I 've got i think the same problem then here
http://forums.spybot.info/showthread.php?t=51348

After trying to check the files with spybot, it shut itself off and and it changed its files permisson so i cannot use it anymore i ve got the same for HJT i just installed it and changed its files permssion

Someone can help me resolve this issue

Anyone knows how to fix it ?

i could save one file, the startup one of HJT but he still shut down after the scan i had to install it on a usb stick to keep the acces permisson unchanged, but i cannot anyway have the log file of the normal scan

StartupList report, 13/09/2009, 12:53:46
StartupList version: 1.52.2
Started from : M:\Documents\New Folder\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v8.00 (8.00.6001.18702)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\programe files\winamp\winampa.exe
D:\programe files\vmware\vmware-tray.exe
D:\programe files\vmware\hqtray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
D:\programe files\nero\Nero 8\Nero BackItUp\NBService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
D:\programe files\vmware\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\AVG\AVG8\avgtray.exe
M:\Documents\New Folder\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
WinampAgent = "D:\programe files\winamp\winampa.exe"
vmware-tray = D:\programe files\vmware\vmware-tray.exe
VMware hqtray = "D:\programe files\vmware\hqtray.exe"
UnlockerAssistant = "C:\Program Files\Unlocker\UnlockerAssistant.exe"
SoundMAXPnP = C:\Program Files\Analog Devices\Core\smax4pnp.exe
SoundMAX = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
PowerStrip = c:\program files\powerstrip\pstrip.exe
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
NeroFilterCheck = C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
NBKeyScan = "D:\programe files\nero\Nero 8\Nero BackItUp\NBKeyScan.exe"
Look 'n' Stop = "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
LogitechQuickCamRibbon = "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
GrooveMonitor = "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
AdobeCS4ServiceManager = "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
ACQTMOUSE = "C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
DAEMON Tools Lite = "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
CurseClient = C:\Program Files\Curse\CurseClient.exe -silent
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AdobeUpdater]
=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
(no name) - (no file) - {5C255C8A-E604-49b4-9D64-90988571CECB}
(no name) - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll - {A3BC75A2-1F87-4686-AA43-5347D756017C}

--------------------------------------------------

Enumerating Task Scheduler jobs:

{7B02EF0B-A410-4938-8480-9BA26420A627}.job
{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10c.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll||C:\WINDOWS\TEMP\logishrd\||C:\DOCUME~1\Shadow\LOCALS~1\Temp\_iu14D2N.tmp||C:\DOCUME~1\Shadow\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\Shadow\Cookies\index.dat||C:\DOCUME~1\Shadow\LOCALS~1\History\History.IE5\index.dat||C:\DOCUME~1\Shadow\LOCALS~1\Temp\uni16.tmp.bak||C:\DOCUME~1\Shadow\LOCALS~1\Temp\~nsu.tmp\Au_.exe||C:\DOCUME~1\Shadow\LOCALS~1\Temp\~nsu.tmp\Au_.exe||C:\DOCUME~1\Shadow\LOCALS~1\Temp\~nsu.tmp||C:\DOCUME~1\Shadow\LOCALS~1\Temp\~nsu.tmp\Bu_.exe||C:\DOCUME~1\Shadow\LOCALS~1\Temp\~nsu.tmp


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 8,418 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

I have followed the processe in the other post and download GMER and Win32kdiag.exe so that's the log from Win32kdiag.exe and gmer it still is running


Running from: C:\Documents and Settings\Shadow\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Shadow\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B1.tmp\ZAP1B1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP203.tmp\ZAP203.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP241.tmp\ZAP241.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4A2.tmp\ZAP4A2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E.tmp\ZAP9E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

and the Gmer One

i had a pop up who said GMER has found Rootkit activity
GMER 1.0.15.15077 [vglqrrcz.exe] - http://www.gmer.net
Rootkit scan 2009-09-13 14:05:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spxy.sys ZwCreateKey [0xB7EA70E0]
SSDT spxy.sys ZwEnumerateKey [0xB7EC5CA4]
SSDT spxy.sys ZwEnumerateValueKey [0xB7EC6032]
SSDT spxy.sys ZwOpenKey [0xB7EA70C0]
SSDT spxy.sys ZwQueryKey [0xB7EC610A]
SSDT spxy.sys ZwQueryValueKey [0xB7EC5F8A]
SSDT spxy.sys ZwSetValueKey [0xB7EC619C]

INT 0x63 ? 89B9DBF8
INT 0x63 ? 89B9DBF8
INT 0x63 ? 89B9DBF8
INT 0x63 ? 89B9DBF8
INT 0x83 ? 89DDEBF8
INT 0x83 ? 89DDEBF8
INT 0x83 ? 89B9DBF8
INT 0x83 ? 89DDEBF8
INT 0x84 ? 89B9DBF8
INT 0x94 ? 89B9DBF8
INT 0xA4 ? 89DDEBF8
INT 0xA4 ? 89DDEBF8
INT 0xA4 ? 89DDEBF8
INT 0xA4 ? 89DDEBF8
INT 0xA4 ? 89DDEBF8

---- Kernel code sections - GMER 1.0.15 ----

? spxy.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B6C888AC 5 Bytes JMP 89B9D1D8
.text adqs8ndc.SYS B6BAE386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text adqs8ndc.SYS B6BAE3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text adqs8ndc.SYS B6BAE3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text adqs8ndc.SYS B6BAE3C9 1 Byte [30]
.text adqs8ndc.SYS B6BAE3C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[520] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text D:\programe files\vmware\vmware-tray.exe[664] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
.text D:\programe files\vmware\vmware-tray.exe[664] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
.text D:\programe files\vmware\vmware-tray.exe[664] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
.text C:\WINDOWS\system32\winlogon.exe[792] ntdll.dll!NtLockProductActivationKeys 7C90D4AE 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\winlogon.exe[792] USER32.dll!GetSystemMetrics 7E418F9C 5 Bytes JMP 10001018 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\System32\svchost.exe[1452] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1452] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1452] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1624] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1624] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1624] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
.text D:\programe files\vmware\vmware-authd.exe[2368] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
.text D:\programe files\vmware\vmware-authd.exe[2368] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
.text D:\programe files\vmware\vmware-authd.exe[2368] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C9CB199A.x86.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA8042] spxy.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA813E] spxy.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA80C0] spxy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA8800] spxy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA86D6] spxy.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB7E9C] spxy.sys
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\adqs8ndc.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [02C02F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [02C02C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [02C02CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [02C02CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00E62F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00E62C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00E62CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00E62CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT D:\programe files\vmware\vmware-tray.exe[664] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
IAT D:\programe files\vmware\vmware-tray.exe[664] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1452] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1452] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
IAT D:\programe files\vmware\vmware-authd.exe[2368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C9CB199A.x86.dll
IAT D:\programe files\vmware\vmware-authd.exe[2368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C9CB199A.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89DDD1F8
Device \FileSystem\Fastfat \FatCdrom 898A5500
Device \Driver\USBSTOR \Device\0000008f 89883500

AttachedDevice \Driver\Tcpip \Device\Ip lnsfw1.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{A94CCCEF-BE76-41ED-8ED7-768433694899} 89A6C300

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 89B9C1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{050DEBF3-8298-4C85-AE66-C318194FBC3D} 89A6C300
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89E531F8
Device \Driver\dmio \Device\DmControl\DmConfig 89E531F8
Device \Driver\dmio \Device\DmControl\DmPnP 89E531F8
Device \Driver\dmio \Device\DmControl\DmInfo 89E531F8
Device \Driver\usbuhci \Device\USBPDO-1 89B9C1F8
Device \Driver\sptd \Device\3064280778 spxy.sys
Device \Driver\usbuhci \Device\USBPDO-2 89B9C1F8
Device \Driver\usbehci \Device\USBPDO-3 89B5F1F8
Device \Driver\PCI_PNP0778 \Device\00000054 spxy.sys
Device \Driver\usbuhci \Device\USBPDO-4 89B9C1F8

