Virtumonde the great

nox_PHX

New member
As the title says, I'm infected with this everlasting disease.

Multiple scans haven't been able to remove this, tried safe mode, etc etc.
When I rebooted my PC after a cleaning, some file named OUTLOOK.EXE was run (twice); I quickly ended it, but it was still able to open some CMD boxes, damn.
I'm pretty tech savvy, if that helps.

Umm here are the log(s):
____________________________________________________________

DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 11:55:02.51 on Thu 09/02/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.340 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k netsvc
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\user\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\6bfx8ja2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - HiddenExtension: XULRunner: {69E1B4E1-C184-457F-BDDF-36564317491E} - c:\documents and settings\user\local settings\application data\{69E1B4E1-C184-457F-BDDF-36564317491E}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-4-25 33824]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-9-28 12672]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-4 14336]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2009-6-7 22784]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2010-6-2 33792]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-12-19 9472]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2010-4-25 27904]
S1 chtudlst;chtudlst;\??\c:\windows\system32\drivers\chtudlst.sys --> c:\windows\system32\drivers\chtudlst.sys [?]
S1 ezcacfar;ezcacfar;\??\c:\windows\system32\drivers\ezcacfar.sys --> c:\windows\system32\drivers\ezcacfar.sys [?]
S1 lgstinbx;lgstinbx;\??\c:\windows\system32\drivers\lgstinbx.sys --> c:\windows\system32\drivers\lgstinbx.sys [?]
S1 ltjhbnxt;ltjhbnxt;\??\c:\windows\system32\drivers\ltjhbnxt.sys --> c:\windows\system32\drivers\ltjhbnxt.sys [?]
S1 mmovdfbd;mmovdfbd;\??\c:\windows\system32\drivers\mmovdfbd.sys --> c:\windows\system32\drivers\mmovdfbd.sys [?]
S1 pxwduetu;pxwduetu;\??\c:\windows\system32\drivers\pxwduetu.sys --> c:\windows\system32\drivers\pxwduetu.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-15 136176]
S2 HW_VSP3s_Service;HW Virtual Serial Port (single);c:\program files\hw group\hw vsp3s\HW_VSP3s_srv.exe [2010-4-25 498968]
S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-4-3 91392]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2010-4-3 25856]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2010-4-3 6016]
S3 cpuz130;cpuz130;\??\c:\docume~1\user\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 CyUsb;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [2009-6-7 31104]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2010-4-25 53888]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-4-3 42752]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-4-3 24960]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-8-23 34760]
S3 Vsp;Vsp;\??\c:\windows\system32\drivers\vsp.sys --> c:\windows\system32\drivers\Vsp.sys [?]

=============== Created Last 30 ================

2010-09-02 07:37:48 92 ----a-w- c:\windows\wininit.ini
2010-09-02 01:11:49 0 d-----w- c:\documents and settings\user\Bluetooth Software
2010-09-02 01:07:31 67960 ----a-w- c:\windows\system32\drivers\btwusb.sys
2010-09-02 01:07:30 55352 ----a-w- c:\windows\system32\drivers\btwhid.sys
2010-09-02 01:07:30 37424 ----a-w- c:\windows\system32\drivers\btport.sys
2010-09-02 01:07:30 149123 ----a-w- c:\windows\system32\drivers\btwdndis.sys
2010-09-02 01:07:30 106557 ----a-w- c:\windows\system32\btw_ci.dll
2010-09-02 01:07:29 876384 ----a-w- c:\windows\system32\drivers\btkrnl.sys
2010-09-02 01:07:28 539072 ----a-w- c:\windows\system32\drivers\btaudio.sys
2010-09-02 01:06:58 0 d-----w- c:\program files\WIDCOMM
2010-08-31 15:41:05 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-08-31 13:13:09 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-08-31 13:12:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 13:12:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-31 13:12:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 13:12:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-31 13:08:55 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-31 12:53:56 120 ----a-w- c:\windows\Atixuv.dat
2010-08-31 12:53:56 0 ----a-w- c:\windows\Dmajokakej.bin
2010-08-31 09:47:33 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-31 09:47:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-31 09:27:18 0 ----a-w- c:\windows\system32\drivers\levuwam.sys
2010-08-31 09:26:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-31 09:26:36 253952 ----a-w- c:\windows\system32\drivers\tcpip7x.sys
2010-08-31 09:26:24 0 d-----w- c:\docume~1\user\applic~1\04636C827F6E9BCCDFEBFBE13DDF8687
2010-08-30 07:56:21 0 d-----w- c:\docume~1\user\applic~1\HandBrake
2010-08-30 07:56:13 0 d-----w- c:\program files\Handbrake

==================== Find3M ====================

2010-08-31 15:48:46 1033728 ----a-w- c:\windows\explorer.exe
2010-08-31 15:48:45 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-08-31 09:43:39 3172 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-31 20:07:54 58352 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-24 04:24:51 2 --shatr- c:\windows\winstart.bat
2009-06-10 22:50:33 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009061020090611\index.dat

============= FINISH: 11:57:09.30 ===============

Here's another, after I removed uTorrent.

DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 12:22:33.51 on Thu 09/02/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.344 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k netsvc
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\6bfx8ja2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - HiddenExtension: XULRunner: {69E1B4E1-C184-457F-BDDF-36564317491E} - c:\documents and settings\user\local settings\application data\{69E1B4E1-C184-457F-BDDF-36564317491E}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-4-25 33824]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-9-28 12672]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-4 14336]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2009-6-7 22784]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2010-6-2 33792]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-12-19 9472]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2010-4-25 27904]
S1 chtudlst;chtudlst;\??\c:\windows\system32\drivers\chtudlst.sys --> c:\windows\system32\drivers\chtudlst.sys [?]
S1 ezcacfar;ezcacfar;\??\c:\windows\system32\drivers\ezcacfar.sys --> c:\windows\system32\drivers\ezcacfar.sys [?]
S1 lgstinbx;lgstinbx;\??\c:\windows\system32\drivers\lgstinbx.sys --> c:\windows\system32\drivers\lgstinbx.sys [?]
S1 ltjhbnxt;ltjhbnxt;\??\c:\windows\system32\drivers\ltjhbnxt.sys --> c:\windows\system32\drivers\ltjhbnxt.sys [?]
S1 mmovdfbd;mmovdfbd;\??\c:\windows\system32\drivers\mmovdfbd.sys --> c:\windows\system32\drivers\mmovdfbd.sys [?]
S1 pxwduetu;pxwduetu;\??\c:\windows\system32\drivers\pxwduetu.sys --> c:\windows\system32\drivers\pxwduetu.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-15 136176]
S2 HW_VSP3s_Service;HW Virtual Serial Port (single);c:\program files\hw group\hw vsp3s\HW_VSP3s_srv.exe [2010-4-25 498968]
S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-4-3 91392]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2010-4-3 25856]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2010-4-3 6016]
S3 cpuz130;cpuz130;\??\c:\docume~1\user\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 CyUsb;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [2009-6-7 31104]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2010-4-25 53888]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-4-3 42752]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-4-3 24960]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-8-23 34760]
S3 Vsp;Vsp;\??\c:\windows\system32\drivers\vsp.sys --> c:\windows\system32\drivers\Vsp.sys [?]

=============== Created Last 30 ================

2010-09-02 07:37:48 92 ----a-w- c:\windows\wininit.ini
2010-09-02 01:11:49 0 d-----w- c:\documents and settings\user\Bluetooth Software
2010-09-02 01:07:31 67960 ----a-w- c:\windows\system32\drivers\btwusb.sys
2010-09-02 01:07:30 55352 ----a-w- c:\windows\system32\drivers\btwhid.sys
2010-09-02 01:07:30 37424 ----a-w- c:\windows\system32\drivers\btport.sys
2010-09-02 01:07:30 149123 ----a-w- c:\windows\system32\drivers\btwdndis.sys
2010-09-02 01:07:30 106557 ----a-w- c:\windows\system32\btw_ci.dll
2010-09-02 01:07:29 876384 ----a-w- c:\windows\system32\drivers\btkrnl.sys
2010-09-02 01:07:28 539072 ----a-w- c:\windows\system32\drivers\btaudio.sys
2010-09-02 01:06:58 0 d-----w- c:\program files\WIDCOMM
2010-08-31 15:41:05 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-08-31 13:13:09 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-08-31 13:12:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 13:12:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-31 13:12:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 13:12:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-31 13:08:55 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-31 12:53:56 120 ----a-w- c:\windows\Atixuv.dat
2010-08-31 12:53:56 0 ----a-w- c:\windows\Dmajokakej.bin
2010-08-31 09:47:33 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-31 09:47:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-31 09:27:18 0 ----a-w- c:\windows\system32\drivers\levuwam.sys
2010-08-31 09:26:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-31 09:26:36 253952 ----a-w- c:\windows\system32\drivers\tcpip7x.sys
2010-08-31 09:26:24 0 d-----w- c:\docume~1\user\applic~1\04636C827F6E9BCCDFEBFBE13DDF8687
2010-08-30 07:56:21 0 d-----w- c:\docume~1\user\applic~1\HandBrake
2010-08-30 07:56:13 0 d-----w- c:\program files\Handbrake

==================== Find3M ====================

2010-08-31 15:48:46 1033728 ----a-w- c:\windows\explorer.exe
2010-08-31 15:48:45 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-08-31 09:43:39 3172 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-31 20:07:54 58352 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-24 04:24:51 2 --shatr- c:\windows\winstart.bat
2009-06-10 22:50:33 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009061020090611\index.dat

============= FINISH: 12:24:13.42 ===============
 
Last edited by a moderator:
Hello & Welcome to Safer-Networking

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within four days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

As your logs are a few days old, please run DDS again & post the contents of both logs - no need to attach them - copy/paste the contents will be fine.

Gmer
Download GMER Rootkit Scanner from here & save it to your desktop.
  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Do not run any programs while Gmer is running.

NOTE: If you cannot run GMER as indicated above, save a scan from the initial startup scan.
  • Before scanning, make sure all other running programs are closed & no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan
  • Double click the gmer.exe file
  • The program will begin to run & perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No
  • After the "initial scan" is complete, click on the Save button, save the log file to your desktop & post it in your reply
To post in next reply:
Contents of new DDS log
Contents of new Attach.txt
Contents of Gmer log
 
DDS
Code:
DDS (Ver_10-03-17.01) - NTFSx86  
Run by user at 12:35:50.50 on Sun 09/05/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1279.671 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated)   {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k netsvc
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\taskcgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GMorphCl] "c:\windows\system32\taskcgr.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\lspA.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
Hosts: 127.0.0.1	www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\6bfx8ja2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - HiddenExtension: XULRunner: {69E1B4E1-C184-457F-BDDF-36564317491E} - c:\documents and settings\user\local settings\application data\{69E1B4E1-C184-457F-BDDF-36564317491E}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-4-25 33824]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-9-28 12672]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-4 14336]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2009-6-7 22784]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2010-6-2 33792]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-12-19 9472]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2010-4-25 27904]
S1 chtudlst;chtudlst;\??\c:\windows\system32\drivers\chtudlst.sys --> c:\windows\system32\drivers\chtudlst.sys [?]
S1 ezcacfar;ezcacfar;\??\c:\windows\system32\drivers\ezcacfar.sys --> c:\windows\system32\drivers\ezcacfar.sys [?]
S1 lgstinbx;lgstinbx;\??\c:\windows\system32\drivers\lgstinbx.sys --> c:\windows\system32\drivers\lgstinbx.sys [?]
S1 ltjhbnxt;ltjhbnxt;\??\c:\windows\system32\drivers\ltjhbnxt.sys --> c:\windows\system32\drivers\ltjhbnxt.sys [?]
S1 mmovdfbd;mmovdfbd;\??\c:\windows\system32\drivers\mmovdfbd.sys --> c:\windows\system32\drivers\mmovdfbd.sys [?]
S1 pxwduetu;pxwduetu;\??\c:\windows\system32\drivers\pxwduetu.sys --> c:\windows\system32\drivers\pxwduetu.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-15 136176]
S2 HW_VSP3s_Service;HW Virtual Serial Port (single);c:\program files\hw group\hw vsp3s\HW_VSP3s_srv.exe [2010-4-25 498968]
S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-4-3 91392]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2010-4-3 25856]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2010-4-3 6016]
S3 cpuz130;cpuz130;\??\c:\docume~1\user\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 CyUsb;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [2009-6-7 31104]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2010-4-25 53888]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-4-3 42752]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-4-3 24960]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-8-23 34760]
S3 Vsp;Vsp;\??\c:\windows\system32\drivers\vsp.sys --> c:\windows\system32\drivers\Vsp.sys [?]

=============== Created Last 30 ================

2010-09-03 14:45:57	34667	----a-w-	c:\windows\system32\taskcgr.exe
2010-09-03 14:45:48	53099	----a-w-	c:\windows\system32\lspA.dll
2010-09-03 14:45:48	4	---ha-w-	c:\windows\system32\iexplore.sy_
2010-09-03 14:45:48	0	----a-w-	c:\windows\system32\lspA.tmp
2010-09-02 07:37:48	92	----a-w-	c:\windows\wininit.ini
2010-09-02 01:11:49	0	d-----w-	c:\documents and settings\user\Bluetooth Software
2010-09-02 01:07:31	67960	----a-w-	c:\windows\system32\drivers\btwusb.sys
2010-09-02 01:07:30	55352	----a-w-	c:\windows\system32\drivers\btwhid.sys
2010-09-02 01:07:30	37424	----a-w-	c:\windows\system32\drivers\btport.sys
2010-09-02 01:07:30	149123	----a-w-	c:\windows\system32\drivers\btwdndis.sys
2010-09-02 01:07:30	106557	----a-w-	c:\windows\system32\btw_ci.dll
2010-09-02 01:07:29	876384	----a-w-	c:\windows\system32\drivers\btkrnl.sys
2010-09-02 01:07:28	539072	----a-w-	c:\windows\system32\drivers\btaudio.sys
2010-09-02 01:06:58	0	d-----w-	c:\program files\WIDCOMM
2010-08-31 15:41:05	221568	------w-	c:\windows\system32\MpSigStub.exe
2010-08-31 13:13:09	0	d-----w-	c:\docume~1\user\applic~1\Malwarebytes
2010-08-31 13:12:56	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 13:12:55	0	d-----w-	c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-31 13:12:54	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-08-31 13:12:54	0	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-08-31 13:08:55	0	d-----w-	c:\program files\Microsoft Security Essentials
2010-08-31 12:53:56	120	----a-w-	c:\windows\Atixuv.dat
2010-08-31 12:53:56	0	----a-w-	c:\windows\Dmajokakej.bin
2010-08-31 09:47:33	0	d-----w-	c:\program files\Spybot - Search & Destroy
2010-08-31 09:47:33	0	d-----w-	c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-31 09:27:18	0	----a-w-	c:\windows\system32\drivers\levuwam.sys
2010-08-31 09:26:54	0	d-----w-	c:\docume~1\alluse~1\applic~1\Update
2010-08-31 09:26:36	253952	----a-w-	c:\windows\system32\drivers\tcpip7x.sys
2010-08-31 09:26:24	0	d-----w-	c:\docume~1\user\applic~1\04636C827F6E9BCCDFEBFBE13DDF8687
2010-08-30 07:56:21	0	d-----w-	c:\docume~1\user\applic~1\HandBrake
2010-08-30 07:56:13	0	d-----w-	c:\program files\Handbrake

==================== Find3M  ====================

2010-08-31 15:48:46	1033728	----a-w-	c:\windows\explorer.exe
2010-08-31 15:48:45	507904	----a-w-	c:\windows\system32\winlogon.exe
2010-08-31 09:43:39	3172	----a-w-	c:\windows\system32\d3d9caps.dat
2010-07-31 20:07:54	58352	---ha-w-	c:\windows\system32\mlfcache.dat
2009-08-24 04:24:51	2	--shatr-	c:\windows\winstart.bat
2009-06-10 22:50:33	32768	-csha-w-	c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009061020090611\index.dat

============= FINISH: 12:39:21.02 ===============

Attach
Code:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/25/2008 5:34:18 PM
System Uptime: 9/5/2010 12:24:35 PM (0 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD |  | MS-6738
Processor: AMD Athlon(tm)  | Socket A | 1896/140mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 8.234 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth LAN Access Server Driver
Device ID: {95C7A0A0-3094-11D7-A202-00508B9D7D5A}\BTWDNDIS\1&30EE4AD&0&1000000020000
Manufacturer: Broadcom
Name: Bluetooth LAN Access Server Driver
PNP Device ID: {95C7A0A0-3094-11D7-A202-00508B9D7D5A}\BTWDNDIS\1&30EE4AD&0&1000000020000
Service: BTWDNDIS

==== System Restore Points ===================

RP1: 8/31/2010 10:05:10 AM - System Checkpoint
RP2: 9/1/2010 2:54:50 PM - System Checkpoint
RP3: 9/1/2010 6:06:47 PM - Installed Bluetooth Software
RP4: 9/3/2010 9:41:12 AM - System Checkpoint
RP5: 9/3/2010 7:48:28 PM - Removed TweetDeck

==== Installed Programs ======================

7-Zip 4.65
Acrobat.com
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.3.4
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AviSynth 2.5
Bonjour
BSPViewer 1.5.6
calibre
Chinese Traditional Fonts Support For Adobe Reader 9
Compatibility Pack for the 2007 Office system
Connect
Counter-Strike
CPUID CPU-Z 1.52.2
Cpukiller3 v1.0.5
Critical Update for Windows Media Player 11 (KB959772)
dBpowerAMP Music Converter
Dropbox
Easy CD & DVD Creator 6
ERUNT 1.1j
EVGA Display Driver
Futuremark SystemInfo
Gabbasoft Cube Demo
GCFScape 1.7.3
GoldWave v5.20
Google Chrome
Google Earth Plug-in
Google Update Helper
GSC 2.00
Half-Life Model Viewer 1.25
Handbrake 0.9.4
HashTab 1.14 for x32
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP USB Multimedia Keyboard Driver V1.2
HW Virtual Serial Port 3.1.2 Single
ISO Recorder
iTunes
Java(TM) 6 Update 13
Jed's Half-Life Model Viewer 1.3.6
Junk Mail filter update
kuler
Left 4 Dead 2 Demo
LibUSB-Win32-0.1.10.1
LimeWire 5.1.2
Malwarebytes' Anti-Malware
Mavis Beacon Teaches Typing Platinum 20
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Essentials
Microsoft Software Update for Web Folders  (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft WinUsb 1.0
Motorola Driver Installation 4.2.0
Mozilla Firefox (3.5.9)
Mozilla Firefox (3.6.7)
MP3 Converter Simple
MSVCRT
NVIDIA Drivers
Octoshape add-in for Adobe Flash Player
Opera 9.64
PaperPort
PdaNet for Android 2.16.2
PDF Settings CS4
Photoshop Camera Raw
PowerDVD
QPST
QuickTime
Razer DeathAdder(TM) Mouse
Realtek AC'97 Audio
RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
RSDLite
S3Display
S3Gamma2
S3Info2
S3Overlay
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Segoe UI
SpeedFan (remove only)
Spelling Dictionaries Support For Adobe Reader 9
Steam
Suite Shared Configuration CS4
UnHackMe 5.00 release
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Ventrilo Client
Videora iPod Converter 4.08
VLC media player 1.0.2
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Driver Package - Cypress (CyUsb) USB 
Windows Driver Package - Razer (HidUsb) HIDClass  (02/02/2007 1.0.5.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

9/4/2010 4:22:51 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures. 	New Signature Version:  	Previous Signature Version: 1.89.685.0 	Update Source: Microsoft Update Server 	Update Stage: Search 	Source Path: http://www.microsoft.com 	Signature Type: AntiVirus 	Update Type: Full 	User: NT AUTHORITY\SYSTEM 	Current Engine Version:  	Previous Engine Version: 1.1.6103.0 	Error code: 0x80072efe 	Error description: The connection with the server was terminated abnormally 
9/3/2010 1:41:19 AM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures. 	New Signature Version:  	Previous Signature Version: 1.89.685.0 	Update Source: Microsoft Update Server 	Update Stage: Search 	Source Path: http://www.microsoft.com 	Signature Type: AntiVirus 	Update Type: Full 	User: NT AUTHORITY\SYSTEM 	Current Engine Version:  	Previous Engine Version: 1.1.6103.0 	Error code: 0x80072efe 	Error description: The connection with the server was terminated abnormally 
9/1/2010 5:35:57 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
9/1/2010 11:17:20 AM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures. 	New Signature Version:  	Previous Signature Version: 1.89.685.0 	Update Source: Microsoft Update Server 	Update Stage: Search 	Source Path: http://www.microsoft.com 	Signature Type: AntiVirus 	Update Type: Full 	User: NT AUTHORITY\SYSTEM 	Current Engine Version:  	Previous Engine Version: 1.1.6103.0 	Error code: 0x80072efe 	Error description: The connection with the server was terminated abnormally 
9/1/2010 1:32:24 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures. 	New Signature Version:  	Previous Signature Version: 1.89.685.0 	Update Source: Microsoft Update Server 	Update Stage: Search 	Source Path: http://www.microsoft.com 	Signature Type: AntiVirus 	Update Type: Full 	User: NT AUTHORITY\SYSTEM 	Current Engine Version:  	Previous Engine Version: 1.1.6103.0 	Error code: 0x80072efe 	Error description: The connection with the server was terminated abnormally 
9/1/2010 1:31:54 PM, error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
9/1/2010 1:31:54 PM, error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error:  An instance of the service is already running.
8/31/2010 9:48:18 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8/31/2010 8:59:04 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/31/2010 8:58:12 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AmdK7 Fips IPSec MpFilter NetBT oreans32 RasAcd sptd Tcpip viaagp1 videX32
8/31/2010 8:58:12 AM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:  A device attached to the system is not functioning.
8/31/2010 8:58:12 AM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
8/31/2010 8:58:12 AM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
8/31/2010 8:58:12 AM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
8/31/2010 8:49:56 AM, error: Service Control Manager [7034]  - The Windows Installer service terminated unexpectedly.  It has done this 3 time(s).
8/31/2010 8:48:46 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:760 	Action: Quarantine 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:48:46 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:1720;winlogonshell:HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe 	Action: Quarantine 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:48:45 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:760 	Action: Clean 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:48:45 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:1720 	Action: Clean 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:48:07 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:760 	Action: Quarantine 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:48:07 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:1720;winlogonshell:HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe 	Action: Quarantine 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:48:06 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:760 	Action: Clean 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:48:06 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:1720 	Action: Clean 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:46:15 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:760 	Action: Clean 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:46:15 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:1720 	Action: Clean 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:46:15 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Hiloti.gen!D&threatid=2147630886 	User: USER-91055C0D28\user 	Name: Trojan:Win32/Hiloti.gen!D 	ID: 2147630886 	Severity: Severe 	Category: Trojan 	Path: process:pid:1720 	Action: Remove 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:44:41 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:760 	Action: Quarantine 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:44:41 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:1720;winlogonshell:HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe 	Action: Quarantine 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:44:39 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:760 	Action: Clean 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:44:39 AM, error: Microsoft Antimalware [1008]  - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.C&threatid=2147637453 	User: USER-91055C0D28\user 	Name: Virus:Win32/Bamital.C 	ID: 2147637453 	Severity: Severe 	Category: Virus 	Path: process:pid:1720 	Action: Clean 	Error Code: 0x800704ec 	Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.  	Status: To finish removing spyware and other potentially unwanted software, restart the computer.  	Signature Version: AV: 1.89.685.0, AS: 1.89.685.0 	Engine Version: 1.1.6103.0
8/31/2010 8:42:34 AM, error: Service Control Manager [7031]  - The Microsoft Antimalware Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 15000 milliseconds: Restart the service.
8/31/2010 8:39:18 AM, error: Service Control Manager [7034]  - The Windows Installer service terminated unexpectedly.  It has done this 2 time(s).
8/31/2010 8:20:27 AM, error: Service Control Manager [7034]  - The Windows Installer service terminated unexpectedly.  It has done this 1 time(s).
8/31/2010 8:18:49 AM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures. 	New Signature Version:  	Previous Signature Version: 0.0.0.0 	Update Source: Microsoft Update Server 	Update Stage: Search 	Source Path: http://www.microsoft.com 	Signature Type: AntiVirus 	Update Type: Full 	User: NT AUTHORITY\SYSTEM 	Current Engine Version:  	Previous Engine Version: 0.0.0.0 	Error code: 0x80072efe 	Error description: The connection with the server was terminated abnormally 
8/31/2010 6:11:55 AM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures. 	New Signature Version:  	Previous Signature Version: 0.0.0.0 	Update Source: Microsoft Update Server 	Update Stage: Search 	Source Path: http://www.microsoft.com 	Signature Type: AntiVirus 	Update Type: Full 	User: NT AUTHORITY\SYSTEM 	Current Engine Version:  	Previous Engine Version: 0.0.0.0 	Error code: 0x80072efe 	Error description: The connection with the server was terminated abnormally 
8/31/2010 6:10:47 AM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures. 	New Signature Version:  	Previous Signature Version: 0.0.0.0 	Update Source: Microsoft Update Server 	Update Stage: Search 	Source Path: http://www.microsoft.com 	Signature Type: AntiVirus 	Update Type: Full 	User: NT AUTHORITY\SYSTEM 	Current Engine Version:  	Previous Engine Version: 0.0.0.0 	Error code: 0x80072efe 	Error description: The connection with the server was terminated abnormally 
8/31/2010 6:01:02 AM, error: Service Control Manager [7031]  - The Print Spooler service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/31/2010 5:14:07 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  viaagp1 videX32
8/31/2010 2:37:48 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/31/2010 2:35:25 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AmdK7 Fips oreans32 sptd
8/31/2010 2:34:29 AM, error: sptd [4]  - Driver detected an internal error in its data structures for .
8/31/2010 2:34:29 AM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
8/31/2010 2:34:29 AM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.
8/31/2010 2:29:51 AM, error: Service Control Manager [7034]  - The LibUsb-Win32 - Daemon, Version 0.1.10.1 service terminated unexpectedly.  It has done this 1 time(s).
8/31/2010 2:29:00 AM, error: Service Control Manager [7031]  - The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/31/2010 2:27:32 AM, error: Service Control Manager [7000]  - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error:  A device attached to the system is not functioning.
8/31/2010 2:26:38 AM, error: Service Control Manager [7000]  - The _c130 service failed to start due to the following error:  The request could not be performed because of an I/O device error.
8/31/2010 10:02:11 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
8/31/2010 10:01:29 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/30/2010 5:59:09 PM, error: Service Control Manager [7023]  - The IPSEC Services service terminated with the following error:  The authentication service is unknown.
8/30/2010 5:59:09 PM, error: Service Control Manager [7003]  - The MotoConnect Service service depends on the following nonexistent service: lanmanworkstation
8/30/2010 5:59:09 PM, error: Service Control Manager [7002]  - The Routing and Remote Access service depends on the NetBIOSGroup group and no member of this group started.
8/29/2010 3:55:53 PM, error: Service Control Manager [7034]  - The HW Virtual Serial Port (single) service terminated unexpectedly.  It has done this 1 time(s).
8/29/2010 11:55:23 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the libusbd service.

==== End Of File ===========================
 
GMER
Code:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-05 18:44:46
Windows 5.1.2600 Service Pack 3
Running: mmlolcwy.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kwgiqfod.sys

.text     ...                                                                                                                 

---- Registry - GMER 1.0.15 ----

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x10 0xA0 0xE0 0xF1 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x10 0xA0 0xE0 0xF1 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x10 0xA0 0xE0 0xF1 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x4D 0xF6 0x63 0xD9 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x4D 0xF6 0x63 0xD9 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0x4D 0xF6 0x63 0xD9 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0xD4 0xC3 0x97 0x02 ...
Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0xED 0xE2 0x66 0x5C ...
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0xED 0xE2 0x66 0x5C ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0xED 0xE2 0x66 0x5C ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                  1
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                  285507792
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                  771343423

---- User code sections - GMER 1.0.15 ----

.text     C:\WINDOWS\System32\svchost.exe[1152] ole32.dll!CoCreateInstance                                                    7750057E 5 Bytes  JMP 00DE000A 
.text     C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!NtProtectVirtualMemory                                              7C90D6EE 5 Bytes  JMP 0093000A 
.text     C:\WINDOWS\system32\wuauclt.exe[1352] ntdll.dll!NtProtectVirtualMemory                                              7C90D6EE 5 Bytes  JMP 0093000A 
.text     C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtProtectVirtualMemory                                                      7C90D6EE 5 Bytes  JMP 00B9000A 
.text     C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!NtWriteVirtualMemory                                                7C90DFAE 5 Bytes  JMP 0094000A 
.text     C:\WINDOWS\system32\wuauclt.exe[1352] ntdll.dll!NtWriteVirtualMemory                                                7C90DFAE 5 Bytes  JMP 0094000A 
.text     C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtWriteVirtualMemory                                                        7C90DFAE 5 Bytes  JMP 00BF000A 
.text     C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!KiUserExceptionDispatcher                                           7C90E47C 5 Bytes  JMP 0092000C 
.text     C:\WINDOWS\system32\wuauclt.exe[1352] ntdll.dll!KiUserExceptionDispatcher                                           7C90E47C 5 Bytes  JMP 0092000C 
.text     C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!KiUserExceptionDispatcher                                                   7C90E47C 5 Bytes  JMP 00B8000C 
.text     C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!GetCursorPos                                                       7E42974E 5 Bytes  JMP 00F4000A 

---- Devices - GMER 1.0.15 ----

Device    \Driver\NetBT \Device\NetBt_Wins_Export                                                                             89B6F500
Device    \Driver\NetBT \Device\NetbiosSmb                                                                                    89B6F500
Device    \Driver\NetBT \Device\NetBT_Tcpip_{5CFDD8FF-F098-4D05-8446-824244FE4C83}                                            89B6F500
Device    \Driver\usbehci \Device\USBPDO-3                                                                                    8A0CF1F8
Device    \Driver\usbehci \Device\USBFDO-3                                                                                    8A0CF1F8

---- System - GMER 1.0.15 ----

INT 0x35  ?                                                                                                                   8A0DEBF8
INT 0x3A  ?                                                                                                                   8A0DEBF8
INT 0x3B  ?                                                                                                                   8A0DEBF8
INT 0x3B  ?                                                                                                                   8A0DEBF8

Device    \FileSystem\Cdfs \Cdfs                                                                                              8A1801F8
Device    \Driver\am029ut8 \Device\Scsi\am029ut81                                                                             8A1E01F8
Device    \Driver\am029ut8 \Device\Scsi\am029ut81Port2Path0Target0Lun0                                                        8A1E01F8
Device    \Driver\Cdrom \Device\CdRom0                                                                                        8A1F51F8
Device    \Driver\Cdrom \Device\CdRom1                                                                                        8A1F51F8
Device    \Driver\Cdrom \Device\CdRom2                                                                                        8A1F51F8
Device    \Driver\usbuhci \Device\USBPDO-0                                                                                    8A20C1F8
Device    \Driver\usbuhci \Device\USBPDO-1                                                                                    8A20C1F8
Device    \Driver\usbuhci \Device\USBPDO-2                                                                                    8A20C1F8
Device    \Driver\usbuhci \Device\USBFDO-0                                                                                    8A20C1F8
Device    \Driver\usbuhci \Device\USBFDO-1                                                                                    8A20C1F8
Device    \Driver\usbuhci \Device\USBFDO-2                                                                                    8A20C1F8
Device     -> \Driver\atapi \Device\Harddisk0\DR0                                                                             8A328EC5
Device    \Driver\dmio \Device\DmControl\DmIoDaemon                                                                           8A42C1F8
Device    \Driver\dmio \Device\DmControl\DmConfig                                                                             8A42C1F8
Device    \Driver\dmio \Device\DmControl\DmPnP                                                                                8A42C1F8
Device    \Driver\dmio \Device\DmControl\DmInfo                                                                               8A42C1F8
Device    \FileSystem\Ntfs \Ntfs                                                                                              8A4971F8

INT 0x3E  ?                                                                                                                   8A498BF8
INT 0x3F  ?                                                                                                                   8A498BF8

Device    \Driver\Ftdisk \Device\HarddiskVolume1                                                                              8A4991F8
Device    \Driver\Ftdisk \Device\FtControl                                                                                    8A4991F8
Device    \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17                                                                        [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi \Device\Ide\IdePort0                                                                                  [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi \Device\Ide\IdePort1                                                                                  [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f                                                                         [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

---- Kernel code sections - GMER 1.0.15 ----

.text     am029ut8.SYS                                                                                                        B7F3C386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
.text     am029ut8.SYS                                                                                                        B7F3C3AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text     am029ut8.SYS                                                                                                        B7F3C3C4 3 Bytes  [00, 80, 02]
.text     am029ut8.SYS                                                                                                        B7F3C3C9 1 Byte  [30]
.text     am029ut8.SYS                                                                                                        B7F3C3C9 11 Bytes  [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text     USBPORT.SYS!DllUnload                                                                                               B83DA8AC 5 Bytes  JMP 8A0DE1D8 

---- Registry - GMER 1.0.15 ----

Reg       HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\

---- Kernel code sections - GMER 1.0.15 ----

.rsrc     C:\WINDOWS\system32\drivers\dmload.sys                                                                              entry point in ".rsrc" section [0xF798E114]
.text     C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                            section is writeable [0xB8854360, 0x37388D, 0xE8000020]
.text     C:\WINDOWS\system32\drivers\oreans32.sys                                                                            section is writeable [0xB8F2C280, 0x7B1C, 0xE8000020]

Device    \Driver\PCI_PNP0496 \Device\00000055                                                                                spbw.sys
Device    \Driver\PCI_PNP0496 \Device\00000055                                                                                spbw.sys
Device    \Driver\sptd \Device\4209741360                                                                                     spbw.sys

---- Kernel code sections - GMER 1.0.15 ----

?         spbw.sys                                                                                                            The system cannot find the file specified. !

SSDT      spbw.sys                                                                                                            ZwCreateKey [0xF74E40E0]
SSDT      spbw.sys                                                                                                            ZwEnumerateKey [0xF74FCDA4]
SSDT      spbw.sys                                                                                                            ZwEnumerateValueKey [0xF74FD132]
SSDT      spbw.sys                                                                                                            ZwOpenKey [0xF74E40C0]
SSDT      spbw.sys                                                                                                            ZwQueryKey [0xF74FD20A]
SSDT      spbw.sys                                                                                                            ZwQueryValueKey [0xF74FD08A]
SSDT      spbw.sys                                                                                                            ZwSetValueKey [0xF74FD29C]

---- Files - GMER 1.0.15 ----

File      C:\WINDOWS\system32\drivers\atapi.sys                                                                               suspicious modification
File      C:\WINDOWS\system32\drivers\dmload.sys                                                                              suspicious modification

---- EOF - GMER 1.0.15 ----

The GMER just got done like 5 minutes ago, HOURS later lol

Anything else? :)
 
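Reading a GMER log by eye is error-prone, so here is a small triage script, added as an example for this thread; it is not part of the post above and not GMER's own tooling. A constructed subset of the lines from the log above is embedded so it runs offline. The three rules it applies are my assumptions for 32-bit Windows XP, not GMER verdicts: a user-mode JMP whose target is below 0x01000000 lands in the process's private memory rather than in a loaded DLL, and the same API patched that way in several processes (svchost, wuauclt and Explorer here) points to injected code; a device object whose dispatch pointer sits in the 0x8xxxxxxx pool range, on a driver whose file GMER also marks "suspicious modification" (atapi.sys and \Device\Harddisk0\DR0 here), is the kernel-mode rootkit pattern; and SSDT hooks are reported together with the driver object that owns the hooking module, because the log itself ties spbw.sys to \Driver\sptd and the sptd registry entries to DAEMON Tools Lite, so those hooks need to be attributed before being called malicious. The names GmerReport, parse_gmer and triage are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a subset of the lines from the GMER log posted above.
SAMPLE_LOG = r"""
.text     C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtProtectVirtualMemory    7C90D6EE 5 Bytes  JMP 00B9000A
.text     C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!NtWriteVirtualMemory    7C90DFAE 5 Bytes  JMP 0094000A
.text     C:\WINDOWS\system32\wuauclt.exe[1352] ntdll.dll!NtWriteVirtualMemory    7C90DFAE 5 Bytes  JMP 0094000A
.text     C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtWriteVirtualMemory    7C90DFAE 5 Bytes  JMP 00BF000A
.text     C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!KiUserExceptionDispatcher    7C90E47C 5 Bytes  JMP 0092000C
.text     C:\WINDOWS\system32\wuauclt.exe[1352] ntdll.dll!KiUserExceptionDispatcher    7C90E47C 5 Bytes  JMP 0092000C
.text     C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!KiUserExceptionDispatcher    7C90E47C 5 Bytes  JMP 00B8000C
.text     C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!GetCursorPos    7E42974E 5 Bytes  JMP 00F4000A
Device     -> \Driver\atapi \Device\Harddisk0\DR0    8A328EC5
Device    \Driver\sptd \Device\4209741360    spbw.sys
?         spbw.sys    The system cannot find the file specified. !
SSDT      spbw.sys    ZwCreateKey [0xF74E40E0]
SSDT      spbw.sys    ZwOpenKey [0xF74E40C0]
SSDT      spbw.sys    ZwSetValueKey [0xF74FD29C]
File      C:\WINDOWS\system32\drivers\atapi.sys    suspicious modification
File      C:\WINDOWS\system32\drivers\dmload.sys    suspicious modification
"""

USER_HOOK = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<sym>\S+)\s+"
                       r"[0-9A-F]{8}\s+\d+ Bytes\s+JMP (?P<target>[0-9A-F]{8})")
DEVICE_HOOK = re.compile(r"^Device\s+->\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-F]{8})\s*$")
DEVICE_OWNER = re.compile(r"^Device\s+(?P<driver>\\Driver\\\S+)\s+\S+\s+(?P<module>\S+\.sys)\s*$")
SSDT_HOOK = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s+\[0x[0-9A-F]+\]")
MISSING_MODULE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified")
FILE_VERDICT = re.compile(r"^File\s+(?P<path>.+?)\s{2,}(?P<verdict>.+?)\s*$")

# Assumed layout for 32-bit XP: no system DLL maps below 0x01000000 inside a
# process, and 0x80000000-0x8FFFFFFF in the kernel is pool, not a driver image.
USER_PRIVATE_CEILING = 0x01000000


@dataclass
class GmerReport:
    user_hooks: list = field(default_factory=list)      # (process, pid, symbol, jmp target)
    device_hooks: list = field(default_factory=list)    # (driver object, device, address)
    device_owner: dict = field(default_factory=dict)    # driver object -> module file
    ssdt_hooks: dict = field(default_factory=lambda: defaultdict(list))  # module -> [service]
    missing_modules: set = field(default_factory=set)
    suspicious_files: list = field(default_factory=list)


def parse_gmer(text):
    """Bucket the GMER line types that matter for triage; everything else is ignored."""
    r = GmerReport()
    for line in text.splitlines():
        if m := USER_HOOK.match(line):
            r.user_hooks.append((m["proc"].rsplit("\\", 1)[-1], int(m["pid"]), m["sym"], int(m["target"], 16)))
        elif m := DEVICE_HOOK.match(line):
            r.device_hooks.append((m["driver"], m["device"], int(m["addr"], 16)))
        elif m := DEVICE_OWNER.match(line):
            r.device_owner[m["driver"]] = m["module"]
        elif m := SSDT_HOOK.match(line):
            r.ssdt_hooks[m["module"]].append(m["func"])
        elif m := MISSING_MODULE.match(line):
            r.missing_modules.add(m["module"])
        elif (m := FILE_VERDICT.match(line)) and "suspicious" in m["verdict"]:
            r.suspicious_files.append(m["path"])
    return r


def triage(r):
    """Return (severity, finding) pairs. Severities order the reading; they are not verdicts."""
    findings = []
    # 1. Same API patched in several processes, each JMP landing in private memory: injected code.
    by_sym = defaultdict(set)
    for proc, pid, sym, target in r.user_hooks:
        if target < USER_PRIVATE_CEILING:
            by_sym[sym].add(f"{proc}[{pid}]")
    for sym, procs in sorted(by_sym.items()):
        sev = "HIGH" if len(procs) > 1 else "MEDIUM"
        findings.append((sev, f"{sym} redirected into private memory in {', '.join(sorted(procs))}"))
    # 2. Dispatch pointer of a device object sitting in pool, on a driver whose file is also modified.
    modified = {p.rsplit("\\", 1)[-1].lower() for p in r.suspicious_files}
    covered = set()
    for driver, device, addr in r.device_hooks:
        drv_file = driver.rsplit("\\", 1)[-1].lower() + ".sys"
        in_pool = 0x80000000 <= addr < 0x90000000
        sev = "HIGH" if in_pool and drv_file in modified else "MEDIUM"
        covered.add(drv_file)
        findings.append((sev, f"{device} dispatch hooked at {addr:08X} ({drv_file} modified: {drv_file in modified})"))
    # 3. SSDT hooks: name the owning driver object so the hook can be attributed first.
    owner_of = {mod: drv for drv, mod in r.device_owner.items()}
    for mod, funcs in sorted(r.ssdt_hooks.items()):
        owner = owner_of.get(mod)
        disk = "missing on disk" if mod in r.missing_modules else "present on disk"
        findings.append(("MEDIUM" if owner else "HIGH",
                         f"SSDT: {mod} ({owner or 'no owner found'}, {disk}) hooks {', '.join(funcs)}"))
    # 4. Modified system files not already explained by a hooked device object.
    for path in r.suspicious_files:
        if path.rsplit("\\", 1)[-1].lower() not in covered:
            findings.append(("MEDIUM", f"modified system file: {path}"))
    return findings
```

To use it on a full log, call `triage(parse_gmer(open(path).read()))` and print the pairs. On the sample it produces three HIGH findings (NtWriteVirtualMemory and KiUserExceptionDispatcher patched in all three processes, and the hooked \Device\Harddisk0\DR0 on a modified atapi.sys) and four MEDIUM ones, with the spbw.sys SSDT hooks attributed to \Driver\sptd. A hooked disk device object backed by a modified atapi.sys is exactly the kind of change that no file-level cleanup can be trusted to reverse, which is why the advice in the next post is a reformat rather than a cleanup.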
Hi

Apologies for the delay.... Hectic work & family commitments.

Some bad news I'm afraid:
I hate to be the bearer of bad news but one or more of the identified infections on this system is a Backdoor Trojan. In addition, you have multiple other malware variants on this seriously infected system. The vector for these infections was very likely peer-to-peer filesharing.
Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

In addition to the backdoor Trojan that has been identified, this system is afflicted with other infections. Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damages it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system.

Prior to reformatting the system, the hard drive could be removed and attached to another system as a "slave," thereby allowing you to remove and salvage your data files. No programs or executable files should be saved as they would likely be infected, and all data files should be scanned with anti-virus and anti-spyware programs prior to being returned to the hard drive after it has been reformatted. If you are not comfortable performing this procedure yourself, we would advise you to take the computer to a reliable, local, computer repair shop and have them do the work for you.

Should you have any questions, please feel free to ask.
 
Well that sucks, been meaning to reformat, now I just have a reason to.
Question, as long as we stay away from anything important, we should be ok, right?
Just asking because I don't know how long it'll be till I purchase a new HDD.
And I just mean basic browsing (YouTube etc)

Also, thanks for letting me know!
 
Hi

Question, as long as we stay away from anything important, we should be ok, right?
Not quite sure what you mean. Do you mean staying away from your banking sites etc.?
Here is an example of one of the files you're dealing with:
tcpip7x.sys
http://www.threatexpert.com/report.aspx?md5=d621f8e4f8a3be77264436fd0d8652be

So after reading that, where do you draw the line as to what is important... when every keystroke is being captured.
We could clean this machine, but until it's reformatted it would never be considered safe to use.

Your choice.
 
That's exactly what I mean. Just browse and maybe watch a couple vids here and there.

I'm not gonna bother wasting your guys' time with this PC, I can already tell it's going to be a long process that'll just end up nowhere. I plan on reformatting soon, just not entirely sure when.

Thanks again.
 
OK, no problem.

Let me know if you need some assistance re-formatting, otherwise I'll close this one.
 
I think I can handle it, but I do have one question before this gets closed/archived:

What would be some good precautions/actions to take once reformatted so that this problem does not occur again?
 
This is a list of recommendations & advice I usually give at the close of a topic. You're free to take any or all of the advice:

Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Create a Clean System Restore Point
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and click OK
Ensure the boxes for Temporary Files & Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore click Clean up... and click Yes to the prompt
Click OK and Yes to confirm.

Set Correct Settings For Files That Should Be Hidden In Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab
  • Under Hidden files and folders if necessary select Do not show hidden files and folders
  • If unchecked, check Hide protected operating system files (Recommended)
  • If necessary check Display content of system folders
  • If necessary Uncheck Hide file extensions for known file types
  • Click OK

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can download it here & find a tutorial here. Keep it updated & run it regularly.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.
Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
You can Find the Tutorial HERE

Web of Trust
WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and Internet Explorer.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.
 
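The HOSTS mechanism described in the post above cuts both ways: the same file is a favourite target of banking malware, which adds entries that send a bank's hostname to an attacker's address, so after a rebuild the file is worth auditing and merging rather than blindly overwriting. The script below is an added example; it is not part of the thread and not the MVPS tooling. Both file bodies are constructed (203.0.113.7 and the example.* and bank.example names are documentation placeholders), and parse_hosts, audit_hosts, merge_hosts and resolve_via_hosts are names I chose.

```python
import ipaddress

# Addresses a blocklist may legitimately point a name at: this machine, or nowhere.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample of a HOSTS file as it might look after an infection:
# the stock localhost line, two blocklist-style entries, and one line that
# sends a bank hostname to a routable address (203.0.113.7 is a documentation IP).
EXISTING_HOSTS = """\
# stock header comment
127.0.0.1       localhost
127.0.0.1       ad.example.net          # blocklist-style entry
0.0.0.0         tracker.example.org
203.0.113.7     online.bank.example
"""

# Constructed sample blocklist in the same one-address-one-name format as the MVPS file.
NEW_BLOCKLIST = """\
0.0.0.0  ad.example.net
0.0.0.0  ads.example.com
0.0.0.0  localhost   # a blocklist must never carry localhost
"""


def parse_hosts(text):
    """Return [(ip, hostname, lineno)] for every name on every active line.
    Comments are stripped and one line may list several names for one address."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.extend((parts[0], name.lower(), lineno) for name in parts[1:])
    return entries


def resolve_via_hosts(entries, hostname):
    """Mimic the resolver: the first exact, case-insensitive match wins, and there
    is no suffix or wildcard matching. None means the name falls through to DNS."""
    hostname = hostname.lower()
    return next((ip for ip, name, _ in entries if name == hostname), None)


def audit_hosts(entries):
    """Flag what a blocklist would never produce: a name sent to a routable
    address (hijack), an unparseable address, or conflicting targets for one name."""
    issues, seen = [], {}
    for ip, name, lineno in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            issues.append(("INVALID", lineno, f"{ip} is not an IP address"))
            continue
        if ip not in SINK_ADDRESSES and not addr.is_loopback:
            issues.append(("HIJACK", lineno, f"{name} -> {ip} is routable"))
        if name in seen and seen[name] != ip:
            issues.append(("CONFLICT", lineno, f"{name} already mapped to {seen[name]}"))
        seen.setdefault(name, ip)
    return issues


def merge_hosts(existing_text, blocklist_text):
    """Keep clean existing entries, drop anything audit_hosts flags, add new
    blocklist names (first writer wins) and never let the blocklist touch
    localhost. Returns (merged_text, rejected_descriptions)."""
    rejected, merged = [], {}
    existing = parse_hosts(existing_text)
    bad_lines = {lineno for _, lineno, _ in audit_hosts(existing)}
    for ip, name, lineno in existing:
        if lineno in bad_lines:
            rejected.append(f"existing line {lineno}: {name} -> {ip}")
        else:
            merged.setdefault(name, ip)
    merged.setdefault("localhost", "127.0.0.1")  # local services rely on this line
    for ip, name, lineno in parse_hosts(blocklist_text):
        if name == "localhost" or ip not in SINK_ADDRESSES:
            rejected.append(f"blocklist line {lineno}: {name} -> {ip}")
        else:
            merged.setdefault(name, ip)
    text = "".join(f"{ip:<15} {name}\n" for name, ip in merged.items())
    return text, rejected
```

On XP the live file is %SystemRoot%\system32\drivers\etc\hosts and is written as Administrator; `merge_hosts(open(path).read(), open(blocklist).read())` gives the text to put back plus the lines it refused, which are the ones to look at. resolve_via_hosts mirrors two things the post glosses over: only the first exact match counts, and there is no wildcard matching, so an entry for ad.example.net does nothing for sub.ad.example.net.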
Since this issue appears to be resolved ... this Topic has been closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include fresh DDS & Attach logs and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or Moderator a private message (pm). A valid, working link to the closed topic is also required.
 