0] C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe
O4 - HKLM\..\Run: [Keyboard] C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [] C:\WINDOWS\system\KEYBOARD.exe
O4 - HKLM\..\RunOnce: [] C:\WINDOWS\system32\dllcache\Default.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\RunOnce: [] C:\WINDOWS\system32\dllcache\Default.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: kbdrv16.com
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} (IPCamPlugIn Control) - http://124.106.161.28/IPCamPluginMJPEG.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F92C77EF-BBAC-4A56-9FAF-5A570D83C5B2}: NameServer = 192.168.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Blade81
2009-06-20, 17:50
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

s3r3nity
2009-06-21, 05:07
i would appreciate if you could help me clean my pc :D: tnx in advance..hoping for your response

Blade81
2009-06-21, 11:59
As you wish :) However, before that I need to see a few extra logs.


Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Download GMER (http://www.gmer.net/gmer.zip) and save it your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.

s3r3nity
2009-06-22, 07:03
hi! i can't run the dds.exe.in the command promt it say "the command promt has been disable by the administrator.Press any key to continue"...i was log in as the administrator how come i can't access it???

here's the log for gmer....

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-22 11:56:20
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) ZwOpenFile [0xF6E6F080]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\njklm.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe[172] C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe section is writeable [0x00401000, 0x2ECD7, 0xE0000060]
.sdata C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe[172] C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe unknown last code section [0x00438000, 0x1C000, 0xE0000060]
.text C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe[228] C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe section is writeable [0x00401000, 0x2ECD7, 0xE0000060]
.sdata C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe[228] C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe unknown last code section [0x00438000, 0x1C000, 0xE0000060]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6EA6DF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F6EA6DF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3676] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] cswjy <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001583b8f31c
Reg HKLM\SYSTEM\ControlSet001\Services\cswjy@DisplayName Shell Manager
Reg HKLM\SYSTEM\ControlSet001\Services\cswjy@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\cswjy@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\cswjy@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\cswjy@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\cswjy@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\cswjy@Description Manages network configuration by registering and updating IP addresses and DNS names.
Reg HKLM\SYSTEM\ControlSet001\Services\cswjy\Parameters
Reg HKLM\SYSTEM\ControlSet001\Services\cswjy\Parameters@ServiceDll C:\WINDOWS\system32\hfszcaf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583b8f31c
Reg HKLM\SYSTEM\CurrentControlSet\Services\cswjy@DisplayName Shell Manager
Reg HKLM\SYSTEM\CurrentControlSet\Services\cswjy@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\cswjy@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\cswjy@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\cswjy@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\cswjy@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\cswjy@Description Manages network configuration by registering and updating IP addresses and DNS names.
Reg HKLM\SYSTEM\CurrentControlSet\Services\cswjy\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\cswjy\Parameters@ServiceDll C:\WINDOWS\system32\hfszcaf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001583b8f31c
Reg HKLM\SYSTEM\ControlSet003\Services\cswjy@DisplayName Shell Manager
Reg HKLM\SYSTEM\ControlSet003\Services\cswjy@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\cswjy@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\cswjy@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\cswjy@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\cswjy@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\cswjy@Description Manages network configuration by registering and updating IP addresses and DNS names.
Reg HKLM\SYSTEM\ControlSet003\Services\cswjy\Parameters
Reg HKLM\SYSTEM\ControlSet003\Services\cswjy\Parameters@ServiceDll C:\WINDOWS\system32\hfszcaf.dll

---- EOF - GMER 1.0.15 ----

s3r3nity
2009-06-22, 07:08
ahm also i would like to ask if there's a temporary solution for my pc problem..i mean is there anyway i can scan my pc even for one day so that i could use my flash drive or memory card? the last time i inserted my removable memory card i was infected by virus..and also i can't view pictures using thumbnail view....

Blade81
2009-06-22, 15:45
Hi,

If you're going to use flash memory meanwhile (I don't recommend that) then the drive must be disinfected first.

1. Download Flash_Disinfector (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) and save it to your desktop.
2. After downloading, double-click on Flash_Disinfector to run it.
3. Just follow the prompts and continue until it begin scanning.
4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
5. It will scan removable drives, wait for the scan to finish. Done.


About dds issue.. Please rename dds to whatever.scr and try running it. If still no success follow the instructions below:

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized, if not you'll find it in c:\rsit folder)

s3r3nity
2009-06-23, 07:39
here's the rsit log
Logfile of random's system information tool 1.06 (written by random/random)
Run by server2 at 2009-06-23 11:39:15
Microsoft Windows XP Professional Service Pack 2
System drive C: has 55 GB (72%) free of 76 GB
Total RAM: 1023 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:23 AM, on 6/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
C:\WINDOWS\system32\keyboard\services.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Cafezee2\Server.exe
D:\Cafezee2\czpinger.exe
\Pc08\my documents\My Pictures\My Pictures.exe
C:\WINDOWS\system32\cmd.exe
\Pc08\my documents\My Pictures\My Pictures.exe
C:\WINDOWS\system32\cmd.exe
\Pc08\my documents\My Pictures\My Pictures.exe
C:\WINDOWS\system32\cmd.exe
C:\DOCUME~1\server2\LOCALS~1\Temp\winyfwi.exe
C:\DOCUME~1\server2\LOCALS~1\Temp\pkgd.exe
C:\DOCUME~1\server2\LOCALS~1\Temp\winqgiiaf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\server2\My Documents\Mozilla Downloads\RSIT.exe
C:\Program Files\trend micro\server2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [USB2.0] C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe
O4 - HKLM\..\Run: [Keyboard] C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [] C:\WINDOWS\system\KEYBOARD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [] C:\WINDOWS\system32\dllcache\Default.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - HKCU\..\RunOnce: [] C:\WINDOWS\system32\dllcache\Default.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\progra~1\micros~1\csrss.exe
O4 - HKLM\..\Policies\Explorer\Run: [sys] C:\WINDOWS\Fonts\Fonts.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: kbdrv16.com
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} (IPCamPlugIn Control) - http://124.106.161.28/IPCamPluginMJPEG.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F92C77EF-BBAC-4A56-9FAF-5A570D83C5B2}: NameServer = 192.168.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8419 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
IEVkbdBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll [2008-11-11 62728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2009-05-07 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2009-05-18 737776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2009-05-07 2403392]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-08-24 13574144]
"VMSnap3"=C:\WINDOWS\VMSnap3.EXE [2006-08-30 131072]
"Domino"=C:\WINDOWS\Domino.EXE [2006-06-28 122880]
"EEventManager"=C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe [2006-03-17 172032]
"Shell23"= []
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-06-17 495616]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"BigDog303"=C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH) []
"USB2.0"=C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe [2000-01-01 102400]
"Keyboard"=C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe [2000-01-01 106496]
"AVP"=C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [2008-11-11 206088]
""=C:\WINDOWS\system\KEYBOARD.exe [2009-06-17 307200]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 113520]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
""=C:\WINDOWS\system32\dllcache\Default.exe [2009-06-17 307200]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"=C:\progra~1\micros~1\csrss.exe []
"sys"=C:\WINDOWS\Fonts\Fonts.exe [2009-06-17 307200]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-05-18 138488]
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2009-03-18 4441328]
"RegistryMechanic"=C:\Program Files\Registry Mechanic\RegMech.exe [2008-07-08 2897816]
"PowerBar"=C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe [2004-04-21 155648]
"Yahoo Messengger"=C:\WINDOWS\system32\SSCVIHOST.exe [2007-05-15 253661]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
""=C:\WINDOWS\system32\dllcache\Default.exe [2009-06-17 307200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
C:\WINDOWS\ALCMTR.EXE [2009-05-08 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 108840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe [2006-11-02 1397760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-01-06 359720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
C:\Program Files\lg_fwupdate\fwupdate.exe [2005-04-12 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2009-05-08 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2008-08-24 13574144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2008-08-24 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-06-17 495616]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [2004-11-02 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2007-08-20 16384512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
C:\WINDOWS\SkyTel.EXE [2009-05-08 1826816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
kbdrv16.com

