a really bad one! boy do i need help!

R

rtv55

New member
somehow i picked up something nasty. it appears to have erased stuff,added stuff and generally screwed things up. it started off by putting up warning windows of an infection from a program i don't have (sounds like smitfraud)
then opening command windows quickly etc. I have tried the following scans and programs to weed it out:

Spybot
AVG
smitfraudfix
malwarebytes
vundofix
combofix

even though i've runspybot many times to the point where it says i'm clean
the stuff is still in there somewhere.

currently when i boot it will sometimes seem to boot normally with the exception of the blue windows screen comes up with a capital E with an accent above it 2 lines beneath the s in windows!!! very weird!
other times it will hang on a blank blue screen. also occasionally getting the smitfraud/virus warning before completing to boot normally.
i also am getting windows notices that it has to shut down programs to protect my computer- explorer(.which i don't use) and other things.
my publisher program no longer has any printers installed and i get a notice that the print spooler is not active or installed!

Here is a current Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:03, on 9/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\wlansta.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\F.tmp
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l0hnf070.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l0hnf070.slt\prefs.js)
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE"
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Ponheg] "C:\Documents and Settings\Administrator\My Documents\?icrosoft\w?crtupd.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WLAN network adaptor Wireless LAN Configuration.lnk = ?
O16 - DPF: {466FE5FE-9B04-4BD8-9993-C4FBDAEB7122} (JMWiseCam Control) - http://192.168.1.199/JMWiseCam.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cryptographic Services CryptSvcSwPrv (CryptSvcSwPrv) - Unknown owner - C:\WINDOWS\system32\3.tmp.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: MS Software Shadow Copy Provider SwPrvWebClient (SwPrvWebClient) - Unknown owner - C:\WINDOWS\system32\60ws.exe

Thanks to any expert who might want to tackle this one!!!

RTV
 
thanks Blade! no...like a idiot i did that stuff before i remembered
here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 13:56:42, on 9/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\lphc74sj0e34c.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wlansta.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\hij.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l0hnf070.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l0hnf070.slt\prefs.js)
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE"
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [lphc74sj0e34c] C:\WINDOWS\system32\lphc74sj0e34c.exe
O4 - HKCU\..\Run: [Ponheg] "C:\Documents and Settings\Administrator\My Documents\?icrosoft\w?crtupd.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WLAN network adaptor Wireless LAN Configuration.lnk = ?
O16 - DPF: {466FE5FE-9B04-4BD8-9993-C4FBDAEB7122} (JMWiseCam Control) - http://192.168.1.199/JMWiseCam.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cryptographic Services CryptSvcSwPrv (CryptSvcSwPrv) - Unknown owner - C:\WINDOWS\system32\3.tmp.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: MS Software Shadow Copy Provider SwPrvWebClient (SwPrvWebClient) - Unknown owner - C:\WINDOWS\system32\60ws.exe
 
Hi

I've got some bad news for you :sad:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
 
Blade...Thanks a million for the info!! i immediately shut down from the net.
and my router started not to work! so i have been delayed in answering.
its back now and i'm on another computer. i'd like to try and clean it if you wouldn't mind. but ...i'll be on the road for a bit. could we pick this up in a few days? one other question...is it likely to migrate through a wireless router
to other computers on the router?? or through email?

Thanks again!!!
RTV55
 
Hi

It's one of these Infostealer.Banker trojans. We can continue cleaning when you arrive. However, if it'll be more than five days let me know beforehand. We archive topics that have been inactive five days.
 
Of course I am :)

Could you post a fresh hjt log? It may be quite similar like the one you posted but since it's been a few days it's better to get the latest one to begin with.
 
Thanks blade!
let me bring you up to date...since i was out on the road for those days and needed my laptop (which was almost unuseable) i figured what have i got to loose? so i ran the malwarebytes a few times and read the problem files it couldn't remove. then booting in safe mode with the command console i deleted them as best i could. it seems they are rewritten after they are deleted! but the good news is that the computer is seemingly usuable as long as i don't go on line. i know that if i go online it will just download all the bad stuff and screw up the computer again. it seems that most of the stuff showed up on the 20th of last month. it wrote gobs of tmp files in the system32 folder and god knows where else! i'll post an HJT file after this but i have to get it to this computer to sent it!!

Thanks for sticking with me!!!

rtv
 
Logfile of HijackThis v1.99.1
Scan saved at 20:49:41, on 10/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wlansta.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\hij.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l0hnf070.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l0hnf070.slt\prefs.js)
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE"
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Ponheg] "C:\Documents and Settings\Administrator\My Documents\?icrosoft\w?crtupd.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WLAN network adaptor Wireless LAN Configuration.lnk = ?
O16 - DPF: {466FE5FE-9B04-4BD8-9993-C4FBDAEB7122} (JMWiseCam Control) - http://192.168.1.199/JMWiseCam.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cryptographic Services CryptSvcSwPrv (CryptSvcSwPrv) - Unknown owner - C:\WINDOWS\system32\3.tmp.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: MS Software Shadow Copy Provider SwPrvWebClient (SwPrvWebClient) - Unknown owner - C:\WINDOWS\system32\60ws.exe
 
Hi

Disable Spybot's TeaTimer
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu
    select
    Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck
    Resident TeaTimer
     and OK any prompts.
  • Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
ComboFix 08-09-20.05 - Administrator 2008-10-04 21:24:10.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.940 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ssembl~1
C:\WINDOWS\ssembl~1\?ssembly\
C:\WINDOWS\system32\k86.bin
C:\WINDOWS\system32\netprp.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-05 to 2008-10-05 )))))))))))))))))))))))))))))))
.

