Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Win32.TDSS.rtk

  1. #1
    Junior Member
    Join Date
    Aug 2009
    Location
    Duvall, Washington
    Posts
    8

    Default Win32.TDSS.rtk

    I too believe I have the above mentioned malware.
    I've read the posting FAQ and would appreciate any help.

    Thanks.

    Here is the Hijack This log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:53:09 AM, on 8/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    F:\ITunes\iTunesHelper.exe
    C:\Program Files\a la mode\Sched\eSched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Nero\Nero 9\InCD\InCD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Virtual Weather Station Pro\vws.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedaily.com/bikini.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [iTunesHelper] "F:\ITunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 9\InCD\InCD.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://*.lvarmls.com
    O15 - Trusted Zone: http://*.nwmls.com
    O15 - Trusted Zone: http://*.vvmls.com
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
    O16 - DPF: {6DE617B8-49C0-40F8-8118-D2C3741F1C28} (SetTrustedSitesControl.clsReg) - http://locmedia.nwmls.com/tools/MlsT...tesControl.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171565853709
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O18 - Filter: text/html - {2d4734f0-5df5-4907-a33f-85b07ab73638} - C:\WINDOWS\system32\mst122.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDSrv) - Nero AG - C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: MSSQL$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" -sALAMODE (file missing)
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SQLAgent$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" -i ALAMODE (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  2. #2
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,167

    Default

    Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.
    Hi sportsman07 and welcome to Safer Networking

    I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:
    • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for this issue on this machine!.
    • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Refrain from running self fixes as this will hinder the malware removal process.
    • It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    Security Application Check:

    Please download and save SecurityCheck.exe to your Desktop from one of the links below.

    Link 1
    Link 2

    • Double click SecurityCheck.exe and follow the on screen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt
    • Please post the contents of that document in your next reply.
    Scan with Rooter:

    Please download Rooter to your desktop.
    • Double click on Rooter.exe to start the application.
    • Now click on the Scan button.
    • When the scan is completed a text file called Rooter.txt will appear on your desktop, post the contents in your next reply.
    • Now click on Close button to exit Rooter.
    Note: The logfile can also be located within this folder Rooter$ at the root of your installed Hard-Drive. EG: C:\Rooter$

    Scan with RSIT:
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.

    Make sure that RSIT.exe is on the your Desktop before running the application!
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.
    When completed the above, please post back the following in the order asked for:
    • How is you computer performing now, any further symptoms and or problems encountered?
    • SecurityCheck Log.
    • Rooter Log.
    • Both RSIT logs. <-- Post them individually please, IE: one Log per post/reply.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  3. #3
    Junior Member
    Join Date
    Aug 2009
    Location
    Duvall, Washington
    Posts
    8

    Default

    Hi Dakeyras
    Glad to have your help, thank you.

    As far as current symptoms, I had stopped using the computer and leaving it offline. When it is on line, after a certain amount of time I get a full screen "warning" message that my computer is infected, click here.....etc.

    Here is the items that you asked for:

    Results of screen317's Security Check version 0.98.7
    Windows XP Service Pack 3
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG Free 8.5


    Antivirus up to date!
    ``````````````````````````````
    Anti-malware/Other Utilities Check:

    Ad-Aware
    Out of date HijackThis installed!
    Spybot - Search & Destroy
    Malwarebytes' Anti-Malware
    Norton Ghost 10.0
    Secunia PSI (RC4)
    HijackThis 1.99.1
    Hijackthis 1.99.1
    Java(TM) 6 Update 2
    Out of date Java installed!
    Adobe Flash Player 10
    Adobe Reader 8.1.6
    Out of date Adobe Reader installed!
    ``````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Ad-Aware AAWService.exe is disabled!
    Ad-Aware AAWTray.exe is disabled!
    AVG avgwdsvc.exe
    AVG avgtray.exe
    AVG avgrsx.exe
    AVG avgemc.exe
    AVG avgemc.exe


    ``````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Very random)

    `````````End of Log```````````






    Rooter.exe (v1.0.2) by Eric_71
    .
    SeDebugPrivilege granted successfully ...
    .
    Windows XP . (5.1.2600) Service Pack 3
    [32_bits] - x86 Family 15 Model 2 Stepping 9, GenuineIntel
    .
    [wscsvc] (Security Center) RUNNING (state:4)
    [SharedAccess] RUNNING (state:4)
    Windows Firewall -> Enabled
    .
    Internet Explorer 7.0.5730.11
    .
    A:\ [Removable]
    C:\ [Fixed-NTFS] .. ( Total:149 Go - Free:111 Go )
    D:\ [CD_Rom]
    E:\ [CD_Rom]
    F:\ [Fixed-NTFS] .. ( Total:232 Go - Free:128 Go )
    .
    Scan : 14:06.01
    Path : C:\Documents and Settings\Jerry\Desktop\Rooter.exe
    User : Jerry ( Administrator -> YES )
    .
    ----------------------\\ Processes
    .
    Locked [System Process] (0)
    ______ System (4)
    ______ \SystemRoot\System32\smss.exe (524)
    ______ \??\C:\WINDOWS\system32\csrss.exe (600)
    ______ \??\C:\WINDOWS\system32\winlogon.exe (624)
    ______ C:\WINDOWS\system32\services.exe (672)
    ______ C:\WINDOWS\system32\lsass.exe (684)
    ______ C:\WINDOWS\system32\svchost.exe (860)
    ______ C:\WINDOWS\system32\svchost.exe (976)
    ______ C:\WINDOWS\System32\svchost.exe (1024)
    ______ C:\WINDOWS\system32\svchost.exe (1152)
    ______ C:\WINDOWS\system32\svchost.exe (1196)
    ______ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (1304)
    ______ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (1320)
    ______ C:\WINDOWS\system32\spoolsv.exe (1456)
    ______ C:\WINDOWS\system32\svchost.exe (1536)
    ______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1572)
    ______ C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (1596)
    ______ C:\WINDOWS\system32\CTsvcCDA.exe (1628)
    ______ C:\WINDOWS\System32\GEARSec.exe (1668)
    ______ C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (1732)
    ______ C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe (1848)
    ______ C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (1908)
    ______ C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe (1956)
    ______ C:\Program Files\Norton Ghost\Agent\VProSvc.exe (1988)
    ______ C:\WINDOWS\system32\nvsvc32.exe (204)
    ______ C:\WINDOWS\system32\svchost.exe (288)
    ______ C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (564)
    ______ C:\WINDOWS\system32\MsPMSPSv.exe (1504)
    ______ C:\PROGRA~1\AVG\AVG8\avgemc.exe (1984)
    ______ C:\PROGRA~1\AVG\AVG8\avgrsx.exe (2116)
    ______ C:\WINDOWS\Explorer.EXE (2364)
    ______ C:\Program Files\AVG\AVG8\avgcsrvx.exe (2432)
    ______ C:\Program Files\Common Files\Symantec Shared\ccApp.exe (2704)
    ______ C:\Program Files\Norton Ghost\Agent\GhostTray.exe (2712)
    ______ C:\WINDOWS\system32\CTHELPER.EXE (2728)
    ______ C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe (2772)
    ______ F:\ITunes\iTunesHelper.exe (2800)
    ______ C:\Program Files\a la mode\Sched\eSched.exe (2852)
    ______ C:\PROGRA~1\AVG\AVG8\avgtray.exe (2868)
    ______ C:\WINDOWS\system32\RUNDLL32.EXE (2888)
    ______ C:\Program Files\Nero\Nero 9\InCD\InCD.exe (2896)
    ______ C:\WINDOWS\system32\ctfmon.exe (3004)
    ______ C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (3060)
    ______ C:\WINDOWS\System32\alg.exe (3684)
    ______ C:\Program Files\iPod\bin\iPodService.exe (3572)
    ______ C:\Program Files\Virtual Weather Station Pro\vws.exe (3908)
    ______ C:\WINDOWS\System32\svchost.exe (2724)
    ______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (1124)
    ______ C:\WINDOWS\system32\wuauclt.exe (1492)
    ______ C:\Documents and Settings\Jerry\Desktop\Rooter.exe (516)
    .
    ----------------------\\ Device\Harddisk0\
    .
    \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
    .
    \Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:250056705024)
    .
    ----------------------\\ Scheduled Tasks
    .
    C:\WINDOWS\Tasks\desktop.ini
    C:\WINDOWS\Tasks\Google Software Updater.job
    C:\WINDOWS\Tasks\SA.DAT
    C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    C:\WINDOWS\Tasks\User_Feed_Synchronization-{0D9F3A8A-3216-4642-B983-9D22579AE7A0}.job
    .
    ----------------------\\ Registry
    .
    .
    ----------------------\\ Files & Folders
    .
    ----------------------\\ Scan completed at 14:06.28
    .
    C:\Rooter$\Rooter_1.txt - (12/08/2009 | 14:06.28)




    I'll post the RSIT logs in following posts as instructed.