C:\Documents and Settings\server2\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\WINDOWS\system32\klogon.dll [2008-11-11 218376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0
"DisableStatusMessages"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=223
"HideClock"=0
"NofolderOptions"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"CZ_RESTRICTEDUSER"=
"HideClock"=
"Run"=
"NoDesktop"=
"NoActiveDesktop"=
"NoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\Intaller\WinRar_4[1].1.65.exe"="F:\Intaller\WinRar_4[1].1.65.exe:*:Enabled:ipsec"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.exe:*:Enabled:ipsec"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\SkyTel.EXE"="C:\WINDOWS\SkyTel.EXE:*:Enabled:ipsec"
"C:\WINDOWS\system32\RUNDLL32.EXE"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:ipsec"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\QuickTime\QTTask.exe"="C:\Program Files\QuickTime\QTTask.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\nwiz.exe"="C:\WINDOWS\system32\nwiz.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\userinit.exe"="C:\WINDOWS\system32\userinit.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winsvydl.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winsvydl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\wintybg.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\wintybg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\wshbup.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\wshbup.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\rwehl.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\rwehl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winoelbkk.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winoelbkk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winqhcdrh.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winqhcdrh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winptqbu.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winptqbu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winkvpqll.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winkvpqll.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\nhtsj.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\nhtsj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winqkbfsr.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winqkbfsr.exe:*:Enabled:ipsec"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:ipsec"
"C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe"="C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.2"
"H:\MS-DOS.com"="H:\MS-DOS.com:*:Enabled:ipsec"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:ipsec"
"H:\CONTACT LENSE.exe"="H:\CONTACT LENSE.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"="C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winlofa.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winlofa.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winmkvao.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winmkvao.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winwsxom.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winwsxom.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winfkcy.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winfkcy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\vhdau.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\vhdau.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\wegr.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\wegr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winrcyeqh.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winrcyeqh.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\dllcache\Default.exe"="C:\WINDOWS\system32\dllcache\Default.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winulnce.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winulnce.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\gbtyjv.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\gbtyjv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winbywaw.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winbywaw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\jupnt.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\jupnt.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\hwfo.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\hwfo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\bbix.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\bbix.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winwjgljj.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winwjgljj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\nfaj.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\nfaj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winiiwd.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winiiwd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winaeric.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winaeric.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winyalb.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winyalb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winabftf.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winabftf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winrgve.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winrgve.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\windgnfmy.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\windgnfmy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\atmbtl.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\atmbtl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winreavo.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winreavo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winmdlrb.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winmdlrb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\wingkaunm.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\wingkaunm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winceikku.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winceikku.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\kuxoj.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\kuxoj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\fdaumh.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\fdaumh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winbhabyk.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winbhabyk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\jmwo.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\jmwo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\opol.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\opol.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winpappe.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winpappe.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winnxbckp.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winnxbckp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\laet.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\laet.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winaoyix.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winaoyix.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\wineaukp.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\wineaukp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winxpmigi.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winxpmigi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winepfobp.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winepfobp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\irfacx.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\irfacx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\basmgw.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\basmgw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\xlfmi.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\xlfmi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\wpwq.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\wpwq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\kgtiji.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\kgtiji.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\hexxr.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\hexxr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winmbhwbl.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winmbhwbl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\qyegf.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\qyegf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winsqrsqn.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winsqrsqn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\wineatv.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\wineatv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\bgbc.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\bgbc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\icgg.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\icgg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\uljhaw.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\uljhaw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winbpme.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winbpme.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\wtelo.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\wtelo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winbsxdyn.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winbsxdyn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\savdl.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\savdl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\windgcmns.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\windgcmns.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winthwhqy.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winthwhqy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\jnbyp.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\jnbyp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winoxcb.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winoxcb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winubpuwy.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winubpuwy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\gnrrk.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\gnrrk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\bnjjw.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\bnjjw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winaaul.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winaaul.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\winysmvr.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\winysmvr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\attmbi.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\attmbi.exe:*:Enabled:ipsec"
"C:\WINDOWS\system\KEYBOARD.exe"="C:\WINDOWS\system\KEYBOARD.exe:*:Enabled:ipsec"
"C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"="C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com:*:Enabled:ipsec"
"C:\WINDOWS\Fonts\tskmgr.exe"="C:\WINDOWS\Fonts\tskmgr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\server2\LOCALS~1\Temp\kljju.exe"="C:\DOCUME~1\server2\LOCALS~1\Temp\kljju.exe:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e1a6e6b-3ddc-11de-b362-00248cb8a964}]
shell\auto\command - Scrap
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Scrap
shell\explore\command - Scrap
shell\open\command - Scrap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17d86e34-4cd4-11de-b38d-00248cb8a964}]
shell\auto\command - I:\Scrap
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Scrap
shell\explore\command - I:\Scrap
shell\open\command - I:\Scrap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bc47a62-5ae7-11de-b3b9-00248cb8a964}]
shell\AutoRun\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe
shell\open\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bc47a63-5ae7-11de-b3b9-00248cb8a964}]
shell\AutoRun\command - I:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe
shell\open\command - I:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fd2e252-4420-11de-b36d-00248cb8a964}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe voda.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fd2e254-4420-11de-b36d-00248cb8a964}]
shell\AutoRun\command - H:\RECYCLER\k-1-3542-4232123213-7676767-8888886\r00t.exe
shell\open\command - H:\RECYCLER\k-1-3542-4232123213-7676767-8888886\r00t.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{202d4bbc-5563-11de-b3a4-00248cb8a964}]
shell\AutoPlay\command - vmxi.pif
shell\AutoRun\command - vmxi.pif
shell\explOre\command - vmxi.pif
shell\OpeN\command - vmxi.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{202d4bbd-5563-11de-b3a4-00248cb8a964}]
shell\AutoPlay\command - H:\InnocentFile.exe
shell\AutoRun\command - H:\InnocentFile.exe
shell\Explore\command - H:\InnocentFile.exe
shell\Open\command - H:\InnocentFile.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{202d4bbe-5563-11de-b3a4-00248cb8a964}]
shell\AutoRun\command - asneg.com
shell\explore\command - asneg.com
shell\open\command - asneg.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23dc7c10-5248-11de-b39b-00248cb8a964}]
shell\auto\command - Scrap
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Scrap
shell\explore\command - Scrap
shell\open\command - Scrap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23dc7c11-5248-11de-b39b-00248cb8a964}]
shell\AutoRun\command - I:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cbfa88e-4042-11de-b367-00248cb8a964}]
shell\AutoRun\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe
shell\open\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ee1be31-598c-11de-b3b7-00248cb8a964}]
shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45572e5d-4e57-11de-b392-00248cb8a964}]
shell\AutoRun\command - H:\2a.exe
shell\open\command - H:\2a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a528ea9-4fe8-11de-b396-00248cb8a964}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe winconfig.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a528eab-4fe8-11de-b396-00248cb8a964}]
shell\AutoRun\command - wscript.exe system32.dll.vbs
shell\explore\command - wscript.exe system32.dll.vbs
shell\open\command - wscript.exe system32.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a623600-3d16-11de-b361-00248cb8a964}]
shell\AutoRun\command - I:\flnm.cmd
shell\open\command - I:\flnm.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ee8019c-48ee-11de-b381-00248cb8a964}]
shell\auto\command - H:\Scrap
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Scrap
shell\explore\command - H:\Scrap
shell\open\command - H:\Scrap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51c5f67f-50ac-11de-b398-00248cb8a964}]
shell\autOpLAy\command - delim.pif
shell\AutoRun\command - delim.pif
shell\eXPloRe\command - delim.pif
shell\open\command - delim.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51c5f681-50ac-11de-b398-00248cb8a964}]
shell\AutoRun\command - wscript.exe sowar.vbs
shell\Open\command - wscript.exe sowar.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51c5f687-50ac-11de-b398-00248cb8a964}]
shell\AutoRun\command - RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe
shell\open\command - RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{586d7266-562b-11de-b3a5-00248cb8a964}]
shell\AutoRun\command - H:\rousan.exe
shell\explore\command - H:\rousan.exe
shell\open\command - H:\rousan.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58f63fbb-4299-11de-b36b-00248cb8a964}]
shell\auto\command - H:\Scrap
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Scrap
shell\explore\command - H:\Scrap
shell\open\command - H:\Scrap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5cc443a7-3eb5-11de-b364-00248cb8a964}]
shell\auto\command - I:\Scrap
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Scrap
shell\explore\command - I:\Scrap
shell\open\command - I:\Scrap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62523903-5348-11de-b3a0-00248cb8a964}]
shell\AutoRun\command - system~1\_resto~1\RP09.exe
shell\explore\command - system~1\_resto~1\RP09.exe
shell\open\command - system~1\_resto~1\RP09.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e39419f-4daa-11de-b390-00248cb8a964}]
shell\AutoRun\command - RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe
shell\open\command - RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f978348-4f23-11de-b394-00248cb8a964}]
shell\AutoRun\command - hni.cmd
shell\explore\command - hni.cmd
shell\open\command - hni.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f978349-4f23-11de-b394-00248cb8a964}]
shell\AutoRun\command - I:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88c01138-45e3-11de-b371-00248cb8a964}]
shell\AutoRun\command - H:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe
shell\open\command - H:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8dd68ed6-481d-11de-b37c-00248cb8a964}]
shell\AutoRun\command - I:\password_viewer.exe %1
shell\Explore\command - I:\password_viewer.exe %1
shell\Open\command - I:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8df7ff24-4a64-11de-b386-00248cb8a964}]
shell\AutoplAY\command - I:\pbgtfi.pif
shell\AutoRun\command - I:\pbgtfi.pif
shell\explOrE\command - I:\pbgtfi.pif
shell\oPEn\command - I:\pbgtfi.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ede0908-46a6-11de-b376-00248cb8a964}]
shell\AutoRun\command - H:\uulaqvl.cmd
shell\explore\command - H:\uulaqvl.cmd
shell\open\command - H:\uulaqvl.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97b70556-4b2f-11de-b387-00248cb8a964}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe voda.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b76ecf5c-597e-11de-b3b6-00248cb8a964}]
shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b76ecf5d-597e-11de-b3b6-00248cb8a964}]
shell\AutoRun\command - I:\password_viewer.exe %1
shell\Explore\command - I:\password_viewer.exe %1
shell\Open\command - I:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbdd64d4-53d1-11de-b3a1-00248cb8a964}]
shell\AutoRun\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe
shell\open\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbdd64d8-53d1-11de-b3a1-00248cb8a964}]
shell\Autoplay\command - H:\smss.exe
shell\AutoRun\command - H:\smss.exe
shell\Explore\command - H:\smss.exe
shell\Open\command - H:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbdd64da-53d1-11de-b3a1-00248cb8a964}]
shell\AutoRun\command - hyetn1i.exe
shell\open\command - hyetn1i.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbdd64db-53d1-11de-b3a1-00248cb8a964}]
shell\AutopLAy\command - H:\vkor.exe
shell\AutoRun\command - H:\vkor.exe
shell\expLoRe\command - H:\vkor.exe
shell\opeN\command - H:\vkor.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be27b248-3f61-11de-b365-00248cb8a964}]
shell\AutoRun\command - H:\lhylec9x.cmd
shell\open\command - H:\lhylec9x.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be27b24e-3f61-11de-b365-00248cb8a964}]
shell\1\command - I:\Recycle.exe
shell\2\command - I:\Recycle.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycle.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2bdb641-5a2b-11de-b3b8-00248cb8a964}]
shell\AutoRun\command - I:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe
shell\open\command - I:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2bdb642-5a2b-11de-b3b8-00248cb8a964}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MS-DOS.com
shell\Explore\command - H:\MS-DOS.com
shell\Open\command - H:\MS-DOS.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2bdb643-5a2b-11de-b3b8-00248cb8a964}]
shell\AutoRun\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe
shell\open\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2bdb645-5a2b-11de-b3b8-00248cb8a964}]
shell\AutoRun\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe
shell\open\command - H:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2bdb646-5a2b-11de-b3b8-00248cb8a964}]
shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2bdb647-5a2b-11de-b3b8-00248cb8a964}]
shell\AutoRun\command - I:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe
shell\open\command - I:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Drive13.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c63fe42f-41ca-11de-b36a-00248cb8a964}]
shell\auto\command - H:\Scrap
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Scrap
shell\explore\command - H:\Scrap
shell\open\command - H:\Scrap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c63fe431-41ca-11de-b36a-00248cb8a964}]
shell\AutOpLaY\command - I:\aphhu.cmd
shell\AutoRun\command - I:\aphhu.cmd
shell\eXplORE\command - I:\aphhu.cmd
shell\Open\command - I:\aphhu.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6d814c6-588e-11de-b3b0-00248cb8a964}]
shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d15eba52-45ac-11de-b370-00248cb8a964}]
shell\AutoRun\command - password_viewer.exe %1
shell\Explore\command - password_viewer.exe %1
shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d15eba54-45ac-11de-b370-00248cb8a964}]
shell\AutoRun\command - 0o.com
shell\explore\command - 0o.com
shell\open\command - 0o.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7ae8d34-3ba5-11de-b35a-00248cb8a964}]
shell\AutoRun\command - I:\ot8unvb.cmd
shell\explore\command - I:\ot8unvb.cmd
shell\open\command - I:\ot8unvb.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3b51099-517a-11de-b399-00248cb8a964}]
shell\auto\command - H:\Scrap
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Scrap
shell\explore\command - H:\Scrap
shell\open\command - H:\Scrap