2008-10-01 17:52 . 2008-09-26 08:43 8,512 --a------ C:\WINDOWS\system32\drivers\ati1ttxxx.sys
2008-09-29 10:46 . 2008-09-29 10:46 18 --a------ C:\WINDOWS\system32\6A.tmp
2008-09-28 16:05 . 2008-09-28 16:05 18 --a------ C:\WINDOWS\system32\69.tmp
2008-09-28 16:04 . 2008-09-28 16:05 185,856 --a------ C:\WINDOWS\system32\68.tmp
2008-09-28 16:04 . 2008-09-28 16:04 48 --a------ C:\WINDOWS\system32\67.tmp
2008-09-28 09:03 . 2008-09-28 09:03 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-09-28 08:53 . 2008-09-28 08:53 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-09-26 21:30 . 2008-09-26 21:30 18 --a------ C:\WINDOWS\system32\66.tmp
2008-09-26 21:08 . 2008-09-26 21:08 186,368 --a------ C:\WINDOWS\system32\52.tmp
2008-09-26 21:08 . 2008-09-26 21:08 78,848 --a------ C:\WINDOWS\system32\51.tmp
2008-09-26 21:08 . 2008-09-26 21:08 41,984 --a------ C:\WINDOWS\system32\4F.tmp
2008-09-26 21:08 . 2008-09-26 21:08 37,032 --a------ C:\WINDOWS\system32\50.tmp
2008-09-26 21:08 . 2008-09-26 21:08 176 --a------ C:\WINDOWS\system32\4E.tmp
2008-09-26 21:08 . 2008-09-26 21:08 0 --a------ C:\WINDOWS\system32\53.tmp
2008-09-26 20:02 . 2008-09-26 20:02 186,368 --a------ C:\WINDOWS\system32\4C.tmp
2008-09-26 20:02 . 2008-09-26 20:02 78,848 --a------ C:\WINDOWS\system32\4B.tmp
2008-09-26 20:02 . 2008-09-26 20:02 41,984 --a------ C:\WINDOWS\system32\47.tmp
2008-09-26 20:02 . 2008-09-26 20:02 37,032 --a------ C:\WINDOWS\system32\4A.tmp
2008-09-26 20:02 . 2008-09-26 20:02 176 --a------ C:\WINDOWS\system32\36.tmp
2008-09-26 20:02 . 2008-09-26 20:02 18 --a------ C:\WINDOWS\system32\4D.tmp
2008-09-26 18:09 . 2008-09-26 18:09 186,368 --a------ C:\WINDOWS\system32\44.tmp
2008-09-26 18:09 . 2008-09-26 18:09 78,848 --a------ C:\WINDOWS\system32\43.tmp
2008-09-26 18:09 . 2008-09-26 18:09 41,984 --a------ C:\WINDOWS\system32\41.tmp
2008-09-26 18:09 . 2008-09-26 18:09 37,032 --a------ C:\WINDOWS\system32\42.tmp
2008-09-26 18:09 . 2008-09-26 18:09 18 --a------ C:\WINDOWS\system32\45.tmp
2008-09-26 18:08 . 2008-09-26 18:08 186,368 --a------ C:\WINDOWS\system32\34.tmp
2008-09-26 18:08 . 2008-09-26 18:08 78,848 --a------ C:\WINDOWS\system32\33.tmp
2008-09-26 18:08 . 2008-09-26 18:08 41,984 --a------ C:\WINDOWS\system32\31.tmp
2008-09-26 18:08 . 2008-09-26 18:08 37,032 --a------ C:\WINDOWS\system32\32.tmp
2008-09-26 18:08 . 2008-09-26 18:09 176 --a------ C:\WINDOWS\system32\37.tmp
2008-09-26 18:08 . 2008-09-26 18:08 176 --a------ C:\WINDOWS\system32\30.tmp
2008-09-26 18:08 . 2008-09-26 18:08 18 --a------ C:\WINDOWS\system32\35.tmp
2008-09-26 17:06 . 2008-09-26 17:06 186,368 --a------ C:\WINDOWS\system32\3F.tmp
2008-09-26 17:06 . 2008-09-26 17:06 78,848 --a------ C:\WINDOWS\system32\3E.tmp
2008-09-26 17:06 . 2008-09-26 17:06 41,984 --a------ C:\WINDOWS\system32\3C.tmp
2008-09-26 17:06 . 2008-09-26 17:06 37,032 --a------ C:\WINDOWS\system32\3D.tmp
2008-09-26 17:06 . 2008-09-26 17:06 176 --a------ C:\WINDOWS\system32\3B.tmp
2008-09-26 17:06 . 2008-09-26 17:06 18 --a------ C:\WINDOWS\system32\40.tmp
2008-09-26 15:54 . 2008-09-26 15:54 186,368 --a------ C:\WINDOWS\system32\2B.tmp
2008-09-26 15:54 . 2008-09-26 15:54 78,848 --a------ C:\WINDOWS\system32\2A.tmp
2008-09-26 15:54 . 2008-09-26 15:54 41,984 --a------ C:\WINDOWS\system32\28.tmp
2008-09-26 15:54 . 2008-09-26 15:54 37,032 --a------ C:\WINDOWS\system32\29.tmp
2008-09-26 15:54 . 2008-09-26 15:54 176 --a------ C:\WINDOWS\system32\27.tmp
2008-09-26 15:54 . 2008-09-26 15:54 18 --a------ C:\WINDOWS\system32\2F.tmp
2008-09-26 15:46 . 2008-09-26 15:46 186,368 --a------ C:\WINDOWS\system32\25.tmp
2008-09-26 15:46 . 2008-09-26 15:46 78,848 --a------ C:\WINDOWS\system32\21.tmp
2008-09-26 15:46 . 2008-09-26 15:46 41,984 --a------ C:\WINDOWS\system32\1F.tmp
2008-09-26 15:46 . 2008-09-26 15:46 37,032 --a------ C:\WINDOWS\system32\20.tmp
2008-09-26 15:46 . 2008-09-26 15:46 176 --a------ C:\WINDOWS\system32\1A.tmp
2008-09-26 15:46 . 2008-09-26 15:46 18 --a------ C:\WINDOWS\system32\26.tmp
2008-09-26 15:28 . 2008-09-26 15:28 29 --a------ C:\WINDOWS\system32\dswiuwsf.tmp
2008-09-26 15:27 . 2008-09-26 15:27 18 --a------ C:\WINDOWS\system32\24.tmp
2008-09-26 15:27 . 2008-09-26 15:27 18 --a------ C:\WINDOWS\system32\23.tmp
2008-09-26 15:26 . 2008-09-26 15:27 163,840 --a------ C:\WINDOWS\system32\22.tmp
2008-09-26 15:14 . 2008-09-26 15:26 52 --a------ C:\WINDOWS\system32\1B.tmp
2008-09-26 15:08 . 2008-09-26 15:26 52 --a------ C:\WINDOWS\system32\19.tmp
2008-09-26 15:04 . 2008-09-26 15:04 186,368 --a------ C:\WINDOWS\system32\17.tmp
2008-09-26 15:04 . 2008-09-26 15:04 78,848 --a------ C:\WINDOWS\system32\14.tmp
2008-09-26 15:04 . 2008-09-26 15:04 41,984 --a------ C:\WINDOWS\system32\15.tmp
2008-09-26 15:04 . 2008-09-26 15:04 37,032 --a------ C:\WINDOWS\system32\16.tmp
2008-09-26 15:04 . 2008-09-26 15:04 176 --a------ C:\WINDOWS\system32\13.tmp
2008-09-26 15:04 . 2008-09-26 15:04 18 --a------ C:\WINDOWS\system32\18.tmp
2008-09-26 13:19 . 2008-09-26 13:19 186,368 --a------ C:\WINDOWS\system32\C7.tmp
2008-09-26 13:19 . 2008-09-26 13:19 78,848 --a------ C:\WINDOWS\system32\C4.tmp
2008-09-26 13:19 . 2008-09-26 13:19 41,984 --a------ C:\WINDOWS\system32\C5.tmp
2008-09-26 13:19 . 2008-09-26 13:19 37,032 --a------ C:\WINDOWS\system32\C6.tmp