    Thanks

  4. #4
    Junior Member
    Join Date
    Aug 2009
    Location
    Duvall, Washington
    Posts
    8

    Default

    Here is the log.txt


    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Jerry at 2009-08-12 14:08:26
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 114 GB (75%) free of 153 GB
    Total RAM: 2047 MB (65% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:08:41 PM, on 8/12/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    F:\ITunes\iTunesHelper.exe
    C:\Program Files\a la mode\Sched\eSched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Nero\Nero 9\InCD\InCD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Virtual Weather Station Pro\vws.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Jerry\Desktop\RSIT.exe
    C:\Program Files\trend micro\Jerry.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedaily.com/bikini.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [iTunesHelper] "F:\ITunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 9\InCD\InCD.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
    O4 - Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.lvarmls.com
    O15 - Trusted Zone: http://*.nwmls.com
    O15 - Trusted Zone: http://*.vvmls.com
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
    O16 - DPF: {6DE617B8-49C0-40F8-8118-D2C3741F1C28} (SetTrustedSitesControl.clsReg) - http://locmedia.nwmls.com/tools/MlsT...tesControl.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171565853709
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O18 - Filter hijack: text/html - {2d4734f0-5df5-4907-a33f-85b07ab73638} - C:\WINDOWS\system32\mst122.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDSrv) - Nero AG - C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 11939 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\Google Software Updater.job
    C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
    C:\WINDOWS\tasks\User_Feed_Synchronization-{0D9F3A8A-3216-4642-B983-9D22579AE7A0}.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
    C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2008-04-19 5722952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll [2007-07-12 501136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-04-01 668656]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2008-04-19 5722952]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2007-01-09 58984]
    "Norton Ghost 10.0"=C:\Program Files\Norton Ghost\Agent\GhostTray.exe [2005-09-09 1537648]
    "HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe [2002-12-09 188416]
    "CTHelper"=C:\WINDOWS\system32\CTHELPER.EXE [2003-02-20 28672]
    "CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2006-08-11 18944]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-01-15 13680640]
    "nwiz"=nwiz.exe /install []
    "CTSysVol"=C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe [2002-10-29 49152]
    "CTDVDDet"=C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE [2002-09-30 45056]
    "AsioReg"=REGSVR32.EXE /S CTASIO.DLL []
    "iTunesHelper"=F:\ITunes\iTunesHelper.exe [2007-12-11 267048]
    "The Assistant"=C:\Program Files\a la mode\Sched\eSched.exe [2007-04-16 99840]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-06-22 1948440]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-01-15 86016]
    "InCD"=C:\Program Files\Nero\Nero 9\InCD\InCD.exe [2008-09-19 1111064]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
    "Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe [2009-08-03 419088]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    "SB Audigy 2 Startup Menu"=/L:ENG []
    "Start WingMan Profiler"= []
    "RoboForm"=C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2008-04-19 160592]

    C:\Documents and Settings\Jerry\Start Menu\Programs\Startup
    Secunia PSI (RC4).lnk - C:\Program Files\Secunia\PSI (RC4)\psi.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
    C:\WINDOWS\system32\avgrsstx.dll [2009-06-22 11952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskmgr"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Grisoft\AVG Free\avginet.exe"="C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe"
    "C:\Program Files\Grisoft\AVG Free\avgamsvr.exe"="C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\Program Files\Grisoft\AVG Free\avgcc.exe"="C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
    "C:\Program Files\EA SPORTS\Madden NFL 2004\Updater.exe"="C:\Program Files\EA SPORTS\Madden NFL 2004\Updater.exe:*:Enabled:Updater"
    "C:\Program Files\Microsoft Games\Flight Simulator 9\fs9.exe"="C:\Program Files\Microsoft Games\Flight Simulator 9\fs9.exe:*:Enabled:Microsoft Flight Simulator"
    "C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
    "C:\Program Files\papyrus\nascar2003\NR2003.exe"="C:\Program Files\papyrus\nascar2003\NR2003.exe:*:Enabled:NASCAR Racing 2003 Season"
    "C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe"="C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe:*:Enabled:Aurora MSDE Database"
    "C:\Program Files\a la mode\Sched\eSched.exe"="C:\Program Files\a la mode\Sched\eSched.exe:*:Enabled:a la mode Assistant"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "F:\ITunes\iTunes.exe"="F:\ITunes\iTunes.exe:*:Enabled:iTunes"
    "C:\Program Files\Bradford\ClickForms\ClickForms.exe"="C:\Program Files\Bradford\ClickForms\ClickForms.exe:*:Enabled:ClickForms.exe"
    "C:\WINDOWS\system32\drivers\svchost.exe"="C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:???????"
    "C:\WINDOWS\system32\dxdiag.exe"="C:\WINDOWS\system32\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool"
    "C:\Program Files\Hewlett-Packard\hp deskjet assistant\bin\browser.exe"="C:\Program Files\Hewlett-Packard\hp deskjet assistant\bin\browser.exe:*:Enabled:Hewlett-Packard ® Printer Assistant Browser"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28fb7121-dcd7-11dc-924d-000cf17c9a50}]
    shell\AutoRun\command - setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b4391bc-10d5-11dd-925f-000cf17c9a50}]
    shell\AutoRun\command - ranvrgn.exe
    shell\explore\command - ranvrgn.exe
    shell\open\command - ranvrgn.exe


    ======List of files/folders created in the last 1 months======

    2009-08-12 14:08:26 ----D---- C:\rsit
    2009-08-12 14:08:26 ----D---- C:\Program Files\trend micro
    2009-08-12 14:06:28 ----D---- C:\Rooter$
    2009-08-11 09:52:03 ----D---- C:\WINDOWS\ERDNT
    2009-08-11 09:51:00 ----D---- C:\Program Files\ERUNT
    2009-08-10 10:49:45 ----D---- C:\Program Files\Hijackthis
    2009-08-10 07:36:37 ----D---- C:\Documents and Settings\Jerry\Application Data\Malwarebytes
    2009-08-10 07:36:32 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-08-10 07:33:53 ----D---- C:\Program Files\Malwarebytes
    2009-08-09 20:06:49 ----A---- C:\WINDOWS\system32\lsdelete.exe
    2009-08-09 18:22:24 ----HDC---- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-08-09 18:22:20 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2009-08-09 18:18:59 ----D---- C:\Program Files\Lavasoft
    2009-08-09 13:43:15 ----SHD---- C:\WINDOWS\msa.exe
    2009-08-08 17:40:34 ----A---- C:\WINDOWS\alaredun.ini
    2009-07-15 05:47:27 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
    2009-07-15 05:47:22 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
    2009-07-15 05:45:36 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$

    ======List of files/folders modified in the last 1 months======

    2009-08-12 14:08:26 ----RD---- C:\Program Files
    2009-08-12 14:06:07 ----D---- C:\WINDOWS\Prefetch
    2009-08-12 13:57:20 ----D---- C:\WINDOWS\system32
    2009-08-12 13:37:10 ----SD---- C:\WINDOWS\Tasks
    2009-08-12 00:31:39 ----D---- C:\WINDOWS\Temp
    2009-08-11 17:40:32 ----A---- C:\WINDOWS\alamode.ini
    2009-08-11 09:52:03 ----D---- C:\WINDOWS
    2009-08-11 09:47:41 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-08-11 09:44:46 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-08-10 23:03:14 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2009-08-10 14:37:26 ----D---- C:\WINDOWS\system32\drivers
    2009-08-10 14:36:50 ----A---- C:\WINDOWS\ntbtlog.txt
    2009-08-10 09:48:28 ----A---- C:\WINDOWS\wininit.ini
    2009-08-09 18:23:00 ----HD---- C:\WINDOWS\inf
    2009-08-09 18:22:55 ----DC---- C:\WINDOWS\system32\DRVSTORE
    2009-08-09 18:22:24 ----SHD---- C:\WINDOWS\Installer
    2009-08-09 18:22:24 ----SHD---- C:\Config.Msi
    2009-08-09 18:22:18 ----D---- C:\WINDOWS\WinSxS
    2009-08-09 18:16:39 ----D---- C:\Documents and Settings\Jerry\Application Data\Lavasoft
    2009-08-09 18:16:38 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2009-08-09 16:29:33 ----D---- C:\Documents and Settings\All Users\Application Data\12100624
    2009-08-09 16:02:18 ----D---- C:\Program Files\Spybot - Search & Destroy
    2009-08-06 09:59:28 ----D---- C:\Program Files\AlaMode
    2009-08-05 13:32:33 ----D---- C:\Documents and Settings\All Users\Application Data\alamode
    2009-07-29 07:00:49 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2009-07-29 07:00:47 ----D---- C:\WINDOWS\system32\en-US
    2009-07-29 07:00:47 ----D---- C:\Program Files\Internet Explorer
    2009-07-29 06:59:46 ----HD---- C:\WINDOWS\$hf_mig$
    2009-07-19 06:33:02 ----A---- C:\WINDOWS\system32\mshtml.dll
    2009-07-19 06:32:59 ----A---- C:\WINDOWS\system32\ieframe.dll
    2009-07-18 13:11:49 ----D---- C:\WINDOWS\Help
    2009-07-15 05:47:29 ----A---- C:\WINDOWS\imsins.BAK
    2009-07-14 23:05:08 ----HD---- C:\$AVG8.VAULT$