======File associations======

.reg - open - C:\WINDOWS\pchealth\Global.exe

======List of files/folders created in the last 1 months======

2009-06-23 11:39:16 ----D---- C:\Program Files\trend micro
2009-06-23 11:39:15 ----D---- C:\rsit
2009-06-23 10:54:18 ----RASH---- C:\WINDOWS\system32\SSCVIHOST.exe
2009-06-23 10:54:18 ----RASH---- C:\WINDOWS\system32\blastclnnn.exe
2009-06-23 10:54:18 ----A---- C:\WINDOWS\SSCVIHOST.exe
2009-06-19 17:12:37 ----SHD---- C:\Config.Msi
2009-06-19 17:09:30 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-06-19 17:08:29 ----D---- C:\Program Files\NOS
2009-06-19 17:08:29 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-06-19 13:23:54 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-06-19 13:23:54 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-19 13:03:49 ----D---- C:\Program Files\Kaspersky Lab
2009-06-18 12:33:33 ----D---- C:\WINDOWS\system32\keyboard
2009-06-18 12:33:33 ----D---- C:\Documents and Settings\All Users\Application Data\Fearghus
2009-06-17 18:47:19 ----RASH---- C:\MS-DOS.com
2009-06-17 18:32:58 ----RASH---- C:\WINDOWS\system32\regedit.exe
2009-06-14 11:05:44 ----SHD---- C:\FOUND.007
2009-06-11 11:26:30 ----SHD---- C:\FOUND.006
2009-06-09 16:15:20 ----RSHD---- C:\RECYCLER
2009-06-09 14:56:23 ----RSHD---- C:\RESTORE
2009-06-09 10:04:44 ----SHD---- C:\FOUND.005
2009-06-07 19:29:46 ----A---- C:\WINDOWS\system32\wshirda.dll
2009-06-07 19:29:46 ----A---- C:\WINDOWS\system32\irmon.dll
2009-06-07 19:29:46 ----A---- C:\WINDOWS\system32\irftp.exe
2009-06-07 11:15:34 ----D---- C:\Program Files\HijackThis
2009-06-07 11:09:28 ----D---- C:\WINDOWS\system32\appmgmt
2009-06-03 15:12:36 ----SHD---- C:\FOUND.004
2009-06-03 11:59:49 ----RSH---- C:\system32.dll.vbs
2009-06-03 10:08:48 ----SHD---- C:\FOUND.003
2009-06-02 14:35:50 ----A---- C:\WINDOWS\ModemLog_ZTE Proprietary USB Modem.txt
2009-05-29 19:35:38 ----A---- C:\WINDOWS\system32\ap_i2p.ini
2009-05-29 19:35:35 ----D---- C:\Program Files\AdultPDF
2009-05-28 12:05:12 ----SHD---- C:\FOUND.002

======List of files/folders modified in the last 1 months======

2009-06-22 20:00:38 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-06-22 10:41:14 ----A---- C:\WINDOWS\NeroDigital.ini
2009-06-17 18:42:14 ----A---- C:\WINDOWS\system32\nvcplui.exe
2009-06-07 19:31:04 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-06-03 20:57:18 ----A---- C:\WINDOWS\win.ini
2009-05-27 12:29:30 ----A---- C:\avi_log.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2005-07-08 29696]
R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2006-11-02 28672]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2004-05-05 4228]
R3 dac970nt;dac970nt; \??\C:\WINDOWS\system32\drivers\njklm.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-08-28 4609024]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-08-24 6128352]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2006-10-02 10368]
R3 SiSGbeXP;SiS191/SiS190 Ethernet Device NDIS 5.1 Driver; C:\WINDOWS\system32\DRIVERS\SiSGbeXP.sys [2006-12-20 41600]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 vmfilter303;vmfilter303; C:\WINDOWS\system32\drivers\vmfilter303.sys [2006-04-25 428160]
R3 ZSMC303;A4 TECH PC Camera H; C:\WINDOWS\System32\Drivers\usbVM303.sys [2006-12-01 392122]
R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2005-07-08 99584]
S3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2004-08-03 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2004-08-03 100992]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2004-08-03 274304]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2004-08-03 18944]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2004-08-03 59648]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 ZTEusbmdm6k;ZTE Proprietary USB Driver; C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys []
S3 ZTEusbnmea;ZTE NMEA Port; C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys []
S3 ZTEusbser6k;ZTE Diagnostic Port; C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 InCDsrv;InCD Helper; C:\Program Files\Ahead\InCD\InCDsrv.exe [2005-07-08 871424]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-10-19 61440]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-08-24 163908]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2009-05-08 150528]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-07 215992]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-01-06 610600]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 147744]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 523056]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 227104]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------

s3r3nity
2009-06-23, 07:47
info log

info.txt logfile of random's system information tool 1.06 2009-06-23 11:39:27

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->msiexec /x{5C68CBBE-3284-4633-B314-D2555B5540C8}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
A4 TECH PC Camera H-->C:\Program Files\InstallShield Installation Information\{CE3B8E96-B0AF-4871-9178-1519B58E3A93}\setup.exe -runfromtemp -l0x0009 -removeonly
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Acrobat.com-->MsiExec.exe /X{6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Cafezee Server-->C:\WINDOWS\Cafezee Server Uninstaller.exe
CardRecovery-->C:\PROGRA~1\CARDRE~1\UNWISE.EXE C:\PROGRA~1\CARDRE~1\INSTALL.LOG
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07-->"C:\Program Files\Cucusoft\avi-dvd-pro\unins000.exe"
DVD Solution-->"C:\Program Files\Uninstall_CDS.exe"
EPSON Attach To Email-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Copy Utility 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x9 -UnInstall
EPSON Event Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48F22622-1CC2-4A83-9C1E-644DD96F832D}\Setup.exe" -l0x9 -u
EPSON File Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x9 UNINST
EPSON Scan Assistant-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Image To PDF v3.3.0-->"C:\Program Files\AdultPDF\Image To PDF\unins000.exe"
Imikimi Plugin-->"C:\Program Files\Imikimi\uninstall.exe"
InCD-->C:\WINDOWS\NuNInst.exe /UNINSTALL
iTunes-->MsiExec.exe /I{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}
Kaspersky Anti-Virus 2009-->MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
Kaspersky Anti-Virus 2009-->MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
LG ODD Auto Firmware Update-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6179550A-3E7C-499E-BCC9-9E8113E0A285}\setup.exe"
Magic Video Converter Trial Version (English) 8.0.2.18-->"C:\Program Files\Magic Video Converter\unins000.exe"
MemoriesOnTV 3.1.8-->"C:\Program Files\MemoriesOnTV3\unins000.exe"
MemoriesOnTV ClipShow Volume 1-->"C:\Program Files\MemoriesOnTV3\unins001.exe"
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Multimedia Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Norton PartitionMagic 8.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{21DBBDD6-93A5-4326-9A04-C9A5C9148502}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
PerfV350 User's Guide-->C:\Program Files\EPSON\TPMANUAL\PerfV350\USE_G\DOCUNINS.EXE
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
QuickTime-->MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Registry Mechanic 8.0-->"C:\Program Files\Registry Mechanic\unins000.exe" /Log
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sony Ericsson Media Manager 1.2-->MsiExec.exe /X{9EB1504E-FD95-4BCD-8E93-B4039F59C469}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wondershare Photo Story Platinum 3.1.0 trial version-->"C:\Program Files\Wondershare\Photo Story Platinum\unins000.exe"
Yahoo! Messenger-->C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

======Security center information======

AV: Kaspersky Anti-Virus (disabled)

======System event log======

Computer Name: SERVER2
Event Code: 7
Message: The device, \Device\Harddisk2\D, has a bad block.