2008-09-26 13:19 . 2008-09-26 13:19 176 --a------ C:\WINDOWS\system32\C3.tmp
2008-09-26 13:19 . 2008-09-26 13:19 18 --a------ C:\WINDOWS\system32\C8.tmp
2008-09-26 12:13 . 2008-09-26 12:13 186,368 --a------ C:\WINDOWS\system32\B2.tmp
2008-09-26 12:13 . 2008-09-26 12:13 41,984 --a------ C:\WINDOWS\system32\B0.tmp
2008-09-26 12:13 . 2008-09-26 12:13 37,032 --a------ C:\WINDOWS\system32\B1.tmp
2008-09-26 12:13 . 2008-09-26 12:13 18 --a------ C:\WINDOWS\system32\B3.tmp
2008-09-26 12:12 . 2008-09-26 12:13 136 --a------ C:\WINDOWS\system32\AF.tmp
2008-09-26 11:15 . 2008-09-26 11:15 186,368 --a------ C:\WINDOWS\system32\7E.tmp
2008-09-26 11:15 . 2008-09-26 11:15 41,984 --a------ C:\WINDOWS\system32\7C.tmp
2008-09-26 11:15 . 2008-09-26 11:15 37,032 --a------ C:\WINDOWS\system32\7D.tmp
2008-09-26 11:15 . 2008-09-26 11:15 136 --a------ C:\WINDOWS\system32\7B.tmp
2008-09-26 11:15 . 2008-09-26 11:15 0 --a------ C:\WINDOWS\system32\7F.tmp
2008-09-26 10:38 . 2008-09-26 10:38 <DIR> d-------- C:\WINDOWS\Sun
2008-09-26 10:33 . 2008-09-26 10:33 41,984 --a------ C:\WINDOWS\system32\A.tmp
2008-09-26 10:33 . 2008-09-26 10:33 37,032 --a------ C:\WINDOWS\system32\B.tmp
2008-09-26 10:33 . 2008-09-26 10:33 0 --a------ C:\WINDOWS\system32\12.tmp
2008-09-26 10:32 . 2008-09-26 10:33 136 --a------ C:\WINDOWS\system32\3.tmp
2008-09-26 10:28 . 2008-09-26 10:28 <DIR> d-------- C:\Program Files\Sun
2008-09-26 10:28 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-26 10:27 . 2008-09-26 10:27 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-26 08:57 . 2008-09-26 08:57 20,480 --ahs---- C:\WINDOWS\system32\1Dr.dll
2008-09-26 08:56 . 2008-09-26 08:55 49,664 -r-hs---- C:\WINDOWS\system32\60ws.exe
2008-09-26 08:43 . 2008-09-26 08:43 186,368 --a------ C:\WINDOWS\system32\F.tmp
2008-09-26 08:43 . 2008-09-26 08:43 41,984 --a------ C:\WINDOWS\system32\C.tmp
2008-09-26 08:43 . 2008-09-26 08:43 8,512 --a------ C:\WINDOWS\system32\netrp.sys
2008-09-26 08:43 . 2008-09-26 08:43 0 --a------ C:\WINDOWS\system32\11.tmp
2008-09-26 08:42 . 2008-09-26 08:43 136 --a------ C:\WINDOWS\system32\9.tmp
2008-09-25 22:08 . 2008-09-25 22:08 16,384 --ahs---- C:\WINDOWS\system32\58c.dll
2008-09-25 21:55 . 2008-09-25 21:55 186,368 --a------ C:\WINDOWS\system32\7.tmp
2008-09-25 21:55 . 2008-09-25 21:55 37,888 --a------ C:\WINDOWS\system32\6.tmp
2008-09-25 21:55 . 2008-09-25 21:55 92 --a------ C:\WINDOWS\system32\4.tmp
2008-09-25 21:55 . 2008-09-25 21:55 18 --a------ C:\WINDOWS\system32\8.tmp
2008-09-25 18:41 . 2008-09-25 18:41 92 --a------ C:\WINDOWS\system32\2.tmp
2008-09-25 18:41 . 2008-09-26 08:57 82 --a-s---- C:\WINDOWS\system32\598619786.dat
2008-09-25 18:41 . 2008-09-25 18:41 18 --a------ C:\WINDOWS\system32\5.tmp
2008-09-21 21:05 . 2008-09-30 18:24 2,296 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-21 17:50 . 2008-09-21 17:50 <DIR> d-------- C:\VundoFix Backups
2008-09-20 17:04 . 2008-09-20 17:04 199,168 --a------ C:\WINDOWS\system32\60.tmp
2008-09-20 17:04 . 2008-09-20 17:04 48 --a------ C:\WINDOWS\system32\5F.tmp
2008-09-20 17:04 . 2008-09-20 17:04 18 --a------ C:\WINDOWS\system32\61.tmp
2008-09-20 16:47 . 2008-09-20 16:47 199,168 --a------ C:\WINDOWS\system32\57.tmp
2008-09-20 16:47 . 2008-09-20 16:47 48 --a------ C:\WINDOWS\system32\55.tmp
2008-09-20 16:47 . 2008-09-20 16:47 18 --a------ C:\WINDOWS\system32\58.tmp
2008-09-20 15:00 . 2008-09-20 15:00 199,168 --a------ C:\WINDOWS\system32\48.tmp
2008-09-20 15:00 . 2008-09-20 15:00 48 --a------ C:\WINDOWS\system32\46.tmp
2008-09-20 15:00 . 2008-09-20 15:00 18 --a------ C:\WINDOWS\system32\49.tmp
2008-09-20 14:17 . 2008-09-20 14:17 199,168 --a------ C:\WINDOWS\system32\39.tmp
2008-09-20 14:17 . 2008-09-20 14:17 18 --a------ C:\WINDOWS\system32\3A.tmp
2008-09-20 14:16 . 2008-09-20 14:17 48 --a------ C:\WINDOWS\system32\38.tmp
2008-09-20 14:02 . 2008-09-20 14:02 199,168 --a------ C:\WINDOWS\system32\2D.tmp
2008-09-20 14:02 . 2008-09-20 14:02 48 --a------ C:\WINDOWS\system32\2C.tmp
2008-09-20 14:02 . 2008-09-20 14:02 18 --a------ C:\WINDOWS\system32\2E.tmp
2008-09-20 13:39 . 2008-09-20 13:39 199,168 --a------ C:\WINDOWS\system32\1D.tmp
2008-09-20 13:39 . 2008-09-20 13:39 48 --a------ C:\WINDOWS\system32\1C.tmp
2008-09-20 13:39 . 2008-09-20 13:39 18 --a------ C:\WINDOWS\system32\1E.tmp
2008-09-20 13:35 . 2008-09-20 13:35 48 --a------ C:\WINDOWS\system32\D.tmp
2008-09-20 13:35 . 2008-09-20 13:35 18 --a------ C:\WINDOWS\system32\10.tmp
2008-09-20 03:40 . 2008-09-20 03:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-20 03:40 . 2008-09-20 03:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 01:28 90,112 ----a-w C:\WINDOWS\DUMP9078.tmp
2008-09-26 19:53 90,112 ----a-w C:\WINDOWS\DUMP9c6e.tmp
2008-09-26 19:03 90,112 ----a-w C:\WINDOWS\DUMP82eb.tmp
2008-09-26 14:28 --------- d-----w C:\Program Files\Java
2008-09-25 22:09 --------- d-----w C:\Program Files\TalkPCR
2008-09-20 07:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-29 12:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 23:33 --------- d-----w C:\Program Files\LandAirSea Systems
2008-07-06 15:10 348,160 ----a-w C:\WINDOWS\MSVCR71.DLL
2008-07-06 15:10 1,060,864 ----a-w C:\WINDOWS\MFC71.DLL
2008-07-06 15:09 40,960 ----a-w C:\WINDOWS\SimTestDll.dll
.