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-07-28 335752]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-06-22 27784]
    R1 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-11 108552]
    R1 GearAspiWDM;GearAspiWDM; C:\WINDOWS\system32\drivers\GearAspiWDM.sys [2008-01-29 16168]
    R1 InCDPass;Nero InCDPass Driver; C:\WINDOWS\system32\DRIVERS\InCDPass.sys [2008-09-19 40216]
    R1 InCDRm;Nero MRW Remapper Driver; C:\WINDOWS\system32\DRIVERS\InCDRm.sys [2008-09-19 41752]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
    R1 V2IMount;V2IMount; C:\WINDOWS\system32\drivers\V2IMount.sys [2005-09-09 56192]
    R2 cvintdrv;cvintdrv; C:\WINDOWS\system32\drivers\cvintdrv.sys [2001-08-01 7140]
    R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
    R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
    R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
    R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2003-02-20 135040]
    R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2003-03-26 498688]
    R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2003-02-20 6144]
    R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2003-02-20 135248]
    R3 E1000;Intel(R) PRO/1000 Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2005-06-29 163840]
    R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2003-02-20 116000]
    R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\System32\drivers\ha10kx2k.sys [2003-03-26 823616]
    R3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\System32\drivers\hap16v2k.sys [2003-03-26 141536]
    R3 HidBatt;HID UPS Battery Driver; C:\WINDOWS\system32\DRIVERS\HidBatt.sys [2008-04-13 20352]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 InCDFs;Nero UDF File System Driver; C:\WINDOWS\system32\DRIVERS\InCDFs.sys [2008-09-19 129560]
    R3 MBAMProtector;MBAMProtector; \??\C:\WINDOWS\system32\drivers\mbam.sys []
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-01-15 6301248]
    R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2003-03-26 189504]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2005-04-12 10144]
    R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2005-04-12 45504]
    S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
    S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\System32\drivers\ctdvda2k.sys [2003-03-27 287920]
    S3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\system32\drivers\hap17v2k.sys [2006-08-11 180224]
    S3 PSI;PSI; C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-10-27 7808]
    S3 sermouse;Serial Mouse Driver; C:\WINDOWS\system32\DRIVERS\sermouse.sys [2001-08-17 17664]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S3 WmFilter;Logitech Gaming HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2005-04-12 22240]
    S3 WmHidLo;Logitech Gaming USB Filter Driver; C:\WINDOWS\system32\drivers\WmHidLo.sys [2005-04-12 17632]
    S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2005-04-12 5600]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R01000000 papycpu2;papycpu2; C:\WINDOWS\System32\DRIVERS\papycpu2.sys [2003-01-17 1984]
    R01000000 papyjoy;papyjoy; C:\WINDOWS\System32\DRIVERS\papyjoy.sys [2003-01-17 1856]
    R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-06 110592]
    R2 avg8emc;AVG8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-07-28 907032]
    R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-06-22 298776]
    R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2007-01-09 198248]
    R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2007-01-09 181864]
    R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [1999-12-13 44032]
    R2 GEARSecurity;GEARSecurity; C:\WINDOWS\System32\GEARSec.exe [2005-09-09 53248]
    R2 InCDSrv;InCD Helper; C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe [2008-09-19 1483800]
    R2 MSSQL$ALAMODE;MSSQL$ALAMODE; C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe [2008-12-18 9158656]
    R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0; C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-19 935208]
    R2 NeroRegInCDSrv;Nero Registry InCD Service; C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe [2008-09-19 108568]
    R2 Norton Ghost;Norton Ghost; C:\Program Files\Norton Ghost\Agent\VProSvc.exe [2005-09-09 2066024]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-01-15 163908]
    R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-02-17 822424]
    R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [2001-05-01 53248]
    R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-12-11 504104]
    S1 InCDRec;Nero UDF File System Recognizer Driver; C:\WINDOWS\system32\DRIVERS\InCDRec.sys [2008-09-19 19352]
    S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
    S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-01 183280]
    S2 MBAMService;MBAMService; C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe [2009-08-03 232720]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
    S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2007-01-09 79464]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
    S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 1029456]
    S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2005-05-03 73728]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE; C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE [2005-05-03 323584]
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
    S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

    -----------------EOF-----------------

  5. #5
    Junior Member
    Join Date
    Aug 2009
    Location
    Duvall, Washington
    Posts
    8

    Default

    Here is the info.txt.

    Thanks

    info.txt logfile of random's system information tool 1.06 2009-08-12 14:08:43

    ======Uninstall list======

    -->"C:\Program Files\Creative\SBAudigy2\Program\Ctzapxx.EXE" /U /S
    -->MsiExec.exe /I{688A3383-3CE7-4094-9188-9C39D1E4FCB6}
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9 /remove
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\Setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9 /remove
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9 /remove
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
    -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
    Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
    Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 8.1.6-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
    Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
    AI RoboForm (All Users)-->"C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
    Apex Medina v4 Appraiser - HotFix-->C:\PROGRA~1\APEXSO~1\APEXME~1\UNWISE.EXE C:\PROGRA~1\APEXSO~1\APEXME~1\INSTALL.LOG
    Apex Medina v4 Appraiser-->C:\PROGRA~1\APEXSO~1\APEXME~1\UNWISE.EXE C:\PROGRA~1\APEXSO~1\APEXME~1\INSTALL.LOG
    Apple Mobile Device Support-->MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
    Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
    ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
    ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
    AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
    ClickFORMS-->MsiExec.exe /I{3FF21C61-57AC-41C7-AC4F-24ED5B335565}
    Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
    Creative Audio Console-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
    Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
    DVD Decoder Pak for Windows XP-->MsiExec.exe /X{92C5DB3D-9D6F-4324-BB11-57825F4C2635}
    ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
    GEAR 32bit Driver Installer-->MsiExec.exe /X{E89B484C-B913-49A0-959B-89E836001658}
    Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
    Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
    Hijackthis 1.99.1-->"C:\Program Files\Hijackthis\unins000.exe"
    HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
    Hotfix 2050 for SQL Server 2000 ENU (KB948110)-->"C:\WINDOWS\$SQLUninstallSQL2000-KB948110-v8.00.2050-x86-ENU$\spuninst\spuninst.exe"
    Hotfix 2055 for SQL Server 2000 ENU (KB960082)-->"C:\WINDOWS\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$\spuninst\spuninst.exe"
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
    Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
    Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
    hp deskjet 5550 series (Remove only)-->C:\Program Files\hp deskjet 5550 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB001 -vproduct=5550 -huninstall
    hp deskjet 5550 series-->rundll32 hpzcon07.dll,VendorJettison hp deskjet 5550 series
    Intel(R) PRO Network Connections Drivers-->Prounstl.exe
    iTunes-->MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
    J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
    Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
    jv16 PowerTools 2007-->"C:\Program Files\jv16 PowerTools 2007\unins000.exe"
    LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSETUP.EXE /REMOVE
    LiveUpdate 2.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
    Logitech Gaming Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C1DA723-24FC-48AD-93BA-925695C3EF26}\setup.exe" -l0x9 -removeonly
    Madden NFL 2004-->C:\Program Files\EA SPORTS\Madden NFL 2004\EAUninstall.exe
    Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\unins000.exe"
    Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
    Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
    Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
    Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
    Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
    Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Flight Simulator 2004 A Century of Flight-->"C:\Program Files\Microsoft Games\Flight Simulator 9\UNINSTAL.EXE" /runtemp /addremove
    Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
    Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
    Microsoft Office Basic Edition 2003-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office PowerPoint Viewer 2003-->MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
    Microsoft SQL Server Desktop Engine (ALAMODE)-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
    Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
    Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Microsoft Works 6-9 Converter-->MsiExec.exe /X{172423F9-522A-483A-AD65-03600CE4CA4F}
    MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
    MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
    MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
    MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
    NASCAR® Racing 2003 Season-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACC2E059-40E9-4464-B18D-C9BDD9A02CED}\SETUP.exe" -l0x9 -uninst
    Nero 9-->C:\Program Files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe REMOVESERIALNUMBER="1M03-0280-K74P-38XH-5HX1-WKXM-5XH2-U3PX"
    neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
    Norton Ghost 10.0-->MsiExec.exe /X{32F720F5-2D0D-4245-A2B0-9EB3CECF8101}
    NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
    PDF-XChange 3-->"C:\Program Files\Apex Software\Apex Medina\PDF Exchange\unins000.exe"
    QuickBooks Pro 2006-->msiexec.exe /I {688A3383-3CE7-4094-9188-9C39D1E4FCB6} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2006" ADDREMOVE=1
    QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
    Secunia PSI (RC4)-->"C:\Program Files\Secunia\PSI (RC4)\uninstall.exe"
    Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
    Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
    ShaPlus Bandwidth Meter 1.2-->C:\Program Files\ShaPlus Bandwidth Meter\uninst.exe
    Sierra 3D Deck-->C:\WINDOWS\IsUninst.exe -f"c:\program files\SIERRA\3DDeck\Uninst.isu"
    Sierra Home Architect-->C:\WINDOWS\IsUninst.exe -f"c:\program files\SIERRA\SHA\Uninst.isu"
    SimCity 3000-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Maxis\SimCity 3000\Uninst.isu"
    Sound Blaster Audigy 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E82BF103-904F-49C0-B77F-6EC110B71E87}\SETUP.EXE" -l0x9
    SoundFont Bank Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\Setup.exe" -l0x9 /remove
    Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
    Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
    TuneJack 3.3-->"C:\Program Files\Purple Ghost\TuneJack\unins000.exe"
    Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
    Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
    Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
    Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
    Virtual Weather Station-->MsiExec.exe /X{CD4215A0-AAF4-11D5-8879-0800460222F0}
    Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
    Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
    Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
    Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
    Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
    Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
    Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