Record Number: 9236
Source Name: Disk
Time Written: 20090614143216.000000+480
Event Type: error
User:

Computer Name: SERVER2
Event Code: 7
Message: The device, \Device\Harddisk2\D, has a bad block.

Record Number: 9235
Source Name: Disk
Time Written: 20090614143216.000000+480
Event Type: error
User:

Computer Name: SERVER2
Event Code: 7
Message: The device, \Device\Harddisk2\D, has a bad block.

Record Number: 9234
Source Name: Disk
Time Written: 20090614143216.000000+480
Event Type: error
User:

Computer Name: SERVER2
Event Code: 7
Message: The device, \Device\Harddisk2\D, has a bad block.

Record Number: 9233
Source Name: Disk
Time Written: 20090614143216.000000+480
Event Type: error
User:

Computer Name: SERVER2
Event Code: 7
Message: The device, \Device\Harddisk2\D, has a bad block.

Record Number: 9232
Source Name: Disk
Time Written: 20090614143216.000000+480
Event Type: error
User:

=====Application event log=====

Computer Name: SERVER2
Event Code: 1000
Message: Faulting application ois.exe, version 12.0.4518.1014, stamp 454175ff, faulting module gdi32.dll, version 5.1.2600.2180, stamp 41109697, debug? 0, fault address 0x0000e13f.

Record Number: 525
Source Name: Microsoft Office 12
Time Written: 20090609135439.000000+480
Event Type: error
User:

Computer Name: SERVER2
Event Code: 1517
Message: Windows saved user SERVER2\server2 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 516
Source Name: Userenv
Time Written: 20090608200631.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SERVER2
Event Code: 1517
Message: Windows saved user SERVER2\server2 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 510
Source Name: Userenv
Time Written: 20090607203644.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SERVER2
Event Code: 1517
Message: Windows saved user SERVER2\server2 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 500
Source Name: Userenv
Time Written: 20090607152523.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SERVER2
Event Code: 1517
Message: Windows saved user SERVER2\server2 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 497
Source Name: Userenv
Time Written: 20090607123310.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL;H:\quicktime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip;H:\quicktime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

Blade81
2009-06-23, 19:21
Hi,


Computer Name: SERVER2
Event Code: 7
Message: The device, \Device\Harddisk2\D, has a bad block.

Your hard drive may have its end near. It's better to take needed backups after we've cleaned the mess.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download Combofix*from any of the links below. You must*rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
--------------------------------------------------------------------

Double click on Combo-Fix.exe*& follow the prompts (allow recovery console to install when asked for permission).
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log*so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Note: If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

s3r3nity
2009-06-24, 06:34
hi! tnx for your response...here's the combofix log

ComboFix 09-06-22.0E - server2 06/24/2009 11:23.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.404 [GMT 8:00]
Running from: c:\documents and settings\server2\My Documents\Mozilla Downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\restore\H-6-1-53-0976546321-090909032-8763-1337
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
C:\Autorun.inf
C:\MS-DOS.com
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\restore\H-6-1-53-0976546321-090909032-8763-1337\Desktop.ini
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\Cursors\Boom.vbs
c:\windows\Fonts\fonts.exe
c:\windows\Fonts\tskmgr.exe
c:\windows\Fonts\wav.wav
c:\windows\Help\Microsoft.hlp
c:\windows\Media\rndll32.pif
c:\windows\pchealth\Global.exe
c:\windows\pchealth\helpctr\binaries\HelpHost.com
c:\windows\system\KEYBOARD.exe
c:\windows\system32\autorun.ini
c:\windows\system32\blastclnnn.exe
c:\windows\system32\dllcache\autorun.inf
c:\windows\system32\dllcache\Default.exe
c:\windows\system32\dllcache\Global.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
c:\windows\system32\dllcache\rndll32.exe
c:\windows\system32\dllcache\tskmgr.exe
c:\windows\system32\drivers\drivers.cab.exe
c:\windows\system32\drivers\kl1.sys
c:\windows\system32\msxml71.dll
c:\windows\system32\regedit.exe
c:\windows\system32\setting.ini
c:\windows\system32\SSCVIHOST.exe
c:\windows\system32\uninstall.exe
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DAC970NT
-------\Service_dac970nt


((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-23 07:34 . 2009-06-23 07:34 -------- d-----w- c:\program files\ImTOO
2009-06-23 03:39 . 2009-06-23 03:39 -------- d-----w- c:\program files\trend micro
2009-06-23 03:39 . 2009-06-23 03:39 -------- d-----w- C:\rsit
2009-06-23 02:54 . 2007-05-15 02:34 253661 ----a-w- c:\windows\SSCVIHOST.exe
2009-06-19 09:09 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\server2\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-06-19 09:09 . 2009-06-19 09:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-19 09:08 . 2009-06-19 09:08 155648 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-19 09:08 . 2009-06-19 09:08 -------- d-----w- c:\program files\NOS
2009-06-19 09:08 . 2009-06-19 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-19 05:23 . 2009-06-19 05:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-19 05:23 . 2009-06-19 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-19 05:04 . 2009-06-19 05:04 96976 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-19 05:04 . 2009-06-19 05:04 87855 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-19 05:03 . 2009-06-19 05:03 -------- d-----w- c:\program files\Kaspersky Lab
2009-06-18 04:33 . 2009-06-18 04:33 -------- d-----w- c:\windows\system32\keyboard
2009-06-18 04:33 . 2009-06-18 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Fearghus
2009-06-14 03:05 . 2009-06-14 03:05 -------- d-sh--w- C:\FOUND.007
2009-06-14 02:56 . 2009-06-14 02:56 544768 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\SanDiskFormatExtension.dll
2009-06-14 02:56 . 2009-06-14 02:56 4702208 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\LaunchPad.exe
2009-06-14 02:56 . 2009-06-14 02:56 3428352 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\Launchpad Removal.exe
2009-06-14 02:56 . 2009-06-14 02:56 2600960 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\u3dapi10.dll
2009-06-14 02:56 . 2009-06-14 02:56 2129920 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\LPSecurityExtension.dll
2009-06-14 02:56 . 2009-06-14 02:56 180224 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\cleanup.exe
2009-06-14 02:56 . 2009-06-14 02:56 132408 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\U3AccessGrant.exe
2009-06-11 12:08 . 2009-06-24 03:25 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-11 03:26 . 2009-06-11 03:26 -------- d-sh--w- C:\FOUND.006
2009-06-09 06:56 . 2009-06-09 06:56 -------- d-sh--r- C:\RESTORE
2009-06-09 02:04 . 2009-06-09 02:04 -------- d-sh--w- C:\FOUND.005
2009-06-03 07:12 . 2009-06-03 07:12 -------- d-sh--w- C:\FOUND.004
2009-06-03 02:08 . 2009-06-03 02:08 -------- d-sh--w- C:\FOUND.003
2009-05-29 11:35 . 2009-05-29 11:35 -------- d-----w- c:\program files\AdultPDF
2009-05-28 04:05 . 2009-05-28 04:05 -------- d-sh--w- C:\FOUND.002