------- Sigcheck -------

2005-03-13 21:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 06:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 17:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-03-13 20:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 15:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9425b72f40257b45d45d24773273dad0 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9425b72f40257b45d45d24773273dad0 C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-13 20:12 1041408 b0d52f609df94a72b4af3edf477c7c2e C:\WINDOWS\explorer.exe
2007-06-13 07:26 1040896 4580e16e92bb88da525a51e1b03b42e2 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 06:23 1040896 3225f4663de4cb04858403af116aef98 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 17:00 1039872 8fe830fbff9363952ed533a4022f5291 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12 1041408 c074c20ff2cd9560706244ff3aad5724 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2004-08-04 17:00 23040 8cbacd9f0d3d6942fe10d134ed7ed764 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 20:12 23040 1f00a2901ffc1ba48321c06b5f2195f9 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2008-04-13 20:12 23040 d6cdc4fa4980a746a548be5d456ae7e4 C:\WINDOWS\system32\ctfmon.exe

2005-06-10 20:17 65536 ce3605a5b02be13080ad6fc62b00327a C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 19:53 65536 292419cc59317cc6ced2666a9ffcdde3 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 17:00 65536 53832404a4ae49aea8ad515644b979bc C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 20:12 65536 30721bc166cf511848d7340e167170f3 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2008-04-13 20:12 65536 c09cccb28b2a6307ef7e76e9c97b0e78 C:\WINDOWS\system32\spoolsv.exe

2004-08-04 17:00 32256 37bcdc79f48a0c7a83b48f31d6423247 C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2008-04-13 20:12 33792 cdb8fe37d770759da584fa4a3c585666 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2008-04-13 20:12 33792 0d931ad3b3aa2bae592d3ed2d6392aea C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ponheg"="C:\Documents and Settings\Administrator\My Documents\?icrosoft\w?crtupd.exe" [?]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRunOnce"="C:\util\prunonce\PRunOnce.exe" [2004-08-06 118784]
"Panasonic HotKey Manager"="C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE" [2005-06-13 983040]
"PCinfo"="C:\Program Files\Panasonic\PCINFO\SetDiag.exe" [2005-06-14 53248]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 393216]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 163840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-20 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WLAN network adaptor Wireless LAN Configuration.lnk - C:\WINDOWS\system32\wlansta.exe [2006-05-10 155719]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 14:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= nuvision.ax

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1ttxxx.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Panasonic Hand Writing.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Panasonic Hand Writing.lnk
backup=C:\WINDOWS\pss\Panasonic Hand Writing.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1702912 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2006-05-20 11:49 290816 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2007-06-13 09:16 536576 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--------- 2002-04-26 13:53 19968 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\scroller]
--a------ 2005-04-18 15:18 90112 C:\WINDOWS\system32\FPapli.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\FreeFTP\\FreeFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 GPSFilter;Panasonic GPS Filter Service;C:\WINDOWS\system32\DRIVERS\gpsfilter.sys [2005-09-26 10112]
R1 ati1ttxxx;ati1ttxxx;C:\WINDOWS\system32\drivers\ati1ttxxx.sys [2008-09-26 8512]
R2 brecal;Panasonic Battery Recalibration Driver;C:\Program Files\Panasonic\BRECAL\Brecal.sys [2004-11-15 7168]
R2 pcinfo;Panasonic PC Info. Viewer Driver;C:\Program Files\Panasonic\PCINFO\pcinfo.sys [2004-11-04 7168]
R2 SDKEY;Panasonic SD Misc. Function Driver;C:\Program Files\Panasonic\SDKEY\SDKEY.SYS [2005-04-21 8192]
R3 FIDMOU;Fujitsu touchpad;C:\WINDOWS\system32\DRIVERS\Fidmou.sys [2005-04-18 23463]
R3 HOTKEY;Panasonic Hotkey Driver;C:\WINDOWS\system32\DRIVERS\HOTKEY.SYS [2003-03-17 9216]
R3 vidcap;vidcap;C:\WINDOWS\system32\DRIVERS\vidcap.sys [2006-12-27 9006]
S0 fvac;fvac;C:\WINDOWS\system32\drivers\xlrp.sys [ ]
S0 hwqud;hwqud;C:\WINDOWS\system32\drivers\cjvwgp.sys [ ]
S0 xeljap;xeljap;C:\WINDOWS\system32\drivers\uhktyh.sys [ ]
S2 CryptSvcSwPrv;Cryptographic Services CryptSvcSwPrv;C:\WINDOWS\system32\3.tmp [2008-09-26 136]
S2 NUWNNTWO;NUWNNTWO;C:\WINDOWS\system32\drivers\NUWNNTWO.sys [ ]
S2 SwPrvWebClient;MS Software Shadow Copy Provider SwPrvWebClient;C:\WINDOWS\system32\60ws.exe [2008-09-26 49664]
S2 USBHSB;GeneLink File Transfer Driver;C:\WINDOWS\system32\Drivers\usbhsb.sys [2001-12-17 18690]
S2 VRDVC20;Sony VRD-VC20 [Video Capture];C:\WINDOWS\system32\Drivers\VRDVC20X.SYS [2004-11-09 04:02 31104]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 17280]
S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2005-07-08 260144]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 WLAN;IEEE 802.11b WLAN network adaptor Driver;C:\WINDOWS\system32\DRIVERS\WLANNDS.sys [2003-10-17 651776]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-SfKg6wIP - C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\qiwxws.exe
HKU-Default-Run-GetPack21 - C:\Program Files\GetPack\GetPack21.exe
Notify-Identified as: - (no file)
Notify-netprp - netprp.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\264zyfxi.default\
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 21:26:06
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\CryptSvcSwPrv]
"ImagePath"="C:\WINDOWS\system32\3.tmp srv"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-04 21:31:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-05 01:31:09
ComboFix2.txt 2008-09-22 00:53:25
ComboFix3.txt 2008-02-03 17:59:13

Pre-Run: 30,844,716,032 bytes free
Post-Run: 30,761,984,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

317 --- E O F --- 2008-09-11 03:34:02
 
Logfile of HijackThis v1.99.1
Scan saved at 21:34:49, on 10/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\wlansta.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\hij.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l0hnf070.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l0hnf070.slt\prefs.js)
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE"
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Ponheg] "C:\Documents and Settings\Administrator\My Documents\?icrosoft\w?crtupd.exe"
O4 - Global Startup: WLAN network adaptor Wireless LAN Configuration.lnk = ?
O16 - DPF: {466FE5FE-9B04-4BD8-9993-C4FBDAEB7122} (JMWiseCam Control) - http://192.168.1.199/JMWiseCam.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cryptographic Services CryptSvcSwPrv (CryptSvcSwPrv) - Unknown owner - C:\WINDOWS\system32\3.tmp.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: MS Software Shadow Copy Provider SwPrvWebClient (SwPrvWebClient) - Unknown owner - C:\WINDOWS\system32\60ws.exe
 
blade.
you will notice the combo fix said it ran in reduced functionality mode because it said it (the program) had an expired date but it installed the recovery consolen is this an issue?

rtv
 
Hi

Better get a fresh copy and run it. Recovery console got installed ok so you don't have to install it again.

Delete old ComboFix.exe and download a fresh copy from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

Run it and post back its log & a fresh hjt log.
 
ComboFix 08-10-04.07 - Administrator 2008-10-05 11:04:15.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.914 [GMT -4:00]
Running from: E:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Administrator\My Documents\SMBOLS~1
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\6.tmp
C:\WINDOWS\system32\60ws.exe
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\F.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CRYPTSVCSWPRV
-------\Legacy_MCHINJDRV
-------\Legacy_SWPRVWEBCLIENT
-------\Service_CryptSvcSwPrv
-------\Service_SwPrvWebClient


((((((((((((((((((((((((( Files Created from 2008-09-05 to 2008-10-05 )))))))))))))))))))))))))))))))
.

2008-10-01 17:52 . 2008-09-26 08:43 8,512 --a------ C:\WINDOWS\system32\drivers\ati1ttxxx.sys
2008-09-29 10:46 . 2008-09-29 10:46 18 --a------ C:\WINDOWS\system32\6A.tmp
2008-09-28 16:05 . 2008-09-28 16:05 18 --a------ C:\WINDOWS\system32\69.tmp
2008-09-28 16:04 . 2008-09-28 16:05 185,856 --a------ C:\WINDOWS\system32\68.tmp
2008-09-28 16:04 . 2008-09-28 16:04 48 --a------ C:\WINDOWS\system32\67.tmp
2008-09-28 09:03 . 2008-09-28 09:03 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-09-28 08:53 . 2008-09-28 08:53 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-09-26 21:30 . 2008-09-26 21:30 18 --a------ C:\WINDOWS\system32\66.tmp
2008-09-26 21:08 . 2008-09-26 21:08 186,368 --a------ C:\WINDOWS\system32\52.tmp
2008-09-26 21:08 . 2008-09-26 21:08 78,848 --a------ C:\WINDOWS\system32\51.tmp
2008-09-26 21:08 . 2008-09-26 21:08 41,984 --a------ C:\WINDOWS\system32\4F.tmp
2008-09-26 21:08 . 2008-09-26 21:08 37,032 --a------ C:\WINDOWS\system32\50.tmp
2008-09-26 21:08 . 2008-09-26 21:08 176 --a------ C:\WINDOWS\system32\4E.tmp
2008-09-26 21:08 . 2008-09-26 21:08 0 --a------ C:\WINDOWS\system32\53.tmp
2008-09-26 20:02 . 2008-09-26 20:02 186,368 --a------ C:\WINDOWS\system32\4C.tmp
2008-09-26 20:02 . 2008-09-26 20:02 78,848 --a------ C:\WINDOWS\system32\4B.tmp
2008-09-26 20:02 . 2008-09-26 20:02 41,984 --a------ C:\WINDOWS\system32\47.tmp
2008-09-26 20:02 . 2008-09-26 20:02 37,032 --a------ C:\WINDOWS\system32\4A.tmp
2008-09-26 20:02 . 2008-09-26 20:02 176 --a------ C:\WINDOWS\system32\36.tmp
2008-09-26 20:02 . 2008-09-26 20:02 18 --a------ C:\WINDOWS\system32\4D.tmp
2008-09-26 18:09 . 2008-09-26 18:09 186,368 --a------ C:\WINDOWS\system32\44.tmp
2008-09-26 18:09 . 2008-09-26 18:09 78,848 --a------ C:\WINDOWS\system32\43.tmp
2008-09-26 18:09 . 2008-09-26 18:09 41,984 --a------ C:\WINDOWS\system32\41.tmp
2008-09-26 18:09 . 2008-09-26 18:09 37,032 --a------ C:\WINDOWS\system32\42.tmp
2008-09-26 18:09 . 2008-09-26 18:09 18 --a------ C:\WINDOWS\system32\45.tmp
2008-09-26 18:08 . 2008-09-26 18:08 186,368 --a------ C:\WINDOWS\system32\34.tmp
2008-09-26 18:08 . 2008-09-26 18:08 78,848 --a------ C:\WINDOWS\system32\33.tmp
2008-09-26 18:08 . 2008-09-26 18:08 41,984 --a------ C:\WINDOWS\system32\31.tmp
2008-09-26 18:08 . 2008-09-26 18:08 37,032 --a------ C:\WINDOWS\system32\32.tmp
2008-09-26 18:08 . 2008-09-26 18:09 176 --a------ C:\WINDOWS\system32\37.tmp
2008-09-26 18:08 . 2008-09-26 18:08 176 --a------ C:\WINDOWS\system32\30.tmp
2008-09-26 18:08 . 2008-09-26 18:08 18 --a------ C:\WINDOWS\system32\35.tmp
2008-09-26 17:06 . 2008-09-26 17:06 186,368 --a------ C:\WINDOWS\system32\3F.tmp
2008-09-26 17:06 . 2008-09-26 17:06 78,848 --a------ C:\WINDOWS\system32\3E.tmp
2008-09-26 17:06 . 2008-09-26 17:06 41,984 --a------ C:\WINDOWS\system32\3C.tmp
2008-09-26 17:06 . 2008-09-26 17:06 37,032 --a------ C:\WINDOWS\system32\3D.tmp
2008-09-26 17:06 . 2008-09-26 17:06 176 --a------ C:\WINDOWS\system32\3B.tmp
2008-09-26 17:06 . 2008-09-26 17:06 18 --a------ C:\WINDOWS\system32\40.tmp
2008-09-26 15:54 . 2008-09-26 15:54 186,368 --a------ C:\WINDOWS\system32\2B.tmp
2008-09-26 15:54 . 2008-09-26 15:54 78,848 --a------ C:\WINDOWS\system32\2A.tmp
2008-09-26 15:54 . 2008-09-26 15:54 41,984 --a------ C:\WINDOWS\system32\28.tmp
2008-09-26 15:54 . 2008-09-26 15:54 37,032 --a------ C:\WINDOWS\system32\29.tmp
2008-09-26 15:54 . 2008-09-26 15:54 176 --a------ C:\WINDOWS\system32\27.tmp
2008-09-26 15:54 . 2008-09-26 15:54 18 --a------ C:\WINDOWS\system32\2F.tmp
2008-09-26 15:46 . 2008-09-26 15:46 186,368 --a------ C:\WINDOWS\system32\25.tmp
2008-09-26 15:46 . 2008-09-26 15:46 78,848 --a------ C:\WINDOWS\system32\21.tmp
2008-09-26 15:46 . 2008-09-26 15:46 41,984 --a------ C:\WINDOWS\system32\1F.tmp
2008-09-26 15:46 . 2008-09-26 15:46 37,032 --a------ C:\WINDOWS\system32\20.tmp
2008-09-26 15:46 . 2008-09-26 15:46 176 --a------ C:\WINDOWS\system32\1A.tmp
2008-09-26 15:46 . 2008-09-26 15:46 18 --a------ C:\WINDOWS\system32\26.tmp
2008-09-26 15:28 . 2008-09-26 15:28 29 --a------ C:\WINDOWS\system32\dswiuwsf.tmp
2008-09-26 15:27 . 2008-09-26 15:27 18 --a------ C:\WINDOWS\system32\24.tmp
2008-09-26 15:27 . 2008-09-26 15:27 18 --a------ C:\WINDOWS\system32\23.tmp
2008-09-26 15:26 . 2008-09-26 15:27 163,840 --a------ C:\WINDOWS\system32\22.tmp
2008-09-26 15:14 . 2008-09-26 15:26 52 --a------ C:\WINDOWS\system32\1B.tmp
2008-09-26 15:08 . 2008-09-26 15:26 52 --a------ C:\WINDOWS\system32\19.tmp
2008-09-26 15:04 . 2008-09-26 15:04 186,368 --a------ C:\WINDOWS\system32\17.tmp
2008-09-26 15:04 . 2008-09-26 15:04 78,848 --a------ C:\WINDOWS\system32\14.tmp
2008-09-26 15:04 . 2008-09-26 15:04 41,984 --a------ C:\WINDOWS\system32\15.tmp
2008-09-26 15:04 . 2008-09-26 15:04 37,032 --a------ C:\WINDOWS\system32\16.tmp
2008-09-26 15:04 . 2008-09-26 15:04 176 --a------ C:\WINDOWS\system32\13.tmp