    ======Hosts File======

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    ======Security center information======

    AV: AVG Anti-Virus Free

    ======System event log======

    Computer Name: JERRY-DESKTOP
    Event Code: 1
    Message:
    Record Number: 23800
    Source Name: sermouse
    Time Written: 20090623085654.000000-420
    Event Type: error
    User:

    Computer Name: JERRY-DESKTOP
    Event Code: 4226
    Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

    Record Number: 23788
    Source Name: Tcpip
    Time Written: 20090623064901.000000-420
    Event Type: warning
    User:

    Computer Name: JERRY-DESKTOP
    Event Code: 1
    Message:
    Record Number: 23751
    Source Name: sermouse
    Time Written: 20090622160105.000000-420
    Event Type: error
    User:

    Computer Name: JERRY-DESKTOP
    Event Code: 1003
    Message: Your computer was not able to renew its address from the network (from the
    DHCP Server) for the Network Card with network address 000CF17C9A50. The following
    error occurred:
    The operation was canceled by the user.
    .
    Your computer will continue to try and obtain an address on its own from
    the network address (DHCP) server.

    Record Number: 23747
    Source Name: Dhcp
    Time Written: 20090622160052.000000-420
    Event Type: warning
    User:

    Computer Name: JERRY-DESKTOP
    Event Code: 9
    Message: The device, \Device\Ide\IdePort0, did not respond within the timeout period.

    Record Number: 23741
    Source Name: atapi
    Time Written: 20090622142949.000000-420
    Event Type: error
    User:

    =====Application event log=====

    Computer Name: JERRY-DESKTOP
    Event Code: 19011
    Message:
    Record Number: 6106
    Source Name: MSSQL$ALAMODE
    Time Written: 20090322194605.000000-420
    Event Type: warning
    User:

    Computer Name: JERRY-DESKTOP
    Event Code: 19011
    Message:
    Record Number: 6058
    Source Name: MSSQL$ALAMODE
    Time Written: 20090319093305.000000-420
    Event Type: warning
    User:

    Computer Name: JERRY-DESKTOP
    Event Code: 8
    Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.


    Record Number: 6051
    Source Name: crypt32
    Time Written: 20090318202223.000000-420
    Event Type: error
    User:

    Computer Name: JERRY-DESKTOP
    Event Code: 8
    Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.


    Record Number: 6050
    Source Name: crypt32
    Time Written: 20090318202223.000000-420
    Event Type: error
    User:

    Computer Name: JERRY-DESKTOP
    Event Code: 19011
    Message:
    Record Number: 6004
    Source Name: MSSQL$ALAMODE
    Time Written: 20090311184812.000000-480
    Event Type: warning
    User:

    ======Environment variables======

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\QuickTime\QTSystem\
    "windir"=%SystemRoot%
    "FP_NO_HOST_CHECK"=NO
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    "PROCESSOR_REVISION"=0209
    "NUMBER_OF_PROCESSORS"=1
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "ASLOGDIR"=C:\Program Files\Intuit\QuickBooks 2006\
    "WT"=c:\program files\alamode
    "CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
    "QTJAVA"=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip

    -----------------EOF-----------------

  6. #6
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,167

    Default

    Hi

    Glad to have your help, thank you.
    You're welcome and thanks for the situation update.

    Next:

    Older versions of both Adobe and Java pose a security risk and a back-door to either infect and or re-infect a system. We will update both in due course.

    Lavasoft Ad-Aware is causing a system conflict and we will remove the out of date Hijackthis also as you have the current version installed.

    Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

    Ad-Aware
    Adobe Reader 8.1.6
    Hijackthis 1.99
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 2


    To do so, click once on each of the above in turn to highlight and then click on the Remove button.

    Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

    Download/Run ComboFix:

    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    Please include the C:\ComboFix.txt in your next reply for further review.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper


    When completed the above, please post back the following in the order asked for:
    • How is you computer performing now, any other symptoms and or problems encountered?
    • ComboFix Log.
    • A new HijackThis Log.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  7. #7
    Junior Member
    Join Date
    Aug 2009
    Location
    Duvall, Washington
    Posts
    8

    Default

    Hi.
    I have performed the steps that you asked me to do. A couple of notes before I post the logs.

    -When running Combo Fix, the following box came up:

    ROOTKIT MESSAGE
    Combo Fix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper the name of each file. We may need it later:
    C:\windows\system32\drivers\SKYNETmcryoppe.sys
    C:\windows\system32\SKYNETyliotpjp.dll
    C:\windows\system32\SKYNETupjcpuwy.dat
    C:\windows\system32\SKYNETbcmpxmdx.dll
    C:\windows\system32\idwkssov.dat


    Another message that came up when Combo Fix rebooted:
    PEV.CFEXE-CORRUPT FILE
    The file or directory C:\$mft is corrupt and unreadable. Please run the CHKDSC utility.

    Another message:
    MalwareBytes Anti Malware
    mbamservice terminated unexpectedly. See event log for details.


    I turned AVG and Spybot back on after the Combo Fix. I hope this is OK. I didn't want to leave myself more exposed.

    The computer seems basically OK although I haven't used it on or offline while we are going through this process so that I didn't mess up what you are having me do. If you want me to start using it to test it, let me know.

    Combo Fix log:
    ComboFix 09-08-10.06 - Jerry 08/13/2009 6:39.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1577 [GMT -7:00]
    Running from: c:\documents and settings\Jerry\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\autorun.inf
    c:\program files\Common
    c:\windows\Installer\42150e9.msp
    c:\windows\Installer\4215191.msp
    c:\windows\Installer\49837705.msp
    c:\windows\Installer\49837716.msp
    c:\windows\Installer\49837728.msp
    c:\windows\Installer\49837731.msp
    c:\windows\Installer\4983773b.msp
    c:\windows\Installer\4983774d.msp
    c:\windows\Installer\beb8295.msp
    c:\windows\Installer\ead6bc8.msp
    c:\windows\Installer\ead6bd2.msp
    c:\windows\Installer\ead6be3.msp
    c:\windows\Installer\ead6bee.msp
    c:\windows\Installer\ead6c00.msp
    c:\windows\Installer\ead6c0a.msp
    c:\windows\msa.exe
    c:\windows\system32\bszip.dll
    c:\windows\system32\drivers\SKYNETmcrydppe.sys
    c:\windows\system32\SKYNETbcmpxmdx.dll
    c:\windows\system32\SKYNETidwkssov.dat
    c:\windows\system32\SKYNETupjcpuwy.dat
    c:\windows\system32\SKYNETyliotpjp.dll
    c:\docume~1\Jerry\LOCALS~1\Temp\spool.tmp . . . . failed to delete
    c:\documents and settings\Jerry\Local Settings\Temp\spool.tmp . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SKYNETddsbofle
    -------\Legacy_SKYNETddsbofle


    ((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
    .

