
Thread: It is antivirus2009 and spysweeper. Please help. Thanks

  1. #1
    Member
    Join Date
    Jan 2009
    Posts
    32

    It is antivirus2009 and spysweeper. Please help. Thanks

    It has a lot of popup windows and always starts up with Antivirus 2009 and Spy Sweeper. It won't let me into this site (www.safer-networking.org) or the TrendSecure site to download hijack....
    Please help me. Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:29:45 PM, on 3/5/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\U_C\Desktop\HJTInstall.exe
    C:\Documents and Settings\U_C\Desktop\HJTInstall.exe
    \Jqddjqdd\shareddocs\antivirus2009\HiJackThis.exe
    C:\Documents and Settings\U_C\Desktop\HJTInstall.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: {5e483ab6-da0c-285b-0434-7a4514f3d354} - {453d3f41-54a7-4340-b582-c0ad6ba384e5} - C:\WINDOWS\system32\mzjezf.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: (no name) - {fc7bfae2-c34a-4321-aa42-31760b97964b} - C:\WINDOWS\system32\yohilite.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [CPMd729a208] Rundll32.exe "c:\windows\system32\tojowebo.dll",a
    O4 - HKLM\..\Run: [wigegabiwi] Rundll32.exe "C:\WINDOWS\system32\pozimadu.dll",s
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [11285347122748501505870628541194] C:\Program Files\Antivirus 2009\av2009.exe
    O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"
    O4 - HKUS\S-1-5-19\..\Run: [wigegabiwi] Rundll32.exe "C:\WINDOWS\system32\pozimadu.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [wigegabiwi] Rundll32.exe "C:\WINDOWS\system32\pozimadu.dll",s (User 'NETWORK SERVICE')
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: windows\system32\tojowebo.dll,c:\windows\system32\tojowebo.dll,C:\WINDOWS\system32\gebojele.dll,mzjezf.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tojowebo.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tojowebo.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O24 - Desktop Component 0: (no name) - http://l.yimg.com/a/i/ww/thm/1/grd-1px_1.4.gif

    --
    End of file - 5488 bytes
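As an added triage example (not code from this thread or from Trend Micro), the script below parses HijackThis entries like the ones in the log above and flags what an analyst would look at first: rundll32 loaders in Run keys, AppInit_DLLs injection, letters-only DLL names in system32, and the redirected search bar. Every rule in it is an assumed heuristic, not a verdict.

```python
"""Triage of HijackThis v2 log entries (added example, not a Trend Micro tool)."""
import re
from typing import Dict, List

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {5e483ab6-da0c-285b-0434-7a4514f3d354} - {453d3f41-54a7-4340-b582-c0ad6ba384e5} - C:\WINDOWS\system32\mzjezf.dll
O2 - BHO: (no name) - {fc7bfae2-c34a-4321-aa42-31760b97964b} - C:\WINDOWS\system32\yohilite.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CPMd729a208] Rundll32.exe "c:\windows\system32\tojowebo.dll",a
O4 - HKLM\..\Run: [wigegabiwi] Rundll32.exe "C:\WINDOWS\system32\pozimadu.dll",s
O4 - HKCU\..\Run: [11285347122748501505870628541194] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"
O20 - AppInit_DLLs: windows\system32\tojowebo.dll,c:\windows\system32\tojowebo.dll,C:\WINDOWS\system32\gebojele.dll,mzjezf.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tojowebo.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# "O4 - HKLM\..\Run: [value] command": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK.*?\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# Drive-letter paths ending in a PE extension; stops at quotes and commas.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n,]*?\.(?:dll|exe|sys)', re.IGNORECASE)
# Pseudo-random names such as mzjezf.dll or tojowebo.dll: letters only, no digits.
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,12}\.dll$")
ROGUE_NAMES = ("antivirus 2009",)  # the rogue product named in this thread (assumed list)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().strip('"')


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return a list of {kind, reason, item} findings for the given log text."""
    findings: List[Dict[str, str]] = []

    def flag(kind: str, reason: str, item: str) -> None:
        findings.append({"kind": kind, "reason": reason, "item": item})

    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")

        # O20 AppInit_DLLs: every listed DLL is loaded into every process that uses user32.
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            for part in body.split(":", 1)[1].split(","):
                if part.strip():
                    flag(kind, "DLL injected via AppInit_DLLs", basename(part))
            continue

        # O4 Run values: rundll32 loaders, digit-only value names, known rogue products.
        if kind == "O4":
            rm = RUN_RE.match(body)
            if rm:
                value, cmd = rm.group("value"), rm.group("cmd")
                paths = PATH_RE.findall(cmd)
                target = paths[0] if paths else cmd
                if cmd.lower().startswith("rundll32"):
                    flag(kind, "Run value loads a DLL through rundll32", target)
                if value.isdigit():
                    flag(kind, "Run value name is digits only", target)
                if any(r in cmd.lower() for r in ROGUE_NAMES):
                    flag(kind, "known rogue security product", target)

        # Any section: a letters-only DLL name sitting in system32.
        for path in PATH_RE.findall(body):
            if "\\system32\\" in path.lower() and RANDOM_DLL_RE.match(basename(path)):
                flag(kind, "unrecognised lower-case DLL in system32", path)

        # R1 search settings pointing away from the vendor default.
        if kind == "R1" and "Search Bar" in body and "microsoft.com" not in body:
            flag(kind, "IE search bar redirected", body.split("=", 1)[1].strip())
    return findings


def flagged_names(findings: List[Dict[str, str]]) -> set:
    """Lower-cased file names of everything that was flagged."""
    return {basename(f["item"]).lower() for f in findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:4} {f['reason']:42} {f['item']}")
```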

  2. #2
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hello and welcome to Safer Networking.

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.
    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    Please observe these rules while we work:
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Please continue to respond until I give you the "All Clear"


    If you follow these instructions, everything should go smoothly.

    1 - Scan With ComboFix

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    How to Temporarily Disable Anti-virus

    Please include the C:\ComboFix.txt in your next reply for further review.

    2 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

    3 - Status Check
    Please reply with


    1. the ComboFix log (C:\ComboFix.txt)
    2. a fresh HijackThis log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  3. #3
    Member
    Join Date
    Jan 2009
    Posts
    32

    I cannot run ComboFix

    I had to download the ComboFix program from another computer and copy it to the infected computer. I placed the ComboFix icon on the desktop. When I double-click the ComboFix icon, it tells me to run the program. Then I hit the Run button, but nothing happens. The first ComboFix window is not shown.
    This is the same thing when I do the HijackThis download too (I downloaded the third link, the HijackThis executable, so I can run HijackThis using the executable).
    What can I do now?
    The infected computer won't let me go to the bleepingcomputer website (when I type www.bleepingcomputer.com, IE shows me "The page cannot be displayed"). This is the same problem with your website www.safer-networking.org and trendsecure.com.

  4. #4
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi
    Let's try this....
    If you have a previous version of Combofix.exe, delete it

    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3




    --------------------------------------------------------------------

    Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  5. #5
    Member
    Join Date
    Jan 2009
    Posts
    32

    ComboFix log and HijackThis log

    ComboFix 09-03-04.01 - U_C 2009-03-06 14:48:25.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.735 [GMT -8:00]
    Running from: c:\documents and settings\U_C\Desktop\Combo-Fix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\U_C\LOCALS~1\Temp\tmp1.tmp
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\U_C\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\bohotute.dll
    c:\windows\system32\butazaji.dll
    c:\windows\system32\drivers\TDSSpaxt.sys
    c:\windows\system32\ekahaluh.ini
    c:\windows\system32\elepaleg.ini
    c:\windows\system32\gebojele.dll
    c:\windows\system32\hejitavo.dll
    c:\windows\system32\holiwaga.dll
    c:\windows\system32\ivahalak.ini
    c:\windows\system32\kalahavi.dll
    c:\windows\system32\kobitaka.dll
    c:\windows\system32\lewiyidi.dll
    c:\windows\system32\mesekaho.dll
    c:\windows\system32\milokira.dll
    c:\windows\system32\mzjezf.dll
    c:\windows\system32\namogizu.dll
    c:\windows\system32\nezovefo.dll
    c:\windows\system32\nojalite.dll
    c:\windows\system32\nonabefa.dll
    c:\windows\system32\odisinad.ini
    c:\windows\system32\ogayotez.ini
    c:\windows\system32\opikumon.ini
    c:\windows\system32\ovatijeh.ini
    c:\windows\system32\pozimadu.dll
    c:\windows\system32\sirifiwi.dll
    c:\windows\system32\TDSScfum.dll
    c:\windows\system32\TDSSfxmp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSnrsr.dll
    c:\windows\system32\TDSSofxh.dll
    c:\windows\system32\TDSSosvd.dat
    c:\windows\system32\TDSSrhym.log
    c:\windows\system32\TDSSriqp.dll
    c:\windows\system32\TDSSsbhc.dll
    c:\windows\system32\TDSStkdv.log
    c:\windows\system32\tojowebo.dll
    c:\windows\system32\umeyanol.ini
    c:\windows\system32\unojitef.ini
    c:\windows\system32\usajuhig.ini
    c:\windows\system32\vomuganu.dll
    c:\windows\system32\weluyiki.dll
    c:\windows\system32\wumoyuvo.dll
    c:\windows\system32\yohilite.dll

    ----- BITS: Possible infected sites -----

    hxxp://82.98.235.205
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSserv.sys
    -------\Legacy_TDSSserv.sys


    ((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
    .

    2009-03-05 18:44 . 2009-03-06 12:05 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-03-05 18:25 . 2009-03-05 18:25 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-03-05 18:25 . 2009-03-05 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-03-05 18:25 . 2009-03-05 18:25 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-03-05 18:25 . 2009-03-05 18:25 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-03-05 14:01 . 2009-03-05 21:14 1,406 --a------ c:\windows\SysMech6.INI
    2009-03-05 13:18 . 2009-03-05 13:18 406 --a------ c:\windows\system32\ioloBootDefrag.cfg
    2009-03-05 13:07 . 2005-10-24 17:07 41,472 --a------ c:\windows\system32\iolobtdfg.exe
    2009-03-05 13:07 . 2005-09-12 20:20 25,264 --a------ c:\windows\system32\smrgdf.exe
    2009-03-05 13:06 . 2009-03-05 13:06 <DIR> d-------- c:\program files\iolo
    2009-03-05 13:06 . 2006-02-02 18:42 1,211,904 --a------ c:\windows\system32\Incinerator.dll
    2009-03-05 10:52 . 2009-03-05 10:52 <DIR> d-------- c:\program files\AVG
    2009-03-05 10:52 . 2009-03-05 10:57 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup_2
    2009-03-05 10:52 . 2009-03-05 10:52 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup_1
    2009-03-05 10:35 . 2009-03-05 10:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
    2009-03-05 10:30 . 2009-03-05 10:30 2,098 ---hs---- c:\windows\system32\rimuwuka.dll
    2009-03-05 10:30 . 2009-03-05 10:30 2,098 ---hs---- c:\windows\system32\mibevilo.dll
    2009-03-04 21:40 . 2009-03-04 21:40 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup
    2009-03-04 20:28 . 2009-03-04 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Prism
    2009-03-04 20:27 . 2009-03-04 20:42 <DIR> d-------- c:\program files\Dell Wireless
    2009-03-04 20:27 . 2004-08-31 11:53 1,364,036 -ra------ c:\windows\system32\PRISME5.dll
    2009-03-04 20:27 . 2004-10-04 14:05 405,593 --a------ c:\windows\system32\PRISMAPI.dll
    2009-03-04 20:27 . 2004-10-04 14:10 327,769 --a------ c:\windows\system32\PRISMSVR.exe
    2009-03-04 20:27 . 2004-10-04 14:12 57,344 --a------ c:\windows\system32\PRISMSVC.exe
    2009-03-04 20:27 . 2004-09-01 14:39 16,979 --a------ c:\windows\system32\drivers\AEGISP.sys
    2009-03-04 19:52 . 2004-09-26 19:42 345,184 --a------ c:\windows\system32\drivers\PRISMA02.sys
    2009-03-04 19:52 . 2004-08-18 11:01 49,152 --a------ c:\windows\system32\CoPrism.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-05 04:27 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-06 17:29 87,605 ------w c:\windows\system32\lonayemu.dll
    2008-09-06 17:29 63,029 --sha-w c:\windows\system32\hupabubi.dll
    2008-09-06 17:29 11,264 --sha-w c:\windows\system32\suhahebu.dll
    2008-09-06 17:29 63,029 --sha-w c:\windows\system32\tesifoti.dll
    2008-09-06 17:29 63,029 --sha-w c:\windows\system32\tukejavi.dll
    2008-11-19 20:52 608 --sha-w c:\windows\system32\winzvprt5.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
    "SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [2006-02-02 578048]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
    "HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-08-31 36864]
    "SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-01-25 4865600]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-05 1261336]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
    "SoundMan"="SOUNDMAN.EXE" [2005-07-25 c:\windows\SOUNDMAN.EXE]
    "AlcWzrd"="ALCWZRD.EXE" [2005-07-25 c:\windows\ALCWZRD.EXE]

    c:\documents and settings\U_C\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2009-03-04 917611]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ cli

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\HP\\hp laserjet m1522\\Fax Config utility1.exe"=
    "c:\\Program Files\\Dell Wireless\\PRISMCFG.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Combo-Fix\\NirCmd.cfexe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-05 97928]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-05 231704]
    S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [2008-11-19 20504]
    S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2008-11-13 101248]
    S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2008-11-13 73856]
    S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2009-03-04 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c78e50d-b1d9-11dd-afd0-0013204ee5da}]
    \Shell\AutoRun\command - i:\win\setup.exe
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{453d3f41-54a7-4340-b582-c0ad6ba384e5} - c:\windows\system32\mzjezf.dll
    BHO-{fc7bfae2-c34a-4321-aa42-31760b97964b} - c:\windows\system32\yohilite.dll
    WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
    HKLM-Run-d41a9194 - c:\windows\system32\zetoyago.dll
    SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sirifiwi.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - c:\program files\ClickClean\ClickClean.exe
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-06 14:53:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(920)
    c:\windows\system32\WRLogonNTF.dll
    c:\windows\system32\PRISMAPI.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\PRISMSVR.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-06 14:54:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-06 22:54:32

    Pre-Run: 203,207,286,784 bytes free
    Post-Run: 203,121,442,816 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    207


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:59:15 PM, on 3/6/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
    C:\Program Files\HP\HP UT\bin\hppusg.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Dell Wireless\PRISMCFG.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
    O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Cleaner - {CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - C:\Program Files\ClickClean\ClickClean.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O24 - Desktop Component 0: (no name) - http://l.yimg.com/a/i/ww/thm/1/grd-1px_1.4.gif

    --
    End of file - 4907 bytes

  6. #6
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi tiffanyle2000

    1 - Run CFScript

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\rimuwuka.dll
    c:\windows\system32\lonayemu.dll
    c:\windows\system32\hupabubi.dll
    c:\windows\system32\suhahebu.dll
    c:\windows\system32\tesifoti.dll
    c:\windows\system32\tukejavi.dll
    Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    2 - Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2

    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.

    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

    On the Scanner tab:
    • Make sure the "Perform full scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found here:

      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    • Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    3 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

    4 - Status Check
    Please reply with


    1. the ComboFix log (C:\ComboFix.txt)
    2. the Malwarebytes' Anti-Malware Log
    3. a fresh HijackThis log
    4. a description of any problems you are having with your PC

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
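As an added example (not part of ComboFix and not from this post), the script below parses the "Files Created" and "Find3M" rows of the ComboFix log posted earlier and renders a CFScript File:: section in the layout used above. The two selection rules it applies (hidden or system files with letters-only names under system32, plus letters-only files sharing the same hh:mm modification stamp) are assumptions; they reproduce the six files chosen above and also pick up mibevilo.dll, which ComboFix listed alongside rimuwuka.dll.

```python
"""Pick CFScript candidates from ComboFix file listings (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: rows copied from the ComboFix log posted earlier in the thread.
SAMPLE_LINES = r"""
2009-03-05 18:25 . 2009-03-05 18:25 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-05 10:30 . 2009-03-05 10:30 2,098 ---hs---- c:\windows\system32\rimuwuka.dll
2009-03-05 10:30 . 2009-03-05 10:30 2,098 ---hs---- c:\windows\system32\mibevilo.dll
2009-03-04 20:27 . 2004-10-04 14:05 405,593 --a------ c:\windows\system32\PRISMAPI.dll
2009-03-05 13:06 . 2009-03-05 13:06 <DIR> d-------- c:\program files\iolo
2009-03-05 04:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 17:29 87,605 ------w c:\windows\system32\lonayemu.dll
2008-09-06 17:29 63,029 --sha-w c:\windows\system32\hupabubi.dll
2008-09-06 17:29 11,264 --sha-w c:\windows\system32\suhahebu.dll
2008-09-06 17:29 63,029 --sha-w c:\windows\system32\tesifoti.dll
2008-09-06 17:29 63,029 --sha-w c:\windows\system32\tukejavi.dll
2008-11-19 20:52 608 --sha-w c:\windows\system32\winzvprt5.sys
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
# "Files Created" rows: created . modified size attrs path
CREATED_RE = re.compile(
    rf"^(?P<created>{STAMP}) \. (?P<modified>{STAMP}) (?P<size>[\d,]+|<DIR>) (?P<attrs>[\w-]+) (?P<path>.+)$")
# "Find3M Report" rows: modified size attrs path
FIND3M_RE = re.compile(
    rf"^(?P<modified>{STAMP}) (?P<size>[\d,]+|-+) (?P<attrs>[\w-]+) (?P<path>.+)$")
# Pseudo-random names such as rimuwuka.dll: lower-case letters only, no digits.
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,12}\.dll$")


@dataclass(frozen=True)
class Entry:
    path: str
    modified: str   # "YYYY-MM-DD HH:MM" as printed by ComboFix
    attrs: str      # attribute letters, e.g. "---hs----" or "--sha-w"

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_or_system(self) -> bool:
        return "h" in self.attrs or "s" in self.attrs


def parse_combofix(text: str) -> List[Entry]:
    """Parse every row that matches either listing format; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line) or FIND3M_RE.match(line)
        if m:
            entries.append(Entry(m.group("path"), m.group("modified"), m.group("attrs")))
    return entries


def select_candidates(entries: List[Entry]) -> List[str]:
    """Assumed heuristics: hidden/system random-named DLLs in system32, then
    random-named files that share an hh:mm stamp with one of those."""
    sys32 = [e for e in entries if not e.is_dir and "\\system32\\" in e.path.lower()]
    picked = {e for e in sys32 if e.hidden_or_system and RANDOM_DLL_RE.match(e.name)}
    stamps = {e.modified[-5:] for e in picked}          # hh:mm of the first-pass hits
    for e in sys32:
        if e not in picked and RANDOM_DLL_RE.match(e.name) and e.modified[-5:] in stamps:
            picked.add(e)
    return sorted(e.path for e in picked)


def build_cfscript(paths: List[str]) -> str:
    """Render the File:: section in the layout used by the CFScript above."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    print(build_cfscript(select_candidates(parse_combofix(SAMPLE_LINES))), end="")
```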

  7. #7
    Member
    Join Date
    Jan 2009
    Posts
    32

    ComboFix, Malwarebytes' Anti-Malware and HijackThis log.

    ComboFix 09-03-04.01 - U_C 2009-03-07 12:18:37.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.568 [GMT -8:00]
    Running from: c:\documents and settings\U_C\Desktop\Combo-Fix.exe
    Command switches used :: c:\documents and settings\U_C\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\windows\system32\hupabubi.dll
    c:\windows\system32\lonayemu.dll
    c:\windows\system32\rimuwuka.dll
    c:\windows\system32\suhahebu.dll
    c:\windows\system32\tesifoti.dll
    c:\windows\system32\tukejavi.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\rimuwuka.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
    .

    2009-03-06 20:46 . 2009-03-06 20:46 <DIR> d-------- c:\program files\Windows Installer Clean Up
    2009-03-06 20:45 . 2009-03-06 20:47 <DIR> d-------- c:\program files\MSECACHE
    2009-03-06 19:43 . 2009-03-06 19:43 <DIR> d-------- c:\program files\CONEXANT
    2009-03-06 19:39 . 2009-03-06 19:39 <DIR> d-------- c:\windows\Downloaded Installations
    2009-03-06 19:39 . 2009-03-06 19:39 <DIR> d-------- c:\program files\eMachines Bay Reader
    2009-03-06 17:35 . 2009-03-06 17:35 <DIR> d-------- c:\program files\Western Digital Technologies
    2009-03-06 16:36 . 2009-03-06 16:36 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-03-06 16:15 . 2009-03-06 17:05 <DIR> d-------- c:\windows\system32\NtmsData
    2009-03-06 16:03 . 2009-03-06 16:24 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2009-03-06 15:57 . 2009-03-06 15:57 <DIR> d-------- c:\program files\MSXML 4.0
    2009-03-06 15:56 . 2008-08-14 02:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2009-03-06 15:56 . 2008-08-14 01:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-03-06 15:56 . 2008-08-14 01:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-03-06 15:56 . 2008-08-14 01:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2009-03-06 15:44 . 2009-03-06 16:45 <DIR> d--h----- c:\windows\$hf_mig$
    2009-03-06 15:39 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2009-03-06 14:59 . 2009-03-06 14:59 <DIR> d-------- c:\program files\Trend Micro
    2009-03-05 18:44 . 2009-03-07 12:18 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-03-05 18:25 . 2009-03-06 15:11 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-03-05 18:25 . 2009-03-06 16:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-03-05 18:25 . 2009-03-06 16:36 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-03-05 14:01 . 2009-03-06 19:10 1,696 --a------ c:\windows\SysMech6.INI
    2009-03-05 13:18 . 2009-03-05 13:18 406 --a------ c:\windows\system32\ioloBootDefrag.cfg
    2009-03-05 13:07 . 2005-10-24 17:07 41,472 --a------ c:\windows\system32\iolobtdfg.exe
    2009-03-05 13:07 . 2005-09-12 20:20 25,264 --a------ c:\windows\system32\smrgdf.exe
    2009-03-05 13:06 . 2009-03-05 13:06 <DIR> d-------- c:\program files\iolo
    2009-03-05 13:06 . 2006-02-02 18:42 1,211,904 --a------ c:\windows\system32\Incinerator.dll
    2009-03-05 10:52 . 2009-03-05 10:52 <DIR> d-------- c:\program files\AVG
    2009-03-05 10:52 . 2009-03-05 10:57 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup_2
    2009-03-05 10:52 . 2009-03-05 10:52 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup_1
    2009-03-05 10:35 . 2009-03-05 10:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
    2009-03-05 10:30 . 2009-03-05 10:30 2,098 ---hs---- c:\windows\system32\mibevilo.dll
    2009-03-04 21:40 . 2009-03-04 21:40 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup
    2009-03-04 20:28 . 2009-03-04 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Prism
    2009-03-04 20:27 . 2009-03-04 20:42 <DIR> d-------- c:\program files\Dell Wireless
    2009-03-04 20:27 . 2004-08-31 11:53 1,364,036 -ra------ c:\windows\system32\PRISME5.dll
    2009-03-04 20:27 . 2004-10-04 14:05 405,593 --a------ c:\windows\system32\PRISMAPI.dll
    2009-03-04 20:27 . 2004-10-04 14:10 327,769 --a------ c:\windows\system32\PRISMSVR.exe
    2009-03-04 20:27 . 2004-10-04 14:12 57,344 --a------ c:\windows\system32\PRISMSVC.exe
    2009-03-04 20:27 . 2004-09-01 14:39 16,979 --a------ c:\windows\system32\drivers\AEGISP.sys
    2009-03-04 19:52 . 2004-09-26 19:42 345,184 --a------ c:\windows\system32\drivers\PRISMA02.sys
    2009-03-04 19:52 . 2004-08-18 11:01 49,152 --a------ c:\windows\system32\CoPrism.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-07 03:39 --------- d-----w c:\program files\Common Files\InstallShield
    2009-03-07 00:13 --------- d-----w c:\program files\HP
    2009-03-05 04:27 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-19 20:52 608 --sha-w c:\windows\system32\winzvprt5.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-06_14.54.02.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-11-19 20:53:38 10,752 ------w c:\windows\assembly\temp\N14NSZ39TT\interop.hpqusg.dll
    + 2008-06-13 13:10:50 272,128 ------w c:\windows\Driver Cache\i386\bthport.sys
    + 2008-10-24 11:10:42 453,632 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
    + 2008-08-14 09:58:27 2,136,064 ------w c:\windows\Driver Cache\i386\ntkrnlmp.exe
    + 2008-08-14 09:22:13 2,057,728 ------w c:\windows\Driver Cache\i386\ntkrnlpa.exe
    + 2008-08-14 09:22:14 2,015,744 ------w c:\windows\Driver Cache\i386\ntkrpamp.exe
    + 2008-08-14 10:00:45 2,180,352 ------w c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2009-03-07 03:39:12 25,214 ----a-r c:\windows\Installer\{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}\ARPPRODUCTICON.exe
    + 2009-03-06 23:57:41 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
    - 2004-08-03 22:56:42 100,352 ----a-w c:\windows\system32\6to4svc.dll
    + 2006-08-16 11:58:05 100,352 ----a-w c:\windows\system32\6to4svc.dll
    - 2004-08-03 22:56:42 1,016,832 ----a-w c:\windows\system32\browseui.dll
    + 2008-10-16 10:37:04 1,023,488 ----a-w c:\windows\system32\browseui.dll
    - 2004-08-03 22:56:42 150,528 ----a-w c:\windows\system32\cdfview.dll
    + 2008-10-16 10:37:02 151,040 ----a-w c:\windows\system32\cdfview.dll
    - 2004-08-03 22:56:42 1,053,696 ----a-w c:\windows\system32\danim.dll
    + 2008-10-16 10:37:02 1,054,208 ----a-w c:\windows\system32\danim.dll
    + 2003-12-24 21:45:30 221,184 ----a-w c:\windows\system32\diconxp.dll
    - 2004-08-03 22:56:42 100,352 -c--a-w c:\windows\system32\dllcache\6to4svc.dll
    + 2006-08-16 11:58:05 100,352 -c--a-w c:\windows\system32\dllcache\6to4svc.dll
    - 2004-08-03 21:14:16 138,496 -c--a-w c:\windows\system32\dllcache\afd.sys
    + 2008-08-14 09:51:43 138,368 -c--a-w c:\windows\system32\dllcache\afd.sys
    - 2004-08-03 22:56:42 1,016,832 -c--a-w c:\windows\system32\dllcache\browseui.dll
    + 2008-10-16 10:37:04 1,023,488 -c--a-w c:\windows\system32\dllcache\browseui.dll
    + 2008-06-13 13:10:50 272,128 -c----w c:\windows\system32\dllcache\bthport.sys
    - 2004-08-03 22:56:42 150,528 -c--a-w c:\windows\system32\dllcache\cdfview.dll
    + 2008-10-16 10:37:02 151,040 -c--a-w c:\windows\system32\dllcache\cdfview.dll
    - 2004-08-03 22:56:42 1,053,696 -c--a-w c:\windows\system32\dllcache\danim.dll
    + 2008-10-16 10:37:02 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
    - 2004-08-03 22:56:44 148,480 -c--a-w c:\windows\system32\dllcache\dnsapi.dll
    + 2008-06-21 07:11:12 148,992 -c--a-w c:\windows\system32\dllcache\dnsapi.dll
    - 2004-08-03 22:56:44 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
    + 2008-10-16 10:37:02 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
    - 2004-08-03 22:56:44 201,728 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
    + 2008-10-16 10:37:02 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
    - 2004-08-03 22:56:44 243,200 -c--a-w c:\windows\system32\dllcache\es.dll
    + 2008-07-07 20:32:22 253,952 -c--a-w c:\windows\system32\dllcache\es.dll
    - 2004-08-03 22:56:44 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
    + 2008-10-16 10:37:02 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
    - 2004-08-03 22:56:44 278,016 -c--a-w c:\windows\system32\dllcache\gdi32.dll
    + 2008-10-23 13:01:36 283,648 -c--a-w c:\windows\system32\dllcache\gdi32.dll
    - 2004-08-03 22:56:52 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
    + 2008-10-15 09:45:01 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
    - 2004-08-03 22:56:44 249,344 -c--a-w c:\windows\system32\dllcache\iepeers.dll
    + 2008-10-16 10:37:02 251,392 -c--a-w c:\windows\system32\dllcache\iepeers.dll
    - 2004-08-03 22:56:44 678,400 -c--a-w c:\windows\system32\dllcache\inetcomm.dll
    + 2008-04-11 18:50:43 683,520 -c--a-w c:\windows\system32\dllcache\inetcomm.dll
    - 2004-08-03 22:56:44 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
    + 2008-10-16 10:37:02 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
    - 2004-08-03 22:56:44 450,560 -c--a-w c:\windows\system32\dllcache\jscript.dll
    + 2007-12-18 14:40:58 450,560 -c--a-w c:\windows\system32\dllcache\jscript.dll
    - 2004-08-03 22:56:44 15,872 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
    + 2008-10-16 10:37:03 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
    - 2004-08-03 22:56:52 103,936 -c--a-w c:\windows\system32\dllcache\logagent.exe
    + 2008-06-10 09:31:06 103,936 -c--a-w c:\windows\system32\dllcache\logagent.exe
    - 2004-08-03 22:56:44 331,776 -c--a-w c:\windows\system32\dllcache\msadce.dll
    + 2008-05-01 14:30:33 331,776 -c--a-w c:\windows\system32\dllcache\msadce.dll
    - 2004-08-03 22:56:44 73,728 -c--a-w c:\windows\system32\dllcache\mscms.dll
    + 2008-06-24 16:23:05 74,240 -c--a-w c:\windows\system32\dllcache\mscms.dll
    - 2004-08-03 22:56:44 3,003,392 -c--a-w c:\windows\system32\dllcache\mshtml.dll
    + 2008-12-12 17:33:23 3,060,224 -c--a-w c:\windows\system32\dllcache\mshtml.dll
    - 2004-08-03 22:56:44 448,512 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
    + 2008-10-16 10:37:03 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
    - 2004-08-03 22:56:44 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
    + 2008-10-16 10:37:02 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
    - 2004-08-03 22:56:44 530,432 -c--a-w c:\windows\system32\dllcache\mstime.dll
    + 2008-10-16 10:37:02 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
    - 2004-08-03 22:56:46 245,248 -c--a-w c:\windows\system32\dllcache\mswsock.dll
    + 2008-06-20 17:41:10 245,248 -c--a-w c:\windows\system32\dllcache\mswsock.dll
    - 2004-08-03 22:56:46 1,236,480 -c--a-w c:\windows\system32\dllcache\msxml3.dll
    + 2008-09-04 16:42:02 1,106,944 -c--a-w c:\windows\system32\dllcache\msxml3.dll
    - 2004-08-03 22:56:46 332,288 -c--a-w c:\windows\system32\dllcache\netapi32.dll
    + 2008-10-15 16:57:55 332,800 -c--a-w c:\windows\system32\dllcache\netapi32.dll
    - 2004-08-03 22:56:46 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
    + 2008-10-16 10:37:02 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
    - 2004-08-03 22:56:46 1,287,680 -c--a-w c:\windows\system32\dllcache\quartz.dll
    + 2008-05-07 05:18:48 1,287,680 -c--a-w c:\windows\system32\dllcache\quartz.dll
    - 2001-08-23 12:00:00 200,064 -c--a-w c:\windows\system32\dllcache\rmcast.sys
    + 2008-05-08 12:28:49 202,752 -c--a-w c:\windows\system32\dllcache\rmcast.sys
    - 2004-08-03 22:56:46 1,483,264 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
    + 2008-10-16 10:37:03 1,494,528 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
    - 2004-08-03 22:56:46 8,384,000 -c--a-w c:\windows\system32\dllcache\shell32.dll
    + 2008-07-03 13:16:57 8,454,656 -c--a-w c:\windows\system32\dllcache\shell32.dll
    - 2004-08-03 22:56:46 473,600 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
    + 2008-10-16 10:37:03 474,112 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
    - 2004-08-03 21:14:46 336,256 -c--a-w c:\windows\system32\dllcache\srv.sys
    + 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys
    - 2004-08-03 22:56:46 246,302 -c--a-w c:\windows\system32\dllcache\strmdll.dll
    + 2008-10-03 10:15:47 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
    - 2004-08-03 21:14:42 359,040 -c--a-w c:\windows\system32\dllcache\tcpip.sys
    + 2008-06-20 10:45:13 360,320 -c--a-w c:\windows\system32\dllcache\tcpip.sys
    - 2004-08-03 21:07:46 223,616 -c--a-w c:\windows\system32\dllcache\tcpip6.sys
    + 2008-06-20 23:22:08 225,920 -c--a-w c:\windows\system32\dllcache\tcpip6.sys
    - 2004-08-03 22:56:48 601,088 -c--a-w c:\windows\system32\dllcache\urlmon.dll
    + 2008-10-16 10:37:04 615,936 -c--a-w c:\windows\system32\dllcache\urlmon.dll
    - 2004-08-03 22:56:48 417,792 -c--a-w c:\windows\system32\dllcache\vbscript.dll
    + 2007-12-18 14:40:58 417,792 -c--a-w c:\windows\system32\dllcache\vbscript.dll
    - 2004-08-03 21:17:42 1,835,904 -c--a-w c:\windows\system32\dllcache\win32k.sys
    + 2008-09-15 11:57:41 1,846,016 -c--a-w c:\windows\system32\dllcache\win32k.sys
    - 2004-08-03 22:56:48 656,384 -c--a-w c:\windows\system32\dllcache\wininet.dll
    + 2008-10-16 10:37:03 659,456 -c--a-w c:\windows\system32\dllcache\wininet.dll
    - 2004-08-03 22:56:48 1,050,624 -c--a-w c:\windows\system32\dllcache\wmnetmgr.dll
    + 2008-06-11 02:18:18 1,053,696 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
    - 2004-08-03 22:57:04 2,105,344 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
    + 2008-11-08 02:32:20 2,109,440 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
    - 2004-08-03 22:56:44 148,480 ----a-w c:\windows\system32\dnsapi.dll
    + 2008-06-21 07:11:12 148,992 ----a-w c:\windows\system32\dnsapi.dll
    - 2004-08-03 21:14:16 138,496 ----a-w c:\windows\system32\drivers\afd.sys
    + 2008-08-14 09:51:43 138,368 ----a-w c:\windows\system32\drivers\afd.sys
    - 2009-03-06 02:25:44 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
    + 2009-03-07 00:36:48 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
    + 2008-06-13 13:10:50 272,128 ------w c:\windows\system32\drivers\bthport.sys
    + 2005-07-22 19:01:00 717,952 ----a-w c:\windows\system32\drivers\HSF_CNXT.sys
    + 2005-07-22 19:02:12 1,035,008 ----a-w c:\windows\system32\drivers\HSF_DPV.sys
    + 2005-07-22 19:01:10 231,168 ----a-w c:\windows\system32\drivers\HSFHWBS2.sys
    + 2005-10-05 23:57:08 12,544 ----a-w c:\windows\system32\drivers\mdmxsdk.sys
    - 2004-08-03 21:15:18 451,456 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    + 2008-10-24 11:10:42 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    - 2001-08-23 12:00:00 200,064 ----a-w c:\windows\system32\drivers\RMCast.sys
    + 2008-05-08 12:28:49 202,752 ----a-w c:\windows\system32\drivers\rmcast.sys
    - 2004-08-03 21:14:46 336,256 ----a-w c:\windows\system32\drivers\srv.sys
    + 2008-12-11 11:57:21 333,184 ----a-w c:\windows\system32\drivers\srv.sys
    + 2004-03-22 19:01:38 40,564 ----a-w c:\windows\system32\drivers\Sunkfilt.sys
    + 2004-03-22 19:27:20 42,936 ----a-w c:\windows\system32\drivers\Sunkfilt39.sys
    - 2004-08-03 21:14:42 359,040 ----a-w c:\windows\system32\drivers\tcpip.sys
    + 2008-06-20 10:45:13 360,320 ----a-w c:\windows\system32\drivers\tcpip.sys
    - 2004-08-03 21:07:46 223,616 ----a-w c:\windows\system32\drivers\tcpip6.sys
    + 2008-06-20 23:22:08 225,920 ----a-w c:\windows\system32\drivers\tcpip6.sys
    - 2004-08-03 22:56:44 357,888 ----a-w c:\windows\system32\dxtmsft.dll
    + 2008-10-16 10:37:02 357,888 ----a-w c:\windows\system32\dxtmsft.dll
    - 2004-08-03 22:56:44 201,728 ----a-w c:\windows\system32\dxtrans.dll
    + 2008-10-16 10:37:02 205,312 ----a-w c:\windows\system32\dxtrans.dll
    - 2004-08-03 22:56:44 243,200 ----a-w c:\windows\system32\es.dll
    + 2008-07-07 20:32:22 253,952 ----a-w c:\windows\system32\es.dll
    - 2004-08-03 22:56:44 55,808 ----a-w c:\windows\system32\extmgr.dll
    + 2008-10-16 10:37:02 55,808 ----a-w c:\windows\system32\extmgr.dll
    - 2008-11-19 20:54:58 321,136 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2009-03-07 00:01:06 321,136 ----a-w c:\windows\system32\FNTCACHE.DAT
    - 2004-08-03 22:56:44 278,016 ----a-w c:\windows\system32\gdi32.dll
    + 2008-10-23 13:01:36 283,648 ----a-w c:\windows\system32\gdi32.dll
    + 2003-12-25 00:10:08 139,264 ----a-w c:\windows\system32\hpicon.dll
    - 2004-08-03 22:56:44 249,344 ----a-w c:\windows\system32\iepeers.dll
    + 2008-10-16 10:37:02 251,392 ----a-w c:\windows\system32\iepeers.dll
    - 2004-08-03 22:56:44 678,400 ----a-w c:\windows\system32\inetcomm.dll
    + 2008-04-11 18:50:43 683,520 ----a-w c:\windows\system32\inetcomm.dll
    - 2004-08-03 22:56:44 96,256 ----a-w c:\windows\system32\inseng.dll
    + 2008-10-16 10:37:02 96,256 ----a-w c:\windows\system32\inseng.dll
    - 2004-08-03 22:56:44 450,560 ----a-w c:\windows\system32\jscript.dll
    + 2007-12-18 14:40:58 450,560 ----a-w c:\windows\system32\jscript.dll
    - 2004-08-03 22:56:44 15,872 ----a-w c:\windows\system32\jsproxy.dll
    + 2008-10-16 10:37:03 16,384 ----a-w c:\windows\system32\jsproxy.dll
    + 2003-12-03 22:51:28 61,440 ----a-w c:\windows\system32\ldamfilt.dll
    + 2004-01-18 04:31:04 49,152 ----a-w c:\windows\system32\ldamfilt39.dll
    - 2004-08-03 22:56:52 103,936 ----a-w c:\windows\system32\logagent.exe
    + 2008-06-10 09:31:06 103,936 ----a-w c:\windows\system32\logagent.exe
    + 2005-10-05 23:56:44 86,016 ----a-w c:\windows\system32\mdmxsdk.dll
    - 2004-08-03 22:56:44 73,728 ----a-w c:\windows\system32\mscms.dll
    + 2008-06-24 16:23:05 74,240 ----a-w c:\windows\system32\mscms.dll
    - 2004-08-03 22:56:44 3,003,392 ----a-w c:\windows\system32\mshtml.dll
    + 2008-12-12 17:33:23 3,060,224 ----a-w c:\windows\system32\mshtml.dll
    - 2004-08-03 22:56:44 448,512 ----a-w c:\windows\system32\mshtmled.dll
    + 2008-10-16 10:37:03 449,024 ----a-w c:\windows\system32\mshtmled.dll
    - 2004-08-03 22:56:44 146,432 ----a-w c:\windows\system32\msrating.dll
    + 2008-10-16 10:37:02 146,432 ----a-w c:\windows\system32\msrating.dll
    - 2004-08-03 22:56:44 530,432 ----a-w c:\windows\system32\mstime.dll
    + 2008-10-16 10:37:02 532,480 ----a-w c:\windows\system32\mstime.dll
    - 2004-08-03 22:56:46 245,248 ----a-w c:\windows\system32\mswsock.dll
    + 2008-06-20 17:41:10 245,248 ----a-w c:\windows\system32\mswsock.dll
    - 2005-01-25 16:33:00 1,049,088 ----a-w c:\windows\system32\msxml3.dll
    + 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    - 2008-01-29 19:32:44 1,230,336 ----a-w c:\windows\system32\msxml4.dll
    + 2008-10-01 00:43:34 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    - 2004-08-03 22:56:46 332,288 ----a-w c:\windows\system32\netapi32.dll
    + 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32.dll
    - 2004-08-03 23:05:44 2,015,232 ----a-w c:\windows\system32\ntkrnlpa.exe
    + 2008-08-14 09:22:14 2,015,744 ----a-w c:\windows\system32\ntkrnlpa.exe
    - 2004-08-03 21:18:32 2,148,352 ----a-w c:\windows\system32\ntoskrnl.exe
    + 2008-08-14 09:58:27 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe
    - 2009-03-05 04:40:16 58,596 ----a-w c:\windows\system32\perfc009.dat
    + 2009-03-07 04:40:56 58,596 ----a-w c:\windows\system32\perfc009.dat
    - 2009-03-05 04:40:16 392,296 ----a-w c:\windows\system32\perfh009.dat
    + 2009-03-07 04:40:56 392,296 ----a-w c:\windows\system32\perfh009.dat
    - 2004-08-03 22:56:46 39,424 ----a-w c:\windows\system32\pngfilt.dll
    + 2008-10-16 10:37:02 39,424 ----a-w c:\windows\system32\pngfilt.dll
    - 2004-08-03 22:56:46 1,287,680 ----a-w c:\windows\system32\quartz.dll
    + 2008-05-07 05:18:48 1,287,680 ----a-w c:\windows\system32\quartz.dll
    - 2004-08-03 22:56:46 1,483,264 ----a-w c:\windows\system32\shdocvw.dll
    + 2008-10-16 10:37:03 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
    - 2004-08-03 22:56:46 8,384,000 ----a-w c:\windows\system32\shell32.dll
    + 2008-07-03 13:16:57 8,454,656 ----a-w c:\windows\system32\shell32.dll
    - 2004-08-03 22:56:46 473,600 ----a-w c:\windows\system32\shlwapi.dll
    + 2008-10-16 10:37:03 474,112 ----a-w c:\windows\system32\shlwapi.dll
    - 2005-05-04 22:45:26 13,536 ------w c:\windows\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
    - 2004-11-18 18:42:52 22,752 ----a-w c:\windows\system32\spupdsvc.exe
    + 2005-02-25 03:35:05 22,752 ----a-w c:\windows\system32\spupdsvc.exe
    - 2004-08-03 22:56:46 246,302 ----a-w c:\windows\system32\strmdll.dll
    + 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\strmdll.dll
    + 2008-10-22 09:47:07 62,976 ------w c:\windows\system32\tzchange.exe
    + 2005-11-16 23:41:26 114,688 ----a-w c:\windows\system32\uci32103.dll
    - 2004-08-03 22:56:48 601,088 ----a-w c:\windows\system32\urlmon.dll
    + 2008-10-16 10:37:04 615,936 ----a-w c:\windows\system32\urlmon.dll
    - 2004-08-03 22:56:48 417,792 ----a-w c:\windows\system32\vbscript.dll
    + 2007-12-18 14:40:58 417,792 ----a-w c:\windows\system32\vbscript.dll
    - 2004-08-03 21:17:42 1,835,904 ----a-w c:\windows\system32\win32k.sys
    + 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
    - 2004-08-03 22:56:48 656,384 ----a-w c:\windows\system32\wininet.dll
    + 2008-10-16 10:37:03 659,456 ----a-w c:\windows\system32\wininet.dll
    - 2004-08-03 22:56:48 1,050,624 ----a-w c:\windows\system32\wmnetmgr.dll
    + 2008-06-11 02:18:18 1,053,696 ----a-w c:\windows\system32\WMNetmgr.dll
    - 2004-08-03 22:57:04 2,105,344 ----a-w c:\windows\system32\wmvcore.dll
    + 2008-11-08 02:32:20 2,109,440 ----a-w c:\windows\system32\WMVCore.dll
    + 2008-10-15 14:00:41 351,744 ------w c:\windows\system32\xpsp3res.dll
    + 2008-10-01 00:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
    + 2008-10-01 00:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
    + 2008-04-15 17:54:19 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
    "SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [2006-02-02 578048]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-06 1601304]
    "SunKistEM"="c:\program files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 135168]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
    "SoundMan"="SOUNDMAN.EXE" [2005-07-25 c:\windows\SOUNDMAN.EXE]
    "AlcWzrd"="ALCWZRD.EXE" [2005-07-25 c:\windows\ALCWZRD.EXE]

    c:\documents and settings\U_C\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2009-03-04 917611]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-03-06 16:36 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ cli

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Dell Wireless\\PRISMCFG.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Combo-Fix\\NirCmd.cfexe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-05 325128]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-06 298264]
    S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [2008-11-19 20504]
    S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2008-11-13 101248]
    S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2008-11-13 73856]
    S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2009-03-04 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c78e50d-b1d9-11dd-afd0-0013204ee5da}]
    \Shell\AutoRun\command - i:\win\setup.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - c:\program files\ClickClean\ClickClean.exe
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-07 12:21:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(916)
    c:\windows\system32\PRISMAPI.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\windows\system32\PRISMSVR.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-07 12:23:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-07 20:22:59
    ComboFix2.txt 2009-03-06 22:54:36

    Pre-Run: 201,641,529,344 bytes free
    Post-Run: 201,618,440,192 bytes free

    375 --- E O F --- 2009-03-07 00:45:58

    --------------------------------------------------------------------------

    Malwarebytes' Anti-Malware 1.34
    Database version: 1749
    Windows 5.1.2600 Service Pack 2

    3/7/2009 12:56:16 PM
    mbam-log-2009-03-07 (12-56-16).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 87591
    Time elapsed: 8 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\mibevilo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

    -------------------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:58:22 PM, on 3/7/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\eMachines Bay Reader\shwiconem.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
    C:\Program Files\Dell Wireless\PRISMCFG.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\internet explorer\iexplore.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Cleaner - {CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - C:\Program Files\ClickClean\ClickClean.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O24 - Desktop Component 0: (no name) - http://l.yimg.com/a/i/ww/thm/1/grd-1px_1.4.gif

    --
    End of file - 4653 bytes

  8. #8
    Member (Join Date: Jan 2009, Posts: 32)

    antivirus XP pro

    After the previous fix, my computer looked very good. However, while I was browsing the internet, my computer was infected again with antivirus XP pro. There is an icon in the bottom right notification area. The icon is a red round base with a white X in the middle. When I click it, it shows me the website of antivirus XP Pro. My screen turns black with the following notes in the center of the screen:
    "Dangerous Spyware
    Many viruses were found on your computer such as: Trojan horse, PassCapture, ect.
    Your personal information can fall in the "third hands".
    Please check up the computer with a special software.
    Thanks
    "

    This is the latest HijackThis log after being infected by antivirus XP Pro.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:31:32 PM, on 3/7/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\eMachines Bay Reader\shwiconem.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
    C:\Program Files\Dell Wireless\PRISMCFG.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\frmwrk32.exe
    C:\Program Files\AVG\AVG8\avgui.exe
    C:\Program Files\AVG\AVG8\avgscanx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
    O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Cleaner - {CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - C:\Program Files\ClickClean\ClickClean.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O24 - Desktop Component 0: (no name) - http://l.yimg.com/a/i/ww/thm/1/grd-1px_1.4.gif

    --
    End of file - 4822 bytes

  9. #9
    Emeritus - Security Expert peku006 (Join Date: Feb 2007, Location: Norway, Posts: 3,103)

    Hi tiffanyle2000

    1 - Run Malwarebytes' Anti-Malware

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates
    • After the update has been completed, select the Scanner tab.

    • Make sure the "Perform full scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found here:

      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    • Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    2 - download and run RSIT

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized).


    3 - Status Check
    Please reply with

    1. the logs from RSIT (log.txt, info.txt)
    2. the Malwarebytes' Anti-Malware log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  10. #10
    Member (Join Date: Jan 2009, Posts: 32)

    Log, info and Malwarebytes' Anti-Malware log

    Logfile of random's system information tool 1.05 (written by random/random)
    Run by U_C at 2009-03-08 12:19:18
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 192 GB (96%) free of 200 GB
    Total RAM: 1014 MB (67% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:19:24 PM, on 3/8/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\eMachines Bay Reader\shwiconem.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
    C:\Program Files\Dell Wireless\PRISMCFG.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\U_C\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\U_C.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Cleaner - {CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - C:\Program Files\ClickClean\ClickClean.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O24 - Desktop Component 0: (no name) - http://l.yimg.com/a/i/ww/thm/1/grd-1px_1.4.gif

    --
    End of file - 4569 bytes

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-03-06 1078552]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
    Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
    "SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-07-25 90112]
    "AlcWzrd"=C:\WINDOWS\ALCWZRD.EXE [2005-07-25 2806272]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-03-06 1601304]
    "SunKistEM"=C:\Program Files\eMachines Bay Reader\shwiconem.exe [2004-03-11 135168]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360]
    "SMSystemAnalyzer"=C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe [2006-02-02 578048]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe

    C:\Documents and Settings\U_C\Start Menu\Programs\Startup
    OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
    C:\WINDOWS\system32\avgrsstx.dll [2009-03-06 10520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "notification packages"=cli

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=323
    "NoDriveAutoRun"=67108863
    "NoDrives"=0
    "NoSetActiveDesktop"=0
    "NoActiveDesktopChanges"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveAutoRun"=
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    "HonorAutoRunSetting"=
    "NoSetActiveDesktop"=
    "NoActiveDesktopChanges"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
    "C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
    "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
    "C:\Program Files\Dell Wireless\PRISMCFG.exe"="C:\Program Files\Dell Wireless\PRISMCFG.exe:*:Enabled:PRISMCFG"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Combo-Fix\NirCmd.cfexe"="C:\Combo-Fix\NirCmd.cfexe:*:Enabled:NirCmd"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c78e50d-b1d9-11dd-afd0-0013204ee5da}]
    shell\AutoRun\command - I:\WIN\setup.exe


    ======File associations======

    .js - open - NOTEPAD.EXE %1
    .vbs - open - NOTEPAD.EXE %1

    ======List of files/folders created in the last 1 months======

    2009-03-08 12:19:18 ----D---- C:\rsit
    2009-03-07 16:36:00 ----D---- C:\Program Files\SpywareDetector
    2009-03-07 15:46:10 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
    2009-03-07 15:46:10 ----A---- C:\WINDOWS\system32\ztvunace26.dll
    2009-03-07 15:46:10 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
    2009-03-07 15:46:10 ----A---- C:\WINDOWS\system32\unrar3.dll
    2009-03-07 15:46:10 ----A---- C:\WINDOWS\system32\unacev2.dll
    2009-03-07 15:46:08 ----D---- C:\Documents and Settings\U_C\Application Data\Simply Super Software
    2009-03-07 15:46:08 ----D---- C:\Documents and Settings\All Users\Application Data\Simply Super Software
    2009-03-07 15:37:53 ----D---- C:\WINDOWS\Minidump
    2009-03-07 14:21:01 ----SHD---- C:\RECYCLER
    2009-03-07 13:32:28 ----D---- C:\Documents and Settings\U_C\Application Data\Malwarebytes
    2009-03-07 13:32:24 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2009-03-07 13:32:24 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-03-07 13:23:04 ----D---- C:\WINDOWS\temp
    2009-03-07 13:23:03 ----A---- C:\ComboFix.txt
    2009-03-06 21:46:16 ----D---- C:\Program Files\Windows Installer Clean Up
    2009-03-06 21:45:57 ----D---- C:\Program Files\MSECACHE
    2009-03-06 20:43:54 ----D---- C:\Program Files\CONEXANT
    2009-03-06 20:39:12 ----D---- C:\Program Files\eMachines Bay Reader
    2009-03-06 20:39:03 ----D---- C:\WINDOWS\Downloaded Installations
    2009-03-06 18:35:25 ----D---- C:\Program Files\Western Digital Technologies
    2009-03-06 17:45:55 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
    2009-03-06 17:45:49 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
    2009-03-06 17:45:44 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
    2009-03-06 17:45:37 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
    2009-03-06 17:45:32 ----HDC---- C:\WINDOWS\$NtUninstallKB935448$
    2009-03-06 17:45:24 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
    2009-03-06 17:45:09 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
    2009-03-06 17:44:56 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
    2009-03-06 17:44:49 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
    2009-03-06 17:44:41 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
    2009-03-06 17:44:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
    2009-03-06 17:44:24 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
    2009-03-06 17:36:48 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2009-03-06 17:15:13 ----D---- C:\WINDOWS\system32\NtmsData
    2009-03-06 17:03:48 ----D---- C:\WINDOWS\system32\CatRoot_bak
    2009-03-06 16:59:16 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
    2009-03-06 16:59:08 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
    2009-03-06 16:58:56 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
    2009-03-06 16:58:49 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
    2009-03-06 16:58:44 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
    2009-03-06 16:58:38 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
    2009-03-06 16:58:33 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
    2009-03-06 16:58:28 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
    2009-03-06 16:58:23 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
    2009-03-06 16:58:18 ----N---- C:\WINDOWS\system32\xpsp3res.dll
    2009-03-06 16:58:16 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
    2009-03-06 16:58:10 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
    2009-03-06 16:58:03 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
    2009-03-06 16:57:59 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
    2009-03-06 16:57:55 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
    2009-03-06 16:57:50 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
    2009-03-06 16:57:43 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
    2009-03-06 16:57:39 ----D---- C:\Program Files\MSXML 4.0
    2009-03-06 16:44:14 ----D---- C:\WINDOWS\system32\PreInstall
    2009-03-06 16:44:12 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
    2009-03-06 16:44:12 ----HD---- C:\WINDOWS\$hf_mig$
    2009-03-06 15:59:06 ----D---- C:\Program Files\Trend Micro
    2009-03-06 15:46:09 ----RASHD---- C:\cmdcons
    2009-03-06 15:43:57 ----A---- C:\WINDOWS\zip.exe
    2009-03-06 15:43:57 ----A---- C:\WINDOWS\VFIND.exe
    2009-03-06 15:43:57 ----A---- C:\WINDOWS\SWXCACLS.exe
    2009-03-06 15:43:57 ----A---- C:\WINDOWS\SWSC.exe
    2009-03-06 15:43:57 ----A---- C:\WINDOWS\SWREG.exe
    2009-03-06 15:43:57 ----A---- C:\WINDOWS\sed.exe
    2009-03-06 15:43:57 ----A---- C:\WINDOWS\NIRCMD.exe
    2009-03-06 15:43:57 ----A---- C:\WINDOWS\grep.exe
    2009-03-06 15:43:57 ----A---- C:\WINDOWS\fdsv.exe
    2009-03-06 15:43:49 ----D---- C:\WINDOWS\ERDNT
    2009-03-06 15:43:45 ----D---- C:\Qoobox
    2009-03-05 19:44:24 ----HD---- C:\$AVG8.VAULT$
    2009-03-05 19:26:53 ----D---- C:\WINDOWS\system32\SoftwareDistribution
    2009-03-05 19:25:38 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2009-03-05 15:01:45 ----A---- C:\WINDOWS\SysMech6.INI
    2009-03-05 14:07:00 ----A---- C:\WINDOWS\system32\smrgdf.exe
    2009-03-05 14:07:00 ----A---- C:\WINDOWS\system32\iolobtdfg.exe
    2009-03-05 14:06:59 ----A---- C:\WINDOWS\system32\Incinerator.dll
    2009-03-05 14:06:56 ----D---- C:\Program Files\iolo
    2009-03-05 11:52:15 ----N---- C:\WINDOWS\system32\avgrsstx.dll.install_backup_2
    2009-03-05 11:52:15 ----N---- C:\WINDOWS\system32\avgrsstx.dll.install_backup_1
    2009-03-05 11:52:03 ----D---- C:\Program Files\AVG
    2009-03-05 11:35:00 ----D---- C:\Documents and Settings\All Users\Application Data\AT&T
    2009-03-04 22:40:24 ----N---- C:\WINDOWS\system32\avgrsstx.dll.install_backup
    2009-03-04 21:41:21 ----D---- C:\WINDOWS\system32\appmgmt
    2009-03-04 21:28:04 ----D---- C:\Documents and Settings\All Users\Application Data\Prism
    2009-03-04 21:27:49 ----A---- C:\WINDOWS\system32\PRISMSVR.exe
    2009-03-04 21:27:49 ----A---- C:\WINDOWS\system32\PRISMSVC.exe
    2009-03-04 21:27:48 ----A---- C:\WINDOWS\system32\PRISMAPI.dll
    2009-03-04 21:27:47 ----D---- C:\Program Files\Dell Wireless
    2009-03-04 21:27:44 ----RA---- C:\WINDOWS\system32\PRISME5.dll
    2009-03-04 20:52:10 ----A---- C:\WINDOWS\system32\CoPrism.dll

    ======List of files/folders modified in the last 1 months======

    2009-03-08 12:17:13 ----D---- C:\WINDOWS\system32\drivers
    2009-03-08 12:17:13 ----D---- C:\WINDOWS
    2009-03-08 12:16:40 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-03-08 12:15:44 ----D---- C:\WINDOWS\system32
    2009-03-08 11:33:36 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2009-03-07 16:37:31 ----D---- C:\WINDOWS\Prefetch
    2009-03-07 16:36:06 ----D---- C:\WINDOWS\system
    2009-03-07 16:36:00 ----RD---- C:\Program Files
    2009-03-07 16:17:40 ----D---- C:\WINDOWS\system32\config
    2009-03-07 13:22:19 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-03-07 13:21:36 ----A---- C:\WINDOWS\system.ini
    2009-03-07 13:19:14 ----D---- C:\WINDOWS\AppPatch
    2009-03-07 13:19:10 ----D---- C:\Program Files\Common Files
    2009-03-06 21:49:11 ----SHD---- C:\WINDOWS\Installer
    2009-03-06 21:46:16 ----HD---- C:\Config.Msi
    2009-03-06 20:44:10 ----HD---- C:\WINDOWS\inf
    2009-03-06 20:40:56 ----D---- C:\cabs
    2009-03-06 20:39:02 ----D---- C:\Program Files\Common Files\InstallShield
    2009-03-06 18:35:26 ----SD---- C:\Documents and Settings\U_C\Application Data\Microsoft
    2009-03-06 17:45:57 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2009-03-06 17:45:45 ----D---- C:\Program Files\Messenger
    2009-03-06 17:45:14 ----D---- C:\Program Files\Internet Explorer
    2009-03-06 17:24:20 ----D---- C:\WINDOWS\system32\CatRoot
    2009-03-06 17:16:03 ----D---- C:\WINDOWS\WinSxS
    2009-03-06 17:15:31 ----DC---- C:\WINDOWS\system32\DRVSTORE
    2009-03-06 17:13:26 ----D---- C:\WINDOWS\twain_32
    2009-03-06 17:13:02 ----RSD---- C:\WINDOWS\assembly
    2009-03-06 17:13:02 ----D---- C:\Program Files\HP
    2009-03-06 17:03:48 ----D---- C:\WINDOWS\Debug
    2009-03-06 16:13:09 ----D---- C:\Documents and Settings
    2009-03-06 15:46:11 ----RASH---- C:\boot.ini
    2009-03-05 19:27:00 ----D---- C:\WINDOWS\SoftwareDistribution
    2009-03-05 19:26:59 ----D---- C:\WINDOWS\Help
    2009-03-05 15:51:17 ----RD---- C:\WINDOWS\Offline Web Pages
    2009-03-05 15:51:16 ----SD---- C:\WINDOWS\Downloaded Program Files
    2009-03-05 11:55:32 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2009-03-05 11:33:57 ----A---- C:\WINDOWS\smartkeydiagnostics.txt
    2009-03-04 22:40:10 ----D---- C:\Program Files\Common Files\Microsoft Shared
    2009-03-04 21:39:10 ----A---- C:\WINDOWS\ModemLog_Standard Modem.txt
    2009-03-04 21:27:44 ----HD---- C:\Program Files\InstallShield Installation Information

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-03-06 325128]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-03-06 27656]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-03 36096]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
    R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.1.0.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2004-09-01 16979]
    R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
    R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-03 60800]
    R3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\PRISMA02.sys [2004-09-26 345184]
    R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-02-10 154112]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
    R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-07-22 1035008]
    R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2005-07-22 231168]
    R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-07-25 3851264]
    R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-03 61824]
    R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter; C:\WINDOWS\System32\Drivers\sskbfd.sys [2007-01-25 21056]
    R3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
    R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-07-22 717952]
    S1 SDManager;SDManager; \??\C:\Program Files\SpywareDetector\SDManager.sys []
    S3 catchme;catchme; \??\C:\Combo-Fix\catchme.sys []
    S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
    S3 HPFXBULK;HPFXBULK; C:\WINDOWS\system32\drivers\hpfxbulk.sys [2007-07-16 17432]
    S3 HPFXFAX;HPFXFAX; C:\WINDOWS\system32\drivers\hpfxfax.sys [2007-07-16 20504]
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    S3 PCASp50;PCASp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\PCASp50.sys [2008-03-06 27072]
    S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCTINDIS5.SYS []
    S3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
    S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
    S3 sermouse;Serial Mouse Driver; C:\WINDOWS\system32\DRIVERS\sermouse.sys [2001-08-23 17664]
    S3 SunkFilt39;Alcor Micro Corp - 3239; \??\C:\WINDOWS\System32\Drivers\sunkfilt39.sys []
    S3 Sunkfiltp;HP && Alcor Micro Corp for Phison; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys []
    S3 swmsflt;swmsflt; C:\WINDOWS\System32\drivers\swmsflt.sys [2008-11-13 26504]
    S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56); C:\WINDOWS\system32\DRIVERS\swnc8u56.sys [2007-06-27 101248]
    S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56); C:\WINDOWS\system32\DRIVERS\swumx56.sys [2007-06-27 73856]
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-03-06 298264]
    R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
    R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
    S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
    S4 PRISMSVC;PRISMSVC; C:\WINDOWS\system32\PRISMSVC.EXE [2004-10-04 57344]

    -----------------EOF-----------------

    info.txt logfile of random's system information tool 1.05 2009-03-08 12:19:25

    ======Uninstall list======

    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    32 Bit HP BiDi Channel Components Installer-->MsiExec.exe /I{9DE3F260-B88E-42CE-90E7-73C78C37D95E}
    Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
    AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
    Driver Installer-->MsiExec.exe /X{753D852A-D86D-42C9-9978-40AE66FB8985}
    eMachines Bay Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
    High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
    HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
    Intel(R) PRO Network Adapters and Drivers-->Prounstl.exe
    iolo technologies' System Mechanic 6-->"C:\Program Files\iolo\System Mechanic 6\unins000.exe"
    Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
    Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
    Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
    Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
    Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
    Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
    Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
    Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
    Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
    Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
    Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
    Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
    Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
    Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
    Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
    Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
    Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
    Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
    Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
    Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
    Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Motorola Driver Installation-->MsiExec.exe /I{9579E862-5FC7-4337-B1CC-5E37451524C5}
    MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
    Nokia Connectivity Adapter Cable DKU-5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1BA3CD5-89DC-4273-8603-A75F33E9B335}\Setup.exe" -l0x9
    PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
    Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
    Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB944338-v2)-->"C:\WINDOWS\$NtUninstallKB944338-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
    Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
    Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
    Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
    Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
    USB 2.0 Wireless LAN Card Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}\setup.exe" -l0x9 -removeonly
    WD Diagnostics-->MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
    Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
    Windows Installer Clean Up-->MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}

    ======Security center information======

    AV: AVG Anti-Virus Free

    System event log

    Computer Name: UNITED-CARGO
    Event Code: 7035
    Message: The Fast User Switching Compatibility service was successfully sent a start control.

    Record Number: 1061
    Source Name: Service Control Manager
    Time Written: 20081130095225.000000-480
    Event Type: information
    User: NT AUTHORITY\SYSTEM

    Computer Name: UNITED-CARGO
    Event Code: 7036
    Message: The Fast User Switching Compatibility service entered the running state.

    Record Number: 1060
    Source Name: Service Control Manager
    Time Written: 20081130095225.000000-480
    Event Type: information
    User:

    Computer Name: UNITED-CARGO
    Event Code: 7036
    Message: The Terminal Services service entered the running state.

    Record Number: 1059
    Source Name: Service Control Manager
    Time Written: 20081130095225.000000-480
    Event Type: information
    User:

    Computer Name: UNITED-CARGO
    Event Code: 6005
    Message: The Event log service was started.

    Record Number: 1058
    Source Name: EventLog
    Time Written: 20081130095159.000000-480
    Event Type: information
    User:

    Computer Name: UNITED-CARGO
    Event Code: 6009
    Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Multiprocessor Free.

    Record Number: 1057
    Source Name: EventLog
    Time Written: 20081130095159.000000-480
    Event Type: information
    User:

    Application event log

    Computer Name: UNITED-CARGO
    Event Code: 1000
    Message: Performance counters for the MSDTC (MSDTC) service were loaded successfully.
    The Record Data contains the new index values assigned
    to this service.

    Record Number: 5
    Source Name: LoadPerf
    Time Written: 20081112091139.000000-480
    Event Type: information
    User:

    Computer Name: UNITED-CARGO
    Event Code: 1000
    Message: Performance counters for the TermService (Terminal Services) service were loaded successfully.
    The Record Data contains the new index values assigned
    to this service.

    Record Number: 4
    Source Name: LoadPerf
    Time Written: 20081112091136.000000-480
    Event Type: information
    User:

    Computer Name: UNITED-CARGO
    Event Code: 1000
    Message: Performance counters for the RemoteAccess (Routing and Remote Access) service were loaded successfully.
    The Record Data contains the new index values assigned
    to this service.

    Record Number: 3
    Source Name: LoadPerf
    Time Written: 20081112090917.000000-480
    Event Type: information
    User:

    Computer Name: UNITED-CARGO
    Event Code: 1000
    Message: Performance counters for the PSched (PSched) service were loaded successfully.
    The Record Data contains the new index values assigned
    to this service.

    Record Number: 2
    Source Name: LoadPerf
    Time Written: 20081112090855.000000-480
    Event Type: information
    User:

    Computer Name: UNITED-CARGO
    Event Code: 1000
    Message: Performance counters for the RSVP (QoS RSVP) service were loaded successfully.
    The Record Data contains the new index values assigned
    to this service.

    Record Number: 1
    Source Name: LoadPerf
    Time Written: 20081112090854.000000-480
    Event Type: information
    User:

    ======Environment variables======

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
    "windir"=%SystemRoot%
    "FP_NO_HOST_CHECK"=NO
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 3, GenuineIntel
    "PROCESSOR_REVISION"=0403
    "NUMBER_OF_PROCESSORS"=2
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP

    -----------------EOF-----------------

    Malwarebytes' Anti-Malware 1.34
    Database version: 1749
    Windows 5.1.2600 Service Pack 2

    3/8/2009 12:15:45 PM
    mbam-log-2009-03-08 (12-15-45).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 88124
    Time elapsed: 16 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 7
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

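Something added here that is not part of the post above and not a Malwarebytes tool: a small parser for the MBAM 1.x log format shown in it. It turns the summary counts and the itemised entries into records, flags a pasted log whose counts do not match what is listed (truncated or edited paste), pulls out the Policies restrictions (Task Manager, wallpaper, Active Desktop) that rogue AV families such as this one set to stop the victim fighting back, and builds the reg query commands to confirm after the reboot that the registry entries really stayed gone. SAMPLE_LOG is a shortened copy of the post's own MBAM log with the summary counts adjusted to the entries kept; the function and field names are assumptions of this example.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured detections.
Added example: not the poster's code and not a Malwarebytes tool. SAMPLE_LOG is a
shortened copy of the post's MBAM log (counts adjusted); names here are mine."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34

Memory Processes Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# "X Infected: N" is a summary count; a bare "X Infected:" opens that list.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<n>\d+))?$")
# Lazy path: the name is the first "(name)" followed by " -> ", so "(x86)"
# inside a file path cannot end the match early.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}


@dataclass
class Detection:
    section: str               # e.g. "Registry Data Items Infected"
    path: str                  # hive\key\value, or a file path
    name: str                  # MBAM detection name, e.g. Trojan.FakeAlert
    action: str                # e.g. "Quarantined and deleted successfully."
    bad: Optional[str] = None  # data items only: value MBAM found / restored
    good: Optional[str] = None


@dataclass
class MbamReport:
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m and m["n"] is not None:
            report.counts[m["section"]] = int(m["n"])
        elif m:
            section = m["section"]
        elif section and line and line != "(No malicious items detected)":
            m = ITEM_RE.match(line)
            if not m:
                continue                  # unrecognised line; skip it
            d = DATA_RE.match(m["rest"])  # "Bad: (1) Good: (0) -> ..." form
            bad, good, action = (d["bad"], d["good"], d["action"]) if d else (None, None, m["rest"])
            report.detections.append(
                Detection(section, m["path"], m["name"], action, bad, good))
    return report


def count_mismatches(report: MbamReport) -> Dict[str, tuple]:
    """{section: (claimed, listed)} where they differ; non-empty means a truncated or edited paste."""
    seen: Dict[str, int] = {}
    for d in report.detections:
        seen[d.section] = seen.get(d.section, 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in report.counts.items()
            if n != seen.get(s, 0)}


def policy_lockdowns(report: MbamReport) -> List[Detection]:
    """Data items under a Policies key: the Task Manager/desktop restrictions a rogue AV sets."""
    return [d for d in report.detections
            if d.section == "Registry Data Items Infected"
            and "\\policies\\" in d.path.lower()]


def reg_query_commands(report: MbamReport) -> List[str]:
    """reg.exe commands to re-check each registry entry after the reboot;
    reg query prints an error when the key or value no longer exists."""
    cmds = []
    for d in report.detections:
        if not d.section.startswith("Registry"):
            continue                      # file entries need a dir check instead
        hive, _, rest = d.path.partition("\\")
        hive = HIVES.get(hive, hive)
        if d.section == "Registry Keys Infected":
            cmds.append(f'reg query "{hive}\\{rest}"')
        else:
            key, _, value = rest.rpartition("\\")
            cmds.append(f'reg query "{hive}\\{key}" /v "{value}"')
    return cmds
```

The reg query lines are meant to be pasted into a command prompt on the cleaned machine after the reboot MBAM asks for; an error from reg.exe there means the value is gone, while a printed value means the rogue re-created it and it has a still-running component. That check covers only what MBAM itself listed, so it says nothing about the entries flagged in the other logs in this thread.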