2008-09-26 15:04 . 2008-09-26 15:04 18 --a------ C:\WINDOWS\system32\18.tmp
2008-09-26 13:19 . 2008-09-26 13:19 186,368 --a------ C:\WINDOWS\system32\C7.tmp
2008-09-26 13:19 . 2008-09-26 13:19 78,848 --a------ C:\WINDOWS\system32\C4.tmp
2008-09-26 13:19 . 2008-09-26 13:19 41,984 --a------ C:\WINDOWS\system32\C5.tmp
2008-09-26 13:19 . 2008-09-26 13:19 37,032 --a------ C:\WINDOWS\system32\C6.tmp
2008-09-26 13:19 . 2008-09-26 13:19 176 --a------ C:\WINDOWS\system32\C3.tmp
2008-09-26 13:19 . 2008-09-26 13:19 18 --a------ C:\WINDOWS\system32\C8.tmp
2008-09-26 12:13 . 2008-09-26 12:13 186,368 --a------ C:\WINDOWS\system32\B2.tmp
2008-09-26 12:13 . 2008-09-26 12:13 41,984 --a------ C:\WINDOWS\system32\B0.tmp
2008-09-26 12:13 . 2008-09-26 12:13 37,032 --a------ C:\WINDOWS\system32\B1.tmp
2008-09-26 12:13 . 2008-09-26 12:13 18 --a------ C:\WINDOWS\system32\B3.tmp
2008-09-26 12:12 . 2008-09-26 12:13 136 --a------ C:\WINDOWS\system32\AF.tmp
2008-09-26 11:15 . 2008-09-26 11:15 186,368 --a------ C:\WINDOWS\system32\7E.tmp
2008-09-26 11:15 . 2008-09-26 11:15 41,984 --a------ C:\WINDOWS\system32\7C.tmp
2008-09-26 11:15 . 2008-09-26 11:15 37,032 --a------ C:\WINDOWS\system32\7D.tmp
2008-09-26 11:15 . 2008-09-26 11:15 136 --a------ C:\WINDOWS\system32\7B.tmp
2008-09-26 11:15 . 2008-09-26 11:15 0 --a------ C:\WINDOWS\system32\7F.tmp
2008-09-26 10:38 . 2008-09-26 10:38 <DIR> d-------- C:\WINDOWS\Sun
2008-09-26 10:33 . 2008-09-26 10:33 37,032 --a------ C:\WINDOWS\system32\B.tmp
2008-09-26 10:33 . 2008-09-26 10:33 0 --a------ C:\WINDOWS\system32\12.tmp
2008-09-26 10:28 . 2008-09-26 10:28 <DIR> d-------- C:\Program Files\Sun
2008-09-26 10:28 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-26 10:27 . 2008-09-26 10:27 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-26 08:57 . 2008-09-26 08:57 20,480 --ahs---- C:\WINDOWS\system32\1Dr.dll
2008-09-26 08:43 . 2008-09-26 08:43 8,512 --a------ C:\WINDOWS\system32\netrp.sys
2008-09-26 08:43 . 2008-09-26 08:43 0 --a------ C:\WINDOWS\system32\11.tmp
2008-09-26 08:42 . 2008-09-26 08:43 136 --a------ C:\WINDOWS\system32\9.tmp
2008-09-25 22:08 . 2008-09-25 22:08 16,384 --ahs---- C:\WINDOWS\system32\58c.dll
2008-09-25 21:55 . 2008-09-25 21:55 92 --a------ C:\WINDOWS\system32\4.tmp
2008-09-25 21:55 . 2008-09-25 21:55 18 --a------ C:\WINDOWS\system32\8.tmp
2008-09-25 18:41 . 2008-09-25 18:41 92 --a------ C:\WINDOWS\system32\2.tmp
2008-09-25 18:41 . 2008-09-26 08:57 82 --a-s---- C:\WINDOWS\system32\598619786.dat
2008-09-25 18:41 . 2008-09-25 18:41 18 --a------ C:\WINDOWS\system32\5.tmp
2008-09-21 21:05 . 2008-09-30 18:24 2,296 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-21 17:50 . 2008-09-21 17:50 <DIR> d-------- C:\VundoFix Backups
2008-09-20 17:04 . 2008-09-20 17:04 199,168 --a------ C:\WINDOWS\system32\60.tmp
2008-09-20 17:04 . 2008-09-20 17:04 48 --a------ C:\WINDOWS\system32\5F.tmp
2008-09-20 17:04 . 2008-09-20 17:04 18 --a------ C:\WINDOWS\system32\61.tmp
2008-09-20 16:47 . 2008-09-20 16:47 199,168 --a------ C:\WINDOWS\system32\57.tmp
2008-09-20 16:47 . 2008-09-20 16:47 48 --a------ C:\WINDOWS\system32\55.tmp
2008-09-20 16:47 . 2008-09-20 16:47 18 --a------ C:\WINDOWS\system32\58.tmp
2008-09-20 15:00 . 2008-09-20 15:00 199,168 --a------ C:\WINDOWS\system32\48.tmp
2008-09-20 15:00 . 2008-09-20 15:00 48 --a------ C:\WINDOWS\system32\46.tmp
2008-09-20 15:00 . 2008-09-20 15:00 18 --a------ C:\WINDOWS\system32\49.tmp
2008-09-20 14:17 . 2008-09-20 14:17 199,168 --a------ C:\WINDOWS\system32\39.tmp
2008-09-20 14:17 . 2008-09-20 14:17 18 --a------ C:\WINDOWS\system32\3A.tmp
2008-09-20 14:16 . 2008-09-20 14:17 48 --a------ C:\WINDOWS\system32\38.tmp
2008-09-20 14:02 . 2008-09-20 14:02 199,168 --a------ C:\WINDOWS\system32\2D.tmp
2008-09-20 14:02 . 2008-09-20 14:02 48 --a------ C:\WINDOWS\system32\2C.tmp
2008-09-20 14:02 . 2008-09-20 14:02 18 --a------ C:\WINDOWS\system32\2E.tmp
2008-09-20 13:39 . 2008-09-20 13:39 199,168 --a------ C:\WINDOWS\system32\1D.tmp
2008-09-20 13:39 . 2008-09-20 13:39 48 --a------ C:\WINDOWS\system32\1C.tmp
2008-09-20 13:39 . 2008-09-20 13:39 18 --a------ C:\WINDOWS\system32\1E.tmp
2008-09-20 13:35 . 2008-09-20 13:35 48 --a------ C:\WINDOWS\system32\D.tmp
2008-09-20 13:35 . 2008-09-20 13:35 18 --a------ C:\WINDOWS\system32\10.tmp
2008-09-20 03:40 . 2008-09-20 03:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-20 03:40 . 2008-09-20 03:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-20 03:40 . 2008-09-20 03:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-20 03:40 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-20 03:40 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-19 21:46 . 2008-09-19 21:46 <DIR> d-------- C:\Program Files\uTorrent
2008-09-19 21:45 . 2008-09-19 21:45 <DIR> d-------- C:\WINDOWS\system32\p
2008-09-19 21:45 . 2008-09-19 21:45 <DIR> d-------- C:\WINDOWS\system32\np5
2008-09-19 21:45 . 2008-09-21 20:49 <DIR> d-------- C:\WINDOWS\system32\inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 01:28 90,112 ----a-w C:\WINDOWS\DUMP9078.tmp
2008-09-26 19:53 90,112 ----a-w C:\WINDOWS\DUMP9c6e.tmp
2008-09-26 19:03 90,112 ----a-w C:\WINDOWS\DUMP82eb.tmp
2008-09-26 14:28 --------- d-----w C:\Program Files\Java
2008-09-25 22:09 --------- d-----w C:\Program Files\TalkPCR
2008-09-20 07:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-29 12:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 23:33 --------- d-----w C:\Program Files\LandAirSea Systems
2008-07-06 15:10 348,160 ----a-w C:\WINDOWS\MSVCR71.DLL
2008-07-06 15:10 1,060,864 ----a-w C:\WINDOWS\MFC71.DLL
2008-07-06 15:09 40,960 ----a-w C:\WINDOWS\SimTestDll.dll
.

------- Sigcheck -------

2005-03-13 21:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 06:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 17:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-03-13 20:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 15:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9425b72f40257b45d45d24773273dad0 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9425b72f40257b45d45d24773273dad0 C:\WINDOWS\system32\drivers\tcpip.sys

2008-04-13 20:12 1041408 b0d52f609df94a72b4af3edf477c7c2e C:\WINDOWS\explorer.exe
2007-06-13 07:26 1040896 4580e16e92bb88da525a51e1b03b42e2 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 06:23 1040896 3225f4663de4cb04858403af116aef98 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 17:00 1039872 8fe830fbff9363952ed533a4022f5291 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12 1041408 c074c20ff2cd9560706244ff3aad5724 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2004-08-04 17:00 23040 8cbacd9f0d3d6942fe10d134ed7ed764 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 20:12 23040 1f00a2901ffc1ba48321c06b5f2195f9 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2008-04-13 20:12 23040 d6cdc4fa4980a746a548be5d456ae7e4 C:\WINDOWS\system32\ctfmon.exe

2005-06-10 20:17 65536 ce3605a5b02be13080ad6fc62b00327a C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 19:53 65536 292419cc59317cc6ced2666a9ffcdde3 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 17:00 65536 53832404a4ae49aea8ad515644b979bc C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 20:12 65536 30721bc166cf511848d7340e167170f3 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2008-04-13 20:12 65536 c09cccb28b2a6307ef7e76e9c97b0e78 C:\WINDOWS\system32\spoolsv.exe

2004-08-04 17:00 32256 37bcdc79f48a0c7a83b48f31d6423247 C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2008-04-13 20:12 33792 cdb8fe37d770759da584fa4a3c585666 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2008-04-13 20:12 33792 0d931ad3b3aa2bae592d3ed2d6392aea C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ponheg"="C:\Documents and Settings\Administrator\My Documents\?icrosoft\w?crtupd.exe" [?]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRunOnce"="C:\util\prunonce\PRunOnce.exe" [2004-08-06 118784]
"Panasonic HotKey Manager"="C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE" [2005-06-13 983040]
"PCinfo"="C:\Program Files\Panasonic\PCINFO\SetDiag.exe" [2005-06-14 53248]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 393216]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 163840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-20 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WLAN network adaptor Wireless LAN Configuration.lnk - C:\WINDOWS\system32\wlansta.exe [2006-05-10 155719]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 14:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= nuvision.ax

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1ttxxx.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Panasonic Hand Writing.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Panasonic Hand Writing.lnk
backup=C:\WINDOWS\pss\Panasonic Hand Writing.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1702912 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2006-05-20 11:49 290816 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2007-06-13 09:16 536576 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--------- 2002-04-26 13:53 19968 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\scroller]
--a------ 2005-04-18 15:18 90112 C:\WINDOWS\system32\FPapli.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\FreeFTP\\FreeFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 GPSFilter;Panasonic GPS Filter Service;C:\WINDOWS\system32\DRIVERS\gpsfilter.sys [2005-09-26 10112]
R1 ati1ttxxx;ati1ttxxx;C:\WINDOWS\system32\drivers\ati1ttxxx.sys [2008-09-26 8512]
R2 brecal;Panasonic Battery Recalibration Driver;C:\Program Files\Panasonic\BRECAL\Brecal.sys [2004-11-15 7168]
R2 pcinfo;Panasonic PC Info. Viewer Driver;C:\Program Files\Panasonic\PCINFO\pcinfo.sys [2004-11-04 7168]
R2 SDKEY;Panasonic SD Misc. Function Driver;C:\Program Files\Panasonic\SDKEY\SDKEY.SYS [2005-04-21 8192]
R3 FIDMOU;Fujitsu touchpad;C:\WINDOWS\system32\DRIVERS\Fidmou.sys [2005-04-18 23463]
R3 HOTKEY;Panasonic Hotkey Driver;C:\WINDOWS\system32\DRIVERS\HOTKEY.SYS [2003-03-17 9216]
R3 vidcap;vidcap;C:\WINDOWS\system32\DRIVERS\vidcap.sys [2006-12-27 9006]
S0 fvac;fvac;C:\WINDOWS\system32\drivers\xlrp.sys [ ]
S0 hwqud;hwqud;C:\WINDOWS\system32\drivers\cjvwgp.sys [ ]
S0 xeljap;xeljap;C:\WINDOWS\system32\drivers\uhktyh.sys [ ]
S2 NUWNNTWO;NUWNNTWO;C:\WINDOWS\system32\drivers\NUWNNTWO.sys [ ]
S2 USBHSB;GeneLink File Transfer Driver;C:\WINDOWS\system32\Drivers\usbhsb.sys [2001-12-17 18690]
S2 VRDVC20;Sony VRD-VC20 [Video Capture];C:\WINDOWS\system32\Drivers\VRDVC20X.SYS [2004-11-09 04:02 31104]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 17280]
S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2005-07-08 260144]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 WLAN;IEEE 802.11b WLAN network adaptor Driver;C:\WINDOWS\system32\DRIVERS\WLANNDS.sys [2003-10-17 651776]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\264zyfxi.default\
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 11:08:38
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-05 11:13:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-05 15:13:12
ComboFix2.txt 2008-10-05 01:31:15
ComboFix3.txt 2008-09-22 00:53:25
ComboFix4.txt 2008-02-03 17:59:13

Pre-Run: 30,612,865,536 bytes free
Post-Run: 30,583,459,328 bytes free

312 --- E O F --- 2008-09-11 03:34:02
 
Logfile of HijackThis v1.99.1
Scan saved at 11:16:29, on 10/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\wlansta.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\hij.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l0hnf070.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l0hnf070.slt\prefs.js)
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE"
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Ponheg] "C:\Documents and Settings\Administrator\My Documents\?icrosoft\w?crtupd.exe"
O4 - Global Startup: WLAN network adaptor Wireless LAN Configuration.lnk = ?
O16 - DPF: {466FE5FE-9B04-4BD8-9993-C4FBDAEB7122} (JMWiseCam Control) - http://192.168.1.199/JMWiseCam.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
 
Hi

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent
BitTorrent


I'd like you to read the this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Program Files\uTorrent
C:\Program Files\BitTorrent

Empty Recycle Bin.

After that:


Start hjt, do a system scan, check (if found):
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:

Code: 
Driver::
ati1ttxxx
fvac
hwqud
xeljap
NUWNNTWO

File::
C:\WINDOWS\system32\drivers\ati1ttxxx.sys
C:\WINDOWS\system32\6A.tmp
C:\WINDOWS\system32\69.tmp
C:\WINDOWS\system32\68.tmp
C:\WINDOWS\system32\67.tmp
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\66.tmp
C:\WINDOWS\system32\52.tmp
C:\WINDOWS\system32\51.tmp
C:\WINDOWS\system32\4F.tmp
C:\WINDOWS\system32\50.tmp
C:\WINDOWS\system32\4E.tmp
C:\WINDOWS\system32\53.tmp
C:\WINDOWS\system32\4C.tmp
C:\WINDOWS\system32\4B.tmp
C:\WINDOWS\system32\47.tmp
C:\WINDOWS\system32\4A.tmp
C:\WINDOWS\system32\36.tmp
C:\WINDOWS\system32\4D.tmp
C:\WINDOWS\system32\44.tmp
C:\WINDOWS\system32\43.tmp
C:\WINDOWS\system32\41.tmp
C:\WINDOWS\system32\42.tmp
C:\WINDOWS\system32\45.tmp
C:\WINDOWS\system32\34.tmp
C:\WINDOWS\system32\33.tmp
C:\WINDOWS\system32\31.tmp
C:\WINDOWS\system32\32.tmp
C:\WINDOWS\system32\37.tmp
C:\WINDOWS\system32\30.tmp
C:\WINDOWS\system32\35.tmp
C:\WINDOWS\system32\3F.tmp
C:\WINDOWS\system32\3E.tmp
C:\WINDOWS\system32\3C.tmp
C:\WINDOWS\system32\3D.tmp
C:\WINDOWS\system32\3B.tmp
C:\WINDOWS\system32\40.tmp
C:\WINDOWS\system32\2B.tmp
C:\WINDOWS\system32\2A.tmp
C:\WINDOWS\system32\28.tmp
C:\WINDOWS\system32\29.tmp
C:\WINDOWS\system32\27.tmp
C:\WINDOWS\system32\2F.tmp
C:\WINDOWS\system32\25.tmp
C:\WINDOWS\system32\21.tmp
C:\WINDOWS\system32\1F.tmp
C:\WINDOWS\system32\20.tmp
C:\WINDOWS\system32\1A.tmp
C:\WINDOWS\system32\26.tmp
C:\WINDOWS\system32\dswiuwsf.tmp
C:\WINDOWS\system32\24.tmp
C:\WINDOWS\system32\23.tmp
C:\WINDOWS\system32\22.tmp
C:\WINDOWS\system32\1B.tmp
C:\WINDOWS\system32\19.tmp
C:\WINDOWS\system32\17.tmp
C:\WINDOWS\system32\14.tmp
C:\WINDOWS\system32\15.tmp
C:\WINDOWS\system32\16.tmp
C:\WINDOWS\system32\13.tmp
C:\WINDOWS\system32\18.tmp
C:\WINDOWS\system32\C7.tmp
C:\WINDOWS\system32\C4.tmp
C:\WINDOWS\system32\C5.tmp
C:\WINDOWS\system32\C6.tmp
C:\WINDOWS\system32\C3.tmp
C:\WINDOWS\system32\C8.tmp
C:\WINDOWS\system32\B2.tmp
C:\WINDOWS\system32\B0.tmp
C:\WINDOWS\system32\B1.tmp
C:\WINDOWS\system32\B3.tmp
C:\WINDOWS\system32\AF.tmp
C:\WINDOWS\system32\7E.tmp
C:\WINDOWS\system32\7C.tmp
C:\WINDOWS\system32\7D.tmp
C:\WINDOWS\system32\7B.tmp
C:\WINDOWS\system32\7F.tmp
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\1Dr.dll
C:\WINDOWS\system32\netrp.sys
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\9.tmp
C:\WINDOWS\system32\58c.dll
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\8.tmp
C:\WINDOWS\system32\2.tmp
C:\WINDOWS\system32\598619786.dat
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\60.tmp
C:\WINDOWS\system32\5F.tmp
C:\WINDOWS\system32\61.tmp
C:\WINDOWS\system32\57.tmp
C:\WINDOWS\system32\55.tmp
C:\WINDOWS\system32\58.tmp
C:\WINDOWS\system32\48.tmp
C:\WINDOWS\system32\46.tmp
C:\WINDOWS\system32\49.tmp
C:\WINDOWS\system32\39.tmp
C:\WINDOWS\system32\3A.tmp
C:\WINDOWS\system32\38.tmp
C:\WINDOWS\system32\2D.tmp
C:\WINDOWS\system32\2C.tmp
C:\WINDOWS\system32\2E.tmp
C:\WINDOWS\system32\1D.tmp
C:\WINDOWS\system32\1C.tmp
C:\WINDOWS\system32\1E.tmp
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\DUMP9078.tmp
C:\WINDOWS\DUMP9c6e.tmp
C:\WINDOWS\DUMP82eb.tmp
C:\WINDOWS\system32\FPapli.exe
C:\WINDOWS\system32\drivers\xlrp.sys
C:\WINDOWS\system32\drivers\cjvwgp.sys
C:\WINDOWS\system32\drivers\uhktyh.sys
C:\WINDOWS\system32\drivers\NUWNNTWO.sys

Folder::
C:\VundoFix Backups
C:\Program Files\uTorrent
C:\WINDOWS\system32\p
C:\WINDOWS\system32\np5
C:\WINDOWS\system32\inf

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ponheg"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1ttxxx.sys]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\scroller]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=-


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Uninstall all old Java versions (below Java Runtime Environment (JRE) 6 Update 7)

Uninstall old Adobe Reader and get the latest one here or get Foxit Reader here.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh hjt log and above meantioned ComboFix resultant log.
 
do you think it safe for me to put this computer online now? i have been doing everything on a different computer and transferring w an sd card
to avoid it going out and getting/sending bad stuff.
the kasperski i think i would have to connect!
 
You must log in or register to reply here.
Back
Top