    2009-08-13 12:52 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
    2009-08-12 21:08 . 2009-08-12 21:08 -------- d-----w- C:\rsit
    2009-08-12 21:08 . 2009-08-12 21:08 -------- d-----w- c:\program files\trend micro
    2009-08-12 21:06 . 2009-08-12 21:06 -------- d-----w- C:\Rooter$
    2009-08-11 16:51 . 2009-08-11 16:51 -------- d-----w- c:\program files\ERUNT
    2009-08-10 20:56 . 2009-08-10 20:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-08-10 14:36 . 2009-08-10 14:36 -------- d-----w- c:\documents and settings\Jerry\Application Data\Malwarebytes
    2009-08-10 14:36 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-10 14:36 . 2009-08-10 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-10 14:36 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-10 14:33 . 2009-08-10 14:36 -------- d-----w- c:\program files\Malwarebytes
    2009-08-10 01:22 . 2009-08-13 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-08-10 01:18 . 2009-08-13 12:45 -------- d-----w- c:\program files\Lavasoft
    2009-08-09 20:43 . 2009-08-09 22:09 -------- d-sh--w- c:\windows\msa.exe
    2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
    2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-13 13:45 . 2007-12-18 22:29 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2009-08-13 13:45 . 2007-12-18 22:29 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2009-08-13 12:45 . 2007-02-22 16:37 -------- d-----w- c:\program files\Java
    2009-08-13 08:05 . 2008-12-15 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-08-10 01:16 . 2007-02-15 19:10 -------- d-----w- c:\documents and settings\Jerry\Application Data\Lavasoft
    2009-08-09 23:29 . 2009-06-12 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\12100624
    2009-08-09 23:02 . 2009-01-26 13:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-08-06 16:59 . 2008-04-15 01:13 -------- d-----w- c:\program files\AlaMode
    2009-08-05 20:32 . 2008-05-12 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\alamode
    2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-31 01:39 . 2008-10-25 22:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-07-29 03:58 . 2008-08-17 02:26 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-14 06:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-23 04:35 . 2008-08-17 02:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-06-23 04:35 . 2008-08-17 02:26 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-12 15:33 . 2009-06-12 15:32 109 --sha-w- c:\windows\system32\3899905161.dat
    2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
    2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
    2009-06-11 18:29 . 2008-04-15 01:14 2381128 ----a-w- c:\windows\system32\alamapctrl.dll
    2009-06-10 16:19 . 2007-02-15 00:13 2066432 ----a-w- c:\windows\system32\mstscax.dll
    2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
    2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-26 16:28 . 2008-04-15 01:14 2315512 ----a-w- c:\windows\system32\xsitenet.dll
    2009-05-15 18:17 . 2008-04-15 01:14 713976 ----a-w- c:\windows\system32\aconvert.dll
    2008-01-10 01:43 . 2008-01-10 01:43 2472602 ----a-w- c:\program files\jv16pt_setup.exe
    2007-01-18 19:05 . 2008-04-14 23:51 196608 ------w- c:\program files\CoolInst.dll
    2004-02-03 17:40 . 2008-04-14 23:51 131072 ------w- c:\program files\dzip32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
    @="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
    [HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
    2008-09-20 00:53 98328 ----a-w- c:\program files\Nero\Nero 9\InCD\NBHshx.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SB Audigy 2 Startup Menu"="/L:ENG" [X]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-19 160592]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 58984]
    "Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-09-10 1537648]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
    "CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
    "CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
    "iTunesHelper"="f:\itunes\iTunesHelper.exe" [2007-12-11 267048]
    "The Assistant"="c:\program files\a la mode\Sched\eSched.exe" [2007-04-16 99840]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-23 1948440]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
    "InCD"="c:\program files\Nero\Nero 9\InCD\InCD.exe" [2008-09-20 1111064]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
    "CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-02-20 28672]
    "CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]
    "AsioReg"="CTASIO.DLL" - c:\windows\system32\CTASIO.DLL [2003-02-20 110592]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-19 160592]

    c:\documents and settings\Jerry\Start Menu\Programs\Startup\
    Secunia PSI (RC4).lnk - c:\program files\Secunia\PSI (RC4)\psi.exe [2008-10-29 695656]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-06-23 04:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
    "c:\\Program Files\\EA SPORTS\\Madden NFL 2004\\Updater.exe"=
    "c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\Program Files\\Microsoft SQL Server\\MSSQL$ALAMODE\\Binn\\sqlservr.exe"=
    "c:\\Program Files\\a la mode\\Sched\\eSched.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "f:\\ITunes\\iTunes.exe"=
    "c:\\Program Files\\Bradford\\ClickForms\\ClickForms.exe"=
    "c:\\WINDOWS\\system32\\dxdiag.exe"=
    "c:\\Program Files\\Hewlett-Packard\\hp deskjet assistant\\bin\\browser.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/16/2008 7:26 PM 335752]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/16/2008 7:26 PM 108552]
    R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/16/2008 7:26 PM 907032]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/16/2008 7:26 PM 298776]
    R2 MSSQL$ALAMODE;MSSQL$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe [5/4/2005 1:04 AM 9158656]
    R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe [9/19/2008 5:53 PM 108568]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/10/2009 7:36 AM 19096]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [10/27/2008 1:04 AM 7808]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe [8/10/2009 7:36 AM 232720]
    S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE [5/3/2005 10:42 PM 323584]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-13 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-15 12:47]

    2009-01-29 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 23:31]

    2009-08-12 c:\windows\Tasks\User_Feed_Synchronization-{0D9F3A8A-3216-4642-B983-9D22579AE7A0}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 19:58]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Start WingMan Profiler - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.thedaily.com/bikini.html
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    Trusted Zone: lvarmls.com
    Trusted Zone: nwmls.com
    Trusted Zone: vvmls.com
    DPF: {6DE617B8-49C0-40F8-8118-D2C3741F1C28} - hxxp://locmedia.nwmls.com/tools/MlsToTrusted/rapmls/SetTrustedSitesControl.dll
    .

    **************************************************************************

    disk not found C:\

    please note that you need administrator rights to perform deep scan
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1614895754-1078081533-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3968)
    c:\windows\system32\WININET.dll
    c:\program files\Nero\Nero 9\InCD\NBHshx.dll
    c:\program files\Nero\Nero 9\InCD\NBHStr.dll
    c:\program files\Common Files\Nero\AdvrCntr4\AdvrCntr4.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
    c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\system32\CTSVCCDA.EXE
    c:\windows\system32\gearsec.exe
    c:\program files\Nero\Nero 9\InCD\InCDSrv.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\program files\Norton Ghost\Agent\VProSvc.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-13 6:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-13 13:50

    Pre-Run: 123,891,953,664 bytes free
    Post-Run: 124,265,242,624 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    239 --- E O F --- 2009-08-13 12:56


    Hijack this log to follow in next post.

  8. #8
    Junior Member
    Join Date
    Aug 2009
    Location
    Duvall, Washington
    Posts
    8

    Default

    Here's the current Hijack This log.
    Thanks again for the help.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:15:18 AM, on 8/13/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    F:\ITunes\iTunesHelper.exe
    C:\Program Files\a la mode\Sched\eSched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Nero\Nero 9\InCD\InCD.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Secunia\PSI (RC4)\psi.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedaily.com/bikini.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [iTunesHelper] "F:\ITunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 9\InCD\InCD.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://*.lvarmls.com
    O15 - Trusted Zone: http://*.nwmls.com
    O15 - Trusted Zone: http://*.vvmls.com
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
    O16 - DPF: {6DE617B8-49C0-40F8-8118-D2C3741F1C28} (SetTrustedSitesControl.clsReg) - http://locmedia.nwmls.com/tools/MlsT...tesControl.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171565853709
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDSrv) - Nero AG - C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: MSSQL$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" -sALAMODE (file missing)
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SQLAgent$ALAMODE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" -i ALAMODE (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  9. #9
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,167

    Default

    Hi

    Absolutely fine what you have done/mentioned, apart from TeaTimer, we can address this shortly

    Looks like we may have to run some in-depth Hard-Drive maintenance at some point. But we can check that first to verify in due course.

    OK you will need to disable TeaTimer again as it will hinder the malware removal process then please leave it disabled. Your computer is not left without protection I will add as both the installed Anti-Virus and Malwarebytes' Anti-Malware Protection Module are active.

    For peace of mind if you wish, do keep the online activity of this machine at a minimum until I have researced the next set of logs. Probably prudent to do so anyway as the infections we are currently dealing with are quite serious.

    Have you ever used this machine for any online transactions at all?

    DelDomains:

    • Right click Here and select Save Target As... to download WinHelp2002's DelDomains.inf.
    • Please save the file to the desktop.
    • To run the inf file, right click on it and select Install.
    Malwarebytes Anti-Malware:

    • Launch the application, Check for Updates >> Perform a Quick Scan
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Check Hard Disk For Errors:

    Press Start->Run, then copy/paste the following command into the box and press OK:
    cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
    A blank command window will open on your desktop, then close in a few minutes. This is normal.
    A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.

    Next:

    Please make sure that RSIT.exe is still on the Desktop.(if not inform myself straight away please)
    • Double click once on RSIT.exe
    • RSIT will start running, at the disclaimer click on Continue.
    • When done, 1 log will be produced.
    • Post that in your next reply.
    When completed the above, please post back the following in the order asked for:
    • How is you computer performing now, any other symptoms and or problems encountered?
    • Malwarebytes Anti-Malware Log.
    • checkhd.txt
    • A new RSIT Log.
    Last edited by Dakeyras; 2009-08-13 at 18:00. Reason: typo
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  10. #10
    Junior Member
    Join Date
    Aug 2009
    Location
    Duvall, Washington
    Posts
    8

    Default

    Hi again.

    Yes I have used this machine for online transactions.
    Again, I have not used this machine for anything since we started this process, so I don't have anything to report about how it's acting, other than what comes up during these tests.

    No "show results" at the end of the MBAM scan. Just :no malicious items detected".

    MBAM log:
    Malwarebytes' Anti-Malware 1.40
    Database version: 2615
    Windows 5.1.2600 Service Pack 3

    8/13/2009 8:49:58 AM
    mbam-log-2009-08-13 (08-49-58).txt

    Scan type: Quick Scan
    Objects scanned: 97295
    Time elapsed: 4 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)






    Checkhd.txt log:

    The type of the file system is NTFS.

    WARNING! F parameter not specified.
    Running CHKDSK in read-only mode.