AttachedDevice \Driver\Tcpip \Device\Tcp lnsfw1.sys

Device \Driver\usbuhci \Device\USBPDO-5 89B9C1F8
Device \Driver\usbuhci \Device\USBPDO-6 89B9C1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89DDF1F8
Device \Driver\usbehci \Device\USBPDO-7 89B5F1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89DDF1F8
Device \Driver\Cdrom \Device\CdRom0 89B051F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 89DDF1F8
Device \Driver\Cdrom \Device\CdRom1 89B051F8
Device \Driver\Cdrom \Device\CdRom2 89B051F8
Device \Driver\Cdrom \Device\CdRom3 89B051F8
Device \Driver\USBSTOR \Device\00000090 89883500
Device \Driver\NetBT \Device\NetBt_Wins_Export 89A6C300
Device \Driver\USBSTOR \Device\00000091 89883500
Device \Driver\NetBT \Device\NetbiosSmb 89A6C300
Device \Driver\usbhub \Device\00000085 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000086 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000087 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000088 hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp lnsfw1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp lnsfw1.sys

Device \Driver\usbuhci \Device\USBFDO-0 89B9C1F8
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 89B9C1F8
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 89B9C1F8
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89849500
Device \Driver\usbehci \Device\USBFDO-3 89B5F1F8
Device \Driver\usbehci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89849500
Device \Driver\usbuhci \Device\USBFDO-4 89B9C1F8
Device \Driver\usbuhci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\Ftdisk \Device\FtControl 89DDF1F8
Device \Driver\usbuhci \Device\USBFDO-5 89B9C1F8
Device \Driver\usbuhci \Device\USBFDO-5 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-6 89B9C1F8
Device \Driver\usbuhci \Device\USBFDO-6 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000008b hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-7 89B5F1F8
Device \Driver\usbehci \Device\USBFDO-7 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000008c hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{722D0DBA-45C6-4A09-ACC1-9A9F1A61EAAF} 89A6C300
Device \Driver\usbhub \Device\0000008d hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\adqs8ndc \Device\Scsi\adqs8ndc1 89AF51F8
Device \FileSystem\Fastfat \Fat 898A5500

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89860500
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\Program Files\Soft4Ever\looknstop\looknstop.exe [444] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [512] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ D:\programe files\vmware\vmware-tray.exe [664] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1108] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1228] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\vmnat.exe [1416] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1452] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1592] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1624] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1692] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1812] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG8\avgnsx.exe [1924] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2312] 0x35670000
Library \\?\globalroot\Device\__max++>\C9CB199A.x86.dll (*** hidden *** ) @ D:\programe files\vmware\vmware-authd.exe [2368] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA3 0x68 0xC6 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF4 0xBC 0x6B 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAF 0xFA 0x55 0x98 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x06 0x69 0x15 0x30 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA3 0x68 0xC6 0xFB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF4 0xBC 0x6B 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAF 0xFA 0x55 0x98 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x06 0x69 0x15 0x30 ...

---- EOF - GMER 1.0.15 ----

Hello aloukar

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Please do not start any new topics, just reply to this thread by using the SUBMIT REPLY

Your infected with one of the latest nasty rootkits, lets see if we can clean it up.


Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).




Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Post the report for exehelper and the combofix log please

Thx for helping me this the log file of exehelper i think it doesn't show anything

i 'm going to use combofix now


exeHelper by Raktor - 09

Build 20090914

Run at 18:18:06 on 09/16/09

Now searching...

Checking for numerical processes...

Checking for bad processes...

Checking for bad files...

Resetting filetype association for .exe

Resetting filetype association for .com

--Finished--

Hi,

exehelper worked just fine :bigthumb: It reset all your permissions back that where blocking you from running some programs.

Go ahead with Combofix, dont forget to rename it

HI ken545

I 'am trying to turn off my AV, but he just wont i tried to uninstall it the same i had this error message


Local machine: installation failed
Initialization:
Warning: Checking of state of the item file avgcsrvx.exe failed.
File opening failed. %FILE% = ""
Error 0xe001042c
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005


so i cannot run combofix, who says that my AV can damage my computer if it still on when combofix run

actualy is only the real time scanner of avg who is running i have tried by the turning off ine the services but the only option aviable is START

You can go ahead and run Combofix, you can run it in Safemode, make sure it was renamed when you downloaded it


To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

hi ken545,

This is the log file of combofix


ComboFix 09-09-17.04 - Shadow 18/09/2009 12:11.1.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1379 [GMT 1:00]
Running from: c:\documents and settings\Shadow\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Look 'n' Stop 2.06p3 (Soft4Ever) *enabled* {2A530F53-4A99-4EE0-8471-4A00BA4A47B0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
c:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\9.0\1033\ResourceCache.dll
c:\documents and settings\Shadow\Application Data\.#
c:\documents and settings\Shadow\Application Data\.#\MBX@954@3841A8.###
c:\documents and settings\Shadow\Application Data\.#\MBX@954@3841D8.###
c:\documents and settings\Shadow\Application Data\.#\MBX@954@384208.###
c:\windows\msa.exe
c:\windows\TEMP\logishrd\LVPrcInj01.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-17 23:14 . 2009-09-17 23:14 -------- d-----w- c:\documents and settings\Shadow\Application Data\AVG8
2009-09-14 19:25 . 2009-09-14 19:25 54624 ----a-w- c:\windows\system32\9003.sys
2009-09-14 19:22 . 2009-09-14 19:22 128352 ----a-w- c:\windows\system32\fb152.dll
2009-09-14 19:22 . 2009-09-14 19:22 54624 ----a-w- c:\windows\system32\fb152.sys
2009-09-13 12:31 . 2009-09-13 12:29 359932 ----a-w- C:\dds.scr
2009-09-12 23:42 . 2009-09-12 23:42 -------- d-----w- c:\program files\Trend Micro
2009-09-12 21:52 . 2009-09-13 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-10 12:05 . 2009-09-10 12:05 -------- d-----w- c:\documents and settings\Shadow\Local Settings\Application Data\Cooliris
2009-09-10 02:29 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-10 02:29 . 2009-09-10 02:29 -------- d-----w- c:\program files\Panda Security
2009-09-05 16:41 . 2009-09-05 16:41 114048 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-09-02 15:56 . 2009-09-02 15:56 -------- d-----w- c:\program files\Bonjour
2009-09-02 15:31 . 2009-09-02 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-09-02 15:20 . 2009-09-02 15:20 -------- d-----w- c:\documents and settings\Shadow\Application Data\Yahoo!
2009-09-02 15:20 . 2009-09-12 22:09 -------- d-----w- c:\program files\Yahoo!
2009-09-02 15:20 . 2009-09-02 15:20 -------- d-----w- c:\program files\CCleaner
2009-08-26 21:33 . 2009-09-12 22:08 -------- d-----w- c:\program files\PokerStars.NET
2009-08-23 13:28 . 2009-08-23 13:28 -------- d-----w- c:\documents and settings\Shadow\Application Data\dvdcss
2009-08-21 11:47 . 2009-08-21 11:47 -------- d-----w- c:\documents and settings\Shadow\Local Settings\Application Data\P5
2009-08-21 01:44 . 2009-09-11 21:09 -------- d-----w- c:\documents and settings\Shadow\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 11:16 . 2009-08-14 09:34 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-09-18 11:16 . 2009-06-25 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-18 11:08 . 2009-06-25 13:44 -------- d-----w- c:\documents and settings\Shadow\Application Data\VMware
2009-09-17 23:15 . 2009-06-20 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-17 14:19 . 2009-06-20 01:46 -------- d-----w- c:\documents and settings\Shadow\Application Data\uTorrent
2009-09-12 15:31 . 2009-07-21 14:42 -------- d-----w- c:\documents and settings\Shadow\Application Data\FileZilla
2009-09-11 10:00 . 2009-08-12 23:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 18:18 . 2009-06-25 10:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-02 16:00 . 2009-06-20 01:59 68456 ----a-w- c:\documents and settings\Shadow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 15:54 . 2009-06-26 17:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-20 17:46 . 2009-08-20 17:43 -------- d-----w- c:\documents and settings\Shadow\Application Data\winamp
2009-08-18 00:05 . 2009-07-27 21:44 -------- d-----w- c:\program files\Unlocker
2009-08-17 14:25 . 2009-08-17 14:25 -------- d-----w- c:\documents and settings\Shadow\Application Data\Artisteer
2009-08-16 18:06 . 2009-06-20 01:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 18:06 . 2009-06-20 01:11 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 18:06 . 2009-06-20 01:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-13 01:37 . 2009-08-13 01:37 -------- d-----w- c:\program files\Microsoft
2009-08-13 01:37 . 2009-08-13 01:36 -------- d-----w- c:\program files\Windows Live
2009-08-13 01:37 . 2009-08-13 01:37 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-13 01:34 . 2009-08-13 01:34 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-12 23:33 . 2009-08-12 23:26 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-12 23:32 . 2009-08-12 23:32 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-08-12 23:32 . 2009-08-12 23:32 -------- d-----w- c:\program files\MSXML 6.0
2009-08-12 23:32 . 2009-06-25 10:30 -------- d-----w- c:\program files\Microsoft.NET
2009-08-12 23:29 . 2009-06-25 13:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-08-12 23:22 . 2009-08-12 23:22 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2009-08-12 23:22 . 2009-08-12 23:22 -------- d-----w- c:\program files\Microsoft SDKs
2009-08-12 21:56 . 2009-08-12 21:56 -------- d-----w- c:\program files\Reference Assemblies
2009-08-12 21:37 . 2009-06-25 10:30 -------- d-----w- c:\program files\Microsoft Works
2009-08-11 13:23 . 2009-07-10 01:42 -------- d-----w- c:\documents and settings\Shadow\Application Data\Apple Computer
2009-08-08 13:36 . 2009-07-19 03:16 -------- d-----w- c:\program files\Common Files\Logishrd
2009-08-07 13:41 . 2009-07-19 03:16 -------- d-----w- c:\program files\Logitech
2009-08-07 13:41 . 2009-06-20 01:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 20:13 . 2009-08-05 20:11 -------- d-----w- c:\documents and settings\Shadow\Application Data\Nvu
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 23:17 . 2009-07-30 23:17 -------- d-----w- c:\documents and settings\Shadow\Application Data\Inkscape
2009-07-29 12:01 . 2009-07-29 12:01 -------- d-----w- c:\documents and settings\Shadow\Application Data\Notepad++
2009-07-27 23:33 . 2009-07-27 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-27 23:29 . 2009-07-27 23:29 -------- d-----w- c:\program files\Adobe Media Player
2009-07-27 23:26 . 2009-07-27 23:26 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-07-27 21:44 . 2009-07-27 21:44 -------- d-----w- c:\documents and settings\Shadow\Application Data\Desktopicon
2009-07-23 04:16 . 2009-07-23 04:16 -------- d-----w- c:\program files\MSXML 4.0
2009-07-23 02:00 . 2009-07-23 02:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-22 12:23 . 2009-07-22 12:23 -------- d-----w- c:\documents and settings\Shadow\Application Data\Nero
2009-07-22 12:22 . 2009-07-22 12:20 -------- d-----w- c:\program files\Common Files\Nero
2009-07-22 12:20 . 2009-07-22 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-07-21 17:23 . 2009-07-19 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-07-21 17:05 . 2009-07-21 17:05 -------- d-----w- c:\program files\Multi-Direction Opitcal Mouse
2009-07-20 17:21 . 2009-06-20 01:03 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2008-04-14 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-04-14 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 01:51 . 2009-06-29 01:51 8 -c--a-w- c:\windows\system32\nvModes.dat
2009-06-25 10:24 . 2009-06-25 10:24 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-25 08:25 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-14 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2008-04-14 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 15:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-30 1935360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"WinampAgent"="d:\programe files\winamp\winampa.exe" [2009-07-01 37888]
"vmware-tray"="d:\programe files\vmware\vmware-tray.exe" [2007-10-08 72240]
"VMware hqtray"="d:\programe files\vmware\hqtray.exe" [2007-10-08 55856]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-20 1036288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [2009-03-11 738336]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="d:\programe files\nero\Nero 8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"Look 'n' Stop"="c:\program files\Soft4Ever\looknstop\looknstop.exe" [2009-06-20 552960]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ACQTMOUSE"="c:\program files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe" [2006-12-27 489984]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 18:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"d:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Shadow\\My Documents\\Downloads\\vlc-1.0.1-win32\\vlc-1.0.1\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/09/2009 03:29 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/06/2009 02:11 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/06/2009 02:11 108552]
S1 lnsfw1;lnsfw1;c:\windows\system32\drivers\lnsfw1.sys [20/06/2009 04:12 79232]
S2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [15/07/2007 02:37 27992]
S3 9003;9003;c:\windows\system32\9003.sys [14/09/2009 20:25 54624]
S3 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [20/06/2009 02:10 908056]
S3 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [20/06/2009 02:10 297752]
S3 fb152;fb152;c:\windows\system32\fb152.sys [14/09/2009 20:22 54624]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 01:28 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 02:49 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11/07/2008 01:28 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Shadow\Application Data\Mozilla\Firefox\Profiles\5axetzfv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\documents and settings\Shadow\Application Data\Mozilla\Firefox\Profiles\5axetzfv.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Shadow\Application Data\Mozilla\Firefox\Profiles\5axetzfv.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-HijackThis startup scan - m:\documents\New Folder\HijackThis.exe
AddRemove-HijackThis - m:\documents\New Folder\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 12:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(856)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-09-18 12:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 11:21

Pre-Run: 2,840,862,720 bytes free
Post-Run: 2,875,961,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

261 --- E O F --- 2009-09-18 08:49

And this is the HJT run from a flash disk because the old one on C: still have the permisson altered


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:49, on 18/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
D:\programe files\winamp\winampa.exe
D:\programe files\vmware\vmware-tray.exe
D:\programe files\vmware\hqtray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\program files\powerstrip\pstrip.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\programe files\nero\Nero 8\Nero BackItUp\NBService.exe
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
D:\programe files\vmware\vmware-authd.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
D:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] "D:\programe files\winamp\winampa.exe"
O4 - HKLM\..\Run: [vmware-tray] D:\programe files\vmware\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "D:\programe files\vmware\hqtray.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\programe files\nero\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ACQTMOUSE] "C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\partypoker\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\partypoker\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\programe files\nero\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - D:\programe files\vmware\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\programe files\vmware\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: wampapache - Apache Software Foundation - D:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - D:\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe

--
End of file - 9971 bytes

Hi,

No need to quote the reports, it just makes it harder to look over.

Download and run Win32kDiag:
Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)

Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

here the win32kdiag.txt

Running from: C:\Documents and Settings\Shadow\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Shadow\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2008-04-14 13:00:00 744448 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()

[1] 2008-04-14 13:00:00 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-08-28 22:38:20 24689600 C:\WINDOWS\system32\MRT.exe ()





Finished!

Lets do this.

You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis, just use the BROWSE feature and then Send File , you will get a report back, post the report into this thread for me to see.

c:\windows\system32\9003.sys
c:\windows\system32\fb152.sys





Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please

c:\windows\system32\9003.sys


Additional information
File size: 54624 bytes
MD5 : 43b0076b3ab8996b84d2cc8f990b582f
SHA1 : 97d13f87d18e1829d9af7e54cd5a0b2d68d684e7
SHA256: 5787ad3e47054ed8417522330be69c9b122d33373b960a21ac52eb2d25ad3259
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2E005
timedatestamp.....: 0x4718573F (Fri Oct 19 09:05:35 2007)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9538 0x9600 6.46 f8bb0ff0be497fd92b3101ee9b134c78
.rdata 0xB000 0x204 0x400 2.61 c48c48509a6c34a23e4128aaf530cbcc
.data 0xC000 0x21674 0xA00 0.64 dad2fd5f4c81aa5f92ab076f0ab1a792
INIT 0x2E000 0x716 0x800 5.26 5fec7edfff8b298bc03ef77519f7f86f
.reloc 0x2F000 0xEE2 0x1000 5.71 24939863336ea437d32d34528390c4bb

( 2 imports )

> hal.dll: KfRaiseIrql, KeGetCurrentIrql, KfAcquireSpinLock, KfReleaseSpinLock, KfLowerIrql
> ntoskrnl.exe: KeInitializeSpinLock, MmMapLockedPages, MmProbeAndLockPages, MmBuildMdlForNonPagedPool, IoAllocateMdl, RtlUnicodeStringToAnsiString, RtlInitUnicodeString, ZwQuerySystemInformation, ZwClose, wcslen, wcsrchr, wcschr, IoFreeIrp, KeSetEvent, PsGetCurrentThreadId, KeInitializeEvent, KeWaitForSingleObject, KeUnstackDetachProcess, KeStackAttachProcess, ZwCreateFile, ZwQuerySymbolicLinkObject, ZwOpenProcess, ZwQueryDirectoryFile, ObfDereferenceObject, IofCallDriver, KeGetCurrentThread, IoAllocateIrp, IoGetRelatedDeviceObject, ObReferenceObjectByHandle, MmUnmapLockedPages, RtlAnsiStringToUnicodeString, RtlInitAnsiString, ZwReadFile, ZwWriteFile, ZwQueryObject, ZwOpenSymbolicLinkObject, ObQueryNameString, strstr, IoDeleteDevice, IoDeleteSymbolicLink, PsSetCreateProcessNotifyRoutine, PsGetCurrentProcessId, KeServiceDescriptorTable, IofCompleteRequest, IoGetCurrentProcess, PsCreateSystemThread, IoCreateSymbolicLink, IoCreateDevice, PsGetVersion, ZwOpenKey, ZwQueryValueKey, ZwEnumerateValueKey, ZwEnumerateKey, KeAddSystemServiceTable, _except_handler3, KeTickCount, KeBugCheckEx, MmUnlockPages, IoFreeMdl, MmIsAddressValid, ExFreePoolWithTag, RtlFreeUnicodeString, ExAllocatePoolWithTag

( 0 exports )
TrID : File type identification
Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=43b0076b3ab8996b84d2cc8f990b582f
ssdeep: 768:Xht98mhWffPd0l3V+Vdj4AGXwZONbB0/92+U48swGs47+Sv9NLzbRUh:XhTbE6VFXwkb0F2+U4nS8J7jRe
PEiD : -
packers (Kaspersky): PE_Patch
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=43b0076b3ab8996b84d2cc8f990b582f
RDS : NSRL Reference Data Set


c:\windows\system32\fb152.sys

Additional information
File size: 54624 bytes
MD5 : 43b0076b3ab8996b84d2cc8f990b582f
SHA1 : 97d13f87d18e1829d9af7e54cd5a0b2d68d684e7
SHA256: 5787ad3e47054ed8417522330be69c9b122d33373b960a21ac52eb2d25ad3259
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2E005
timedatestamp.....: 0x4718573F (Fri Oct 19 09:05:35 2007)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9538 0x9600 6.46 f8bb0ff0be497fd92b3101ee9b134c78
.rdata 0xB000 0x204 0x400 2.61 c48c48509a6c34a23e4128aaf530cbcc
.data 0xC000 0x21674 0xA00 0.64 dad2fd5f4c81aa5f92ab076f0ab1a792
INIT 0x2E000 0x716 0x800 5.26 5fec7edfff8b298bc03ef77519f7f86f
.reloc 0x2F000 0xEE2 0x1000 5.71 24939863336ea437d32d34528390c4bb

( 2 imports )

> hal.dll: KfRaiseIrql, KeGetCurrentIrql, KfAcquireSpinLock, KfReleaseSpinLock, KfLowerIrql
> ntoskrnl.exe: KeInitializeSpinLock, MmMapLockedPages, MmProbeAndLockPages, MmBuildMdlForNonPagedPool, IoAllocateMdl, RtlUnicodeStringToAnsiString, RtlInitUnicodeString, ZwQuerySystemInformation, ZwClose, wcslen, wcsrchr, wcschr, IoFreeIrp, KeSetEvent, PsGetCurrentThreadId, KeInitializeEvent, KeWaitForSingleObject, KeUnstackDetachProcess, KeStackAttachProcess, ZwCreateFile, ZwQuerySymbolicLinkObject, ZwOpenProcess, ZwQueryDirectoryFile, ObfDereferenceObject, IofCallDriver, KeGetCurrentThread, IoAllocateIrp, IoGetRelatedDeviceObject, ObReferenceObjectByHandle, MmUnmapLockedPages, RtlAnsiStringToUnicodeString, RtlInitAnsiString, ZwReadFile, ZwWriteFile, ZwQueryObject, ZwOpenSymbolicLinkObject, ObQueryNameString, strstr, IoDeleteDevice, IoDeleteSymbolicLink, PsSetCreateProcessNotifyRoutine, PsGetCurrentProcessId, KeServiceDescriptorTable, IofCompleteRequest, IoGetCurrentProcess, PsCreateSystemThread, IoCreateSymbolicLink, IoCreateDevice, PsGetVersion, ZwOpenKey, ZwQueryValueKey, ZwEnumerateValueKey, ZwEnumerateKey, KeAddSystemServiceTable, _except_handler3, KeTickCount, KeBugCheckEx, MmUnlockPages, IoFreeMdl, MmIsAddressValid, ExFreePoolWithTag, RtlFreeUnicodeString, ExAllocatePoolWithTag

( 0 exports )
TrID : File type identification
Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=43b0076b3ab8996b84d2cc8f990b582f
ssdeep: 768:Xht98mhWffPd0l3V+Vdj4AGXwZONbB0/92+U48swGs47+Sv9NLzbRUh:XhTbE6VFXwkb0F2+U4nS8J7jRe
PEiD : -
packers (Kaspersky): PE_Patch
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=43b0076b3ab8996b84d2cc8f990b582f
RDS : NSRL Reference Data Set
-

the only thing he found was my Windows activation trick :/

Malwarebytes' Anti-Malware 1.41
Database version: 2821
Windows 5.1.2600 Service Pack 3

18/09/2009 21:50:05
mbam-log-2009-09-18 (21-50-05).txt

Scan type: Quick Scan
Objects scanned: 104127
Time elapsed: 2 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:52:32, on 18/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
D:\programe files\winamp\winampa.exe
D:\programe files\vmware\vmware-tray.exe
D:\programe files\vmware\hqtray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\program files\powerstrip\pstrip.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\programe files\nero\Nero 8\Nero BackItUp\NBService.exe
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
D:\programe files\vmware\vmware-authd.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
D:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] "D:\programe files\winamp\winampa.exe"
O4 - HKLM\..\Run: [vmware-tray] D:\programe files\vmware\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "D:\programe files\vmware\hqtray.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\programe files\nero\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ACQTMOUSE] "C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\partypoker\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Games\partypoker\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\programe files\nero\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - D:\programe files\vmware\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\programe files\vmware\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: wampapache - Apache Software Foundation - D:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - D:\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe

--
End of file - 9723 bytes

O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll

Your copy of windows is illegal and has been obtained from Cracked software.

Sorry but I cant help you any longer, if you keep using Cracked software of any kind your just going to keep reinfecting your system

This thread is now closed, thank you for wasting my time