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 05:15 . 2009-05-08 03:11 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-19 05:15 . 2009-05-08 03:11 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-19 05:15 . 2009-05-08 03:11 1404960 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-19 05:15 . 2009-05-08 03:11 12056 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-17 10:42 . 2008-08-24 04:11 870944 ----a-w- c:\windows\system32\nvcplui.exe
2009-06-17 10:37 . 2009-05-07 12:01 677104 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-06-17 10:37 . 2008-07-04 05:35 132456 ----a-w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe
2009-06-17 10:33 . 2009-01-06 05:50 148776 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.0.2.20\SetupAdmin.exe
2009-06-15 11:19 . 2009-05-13 10:19 192512 ----a-w- c:\documents and settings\server2\Application Data\U3\temp\cleanup.exe
2009-06-15 11:19 . 2009-05-13 10:18 3174400 ---ha-w- c:\documents and settings\server2\Application Data\U3\temp\Launchpad Removal.exe
2009-05-28 12:19 . 2009-05-07 10:54 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-20 05:08 . 2009-05-20 05:08 -------- d-----w- c:\documents and settings\server2\Application Data\Sony
2009-05-20 05:08 . 2009-05-20 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-05-20 05:03 . 2009-05-20 05:03 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-05-20 05:03 . 2009-05-20 05:03 -------- d-----w- c:\program files\Sony Ericsson
2009-05-20 05:03 . 2009-05-20 05:03 -------- d-----w- c:\program files\Sony
2009-05-20 04:50 . 2009-05-20 04:49 21955888 ----a-w- c:\documents and settings\server2\Application Data\Sony Setup\A189E68E-2253-4C3B-86B7-D77E36F13C55\QuickTimeInstaller.exe
2009-05-20 04:49 . 2009-05-20 04:48 23510720 ----a-w- c:\documents and settings\server2\Application Data\Sony Setup\09063B41-0916-4360-A80D-0C2A2B89D300\dotnetfx.exe
2009-05-20 04:48 . 2009-05-20 04:48 2667792 ----a-w- c:\documents and settings\server2\Application Data\Sony Setup\CF356349-4782-4F9D-AE42-7E3C6AD74B9C\WindowsInstaller-KB893803-v2-x86.exe
2009-05-20 04:48 . 2009-05-20 04:48 -------- d-----w- c:\documents and settings\server2\Application Data\Sony Setup
2009-05-20 04:46 . 2009-05-20 04:46 -------- d-----w- c:\program files\Sony Setup
2009-05-15 05:33 . 2009-05-15 05:33 -------- d-----w- c:\program files\MemoriesOnTV3
2009-05-14 07:12 . 2009-05-14 07:12 -------- d-----w- c:\program files\Wondershare
2009-05-13 10:18 . 2009-05-13 10:18 -------- d-----w- c:\documents and settings\server2\Application Data\U3
2009-05-10 10:58 . 2009-05-10 10:58 -------- d-----w- c:\documents and settings\server2\Application Data\CyberLink
2009-05-10 10:58 . 2009-05-10 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-05-09 11:22 . 2009-05-09 11:22 7680 ----a-w- c:\documents and settings\server2\Application Data\Thinstall\MemoriesOnTV 4\40000034900002i\Motv.exe
2009-05-09 11:22 . 2009-05-09 11:22 -------- d-----w- c:\documents and settings\server2\Application Data\Thinstall
2009-05-09 08:17 . 2009-05-09 08:17 -------- d-----w- c:\program files\Imikimi
2009-05-08 12:25 . 2009-05-08 12:25 162500 ----a-w- c:\windows\Cafezee Server Uninstaller.exe
2009-05-08 12:09 . 2009-05-08 06:37 68456 ----a-w- c:\documents and settings\server2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-08 10:00 . 2009-05-08 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-05-08 10:00 . 2009-05-08 09:59 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-05-08 07:54 . 2009-05-08 07:54 -------- d-----w- c:\program files\Magic Video Converter
2009-05-08 07:53 . 2009-05-08 07:53 -------- d-----w- c:\program files\Cucusoft
2009-05-08 07:48 . 2009-05-08 07:48 -------- d-----w- c:\program files\DataDoctorRecovery
2009-05-08 07:20 . 2009-05-08 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-08 07:05 . 2009-05-08 07:05 -------- d-----w- c:\documents and settings\server2\Application Data\EPSON
2009-05-08 06:57 . 2009-05-08 06:57 0 ----a-w- c:\windows\nsreg.dat
2009-05-08 06:47 . 2009-05-08 06:47 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint
2009-05-08 06:44 . 2009-05-08 06:44 -------- d-----w- c:\program files\epson
2009-05-08 06:40 . 2009-05-08 06:40 -------- d-----w- c:\program files\Vimicro
2009-05-08 06:40 . 2009-05-08 06:40 -------- d-----w- c:\documents and settings\server2\Application Data\InstallShield
2009-05-08 06:16 . 2009-05-08 06:16 -------- d-----w- c:\program files\HP
2009-05-08 06:10 . 2009-05-07 11:41 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-05-08 06:10 . 2008-08-24 04:11 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-05-08 06:10 . 2009-05-07 11:33 69632 ------r- c:\windows\Alcmtr.exe
2009-05-08 06:10 . 2009-05-07 11:01 86016 ------r- c:\windows\SoundMan.exe
2009-05-08 06:10 . 2009-05-07 11:01 1826816 ------r- c:\windows\SkyTel.exe
2009-05-08 03:11 . 2009-05-08 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-05-08 03:09 . 2009-05-08 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-05-07 12:01 . 2009-05-07 12:01 -------- d-----w- c:\documents and settings\server2\Application Data\Yahoo!
2009-05-07 12:01 . 2009-05-07 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-07 12:01 . 2009-05-07 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-07 12:01 . 2009-05-07 12:01 -------- d-----w- c:\program files\Yahoo!
2009-05-07 11:46 . 2009-05-07 11:46 -------- d-----w- c:\program files\lg_fwupdate
2009-05-07 11:42 . 2009-05-07 11:42 -------- d-----w- c:\program files\Common Files\LightScribe
2009-05-07 11:40 . 2009-05-07 11:40 -------- d-----w- c:\program files\Common Files\Ahead
2009-05-07 11:40 . 2009-05-07 11:40 -------- d-----w- c:\program files\Ahead
2009-05-07 11:39 . 2009-05-07 11:39 -------- d-----w- c:\program files\CyberLink
2009-05-07 11:39 . 2009-05-07 11:39 -------- d-----w- c:\program files\CyberLink DVD Solution
2009-05-07 11:27 . 2009-05-07 11:27 -------- d-----w- c:\program files\Microsoft Works
2009-05-07 11:27 . 2009-05-07 11:27 -------- d-----w- c:\program files\MSBuild
2009-05-07 11:25 . 2009-05-07 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 11:21 . 2009-05-07 11:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-07 11:19 . 2009-05-07 11:19 -------- d-----w- c:\program files\CardRecovery
2009-05-07 11:13 . 2009-05-07 11:13 -------- d-----w- c:\program files\Symantec
2009-05-07 11:13 . 2009-05-07 11:01 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-07 11:12 . 2009-05-07 11:12 -------- d-----w- c:\documents and settings\server2\Application Data\Apple Computer
2009-05-07 11:12 . 2009-05-07 11:11 -------- d-----w- c:\program files\iTunes
2009-05-07 11:12 . 2009-05-07 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-05-07 11:12 . 2009-05-07 11:12 -------- d-----w- c:\program files\iPod
2009-05-07 11:11 . 2009-05-07 11:11 -------- d-----w- c:\program files\Common Files\Apple
2009-05-07 11:11 . 2009-05-07 11:11 -------- d-----w- c:\program files\Bonjour
2009-05-07 11:11 . 2009-05-07 11:11 -------- d-----w- c:\program files\QuickTime
2009-05-07 11:11 . 2009-05-07 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-07 11:11 . 2009-05-07 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-05-07 11:10 . 2009-05-07 11:10 -------- d-----w- c:\program files\Google
2009-05-07 11:10 . 2009-05-07 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-07 11:10 . 2009-05-07 11:10 -------- d-----w- c:\program files\Skype
2009-05-07 11:04 . 2009-05-07 11:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-07 11:01 . 2009-05-07 11:01 -------- d-----w- c:\program files\Realtek
2009-05-07 11:01 . 2009-05-07 11:01 315392 ----a-w- c:\windows\HideWin.exe
2009-05-07 10:55 . 2009-05-07 10:55 -------- d-----w- c:\program files\microsoft frontpage
2009-05-07 10:52 . 2009-05-07 10:52 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2004-10-01 07:00 . 2009-05-07 11:39 114688 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-18 138488]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4441328]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2897816]
"PowerBar"="c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-24 13574144]
"VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 131072]
"Domino"="c:\windows\Domino.EXE" [2006-06-28 122880]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 172032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-06-17 495616]
"USB2.0"="c:\documents and settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe" [1999-12-31 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 113520]
"Keyboard"="c:\documents and settings\All Users\Application Data\Fearghus\lsass.exe" [1999-12-31 106496]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\server2\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 183296]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 176456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
kbdrv16.com [2000-1-1 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"CZ_RESTRICTEDUSER"= 1 (0x1)
"Run"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe c:\windows\system32\keyboard\services.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SkyTel.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Registry Mechanic\\RegMech.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Fearghus\\lsass.exe"=
"c:\\Program Files\\Common Files\\Adobe Systems Shared\\Service\\Adobelmsvc.exe"=
"\\\\Pc08\\my documents\\My Pictures\\My Pictures.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"d:\\Cafezee2\\czpinger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3874:TCP"= 3874:TCP:hbybvt

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 32784]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [5/8/2009 2:41 PM 428160]
S2 cswjy;Shell Manager;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 9:07 AM 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DAC970NT

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cswjy
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BigDog303 - c:\windows\VM303_STI.EXE
HKLM-Run-Shell23 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {F92C77EF-BBAC-4A56-9FAF-5A570D83C5B2} = 192.168.2.1
DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} - hxxp://124.106.161.28/IPCamPluginMJPEG.cab
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 11:28
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\cswjy]
"ServiceDll"="c:\windows\system32\hfszcaf.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3956)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-24 11:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 03:29

Pre-Run: 51,721,404,416 bytes free
Post-Run: 53,071,106,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

319

s3r3nity
2009-06-24, 06:35
hi! tnx for your response..here's the combofix log

ComboFix 09-06-22.0E - server2 06/24/2009 11:23.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.404 [GMT 8:00]
Running from: c:\documents and settings\server2\My Documents\Mozilla Downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\restore\H-6-1-53-0976546321-090909032-8763-1337
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
C:\Autorun.inf
C:\MS-DOS.com
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\restore\H-6-1-53-0976546321-090909032-8763-1337\Desktop.ini
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\Cursors\Boom.vbs
c:\windows\Fonts\fonts.exe
c:\windows\Fonts\tskmgr.exe
c:\windows\Fonts\wav.wav
c:\windows\Help\Microsoft.hlp
c:\windows\Media\rndll32.pif
c:\windows\pchealth\Global.exe
c:\windows\pchealth\helpctr\binaries\HelpHost.com
c:\windows\system\KEYBOARD.exe
c:\windows\system32\autorun.ini
c:\windows\system32\blastclnnn.exe
c:\windows\system32\dllcache\autorun.inf
c:\windows\system32\dllcache\Default.exe
c:\windows\system32\dllcache\Global.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
c:\windows\system32\dllcache\rndll32.exe
c:\windows\system32\dllcache\tskmgr.exe
c:\windows\system32\drivers\drivers.cab.exe
c:\windows\system32\drivers\kl1.sys
c:\windows\system32\msxml71.dll
c:\windows\system32\regedit.exe
c:\windows\system32\setting.ini
c:\windows\system32\SSCVIHOST.exe
c:\windows\system32\uninstall.exe
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DAC970NT
-------\Service_dac970nt


((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-23 07:34 . 2009-06-23 07:34 -------- d-----w- c:\program files\ImTOO
2009-06-23 03:39 . 2009-06-23 03:39 -------- d-----w- c:\program files\trend micro
2009-06-23 03:39 . 2009-06-23 03:39 -------- d-----w- C:\rsit
2009-06-23 02:54 . 2007-05-15 02:34 253661 ----a-w- c:\windows\SSCVIHOST.exe
2009-06-19 09:09 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\server2\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-06-19 09:09 . 2009-06-19 09:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-19 09:08 . 2009-06-19 09:08 155648 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-19 09:08 . 2009-06-19 09:08 -------- d-----w- c:\program files\NOS
2009-06-19 09:08 . 2009-06-19 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-19 05:23 . 2009-06-19 05:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-19 05:23 . 2009-06-19 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-19 05:04 . 2009-06-19 05:04 96976 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-19 05:04 . 2009-06-19 05:04 87855 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-19 05:03 . 2009-06-19 05:03 -------- d-----w- c:\program files\Kaspersky Lab
2009-06-18 04:33 . 2009-06-18 04:33 -------- d-----w- c:\windows\system32\keyboard
2009-06-18 04:33 . 2009-06-18 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Fearghus
2009-06-14 03:05 . 2009-06-14 03:05 -------- d-sh--w- C:\FOUND.007
2009-06-14 02:56 . 2009-06-14 02:56 544768 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\SanDiskFormatExtension.dll
2009-06-14 02:56 . 2009-06-14 02:56 4702208 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\LaunchPad.exe
2009-06-14 02:56 . 2009-06-14 02:56 3428352 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\Launchpad Removal.exe
2009-06-14 02:56 . 2009-06-14 02:56 2600960 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\u3dapi10.dll
2009-06-14 02:56 . 2009-06-14 02:56 2129920 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\LPSecurityExtension.dll
2009-06-14 02:56 . 2009-06-14 02:56 180224 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\cleanup.exe
2009-06-14 02:56 . 2009-06-14 02:56 132408 ----a-w- c:\documents and settings\server2\Application Data\U3\351480056C0284AF\U3AccessGrant.exe
2009-06-11 12:08 . 2009-06-24 03:25 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-11 03:26 . 2009-06-11 03:26 -------- d-sh--w- C:\FOUND.006
2009-06-09 06:56 . 2009-06-09 06:56 -------- d-sh--r- C:\RESTORE
2009-06-09 02:04 . 2009-06-09 02:04 -------- d-sh--w- C:\FOUND.005
2009-06-03 07:12 . 2009-06-03 07:12 -------- d-sh--w- C:\FOUND.004
2009-06-03 02:08 . 2009-06-03 02:08 -------- d-sh--w- C:\FOUND.003
2009-05-29 11:35 . 2009-05-29 11:35 -------- d-----w- c:\program files\AdultPDF
2009-05-28 04:05 . 2009-05-28 04:05 -------- d-sh--w- C:\FOUND.002

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 05:15 . 2009-05-08 03:11 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-19 05:15 . 2009-05-08 03:11 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-19 05:15 . 2009-05-08 03:11 1404960 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-19 05:15 . 2009-05-08 03:11 12056 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-17 10:42 . 2008-08-24 04:11 870944 ----a-w- c:\windows\system32\nvcplui.exe
2009-06-17 10:37 . 2009-05-07 12:01 677104 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-06-17 10:37 . 2008-07-04 05:35 132456 ----a-w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe
2009-06-17 10:33 . 2009-01-06 05:50 148776 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.0.2.20\SetupAdmin.exe
2009-06-15 11:19 . 2009-05-13 10:19 192512 ----a-w- c:\documents and settings\server2\Application Data\U3\temp\cleanup.exe
2009-06-15 11:19 . 2009-05-13 10:18 3174400 ---ha-w- c:\documents and settings\server2\Application Data\U3\temp\Launchpad Removal.exe
2009-05-28 12:19 . 2009-05-07 10:54 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-20 05:08 . 2009-05-20 05:08 -------- d-----w- c:\documents and settings\server2\Application Data\Sony
2009-05-20 05:08 . 2009-05-20 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-05-20 05:03 . 2009-05-20 05:03 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-05-20 05:03 . 2009-05-20 05:03 -------- d-----w- c:\program files\Sony Ericsson
2009-05-20 05:03 . 2009-05-20 05:03 -------- d-----w- c:\program files\Sony
2009-05-20 04:50 . 2009-05-20 04:49 21955888 ----a-w- c:\documents and settings\server2\Application Data\Sony Setup\A189E68E-2253-4C3B-86B7-D77E36F13C55\QuickTimeInstaller.exe
2009-05-20 04:49 . 2009-05-20 04:48 23510720 ----a-w- c:\documents and settings\server2\Application Data\Sony Setup\09063B41-0916-4360-A80D-0C2A2B89D300\dotnetfx.exe
2009-05-20 04:48 . 2009-05-20 04:48 2667792 ----a-w- c:\documents and settings\server2\Application Data\Sony Setup\CF356349-4782-4F9D-AE42-7E3C6AD74B9C\WindowsInstaller-KB893803-v2-x86.exe
2009-05-20 04:48 . 2009-05-20 04:48 -------- d-----w- c:\documents and settings\server2\Application Data\Sony Setup
2009-05-20 04:46 . 2009-05-20 04:46 -------- d-----w- c:\program files\Sony Setup
2009-05-15 05:33 . 2009-05-15 05:33 -------- d-----w- c:\program files\MemoriesOnTV3
2009-05-14 07:12 . 2009-05-14 07:12 -------- d-----w- c:\program files\Wondershare
2009-05-13 10:18 . 2009-05-13 10:18 -------- d-----w- c:\documents and settings\server2\Application Data\U3
2009-05-10 10:58 . 2009-05-10 10:58 -------- d-----w- c:\documents and settings\server2\Application Data\CyberLink
2009-05-10 10:58 . 2009-05-10 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-05-09 11:22 . 2009-05-09 11:22 7680 ----a-w- c:\documents and settings\server2\Application Data\Thinstall\MemoriesOnTV 4\40000034900002i\Motv.exe
2009-05-09 11:22 . 2009-05-09 11:22 -------- d-----w- c:\documents and settings\server2\Application Data\Thinstall
2009-05-09 08:17 . 2009-05-09 08:17 -------- d-----w- c:\program files\Imikimi
2009-05-08 12:25 . 2009-05-08 12:25 162500 ----a-w- c:\windows\Cafezee Server Uninstaller.exe
2009-05-08 12:09 . 2009-05-08 06:37 68456 ----a-w- c:\documents and settings\server2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-08 10:00 . 2009-05-08 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-05-08 10:00 . 2009-05-08 09:59 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-05-08 07:54 . 2009-05-08 07:54 -------- d-----w- c:\program files\Magic Video Converter
2009-05-08 07:53 . 2009-05-08 07:53 -------- d-----w- c:\program files\Cucusoft
2009-05-08 07:48 . 2009-05-08 07:48 -------- d-----w- c:\program files\DataDoctorRecovery
2009-05-08 07:20 . 2009-05-08 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-08 07:05 . 2009-05-08 07:05 -------- d-----w- c:\documents and settings\server2\Application Data\EPSON
2009-05-08 06:57 . 2009-05-08 06:57 0 ----a-w- c:\windows\nsreg.dat
2009-05-08 06:47 . 2009-05-08 06:47 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint
2009-05-08 06:44 . 2009-05-08 06:44 -------- d-----w- c:\program files\epson
2009-05-08 06:40 . 2009-05-08 06:40 -------- d-----w- c:\program files\Vimicro
2009-05-08 06:40 . 2009-05-08 06:40 -------- d-----w- c:\documents and settings\server2\Application Data\InstallShield
2009-05-08 06:16 . 2009-05-08 06:16 -------- d-----w- c:\program files\HP
2009-05-08 06:10 . 2009-05-07 11:41 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-05-08 06:10 . 2008-08-24 04:11 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-05-08 06:10 . 2009-05-07 11:33 69632 ------r- c:\windows\Alcmtr.exe
2009-05-08 06:10 . 2009-05-07 11:01 86016 ------r- c:\windows\SoundMan.exe
2009-05-08 06:10 . 2009-05-07 11:01 1826816 ------r- c:\windows\SkyTel.exe
2009-05-08 03:11 . 2009-05-08 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-05-08 03:09 . 2009-05-08 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-05-07 12:01 . 2009-05-07 12:01 -------- d-----w- c:\documents and settings\server2\Application Data\Yahoo!
2009-05-07 12:01 . 2009-05-07 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-07 12:01 . 2009-05-07 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-07 12:01 . 2009-05-07 12:01 -------- d-----w- c:\program files\Yahoo!
2009-05-07 11:46 . 2009-05-07 11:46 -------- d-----w- c:\program files\lg_fwupdate
2009-05-07 11:42 . 2009-05-07 11:42 -------- d-----w- c:\program files\Common Files\LightScribe
2009-05-07 11:40 . 2009-05-07 11:40 -------- d-----w- c:\program files\Common Files\Ahead
2009-05-07 11:40 . 2009-05-07 11:40 -------- d-----w- c:\program files\Ahead
2009-05-07 11:39 . 2009-05-07 11:39 -------- d-----w- c:\program files\CyberLink
2009-05-07 11:39 . 2009-05-07 11:39 -------- d-----w- c:\program files\CyberLink DVD Solution
2009-05-07 11:27 . 2009-05-07 11:27 -------- d-----w- c:\program files\Microsoft Works
2009-05-07 11:27 . 2009-05-07 11:27 -------- d-----w- c:\program files\MSBuild
2009-05-07 11:25 . 2009-05-07 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 11:21 . 2009-05-07 11:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-07 11:19 . 2009-05-07 11:19 -------- d-----w- c:\program files\CardRecovery
2009-05-07 11:13 . 2009-05-07 11:13 -------- d-----w- c:\program files\Symantec
2009-05-07 11:13 . 2009-05-07 11:01 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-07 11:12 . 2009-05-07 11:12 -------- d-----w- c:\documents and settings\server2\Application Data\Apple Computer
2009-05-07 11:12 . 2009-05-07 11:11 -------- d-----w- c:\program files\iTunes
2009-05-07 11:12 . 2009-05-07 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-05-07 11:12 . 2009-05-07 11:12 -------- d-----w- c:\program files\iPod
2009-05-07 11:11 . 2009-05-07 11:11 -------- d-----w- c:\program files\Common Files\Apple
2009-05-07 11:11 . 2009-05-07 11:11 -------- d-----w- c:\program files\Bonjour
2009-05-07 11:11 . 2009-05-07 11:11 -------- d-----w- c:\program files\QuickTime
2009-05-07 11:11 . 2009-05-07 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-07 11:11 . 2009-05-07 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-05-07 11:10 . 2009-05-07 11:10 -------- d-----w- c:\program files\Google
2009-05-07 11:10 . 2009-05-07 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-07 11:10 . 2009-05-07 11:10 -------- d-----w- c:\program files\Skype
2009-05-07 11:04 . 2009-05-07 11:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-07 11:01 . 2009-05-07 11:01 -------- d-----w- c:\program files\Realtek
2009-05-07 11:01 . 2009-05-07 11:01 315392 ----a-w- c:\windows\HideWin.exe
2009-05-07 10:55 . 2009-05-07 10:55 -------- d-----w- c:\program files\microsoft frontpage
2009-05-07 10:52 . 2009-05-07 10:52 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2004-10-01 07:00 . 2009-05-07 11:39 114688 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-18 138488]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4441328]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2897816]
"PowerBar"="c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-24 13574144]
"VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 131072]
"Domino"="c:\windows\Domino.EXE" [2006-06-28 122880]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 172032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-06-17 495616]
"USB2.0"="c:\documents and settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe" [1999-12-31 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 113520]
"Keyboard"="c:\documents and settings\All Users\Application Data\Fearghus\lsass.exe" [1999-12-31 106496]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\server2\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 183296]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 176456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
kbdrv16.com [2000-1-1 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"CZ_RESTRICTEDUSER"= 1 (0x1)
"Run"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe c:\windows\system32\keyboard\services.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SkyTel.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Registry Mechanic\\RegMech.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Fearghus\\lsass.exe"=
"c:\\Program Files\\Common Files\\Adobe Systems Shared\\Service\\Adobelmsvc.exe"=
"\\\\Pc08\\my documents\\My Pictures\\My Pictures.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"d:\\Cafezee2\\czpinger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3874:TCP"= 3874:TCP:hbybvt

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 32784]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [5/8/2009 2:41 PM 428160]
S2 cswjy;Shell Manager;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 9:07 AM 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DAC970NT

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cswjy
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BigDog303 - c:\windows\VM303_STI.EXE
HKLM-Run-Shell23 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {F92C77EF-BBAC-4A56-9FAF-5A570D83C5B2} = 192.168.2.1
DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} - hxxp://124.106.161.28/IPCamPluginMJPEG.cab
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 11:28
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\cswjy]
"ServiceDll"="c:\windows\system32\hfszcaf.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3956)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-24 11:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 03:29

Pre-Run: 51,721,404,416 bytes free
Post-Run: 53,071,106,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

319

Blade81
2009-06-24, 17:43
Hi,

Please see if you can run dds now and post back contents of dds.txt file if run was successful :)

s3r3nity
2009-06-25, 05:47
Gudmoring! here's the dds log


DDS (Ver_09-05-14.01) - FAT32x86
Run by server2 at 10:44:07.39 on Thu 06/25/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.392 [GMT 8:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
D:\Cafezee2\Server.exe
D:\Cafezee2\czpinger.exe
C:\DOCUME~1\server2\LOCALS~1\Temp\winyieoeg.exe
C:\DOCUME~1\server2\LOCALS~1\Temp\winqsdwpg.exe
C:\DOCUME~1\server2\LOCALS~1\Temp\wa70ca.exe
C:\DOCUME~1\server2\LOCALS~1\Temp\kveui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\server2\My Documents\Mozilla Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Shell=Explorer.exe c:\windows\system32\keyboard\services.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [PowerBar] "c:\program files\cyberlink dvd solution\multimedia launcher\PowerBar.exe" /AtBootTime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [VMSnap3] c:\windows\VMSnap3.EXE
mRun: [Domino] c:\windows\Domino.EXE
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [USB2.0] c:\documents and settings\all users\application data\microsoft\usb2.0\usb-hi.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Keyboard] c:\documents and settings\all users\application data\fearghus\lsass.exe
mRun: [BigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\server2\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\server2\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\kbdrv16.com
uPolicies-explorer: HideClock = 0 (0x0)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: CZ_RESTRICTEDUSER = 1 (0x1)
mPolicies-explorer: Run = 1 (0x1)
mPolicies-explorer: HideClock = 0 (0x0)
mPolicies-system: DisableStatusMessages = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} - hxxp://124.106.161.28/IPCamPluginMJPEG.cab
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
TCP: {F92C77EF-BBAC-4A56-9FAF-5A570D83C5B2} = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\server2\applic~1\mozilla\firefox\profiles\hww1dnbz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npkimi.dll
FF - plugin: h:\quicktime\plugins\npqtplugin.dll
FF - plugin: h:\quicktime\plugins\npqtplugin2.dll
FF - plugin: h:\quicktime\plugins\npqtplugin3.dll
FF - plugin: h:\quicktime\plugins\npqtplugin4.dll
FF - plugin: h:\quicktime\plugins\npqtplugin5.dll
FF - plugin: h:\quicktime\plugins\npqtplugin6.dll
FF - plugin: h:\quicktime\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R3 dac970nt;dac970nt;\??\c:\windows\system32\drivers\njklm.sys --> c:\windows\system32\drivers\njklm.sys [?]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2009-5-8 428160]
S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S2 cswjy;Shell Manager;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

=============== Created Last 30 ================

2009-06-24 13:30 <DIR> --dsh--- C:\Recycled
2009-06-24 11:29 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-24 11:20 <DIR> a-dshr-- C:\cmdcons
2009-06-24 11:17 161,792 a------- c:\windows\SWREG.exe
2009-06-24 11:17 155,136 a------- c:\windows\PEV.exe
2009-06-24 11:17 98,816 a------- c:\windows\sed.exe
2009-06-23 15:34 <DIR> --d----- c:\program files\ImTOO
2009-06-23 11:39 <DIR> --d----- c:\program files\trend micro
2009-06-23 10:54 253,661 a------- c:\windows\SSCVIHOST.exe
2009-06-19 13:23 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-19 13:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-19 13:04 96,976 a------- c:\windows\system32\drivers\klin.dat
2009-06-19 13:04 87,855 a------- c:\windows\system32\drivers\klick.dat
2009-06-19 13:03 <DIR> --d----- c:\program files\Kaspersky Lab
2009-06-18 20:20 0 a------- C:\cb256e
2009-06-18 12:33 <DIR> --d----- c:\windows\system32\keyboard
2009-06-18 12:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Fearghus
2009-06-14 11:05 <DIR> --dsh--- C:\FOUND.007
2009-06-11 20:08 12 a------- c:\windows\bthservsdp.dat
2009-06-11 11:26 <DIR> --dsh--- C:\FOUND.006
2009-06-09 14:56 <DIR> --dshr-- C:\RESTORE
2009-06-09 10:04 <DIR> --dsh--- C:\FOUND.005
2009-06-07 11:09 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-03 15:12 <DIR> --dsh--- C:\FOUND.004
2009-06-03 10:08 <DIR> --dsh--- C:\FOUND.003
2009-05-29 19:35 71 a------- c:\windows\system32\ap_i2p.ini
2009-05-29 19:35 <DIR> --d----- c:\program files\AdultPDF
2009-05-29 10:01 5,632 a--sh--- C:\Thumbs.db
2009-05-29 10:01 63,636 a------- C:\1.jpg
2009-05-28 12:05 <DIR> --dsh--- C:\FOUND.002

==================== Find3M ====================

2009-06-19 13:15 1,404,960 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-19 13:15 12,056 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-19 13:15 32 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-19 13:15 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-17 18:42 870,944 a------- c:\windows\system32\nvcplui.exe
2009-06-17 18:32 307,200 a--shr-- c:\windows\system32\dllcache\svchost.exe
2009-05-28 20:19 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-08 20:25 162,500 a------- c:\windows\Cafezee Server Uninstaller.exe
2009-05-08 14:10 1,657,376 a------- c:\windows\system32\nwiz.exe
2009-05-08 14:10 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-05-08 14:10 1,826,816 -----r-- c:\windows\SkyTel.exe
2009-05-08 14:10 86,016 -----r-- c:\windows\SoundMan.exe
2009-05-08 14:10 69,632 -----r-- c:\windows\Alcmtr.exe
2009-05-07 19:01 315,392 a------- c:\windows\HideWin.exe
2009-05-07 18:52 21,640 a------- c:\windows\system32\emptyregdb.dat
2004-10-01 15:00 114,688 a------- c:\program files\Uninstall_CDS.exe

============= FINISH: 10:44:18.37 ===============

s3r3nity
2009-06-25, 05:50
and here's the attach.txt, i also attached a zip file of it ( there's a notice that attach.txt should be zipped not post in the forum,just to be sure :laugh:) tnx for your responsing....

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/7/2009 6:57:26 PM
System Uptime: 6/25/2009 9:56:56 AM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5SD2-VM
Processor: Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz | LGA 775 | 1799/200mhz
Processor: Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz | LGA 775 | 1799/200mhz

==== Disk Partitions =========================

C: is FIXED (FAT32) - 74 GiB total, 48.744 GiB free.
D: is FIXED (FAT32) - 75 GiB total, 22.718 GiB free.
E: is FIXED (FAT32) - 37 GiB total, 10.429 GiB free.
F: is FIXED (FAT32) - 37 GiB total, 2.046 GiB free.
G: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP43: 6/21/2009 8:25:26 PM - System Checkpoint
RP44: 6/24/2009 11:18:22 AM - ComboFix created restore point

==== Installed Programs ======================

A4 TECH PC Camera H
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.1
Bonjour
Cafezee Server
CardRecovery
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
DVD Solution
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Event Manager
EPSON File Manager
EPSON Scan Assistant
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB926239)
HP 900 Inkjet Printer
Image To PDF v3.3.0
Imikimi Plugin
ImTOO Video Editor
InCD
iTunes
Kaspersky Anti-Virus 2009
LG ODD Auto Firmware Update
LightScribe 1.4.124.1
Magic Video Converter Trial Version (English) 8.0.2.18
MemoriesOnTV 3.1.8
MemoriesOnTV ClipShow Volume 1
Microsoft .NET Framework 2.0
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
Multimedia Launcher
Nero OEM
Norton PartitionMagic
Norton PartitionMagic 8.0
NVIDIA Drivers
PerfV350 User's Guide
PowerDVD
PowerProducer
QuickTime
Realtek High Definition Audio Driver
Registry Mechanic 8.0
Skype™ 3.8
Sony Ericsson Media Manager 1.2
Spybot - Search & Destroy
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
WinRAR archiver
Wondershare Photo Story Platinum 3.1.0 trial version
Yahoo! Messenger
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

6/24/2009 11:27:00 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: kl1
6/24/2009 11:23:07 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
6/18/2009 10:03:39 AM, error: Service Control Manager [7023] - The Shell Manager service terminated with the following error: The specified module could not be found.

==== End Of File ===========================

Blade81
2009-06-25, 17:31
Hi,

Download the latest version of Kaspersky Virus Removal Tool (ftp://downloads2.kaspersky-labs.com/devbuilds/AVPTool)

* Close all other applications and double-click and run the installer.
* When AVPTool starts, select all the scanable items except for CD-ROM drives and click the Scan button.
* If malware is detected, don't remove anything.
* After the scan finishes, don't neutralize anything.
* In the Scan window click the Reports button and select Save to file.
* Name the report AVPT.txt, and save it to the Desktop.
* Close AVPTool.
* You will be prompted if you want to uninstall the program; click Yes.
* You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
* Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.

s3r3nity
2009-06-26, 07:30
hello,
i already donwloaded the virus removal tool, the problem is after the installation process the pc will restart automatically. i also noticed that during installation it creates a folder in my desktop but after the pc restart the folder is gone...i think there's something blocking the tool to install in my pc....i also tried to install it in the safe mode but when i select the safe mode option the pc will start also.. what should i do?

s3r3nity
2009-06-26, 07:30
and also there's a error appear when the windows open..it says " error while unpacking code LP5"

Blade81
2009-06-26, 17:42
Hi,

Let's try another scanner then.

We need to run a system scan with Dr. Web CureIt
Please download DrWeb-CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) & save it to your desktop.
DO NOT perform a scan yet.
Reboot your computer in
SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)
using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in
Safe Mode
. Do not select
Safe Mode with Networking
or
Safe Mode with Command Prompt
.
Double-click on drweb-cureit.exe to start the program. An
Express Scan of your PC
notice will appear.
Under
Start the Express Scan Now
, Click
OK
to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the
Scan tab
and UNcheck
Heuristic analysis

Back at the main window, click
Complete Scan

Then click the
Start/Stop Scanning
button (green arrow on the right) and the scan will start.
When done, a message will be displayed at the bottom advising if any viruses were found.
Click
Yes to all
if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select
Move incurable
.
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

In your next reply, please include the following:
Dr.Web's Log

s3r3nity
2009-06-28, 05:17
hi,

i can't log in to safe mode :confused: everytime i will select "safemode" the pc will just restart again..i also tried the other option still to progress i can only log in in normal mode.....can't we just run the dr web cureit in normal mode?

Blade81
2009-06-28, 13:29
Yes, try in normal mode.

s3r3nity
2009-06-30, 08:48
hi, sori for the delay...am having trouble to download the drcureit using the infected pc,so i wat i did is download it frm other pc and save it to my thumb drve.the problem is i cannot run the drcureit in the infected pc,when i double click it, the pc will hang up for a few seconds then thats all nothing happen. its like something is blocking it from running....what should i do i can't run it in safemode and in normal mode...i hope ther's still other way

Blade81
2009-06-30, 17:56
Hi,

I was trying to get some scanner to run to prove there's a Sality file infector present in your system meaning reformat as only sensible solution.

Though you weren't able to get scanners to run there's enough evidence (like safe mode disabled + some signs in the log) to show that infection is present.


If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
What Should I Do If I've Become A Victim Of Identity Theft? (http://www.usdoj.gov/criminal/fraud/websites/idtheft.html#whatifvictim)
Identity Theft Victims Guide - What to do (http://www.privacyrights.org/fs/fs17a.htm)
There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Help: I Got Hacked. Now What Do I Do? (http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx)
Where to draw the line? When to recommend a format and reinstall? (http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html)

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no quarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

I DO NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image (http://en.wikipedia.org/wiki/ISO_image) file format. Avira uses an EXE that has built-in CD burning capability.
Avira AntiVir Rescue System (http://www.raymond.cc/blog/archives/2008/06/28/free-avira-antivir-rescue-system-cd-to-clean-unremovable-virus/) - Avira's download page (http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html).
If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Tools Support Forum (http://forum.avira.com/wbb/index.php?page=Board&boardID=210).
Dr Web LiveCD (http://www.freedrweb.com/livecd/). Be sure to print out and follow the instructions provided in the User Manual (ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf).
F-Secure Rescue CD (http://www.techmixer.com/free-f-secure-rescue-bootable-cd-to-clean-virus-and-malware/) - Rescue CD 3.01 released (http://www.f-secure.com/linux-weblog/2008/06/).
Video: How to Remove Malware with F-Secure Rescue CD (http://blog.misec.net/2008/09/19/removing-malware-with-f-secure-rescue-cd/)
If you encounter problems running the Rescue CD, you can get further assistance at the F-Secure Support Forum (http://forum.f-secure.com/default.asp?sectionid=0).
BitDefender LiveCD (http://www.techmixer.com/bitdefender-rescue-cd-with-auto-update-virus-definition-features/) - Index of /rescue_cd (http://download.bitdefender.com/rescue_cd/)
If you encounter problems running the Rescue CD, you can get further assistance at the BitDefender Support Forum (http://forum.bitdefender.com/index.php?showforum=185).
Kaspersky RescueDisk (http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/) - Index of /devbuilds/RescueDisk/ (http://ftp.kaspersky.com/devbuilds/RescueDisk/)
If you encounter problems running the RescueDisk, you can get further assistance at the Kaspersky Support Forum (http://forum.kaspersky.com/index.php?showforum=4).
If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO (http://www.bleepingcomputer.com/tutorials/tutorial114.html). If you need a FREE utility to burn the ISO image, download and use ImgBurn (http://www.imgburn.com/).

s3r3nity
2009-07-02, 06:33
well i guess i have no choice but to format the pc....thank you very much for your help and for your time..godbless! :thanks::2thumb::2thumb:

Blade81
2009-07-02, 08:16
I'm sorry that reformat was only the sensible solution in your case.

Anyway, I wish you safer computing :)

Blade81
2009-07-12, 11:32
Since this issue appears to be resolved ... this Topic has been closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.