    CHKDSK is verifying files (stage 1 of 3)...
    from file record segment 11832.
    Deleted corrupt attribute list entry
    with type code 128 in file 12065.
    Deleted corrupt attribute list entry
    with type code 128 in file 12065.
    Deleted corrupt attribute list entry
    with type code 48 in file 12065.
    Deleting corrupt attribute record (48, "")
    from file record segment 12065.
    Deleting corrupt attribute record (128, "")
    from file record segment 12421.
    Deleting corrupt attribute record (128, "")
    from file record segment 108984.
    Deleting corrupt attribute record (128, "")
    from file record segment 12430.
    from file record segment 17959.
    with type code 128 in file 19747.
    Deleting corrupt attribute record (128, "")
    from file record segment 19971.
    from file record segment 21126.
    from file record segment 34143.
    with type code 128 in file 40238.
    Deleting corrupt attribute record (128, "")
    from file record segment 40242.
    Deleting corrupt attribute record (128, "")
    from file record segment 40243.
    Deleting corrupt attribute record (128, "")
    from file record segment 40252.
    from file record segment 41604.
    from file record segment 90985.
    from file record segment 92129.
    Deleted corrupt attribute list entry
    with type code 128 in file 92144.
    Deleted corrupt attribute list entry
    with type code 128 in file 92144.
    Deleting corrupt attribute record (128, "")
    from file record segment 92147.
    Deleting corrupt attribute record (128, "")
    from file record segment 92169.
    from file record segment 93344.
    Deleted corrupt attribute list entry
    with type code 128 in file 93853.
    Deleted corrupt attribute list entry
    with type code 128 in file 93853.
    Deleting corrupt attribute record (128, "")
    from file record segment 93872.
    Deleting corrupt attribute record (128, "")
    from file record segment 93874.
    Deleting corrupt attribute record (128, "")
    from file record segment 93916.
    Deleting corrupt attribute record (128, "")
    from file record segment 94050.
    from file record segment 97471.
    Deleting corrupt attribute record (128, "")
    from file record segment 97659.
    from file record segment 97924.
    Deleting corrupt attribute record (128, "")
    from file record segment 97929.
    Deleting corrupt attribute record (160, $I30)
    from file record segment 99140.
    Deleting corrupt attribute record (128, "")
    from file record segment 99160.
    Deleted corrupt attribute list entry
    with type code 128 in file 99208.
    Deleting corrupt attribute record (128, "")
    from file record segment 99234.
    Deleting corrupt attribute record (128, "")
    from file record segment 99247.
    Deleting corrupt attribute record (128, "")
    from file record segment 99351.
    Deleting corrupt attribute record (128, "")
    from file record segment 99407.
    from file record segment 99887.
    Deleting corrupt attribute record (128, "")
    from file record segment 99908.
    from file record segment 108489.
    Deleting corrupt attribute record (160, $I30)
    from file record segment 108902.
    Deleting corrupt attribute record (128, "")
    from file record segment 108912.
    Deleting corrupt attribute record (128, "")
    from file record segment 108936.
    Deleting corrupt attribute record (128, "")
    from file record segment 109316.
    Deleted corrupt attribute list entry
    with type code 128 in file 109340.
    Deleting corrupt attribute record (128, "")
    from file record segment 109346.
    Deleting corrupt attribute record (128, "")
    from file record segment 109353.
    Deleting corrupt attribute record (128, "")
    from file record segment 109495.
    Deleting corrupt attribute record (128, "")
    from file record segment 109660.
    from file record segment 110444.
    Deleting corrupt attribute record (128, "")
    from file record segment 111063.
    Deleting corrupt attribute record (128, "")
    from file record segment 111065.
    Deleting corrupt attribute record (128, "")
    from file record segment 111069.
    Deleting corrupt attribute record (128, "")
    from file record segment 111172.
    with type code 128 in file 112020.
    Deleted corrupt attribute list entry
    with type code 128 in file 112020.
    Deleting corrupt attribute record (128, "")
    from file record segment 112144.
    Deleting corrupt attribute record (128, "")
    from file record segment 112145.
    Deleting corrupt attribute record (128, "")
    from file record segment 112146.
    Deleted corrupt attribute list entry
    with type code 128 in file 112150.
    Deleting corrupt attribute record (128, "")
    from file record segment 112151.
    Deleting corrupt attribute record (128, "")
    from file record segment 112198.
    Deleted corrupt attribute list entry
    with type code 128 in file 112613.
    Deleting corrupt attribute record (128, "")
    from file record segment 112617.
    Deleting corrupt attribute record (128, "")
    from file record segment 112614.
    with type code 128 in file 114038.
    Deleting corrupt attribute record (128, "")
    from file record segment 115913.
    Deleting corrupt attribute record (128, "")
    from file record segment 114495.
    Deleted corrupt attribute list entry
    with type code 128 in file 114500.
    Deleting corrupt attribute record (128, "")
    from file record segment 114501.
    Deleting corrupt attribute record (128, "")
    from file record segment 114502.
    Deleting corrupt attribute record (128, "")
    from file record segment 114503.
    Deleting corrupt attribute record (128, "")
    from file record segment 114506.
    Deleting corrupt attribute record (128, "")
    from file record segment 114610.
    from file record segment 118711.
    Deleting corrupt attribute record (128, "")
    from file record segment 119693.
    from file record segment 121398.
    from file record segment 121867.
    Deleting corrupt attribute record (128, "")
    from file record segment 122110.
    Deleting corrupt attribute record (128, "")
    from file record segment 122130.
    Deleting corrupt attribute record (160, $I30)
    from file record segment 122158.
    from file record segment 125302.
    Deleting corrupt attribute record (128, "")
    from file record segment 126230.
    with type code 128 in file 145584.
    Deleting corrupt attribute record (128, "")
    from file record segment 145586.
    Deleting corrupt attribute record (128, "")
    from file record segment 145588.
    Deleting corrupt attribute record (128, "")
    from file record segment 145590.
    Deleting corrupt attribute record (128, "")
    from file record segment 145592.
    Deleting corrupt attribute record (128, "")
    from file record segment 145988.
    Deleting corrupt attribute record (128, "")
    from file record segment 145989.
    Deleting corrupt attribute record (128, "")
    from file record segment 145990.
    Deleting corrupt attribute record (128, "")
    from file record segment 146008.
    Deleting corrupt attribute record (128, "")
    from file record segment 146022.
    Deleting corrupt attribute record (128, "")
    from file record segment 146023.
    Deleting corrupt attribute record (128, "")
    from file record segment 146166.
    Deleting corrupt attribute record (128, "")
    from file record segment 146171.
    Deleting corrupt attribute record (128, "")
    from file record segment 146178.
    Deleting corrupt attribute record (128, "")
    from file record segment 146188.
    Deleting corrupt attribute record (128, "")
    from file record segment 146211.
    Deleting corrupt attribute record (128, "")
    from file record segment 146216.
    Deleting corrupt attribute record (128, "")
    from file record segment 146240.
    Deleting corrupt attribute record (128, "")
    from file record segment 146256.
    Deleting corrupt attribute record (128, "")
    from file record segment 146261.
    Deleting corrupt attribute record (128, "")
    from file record segment 146385.
    from file record segment 147051.
    Deleted corrupt attribute list entry
    with type code 128 in file 147069.
    Deleting corrupt attribute record (128, "")
    from file record segment 147075.
    Deleting corrupt attribute record (128, "")
    from file record segment 147123.
    Deleting corrupt attribute record (128, "")
    from file record segment 147146.
    Deleting corrupt attribute record (128, "")
    from file record segment 147147.
    Deleting corrupt attribute record (160, $I30)
    from file record segment 147152.
    Deleting corrupt attribute record (128, "")
    from file record segment 147159.
    from file record segment 151253.
    from file record segment 156439.
    Deleting corrupt attribute record (128, "")
    from file record segment 156525.
    Deleting corrupt attribute record (128, "")
    from file record segment 156534.
    Deleting corrupt attribute record (160, $I30)
    from file record segment 156551.
    Deleting corrupt attribute record (128, "")
    from file record segment 156556.
    Deleted corrupt attribute list entry
    with type code 128 in file 156558.
    Deleting corrupt attribute record (128, "")
    from file record segment 156561.
    Deleting corrupt attribute record (160, $I30)
    from file record segment 156804.
    Deleting corrupt attribute record (128, "")
    from file record segment 156806.
    Deleting corrupt attribute record (160, $I30)
    from file record segment 156878.
    Deleting corrupt attribute record (128, "")
    from file record segment 156924.
    from file record segment 157829.
    Deleting corrupt attribute record (128, "")
    from file record segment 157839.
    Deleting corrupt attribute record (128, "")
    from file record segment 157847.
    Deleting corrupt attribute record (128, "")
    from file record segment 157850.
    Deleted corrupt attribute list entry
    with type code 128 in file 157855.
    Deleting corrupt attribute record (128, "")
    from file record segment 157857.
    Deleting corrupt attribute record (128, "")
    from file record segment 157858.
    Deleting corrupt attribute record (128, "")
    from file record segment 157859.
    Deleting corrupt attribute record (128, "")
    from file record segment 157862.
    Deleting corrupt attribute record (128, "")
    from file record segment 158147.
    Deleting corrupt attribute record (128, "")
    from file record segment 158151.
    Deleting corrupt attribute record (128, "")
    from file record segment 158154.
    Deleted corrupt attribute list entry
    with type code 128 in file 158159.
    Deleted corrupt attribute list entry
    with type code 128 in file 158159.
    Deleting corrupt attribute record (128, "")
    from file record segment 94241.
    Deleting corrupt attribute record (128, "")
    from file record segment 158160.
    Deleting corrupt attribute record (128, "")
    from file record segment 158161.
    Deleting corrupt attribute record (128, "")
    from file record segment 158162.
    Deleting corrupt attribute record (128, "")
    from file record segment 158167.
    Deleting corrupt attribute record (128, "")
    from file record segment 158176.
    Deleting corrupt attribute record (160, $I30)
    from file record segment 158506.
    Deleting corrupt attribute record (128, "")
    from file record segment 158514.
    Deleting corrupt attribute record (128, "")
    from file record segment 158518.
    Deleted corrupt attribute list entry
    with type code 128 in file 158519.
    Deleting corrupt attribute record (128, "")
    from file record segment 158520.
    Deleting corrupt attribute record (128, "")
    from file record segment 158521.
    Deleting corrupt attribute record (128, "")
    from file record segment 158522.
    Deleting corrupt attribute record (128, "")
    from file record segment 158527.
    Deleting corrupt attribute record (128, "")
    from file record segment 158529.
    from file record segment 160020.
    from file record segment 161475.
    Deleting corrupt attribute record (128, "")
    from file record segment 161788.
    Deleting orphan file record segment 12421.
    Deleting orphan file record segment 19971.
    Deleting orphan file record segment 22621.
    Deleting orphan file record segment 23159.
    Deleting orphan file record segment 40242.
    Deleting orphan file record segment 40243.
    Deleting orphan file record segment 40252.
    Deleting orphan file record segment 91050.
    Deleting orphan file record segment 92147.
    Deleting orphan file record segment 92169.
    Deleting orphan file record segment 93872.
    Deleting orphan file record segment 93874.
    Deleting orphan file record segment 93903.
    Deleting orphan file record segment 94241.
    Deleting orphan file record segment 94246.
    Deleting orphan file record segment 99234.
    Deleting orphan file record segment 108984.
    Deleting orphan file record segment 109346.
    Deleting orphan file record segment 112144.
    Deleting orphan file record segment 112145.
    Deleting orphan file record segment 112146.
    Deleting orphan file record segment 112151.
    Deleting orphan file record segment 112617.
    Deleting orphan file record segment 113748.
    Deleting orphan file record segment 114501.
    Deleting orphan file record segment 114502.
    Deleting orphan file record segment 114503.
    Deleting orphan file record segment 115599.
    Deleting orphan file record segment 115643.
    Deleting orphan file record segment 115913.
    Deleting orphan file record segment 117080.
    Deleting orphan file record segment 118115.
    Deleting orphan file record segment 118132.
    Deleting orphan file record segment 145586.
    Deleting orphan file record segment 145588.
    Deleting orphan file record segment 145590.
    Deleting orphan file record segment 145592.
    Deleting orphan file record segment 147075.
    Deleting orphan file record segment 156561.
    Deleting orphan file record segment 157857.
    Deleting orphan file record segment 157858.
    Deleting orphan file record segment 157859.
    Deleting orphan file record segment 158160.
    Deleting orphan file record segment 158161.
    Deleting orphan file record segment 158162.
    Deleting orphan file record segment 158520.
    Deleting orphan file record segment 158521.
    Deleting orphan file record segment 158522.

    Errors found. CHKDSK cannot continue in read-only mode.






    I ran the RSIT.exe. At the completion, when the log file came up, a message in the system tray also came up:"the file or directory C:|WINDOWS\msa.exe is corrupt and unreadable-please run the chkdsk utility".

    RSIT Log:
    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Jerry at 2009-08-13 08:55:15
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 119 GB (78%) free of 153 GB
    Total RAM: 2047 MB (61% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:55:21 AM, on 8/13/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    F:\ITunes\iTunesHelper.exe
    C:\Program Files\a la mode\Sched\eSched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Nero\Nero 9\InCD\InCD.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Secunia\PSI (RC4)\psi.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Virtual Weather Station Pro\vws.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Jerry\Desktop\RSIT.exe
    C:\Program Files\trend micro\Jerry.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedaily.com/bikini.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [iTunesHelper] "F:\ITunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 9\InCD\InCD.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
    O4 - Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
    O16 - DPF: {6DE617B8-49C0-40F8-8118-D2C3741F1C28} (SetTrustedSitesControl.clsReg) - http://locmedia.nwmls.com/tools/MlsT...tesControl.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171565853709
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDSrv) - Nero AG - C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 11432 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\Google Software Updater.job
    C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
    C:\WINDOWS\tasks\User_Feed_Synchronization-{0D9F3A8A-3216-4642-B983-9D22579AE7A0}.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
    C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2008-04-19 5722952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-04-01 668656]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2008-04-19 5722952]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2007-01-09 58984]
    "Norton Ghost 10.0"=C:\Program Files\Norton Ghost\Agent\GhostTray.exe [2005-09-09 1537648]
    "HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe [2002-12-09 188416]
    "CTHelper"=C:\WINDOWS\system32\CTHELPER.EXE [2003-02-20 28672]
    "CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2006-08-11 18944]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-01-15 13680640]
    "nwiz"=nwiz.exe /install []
    "CTSysVol"=C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe [2002-10-29 49152]
    "CTDVDDet"=C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE [2002-09-30 45056]
    "AsioReg"=REGSVR32.EXE /S CTASIO.DLL []
    "iTunesHelper"=F:\ITunes\iTunesHelper.exe [2007-12-11 267048]
    "The Assistant"=C:\Program Files\a la mode\Sched\eSched.exe [2007-04-16 99840]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-06-22 1948440]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-01-15 86016]
    "InCD"=C:\Program Files\Nero\Nero 9\InCD\InCD.exe [2008-09-19 1111064]
    "Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe [2009-08-03 419088]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SB Audigy 2 Startup Menu"=/L:ENG []
    "RoboForm"=C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2008-04-19 160592]

    C:\Documents and Settings\Jerry\Start Menu\Programs\Startup
    Secunia PSI (RC4).lnk - C:\Program Files\Secunia\PSI (RC4)\psi.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
    C:\WINDOWS\system32\avgrsstx.dll [2009-06-22 11952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=323
    "NoDriveAutoRun"=67108863
    "NoDrives"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=
    "NoDriveAutoRun"=
    "NoDriveTypeAutoRun"=
    "NoDrives"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
    "C:\Program Files\EA SPORTS\Madden NFL 2004\Updater.exe"="C:\Program Files\EA SPORTS\Madden NFL 2004\Updater.exe:*:Enabled:Updater"
    "C:\Program Files\Microsoft Games\Flight Simulator 9\fs9.exe"="C:\Program Files\Microsoft Games\Flight Simulator 9\fs9.exe:*:Enabled:Microsoft Flight Simulator"
    "C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
    "C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe"="C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe:*:Enabled:Aurora MSDE Database"
    "C:\Program Files\a la mode\Sched\eSched.exe"="C:\Program Files\a la mode\Sched\eSched.exe:*:Enabled:a la mode Assistant"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "F:\ITunes\iTunes.exe"="F:\ITunes\iTunes.exe:*:Enabled:iTunes"
    "C:\Program Files\Bradford\ClickForms\ClickForms.exe"="C:\Program Files\Bradford\ClickForms\ClickForms.exe:*:Enabled:ClickForms.exe"
    "C:\WINDOWS\system32\dxdiag.exe"="C:\WINDOWS\system32\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool"
    "C:\Program Files\Hewlett-Packard\hp deskjet assistant\bin\browser.exe"="C:\Program Files\Hewlett-Packard\hp deskjet assistant\bin\browser.exe:*:Enabled:Hewlett-Packard ® Printer Assistant Browser"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    ======List of files/folders created in the last 1 months======

    2009-08-13 06:50:25 ----A---- C:\ComboFix.txt
    2009-08-13 06:29:28 ----A---- C:\Boot.bak
    2009-08-13 06:29:24 ----RASHD---- C:\cmdcons
    2009-08-13 06:26:11 ----A---- C:\WINDOWS\zip.exe
    2009-08-13 06:26:11 ----A---- C:\WINDOWS\SWXCACLS.exe
    2009-08-13 06:26:11 ----A---- C:\WINDOWS\SWSC.exe
    2009-08-13 06:26:11 ----A---- C:\WINDOWS\SWREG.exe
    2009-08-13 06:26:11 ----A---- C:\WINDOWS\sed.exe
    2009-08-13 06:26:11 ----A---- C:\WINDOWS\PEV.exe
    2009-08-13 06:26:11 ----A---- C:\WINDOWS\NIRCMD.exe
    2009-08-13 06:26:11 ----A---- C:\WINDOWS\grep.exe
    2009-08-13 06:25:42 ----D---- C:\Qoobox
    2009-08-13 05:55:47 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
    2009-08-13 05:55:27 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
    2009-08-13 05:55:23 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
    2009-08-13 05:55:18 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
    2009-08-13 05:55:14 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
    2009-08-13 05:55:10 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
    2009-08-13 05:55:05 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
    2009-08-13 05:54:59 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
    2009-08-13 05:53:50 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
    2009-08-12 17:40:31 ----A---- C:\WINDOWS\alaredun.ini
    2009-08-12 14:08:26 ----D---- C:\rsit
    2009-08-12 14:08:26 ----D---- C:\Program Files\trend micro
    2009-08-12 14:06:28 ----D---- C:\Rooter$
    2009-08-11 09:52:03 ----D---- C:\WINDOWS\ERDNT
    2009-08-11 09:51:00 ----D---- C:\Program Files\ERUNT
    2009-08-10 10:49:45 ----D---- C:\Program Files\Hijackthis
    2009-08-10 07:36:37 ----D---- C:\Documents and Settings\Jerry\Application Data\Malwarebytes
    2009-08-10 07:36:32 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-08-10 07:33:53 ----D---- C:\Program Files\Malwarebytes
    2009-08-09 18:22:20 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2009-08-09 18:18:59 ----D---- C:\Program Files\Lavasoft
    2009-08-09 13:43:15 ----SHD---- C:\WINDOWS\msa.exe
    2009-07-15 05:47:27 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
    2009-07-15 05:47:22 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
    2009-07-15 05:45:36 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$

    ======List of files/folders modified in the last 1 months======

    2009-08-13 08:53:20 ----D---- C:\WINDOWS\Prefetch
    2009-08-13 08:39:55 ----D---- C:\WINDOWS\Temp
    2009-08-13 06:50:27 ----D---- C:\WINDOWS\system32\drivers
    2009-08-13 06:50:27 ----D---- C:\WINDOWS\system32
    2009-08-13 06:49:24 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2009-08-13 06:49:20 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-08-13 06:46:43 ----D---- C:\WINDOWS
    2009-08-13 06:46:43 ----A---- C:\WINDOWS\system.ini
    2009-08-13 06:46:13 ----SD---- C:\WINDOWS\Tasks
    2009-08-13 06:44:13 ----SHD---- C:\WINDOWS\Installer
    2009-08-13 06:44:13 ----RD---- C:\Program Files
    2009-08-13 06:43:01 ----D---- C:\WINDOWS\AppPatch
    2009-08-13 06:42:59 ----D---- C:\Program Files\Common Files
    2009-08-13 06:39:46 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-08-13 06:29:29 ----RASH---- C:\boot.ini
    2009-08-13 05:56:01 ----SHD---- C:\Config.Msi
    2009-08-13 05:55:49 ----HD---- C:\WINDOWS\inf
    2009-08-13 05:55:29 ----A---- C:\WINDOWS\imsins.BAK
    2009-08-13 05:55:18 ----HD---- C:\WINDOWS\$hf_mig$
    2009-08-13 05:55:07 ----D---- C:\Program Files\Outlook Express
    2009-08-13 05:45:55 ----D---- C:\Program Files\Java
    2009-08-13 05:45:01 ----DC---- C:\WINDOWS\system32\DRVSTORE
    2009-08-13 05:44:43 ----D---- C:\WINDOWS\WinSxS
    2009-08-13 05:44:12 ----D---- C:\Program Files\Adobe
    2009-08-13 05:44:11 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
    2009-08-13 01:05:14 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2009-08-12 17:40:31 ----A---- C:\WINDOWS\alamode.ini
    2009-08-10 14:36:50 ----A---- C:\WINDOWS\ntbtlog.txt
    2009-08-10 09:48:28 ----A---- C:\WINDOWS\wininit.ini
    2009-08-09 18:16:39 ----D---- C:\Documents and Settings\Jerry\Application Data\Lavasoft
    2009-08-09 18:16:38 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2009-08-09 16:29:33 ----D---- C:\Documents and Settings\All Users\Application Data\12100624
    2009-08-09 16:02:18 ----D---- C:\Program Files\Spybot - Search & Destroy
    2009-08-06 09:59:28 ----D---- C:\Program Files\AlaMode
    2009-08-05 13:32:33 ----D---- C:\Documents and Settings\All Users\Application Data\alamode
    2009-08-05 02:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll
    2009-07-29 17:49:14 ----A---- C:\WINDOWS\system32\MRT.exe
    2009-07-29 07:00:47 ----D---- C:\WINDOWS\system32\en-US
    2009-07-29 07:00:47 ----D---- C:\Program Files\Internet Explorer
    2009-07-19 06:33:02 ----A---- C:\WINDOWS\system32\mshtml.dll
    2009-07-19 06:32:59 ----A---- C:\WINDOWS\system32\ieframe.dll
    2009-07-18 13:11:49 ----D---- C:\WINDOWS\Help
    2009-07-17 12:01:06 ----A---- C:\WINDOWS\system32\atl.dll
    2009-07-14 23:05:08 ----HD---- C:\$AVG8.VAULT$

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-07-28 335752]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-06-22 27784]
    R1 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-11 108552]
    R1 GearAspiWDM;GearAspiWDM; C:\WINDOWS\system32\drivers\GearAspiWDM.sys [2008-01-29 16168]
    R1 InCDPass;Nero InCDPass Driver; C:\WINDOWS\system32\DRIVERS\InCDPass.sys [2008-09-19 40216]
    R1 InCDRm;Nero MRW Remapper Driver; C:\WINDOWS\system32\DRIVERS\InCDRm.sys [2008-09-19 41752]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
    R1 V2IMount;V2IMount; C:\WINDOWS\system32\drivers\V2IMount.sys [2005-09-09 56192]
    R2 cvintdrv;cvintdrv; C:\WINDOWS\system32\drivers\cvintdrv.sys [2001-08-01 7140]
    R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
    R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
    R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
    R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2003-02-20 135040]
    R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2003-03-26 498688]
    R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2003-02-20 6144]
    R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2003-02-20 135248]
    R3 E1000;Intel(R) PRO/1000 Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2005-06-29 163840]
    R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2003-02-20 116000]
    R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\System32\drivers\ha10kx2k.sys [2003-03-26 823616]
    R3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\System32\drivers\hap16v2k.sys [2003-03-26 141536]
    R3 HidBatt;HID UPS Battery Driver; C:\WINDOWS\system32\DRIVERS\HidBatt.sys [2008-04-13 20352]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 InCDFs;Nero UDF File System Driver; C:\WINDOWS\system32\DRIVERS\InCDFs.sys [2008-09-19 129560]
    R3 MBAMProtector;MBAMProtector; \??\C:\WINDOWS\system32\drivers\mbam.sys []
    R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-01-15 6301248]
    R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2003-03-26 189504]
    R3 PSI;PSI; C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-10-27 7808]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2005-04-12 10144]
    R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2005-04-12 45504]
    S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
    S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\System32\drivers\ctdvda2k.sys [2003-03-27 287920]
    S3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\system32\drivers\hap17v2k.sys [2006-08-11 180224]
    S3 sermouse;Serial Mouse Driver; C:\WINDOWS\system32\DRIVERS\sermouse.sys [2001-08-17 17664]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S3 WmFilter;Logitech Gaming HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2005-04-12 22240]
    S3 WmHidLo;Logitech Gaming USB Filter Driver; C:\WINDOWS\system32\drivers\WmHidLo.sys [2005-04-12 17632]
    S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2005-04-12 5600]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R01000000 papycpu2;papycpu2; C:\WINDOWS\System32\DRIVERS\papycpu2.sys [2003-01-17 1984]
    R01000000 papyjoy;papyjoy; C:\WINDOWS\System32\DRIVERS\papyjoy.sys [2003-01-17 1856]
    R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-06 110592]
    R2 avg8emc;AVG8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-07-28 907032]
    R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-06-22 298776]
    R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2007-01-09 198248]
    R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2007-01-09 181864]
    R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [1999-12-13 44032]
    R2 GEARSecurity;GEARSecurity; C:\WINDOWS\System32\GEARSec.exe [2005-09-09 53248]
    R2 InCDSrv;InCD Helper; C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe [2008-09-19 1483800]
    R2 MSSQL$ALAMODE;MSSQL$ALAMODE; C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe [2008-12-18 9158656]
    R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0; C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-19 935208]
    R2 NeroRegInCDSrv;Nero Registry InCD Service; C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe [2008-09-19 108568]
    R2 Norton Ghost;Norton Ghost; C:\Program Files\Norton Ghost\Agent\VProSvc.exe [2005-09-09 2066024]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-01-15 163908]
    R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-02-17 822424]
    R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [2001-05-01 53248]
    R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-12-11 504104]
    S1 InCDRec;Nero UDF File System Recognizer Driver; C:\WINDOWS\system32\DRIVERS\InCDRec.sys [2008-09-19 19352]
    S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
    S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-01 183280]
    S2 MBAMService;MBAMService; C:\Program Files\Malwarebytes\Malwarebytes' Anti-Malware\mbamservice.exe [2009-08-03 232720]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
    S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2007-01-09 79464]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
    S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
    S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2005-05-03 73728]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE; C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE [2005-05-03 323584]
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
    S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

    -----------------EOF-----------------

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •