Google redirected, Spybot and HJT corrupted

Status
Not open for further replies.
P

pbaker

New member
I'm running XP Pro, service pack 3.

My symptoms are that google search results are often (~50%) redirected to some other site. When I try to run Spybot or HJT after a normal boot, they will crash while scanning, and afterwards the executable is corrupted.

I used msconfig to do a diagnostic startup and ran both Spybot and HJT this way. Spybot found and removed "Fraudload.edt", but this didn't fix the problem. The HJT log, if it's helpful is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:58 PM, on 10/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Avanquest\PowerDesk\PDExplo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215360418046
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

--
End of file - 4174 bytes


Any help will be greatly appreciated.

-Phil
 
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.
Click to expand...
Hi pbaker and welcome to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Next:

Your log shows that MSConfig is running at startup. This indicates that you may be using "diagnostic startup" rather than "normal startup" to stop something from running. While this is normally OK, it is possible that you have disabled something that will affect how we clean your machine. Please don't change anything in MSConfig yet, these instructions will produce a report of what programs are currently disabled so I can see the entries without requiring any changes:

Go to Start > Run and type Notepad
Copy/paste the following code box into a new notepad (not wordpad) document. Make sure that wordwrap is unchecked.
Code: 
regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt
Go to the menu at the top of the Notepad File and Save as
Save it to your Desktop as "mslook.bat" (you MUST include the quotes)
Locate mslook.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the text file will be deleted.
 
Thanks Dakeyras.

FYI, The reason I use msconfig is that HJT crashes if I try to run a scan with a normal boot. So a diagnostic startup is the only way to get any HJT log at all.

Here is the regkey.txt file:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"xmlprov"=dword:00000003
"WZCSVC"=dword:00000002
"WudfSvc"=dword:00000003
"wuauserv"=dword:00000002
"wscsvc"=dword:00000002
"WMPNetworkSvc"=dword:00000003
"WmiApSrv"=dword:00000003
"Wmi"=dword:00000003
"WmdmPmSN"=dword:00000003
"winmgmt"=dword:00000002
"WebClient"=dword:00000002
"W3SVC"=dword:00000002
"W32Time"=dword:00000002
"VSS"=dword:00000003
"UPS"=dword:00000003
"upnphost"=dword:00000003
"TrkWks"=dword:00000002
"Themes"=dword:00000002
"TermService"=dword:00000003
"TapiSrv"=dword:00000003
"SysmonLog"=dword:00000003
"SwPrv"=dword:00000003
"stisvc"=dword:00000002
"SSDPSRV"=dword:00000003
"srservice"=dword:00000002
"SQLSERVERAGENT"=dword:00000003
"Spooler"=dword:00000002
"SMTPSVC"=dword:00000002
"ShellHWDetection"=dword:00000002
"SharedAccess"=dword:00000002
"SENS"=dword:00000002
"seclogon"=dword:00000002
"Schedule"=dword:00000002
"SCardSvr"=dword:00000003
"SamSs"=dword:00000002
"RSVP"=dword:00000003
"RichVideo"=dword:00000002
"RemoteRegistry"=dword:00000002
"RDSessMgr"=dword:00000003
"RasAuto"=dword:00000003
"ProtectedStorage"=dword:00000002
"PolicyAgent"=dword:00000002
"PlugPlay"=dword:00000002
"ose"=dword:00000003
"NVSvc"=dword:00000002
"NtmsSvc"=dword:00000003
"NtLmSsp"=dword:00000003
"NMIndexingService"=dword:00000003
"Nla"=dword:00000003
"Netman"=dword:00000003
"Netlogon"=dword:00000003
"napagent"=dword:00000003
"MSSQLSERVER"=dword:00000003
"MSIServer"=dword:00000003
"MSDTC"=dword:00000003
"mnmsrvc"=dword:00000003
"MDM"=dword:00000002
"LmHosts"=dword:00000002
"lanmanworkstation"=dword:00000002
"lanmanserver"=dword:00000002
"JavaQuickStarterService"=dword:00000002
"ImapiService"=dword:00000003
"IISADMIN"=dword:00000002
"idsvc"=dword:00000003
"HTTPFilter"=dword:00000003
"hkmsvc"=dword:00000003
"helpsvc"=dword:00000002
"FontCache3.0.0.0"=dword:00000003
"FLEXnet Licensing Service"=dword:00000003
"FastUserSwitchingCompatibility"=dword:00000003
"EventSystem"=dword:00000003
"Eventlog"=dword:00000002
"ERSvc"=dword:00000002
"EapHost"=dword:00000003
"Dot3svc"=dword:00000003
"Dnscache"=dword:00000002
"dmserver"=dword:00000002
"dmadmin"=dword:00000003
"Dhcp"=dword:00000002
"CryptSvc"=dword:00000003
"COMSysApp"=dword:00000003
"clr_optimization_v2.0.50727_32"=dword:00000003
"CiSvc"=dword:00000003
"CCALib8"=dword:00000003
"Browser"=dword:00000002
"BITS"=dword:00000003
"avg8wd"=dword:00000002
"AudioSrv"=dword:00000002
"aspnet_state"=dword:00000002
"AppMgmt"=dword:00000003
"ALG"=dword:00000003
"Adobe LM Service"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Service Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\Service Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MI6841~1\\80\\Tools\\Binn\\sqlmangr.exe /n"
"item"="Service Manager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Philip^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\Philip\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Philip^Start Menu^Programs^Startup^Dialog Helper.lnk]
"path"="C:\\Documents and Settings\\Philip\\Start Menu\\Programs\\Startup\\Dialog Helper.lnk"
"backup"="C:\\WINDOWS\\pss\\Dialog Helper.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\AVANQU~1\\POWERD~1\\pddlghlp.exe /s"
"item"="Dialog Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Philip^Start Menu^Programs^Startup^MagicDisc.lnk]
"path"="C:\\Documents and Settings\\Philip\\Start Menu\\Programs\\Startup\\MagicDisc.lnk"
"backup"="C:\\WINDOWS\\pss\\MagicDisc.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MAGICD~1\\MAGICD~1.EXE "
"item"="MagicDisc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe ARM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeARM"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Reader Speed Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reader_sl"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG8_TRAY]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgtray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTxfiHlp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTXFIHLP"
"hkey"="HKLM"
"command"="CTXFIHLP.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LanguageShortcut]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Language"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Nero\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000001
"win.ini"=dword:00000001
"bootini"=dword:00000000
"services"=dword:00000001
"startup"=dword:00000001


-Phil
 
Hi. :)

Thanks Dakeyras.

FYI, The reason I use msconfig is that HJT crashes if I try to run a scan with a normal boot. So a diagnostic startup is the only way to get any HJT log at all.
Click to expand...
You're welcome!

Aye I do realise as to why but I did needed to ask/see for a specific reason. Please follow the below exactly, thank you.

Next:

Please download exeHelper to your desktop.

Do not use this yet!

Enable disabled items with MSConfig:
  • Go to Start> Run type msconfig and click OK.
  • Under the Services tab click Enable All
  • Under the Startup tab click Enable All> Apply> OK> Reboot now.
Next:
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Disable Spybot S&D TeaTimer's Registry Guard:

This is so it does not interfere with the malware removal process, you may re-enable this when I give the all clear.
  • If you have version 1.5 or 1.6, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  • Click on Mode > Advanced Mode. When it prompts you, click Yes.
  • On the left hand side, click on Tools.
  • Check this box if it is not yet ticked: Resident.
  • You will notice that Resident is now added under Tools. Click on Resident.
  • Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  • Exit Spybot Search & Destroy.
  • Restart your computer for the changes to take effect.
Note: The above must be completed before proceeding any further!

Scan with RSIT:
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
Make sure that RSIT.exe is on the your Desktop before running the application!
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
Note: Both logs can also be located within this folder rsit at the root of your installed Hard-Drive. EG: C:\rsit

When completed the above, please post back the following in the order asked for:
  • How is you computer performing now, any further symptoms and or problems encountered?
  • exehelperlog.txt.
  • Both RSIT logs. <-- Post them individually please, IE: one Log per post/reply.
 
Here is the exehelperlog.txt. I'm proceeding with the remaining steps now and will post the logs soon. Hopefully msa.exe was the problem!

exeHelper by Raktor
Build 20091021
Run at 20:07:00 on 10/23/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\msa.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


-Phil
 
How the computer is behaving:

It appears that google results are no longer being redirected, At least they weren't in the 10 or so trials that I made.

But RSIT crashes when I run it under a normal boot, and the executable is corrupted, the same as spybot and HJT.

In addition, two of the 4 times I have done a normal boot since running exeHelper I immediately got a message that Windows was shutting down because c:\windows\system32\services.exe terminated unexpectedly. When the countdown completes, Windows hangs and I have to power the machine down to restart.

I have run RSIT under a diagnostic start up, and will post the logs below.

(I guess this post was supposed to be before the exehelperlog. Sorry.)

-Phil
 
log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Philip at 2009-10-23 20:24:09
WIN_XP Service Pack 3
System drive C: has 834 GB (87%) free of 954 GB
Total RAM: 3582 MB (88% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:14 PM, on 10/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Avanquest\PowerDesk\PDExplo.exe
C:\Documents and Settings\Philip\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Philip.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215360418046
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

--
End of file - 4221 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-02-27 349576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
SmartSelect Class - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2009-02-27 349576]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2008-04-14 169984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-10-17 2025752]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
C:\WINDOWS\system32\CTHELPER.EXE [2007-04-09 19456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
C:\WINDOWS\system32\CTXFIHLP.EXE [2007-04-09 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2008-06-19 570664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2008-05-02 13529088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2008-05-02 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
C:\PROGRA~1\MI6841~1\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Philip^Start Menu^Programs^Startup^Adobe Gamma.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [1999-11-04 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Philip^Start Menu^Programs^Startup^Dialog Helper.lnk]
C:\PROGRA~1\AVANQU~1\POWERD~1\pddlghlp.exe [2008-04-22 46336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Philip^Start Menu^Programs^Startup^MagicDisc.lnk]
C:\PROGRA~1\MAGICD~1\MAGICD~1.EXE [2009-02-23 576000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3
"WZCSVC"=2
"WudfSvc"=3
"wuauserv"=2
"wscsvc"=2
"WMPNetworkSvc"=3
"WmiApSrv"=3
"Wmi"=3
"WmdmPmSN"=3
"winmgmt"=2
"WebClient"=2
"W3SVC"=2
"W32Time"=2
"VSS"=3
"UPS"=3
"upnphost"=3
"TrkWks"=2
"Themes"=2
"TermService"=3
"TapiSrv"=3
"SysmonLog"=3
"SwPrv"=3
"stisvc"=2
"SSDPSRV"=3
"srservice"=2
"SQLSERVERAGENT"=3
"Spooler"=2
"SMTPSVC"=2
"ShellHWDetection"=2
"SharedAccess"=2
"SENS"=2
"seclogon"=2
"Schedule"=2
"SCardSvr"=3
"SamSs"=2
"RSVP"=3
"RichVideo"=2
"RemoteRegistry"=2
"RDSessMgr"=3
"RasAuto"=3
"ProtectedStorage"=2
"PolicyAgent"=2
"PlugPlay"=2
"ose"=3
"NVSvc"=2
"NtmsSvc"=3
"NtLmSsp"=3
"NMIndexingService"=3
"Nla"=3
"Netman"=3
"Netlogon"=3
"napagent"=3
"MSSQLSERVER"=3
"MSIServer"=3
"MSDTC"=3
"mnmsrvc"=3
"MDM"=2
"LmHosts"=2
"lanmanworkstation"=2
"lanmanserver"=2
"JavaQuickStarterService"=2
"ImapiService"=3
"IISADMIN"=2
"idsvc"=3
"HTTPFilter"=3
"hkmsvc"=3
"helpsvc"=2
"FontCache3.0.0.0"=3
"FLEXnet Licensing Service"=3
"FastUserSwitchingCompatibility"=3
"EventSystem"=3
"Eventlog"=2
"ERSvc"=2
"EapHost"=3
"Dot3svc"=3
"Dnscache"=2
"dmserver"=2
"dmadmin"=3
"Dhcp"=2
"CryptSvc"=3
"COMSysApp"=3
"clr_optimization_v2.0.50727_32"=3
"CiSvc"=3
"CCALib8"=3
"Browser"=2
"BITS"=3
"avg8wd"=2
"AudioSrv"=2
"aspnet_state"=2
"AppMgmt"=3
"ALG"=3
"Adobe LM Service"=3

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="acaptuser32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-28 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0
"DisableCMD"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSetActiveDesktop"=0
"NoActiveDesktopChanges"=0
"NoFolderOptions"=0
"NoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=
"NoFolderOptions"=
"NoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
"D:\CDS\Nero\Installation\SetupX.exe"="D:\CDS\Nero\Installation\SetupX.exe:*:Enabled:Nero ProductSetup"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"\\Hipserv\FamilyLibrary\FamilyDocuments\D&D\4e\700_DDI_CB-Beta.exe"="\\Hipserv\FamilyLibrary\FamilyDocuments\D&D\4e\700_DDI_CB-Beta.exe:*:Enabled:DD Insider"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.vbs - open - %WINDIR%\System32\CScript.exe //nologo "%1" %*

======List of files/folders created in the last 1 months======

2009-10-23 20:11:10 ----D---- C:\rsit
2009-10-23 16:35:40 ----A---- C:\regkey.txt
2009-10-22 09:59:16 ----SHD---- C:\Config.Msi
2009-10-21 16:52:51 ----D---- C:\Program Files\Trend Micro
2009-10-21 16:50:49 ----D---- C:\Program Files\ERUNT
2009-10-21 11:19:59 ----A---- C:\WINDOWS\entpack.ini
2009-10-20 13:28:26 ----D---- C:\WINDOWS\CSC
2009-10-20 13:28:19 ----A---- C:\WINDOWS\ntbtlog.txt
2009-10-20 12:55:35 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-10-20 12:31:29 ----D---- C:\WINDOWS\pss
2009-10-20 12:24:15 ----D---- C:\Program Files\Windows Live Safety Center
2009-10-20 11:01:20 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-10-20 02:27:51 ----D---- C:\Program Files\Spybot - Search & Destroy.bar
2009-10-20 02:03:08 ----HD---- C:\WINDOWS\PIF
2009-10-20 01:47:03 ----A---- C:\WINDOWS\comp.INI
2009-10-20 01:44:37 ----D---- C:\Program Files\Port80
2009-10-17 16:09:07 ----D---- C:\Documents and Settings\Philip\Application Data\com.fox.dollhouse.VirtualEcho.8DB2FB41E3AF9617470F9C3E78FDAAA51EF66383.1
2009-10-17 16:09:03 ----D---- C:\Program Files\VirtualEcho
2009-10-17 16:09:01 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-10-17 02:00:56 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-10-17 02:00:53 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-10-17 02:00:51 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-10-17 02:00:28 ----D---- C:\WINDOWS\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-10-17 02:00:06 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-10-17 02:00:02 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-10-17 01:59:56 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-10-17 01:59:16 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-10-17 01:58:10 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-10-17 01:58:03 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2009-10-17 01:57:23 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2009-10-17 01:57:15 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-10-15 12:25:40 ----D---- C:\bwinPoker
2009-10-14 18:21:55 ----A---- C:\WINDOWS\system32\dbmsqlgc.dll
2009-10-14 18:21:55 ----A---- C:\WINDOWS\system32\dbmsgnet.dll
2009-10-13 23:55:33 ----A---- C:\WINDOWS\system32\insrepim.exe
2009-10-13 23:55:25 ----A---- C:\WINDOWS\system32\mdt2fw95.dll
2009-10-13 23:55:15 ----A---- C:\WINDOWS\system32\dbmslpcn.dll
2009-10-13 23:44:32 ----D---- C:\WINDOWS\Install
2009-10-13 23:41:36 ----D---- C:\WINDOWS\Cluster
2009-10-13 23:21:03 ----A---- C:\WINDOWS\system32\msrpjt40.dll
2009-10-13 23:20:49 ----A---- C:\WINDOWS\system32\ntwdblib.dll
2009-10-13 23:20:47 ----A---- C:\WINDOWS\system32\dbmsshrn.dll
2009-10-13 18:08:12 ----A---- C:\WINDOWS\system32\athprxy.dll
2009-10-13 13:17:38 ----D---- C:\Program Files\Common Files\Merge Modules
2009-10-13 13:16:59 ----D---- C:\Program Files\Microsoft ACT
2009-10-13 13:16:58 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-10-13 01:11:15 ----HDC---- C:\WINDOWS\$NtUninstallKB970483$
2009-10-13 01:11:12 ----HDC---- C:\WINDOWS\$NtUninstallKB953155$
2009-10-13 01:05:37 ----A---- C:\WINDOWS\frontpg.ini
2009-10-13 01:03:36 ----D---- C:\WINDOWS\IIS Temporary Compressed Files
2009-10-13 01:03:23 ----D---- C:\WINDOWS\system32\Cache
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\snprfdll.dll
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\smtpctrs.ini
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\smtpctrs.dll
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\regtrace.exe
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\ntfsdrct.ini
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\fcachdll.dll
2009-10-13 01:03:19 ----A---- C:\WINDOWS\system32\adsiisex.dll
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\w3svapi.dll
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\w3ctrs.ini
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\w3ctrs.dll
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\axperf.ini
2009-10-13 01:03:03 ----A---- C:\WINDOWS\system32\aspperf.dll
2009-10-13 01:03:00 ----A---- C:\WINDOWS\system32\iisrstap.dll
2009-10-13 01:03:00 ----A---- C:\WINDOWS\system32\iisreset.exe
2009-10-13 01:03:00 ----A---- C:\WINDOWS\system32\ftpsapi2.dll
2009-10-13 01:02:59 ----A---- C:\WINDOWS\system32\wamregps.dll
2009-10-13 01:02:59 ----A---- C:\WINDOWS\system32\inetsloc.dll
2009-10-13 01:02:59 ----A---- C:\WINDOWS\system32\iismui.dll
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\infoctrs.ini
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\infoctrs.dll
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\convlog.exe
2009-10-13 01:02:58 ----A---- C:\WINDOWS\system32\admxprox.dll
2009-10-13 00:57:58 ----D---- C:\Program Files\MagicDisc
2009-10-04 00:22:11 ----D---- C:\Program Files\Pappocom
2009-10-04 00:22:05 ----D---- C:\Program Files\Common Files\MimarSinan

======List of files/folders modified in the last 1 months======

2009-10-23 20:19:46 ----D---- C:\WINDOWS\system32\inetsrv
2009-10-23 20:19:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-10-23 20:19:39 ----A---- C:\WINDOWS\{00000003-00000000-00000007-00001102-00000008-10211102}.BAK
2009-10-23 20:19:21 ----SH---- C:\boot.ini
2009-10-23 20:19:21 ----A---- C:\WINDOWS\win.ini
2009-10-23 20:19:21 ----A---- C:\WINDOWS\system.ini
2009-10-23 20:18:01 ----D---- C:\Program Files\FireFox
2009-10-23 20:17:55 ----D---- C:\WINDOWS\Temp
2009-10-23 20:17:48 ----D---- C:\WINDOWS
2009-10-23 20:11:15 ----D---- C:\WINDOWS\Prefetch
2009-10-23 16:55:38 ----D---- C:\Program Files\PokerStars.NET
2009-10-23 16:37:35 ----SHD---- C:\System Volume Information
2009-10-23 16:37:35 ----D---- C:\WINDOWS\system32\Restore
2009-10-23 11:03:55 ----D---- C:\WINDOWS\Registration
2009-10-22 18:19:14 ----SHD---- C:\WINDOWS\Installer
2009-10-22 18:19:13 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-10-22 09:59:11 ----D---- C:\WINDOWS\system32
2009-10-21 23:30:53 ----HD---- C:\WINDOWS\inf
2009-10-21 23:30:51 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-21 16:52:51 ----RD---- C:\Program Files
2009-10-21 16:52:42 ----D---- C:\Downloads
2009-10-21 11:28:21 ----A---- C:\WINDOWS\lviewpro.ini
2009-10-21 11:11:54 ----D---- C:\Documents and Settings
2009-10-20 15:00:40 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-10-20 15:00:23 ----D---- C:\Program Files\Internet Explorer
2009-10-20 14:35:53 ----D---- C:\Program Files\Spybot - Search & Destroy.foo
2009-10-20 14:25:08 ----D---- C:\WINDOWS\system32\en-us
2009-10-20 14:16:17 ----SD---- C:\WINDOWS\Tasks
2009-10-20 12:55:44 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-20 12:24:16 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-10-20 11:21:26 ----D---- C:\WINDOWS\Media
2009-10-20 11:21:26 ----D---- C:\WINDOWS\Help
2009-10-20 11:03:51 ----HD---- C:\WINDOWS\$hf_mig$
2009-10-20 11:03:47 ----A---- C:\WINDOWS\imsins.BAK
2009-10-20 03:09:32 ----HD---- C:\$AVG8.VAULT$
2009-10-20 01:12:30 ----D---- C:\WINDOWS\system32\config
2009-10-20 01:12:30 ----D---- C:\WINDOWS\SxsCaPendDel
2009-10-20 01:12:30 ----D---- C:\WINDOWS\Connection Wizard
2009-10-20 01:12:30 ----D---- C:\WINDOWS\Config
2009-10-20 01:12:30 ----D---- C:\WINDOWS\addins
2009-10-17 20:10:20 ----D---- C:\WINSOCK
2009-10-17 16:09:07 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-10-17 16:09:01 ----D---- C:\Program Files\Common Files
2009-10-17 16:08:35 ----D---- C:\Documents and Settings\Philip\Application Data\Adobe
2009-10-17 10:06:40 ----D---- C:\WINDOWS\Microsoft.NET
2009-10-17 10:06:39 ----RSD---- C:\WINDOWS\assembly
2009-10-17 02:02:51 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-17 02:02:27 ----D---- C:\WINDOWS\WinSxS
2009-10-17 01:57:17 ----D---- C:\WINDOWS\system32\drivers
2009-10-17 01:32:30 ----D---- C:\keep
2009-10-14 13:44:18 ----SD---- C:\Documents and Settings\Philip\Application Data\Microsoft
2009-10-13 23:41:32 ----D---- C:\Program Files\Common Files\System
2009-10-13 23:20:47 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-10-13 23:20:22 ----HD---- C:\Program Files\Uninstall Information
2009-10-13 16:32:46 ----D---- C:\Program Files\MSDN
2009-10-13 13:16:59 ----D---- C:\Program Files\Microsoft Visual Studio .NET 2003
2009-10-13 00:59:52 ----D---- C:\WINDOWS\security
2009-10-02 11:01:58 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-28 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-28 27784]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2008-04-03 1333152]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 COMMONFX.DLL;COMMONFX.DLL; C:\WINDOWS\system32\COMMONFX.DLL [2007-04-18 98600]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2007-04-10 511272]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2007-04-10 520488]
R3 CTAUDFX.DLL;CTAUDFX.DLL; C:\WINDOWS\system32\CTAUDFX.DLL [2007-04-12 546048]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2007-04-10 14632]
R3 CTSBLFX.DLL;CTSBLFX.DLL; C:\WINDOWS\system32\CTSBLFX.DLL [2007-04-12 560384]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2007-04-10 157480]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2007-04-10 92968]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2007-04-10 797992]
R3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\system32\drivers\hap17v2k.sys [2007-04-10 189736]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-11-15 4225920]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2009-02-24 116736]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-02 6554496]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-02-17 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-02-17 13056]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2007-04-10 126760]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 CT20XUT.DLL;CT20XUT.DLL; C:\WINDOWS\system32\CT20XUT.DLL [2007-04-12 164608]
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2007-04-10 347128]
S3 CTEAPSFX.DLL;CTEAPSFX.DLL; C:\WINDOWS\system32\CTEAPSFX.DLL [2007-04-12 168192]
S3 CTEDSPFX.DLL;CTEDSPFX.DLL; C:\WINDOWS\system32\CTEDSPFX.DLL [2007-04-12 280320]
S3 CTEDSPIO.DLL;CTEDSPIO.DLL; C:\WINDOWS\system32\CTEDSPIO.DLL [2007-04-12 128768]
S3 CTEDSPSY.DLL;CTEDSPSY.DLL; C:\WINDOWS\system32\CTEDSPSY.DLL [2007-04-12 323328]
S3 CTERFXFX.DLL;CTERFXFX.DLL; C:\WINDOWS\system32\CTERFXFX.DLL [2007-04-12 94976]
S3 CTEXFIFX.DLL;CTEXFIFX.DLL; C:\WINDOWS\system32\CTEXFIFX.DLL [2007-04-12 1317632]
S3 CTHWIUT.DLL;CTHWIUT.DLL; C:\WINDOWS\system32\CTHWIUT.DLL [2007-04-12 66816]
S3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2007-04-10 163112]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S4 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-10-11 72704]
S4 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S4 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-28 297752]
S4 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe []
S4 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S4 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-01 651720]
S4 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S4 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
S4 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
S4 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-03-19 335872]
S4 MSSQLSERVER;MSSQLSERVER; C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe [2008-12-18 9158656]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2008-06-24 537896]
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-02 159812]
S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-05-13 272024]
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
S4 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe [2005-05-03 323584]
S4 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-14 15360]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------
 
info.txt:

info.txt logfile of random's system information tool 1.06 2009-10-23 20:24:15

======Uninstall list======

-->C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACE Mega CoDecS Pack-->"C:\Program Files\ACE Mega CoDecS Pack\unins000.exe"
Acrobat.com-->msiexec /qb /x {77DCDCE3-2DED-62F3-8154-05E745472D07}
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch-->msiexec /I {AC76BA86-1033-F400-7761-000000000004}
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch-->msiexec /I {AC76BA86-1033-F400-7761-000000000004}
Adobe Acrobat 9.2.0 - CPSID_50026-->msiexec /I {AC76BA86-1033-F400-7761-000000000004}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A92000000001}
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
bwin Poker-->"C:\bwinPoker\unins000.exe"
Canon Camera Access Library-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Character Builder-->MsiExec.exe /I{626C034B-50B8-47BD-AF93-EEFD0FA78FF4}
Civilization III - Play the World v1.21F-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E6F6DA9-E466-429B-8AA7-E066DB203781}\Setup.exe"
Civilization III Play the World-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E8650C8D-CCB2-496E-816C-ECC54A7EE411}\setup.exe"
Civilization III-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}\setup.exe"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DVD Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
ffdshow [rev 2880] [2009-04-15]-->"C:\Program Files\ffdshow\unins000.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Downloads\HijackThis.exe" /uninstall
Hotfix 2055 for SQL Server 2000 ENU (KB960082)-->"C:\WINDOWS\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$\spuninst\spuninst.exe"
Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Java 2 Runtime Environment, SE v1.4.2_17-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142170}
Java(TM) 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
JMB36X Raid Configurer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\setup.exe" -l0x9 -removeonly
Magic ISO Maker v5.5 (build 0273)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
MagicDisc 2.7.106-->C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2000-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft SQL Server\MSSQL\Uninst.isu" -c"C:\Program Files\Microsoft SQL Server\MSSQL\sqlsun.dll" -msql.mif i=MSSQLSERVER
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# .NET Redistributable Package 1.1-->MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Visual Studio .NET Enterprise Architect 2003 - English-->"C:\Program Files\Microsoft Visual Studio .NET 2003\Setup\Visual Studio .NET Enterprise Architect 2003 - English\setup.exe" /MaintMode
MOVAVI VideoSuite 3.5-->C:\Program Files\MOVAVI VideoSuite 3.5\uninst.exe
Mozilla Firefox (2.0.0.15)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (3.5.3)-->C:\Program Files\FireFox\uninstall\helper.exe
MSDN Library - October 2003-->MsiExec.exe /I{F95B340A-67A5-419C-843B-949406A357D2}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 8 Ultra Edition HD-->MsiExec.exe /X{D6C9AF27-9414-46C8-B9D8-D878BA041033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Pegasus Mail-->C:\WINSOCK\winpmail\DeSetup.exe C:\WINSOCK\winpmail
PokerStars.net-->"C:\Program Files\PokerStars.NET\PokerStarsUninstall.exe" /u:PokerStars.net
PowerDesk 7-->MsiExec.exe /X{B93251B5-9209-4DAB-867C-AA98D91584CD}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Real Alternative 1.8.0-->"C:\Program Files\Real Alternative\unins000.exe"
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953155)-->"C:\WINDOWS\$NtUninstallKB953155$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970483)-->"C:\WINDOWS\$NtUninstallKB970483$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Sudoku-->"C:\Program Files\Common Files\MimarSinan\Installation Information\{FB5055E4-9BE1-425F-B40A-33E43E9460DA}\{3467282D-9B9E-4495-B1FA-0AEE614CD395}\SudokuSetup.exe" REMOVE=TRUE MODIFY=FALSE
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB973874)-->"C:\WINDOWS\ie8updates\KB973874-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VideoLAN VLC media player 0.8.6f-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Virtual Echo-->msiexec /qb /x {E870AB6B-2586-E9E6-8EF2-7BAA5353B2C0}
Virtual Echo-->MsiExec.exe /I{E870AB6B-2586-E9E6-8EF2-7BAA5353B2C0}
w3compiler-->C:\PROGRA~1\Port80\W3COMP~1\\UNWISE.EXE C:\PROGRA~1\Port80\W3COMP~1\\INSTALL.LOG
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

Securitycenter WMI appears to be broken

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Microsoft SQL Server\80\Tools\BINN
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.VBS
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"INCLUDE"=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\
"LIB"=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\
"VS71COMNTOOLS"=C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\

-----------------EOF-----------------
 
Hi. :)

If something fails please do not put the machine back into a diagnostic startup, just inform myself please.

Enable disabled items with MSConfig

Go to Start> Run type msconfig and click OK.

Under the Services tab click Enable All

Under the Startup tab click Enable All> Apply> OK> Reboot now.

Next:
  • Please download WUS_Fix.exe
  • Double click on it to run the small application.
  • A command window will appear briefly, this is normal.
FixPolicies:

Please download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here.
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box should briefly appear and then close.
  • Leave FixPolicies on your desktop please until I otherwise advise, thank you.
Scan with GMER:

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
    Click the image to enlarge it

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Note: Do not run any programs while Gmer is running.

When completed the above, please post back the following in the order asked for:
  • How is you computer performing now, any further symptoms and or problems encountered?
  • GMER Log.
 
GMER also terminated during the file scan and as usual the executable was corrupted.

It did display several red messages during an earlier part of the scan, which I could could save for you if it would be helpful.

-Phil
 
Hi. :)

It did display several red messages during an earlier part of the scan, which I could could save for you if it would be helpful.
Click to expand...
By all means please do so.

Next:

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
 
Here is the log from GMER, produced with "files" unchecked as well as the boxes you originally instructed me to uncheck:


GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-24 14:30:42
Windows 5.1.2600 Service Pack 3
Running: 5h3w5lwv.exe; Driver: C:\DOCUME~1\Philip\LOCALS~1\Temp\kfecrkoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [132] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [528] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1084] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1124] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [1200] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1228] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1304] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\inetsrv\inetinfo.exe [1392] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1420] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1524] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1968] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2768] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\WINSOCK\winpmail\winpm-32.exe [2964] 0x35670000
Library \\?\globalroot\Device\__max++>\79BC09C4.x86.dll (*** hidden *** ) @ C:\Program Files\FireFox\firefox.exe [2996] 0x35670000

---- EOF - GMER 1.0.15 ----


-Phil
 
And here is the Win32kDiag.txt file:

Running from: C:\Documents and Settings\Philip\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Philip\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP120.tmp\ZAP120.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1BB.tmp\ZAP1BB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF2.tmp\ZAPF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cluster\Cluster

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\nvcpl\nvcpl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IIS Temporary Compressed Files\IIS Temporary Compressed Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7716000000000040\9.0.0\9.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\pr\c957fe1f\caba86c6\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2007-07-27 08:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-14 05:42:22 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-14 05:42:22 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\37f6297b42610206c3fdeaf1ae71345e\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4a70167257b9ec465806ced7f92b65d8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\7e08dede92a04e75c1faf75d2825e500\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2007-07-27 08:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 05:41:54 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 05:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-10-02 11:01:58 25198016 C:\WINDOWS\system32\MRT.exe ()



Found mount point : C:\WINDOWS\Temp\FrontPageTempDir\FrontPageTempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\NDP1.1sp1-KB953297-X86\NDP1.1sp1-KB953297-X86

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\_isTmp_{8675309}\_isTmp_{8675309}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!


-Phil
 
Hi. :)

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
Code: 
"%userprofile%\desktop\win32kdiag.exe" -f -r
When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
 
Here it is:

Running from: C:\Documents and Settings\Philip\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Philip\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP120.tmp\ZAP120.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP120.tmp\ZAP120.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1BB.tmp\ZAP1BB.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1BB.tmp\ZAP1BB.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF2.tmp\ZAPF2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF2.tmp\ZAPF2.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Cluster\Cluster

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cluster\Cluster

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\Help\nvcpl\nvcpl

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\nvcpl\nvcpl

Found mount point : C:\WINDOWS\IIS Temporary Compressed Files\IIS Temporary Compressed Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IIS Temporary Compressed Files\IIS Temporary Compressed Files

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7716000000000040\9.0.0\9.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7716000000000040\9.0.0\9.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\pr\c957fe1f\caba86c6\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\pr\c957fe1f\caba86c6\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\37f6297b42610206c3fdeaf1ae71345e\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\37f6297b42610206c3fdeaf1ae71345e\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4a70167257b9ec465806ced7f92b65d8\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\4a70167257b9ec465806ced7f92b65d8\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\7e08dede92a04e75c1faf75d2825e500\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\7e08dede92a04e75c1faf75d2825e500\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2007-07-27 08:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 05:41:54 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 05:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 05:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

Found mount point : C:\WINDOWS\Temp\FrontPageTempDir\FrontPageTempDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\FrontPageTempDir\FrontPageTempDir

Found mount point : C:\WINDOWS\Temp\NDP1.1sp1-KB953297-X86\NDP1.1sp1-KB953297-X86

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\NDP1.1sp1-KB953297-X86\NDP1.1sp1-KB953297-X86

Found mount point : C:\WINDOWS\Temp\_isTmp_{8675309}\_isTmp_{8675309}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_isTmp_{8675309}\_isTmp_{8675309}

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!



-Phil
 
Hi. :)

Getting somewhere now.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Click to expand...
Please include the C:\ComboFix.txt in your next reply for further review.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper

When completed the above, please post back the following in the order asked for:
  • How is you computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.
  • A new HijackThis Log.
 
The computer is behaving much better now.

I have rebooted a few times without trouble. Google search results are not being redirected. And Spybot and HJT now run without a problem.

The only problem I have is that my SQL Server 2000 developer edition will not start. Barring any further instructions from you I will reinstall that tomorrow.

Thanks for all your time and effort on this. It's been greatly appreciated!

-Phil
 
Here is the combofix log:


ComboFix 09-10-23.01 - Philip 10/24/2009 16:06.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3136 [GMT -4:00]
Running from: c:\documents and settings\Philip\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache
I:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-24 00:11 . 2009-10-24 00:24 -------- d-----w- C:\rsit
2009-10-22 00:01 . 2009-10-22 00:51 445 ----a-w- c:\windows\EntPack.dat
2009-10-21 20:52 . 2009-10-21 20:52 -------- d-----w- c:\program files\Trend Micro
2009-10-21 20:50 . 2009-10-21 20:50 -------- d-----w- c:\program files\ERUNT
2009-10-20 17:35 . 2009-10-20 17:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-20 17:34 . 2009-10-20 17:34 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-20 16:55 . 2009-10-20 17:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-20 16:24 . 2009-10-20 16:27 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-20 15:34 . 2009-10-20 15:34 -------- d-sh--w- c:\documents and settings\Philip\IECompatCache
2009-10-20 15:34 . 2009-10-20 15:34 -------- d-sh--w- c:\documents and settings\Philip\PrivacIE
2009-10-20 15:22 . 2009-10-20 15:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-20 15:21 . 2009-10-20 15:21 -------- d-sh--w- c:\documents and settings\Philip\IETldCache
2009-10-20 15:03 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-20 15:03 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-20 15:03 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-20 15:00 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-20 06:27 . 2009-10-20 16:53 -------- d-----w- c:\program files\Spybot - Search & Destroy.bar
2009-10-20 06:03 . 2009-10-24 18:52 -------- d--h--w- c:\windows\PIF
2009-10-20 05:44 . 2009-10-20 05:44 -------- d-----w- c:\program files\Port80
2009-10-20 05:12 . 2009-10-24 14:44 0 ----a-r- c:\windows\win32k.sys
2009-10-20 05:02 . 2009-10-20 05:02 -------- d-----w- c:\documents and settings\Philip\Local Settings\Application Data\FreeSoft
2009-10-17 20:09 . 2009-10-17 20:09 -------- d-----w- c:\documents and settings\Philip\Application Data\com.fox.dollhouse.VirtualEcho.8DB2FB41E3AF9617470F9C3E78FDAAA51EF66383.1
2009-10-17 20:09 . 2009-10-17 20:09 -------- d-----w- c:\program files\VirtualEcho
2009-10-17 20:09 . 2009-10-17 20:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-17 06:00 . 2009-10-17 06:00 -------- d-----w- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-10-15 16:25 . 2009-10-15 16:25 -------- d-----w- c:\documents and settings\Philip\Local Settings\Application Data\P5
2009-10-15 16:25 . 2009-10-15 16:25 -------- d-----w- C:\bwinPoker
2009-10-14 22:21 . 2002-12-17 21:23 33340 ----a-w- c:\windows\system32\dbmsqlgc.dll
2009-10-14 22:21 . 2002-10-20 19:05 24576 ----a-w- c:\windows\system32\dbmsgnet.dll
2009-10-14 17:42 . 2009-10-14 17:42 145 ----a-w- c:\documents and settings\OWNER-B459ED82B\ASPNET\Local Settings\Application Data\fusioncache.dat
2009-10-14 07:01 . 2009-10-14 07:01 -------- d-----w- c:\documents and settings\Philip\VSWebCache
2009-10-14 03:55 . 2000-08-06 05:50 36939 ----a-w- c:\windows\system32\insrepim.exe
2009-10-14 03:55 . 2000-07-07 16:20 81920 ----a-w- c:\windows\system32\mdt2fw95.dll
2009-10-14 03:55 . 2005-05-04 04:02 20480 ----a-w- c:\windows\system32\dbmslpcn.dll
2009-10-14 03:44 . 2009-10-14 03:44 -------- d-----w- c:\windows\Install
2009-10-14 03:41 . 2009-10-24 18:52 -------- d-----w- c:\windows\Cluster
2009-10-14 03:21 . 2004-04-25 23:26 188473 ----a-w- c:\windows\system32\msrpjt40.dll
2009-10-14 03:20 . 2005-05-04 04:02 290816 ----a-w- c:\windows\system32\ntwdblib.dll
2009-10-14 03:20 . 2005-05-04 04:02 21504 ----a-w- c:\windows\system32\dbmsshrn.dll
2009-10-13 22:08 . 2009-10-14 01:25 32768 ----a-w- c:\windows\system32\athprxy.dll
2009-10-13 17:44 . 2009-10-13 17:44 129 ----a-w- c:\documents and settings\Philip\Local Settings\Application Data\fusioncache.dat
2009-10-13 17:44 . 2009-10-13 17:44 -------- d-----w- c:\documents and settings\Philip\Local Settings\Application Data\Microsoft Help
2009-10-13 17:17 . 2009-10-13 17:17 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-10-13 17:16 . 2009-10-13 17:17 -------- d-----w- c:\program files\Microsoft ACT
2009-10-13 17:16 . 2009-10-14 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-13 05:02 . 2007-07-27 12:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2009-10-13 05:02 . 2007-07-27 12:00 7168 ----a-w- c:\windows\system32\wamregps.dll
2009-10-13 05:02 . 2007-07-27 12:00 3584 -c--a-w- c:\windows\system32\dllcache\iismui.dll
2009-10-13 05:02 . 2007-07-27 12:00 3584 ----a-w- c:\windows\system32\iismui.dll
2009-10-13 05:02 . 2007-07-27 12:00 22016 -c--a-w- c:\windows\system32\dllcache\logscrpt.dll
2009-10-13 05:02 . 2007-07-27 12:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-10-13 05:02 . 2007-07-27 12:00 19968 ----a-w- c:\windows\system32\inetsloc.dll
2009-10-13 05:02 . 2007-07-27 12:00 8704 -c--a-w- c:\windows\system32\dllcache\infoctrs.dll
2009-10-13 05:02 . 2007-07-27 12:00 8704 ----a-w- c:\windows\system32\infoctrs.dll
2009-10-13 05:02 . 2007-07-27 12:00 6144 -c--a-w- c:\windows\system32\dllcache\admxprox.dll
2009-10-13 05:02 . 2007-07-27 12:00 6144 ----a-w- c:\windows\system32\admxprox.dll
2009-10-13 05:02 . 2007-07-27 12:00 56320 -c--a-w- c:\windows\system32\dllcache\convlog.exe
2009-10-13 05:02 . 2007-07-27 12:00 56320 ----a-w- c:\windows\system32\convlog.exe
2009-10-13 04:57 . 2009-10-13 04:58 -------- d-----w- c:\program files\MagicDisc
2009-10-13 04:57 . 2009-02-24 22:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-10-04 04:22 . 2009-10-04 04:22 -------- d-----w- c:\program files\Pappocom
2009-10-04 04:22 . 2009-10-04 04:22 -------- d-----w- c:\program files\Common Files\MimarSinan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 14:44 . 2008-07-05 21:35 -------- d-----w- c:\program files\FireFox
2009-10-24 02:03 . 2008-07-05 21:40 -------- d-----w- c:\program files\PokerStars.NET
2009-10-20 18:35 . 2008-07-05 21:40 -------- d-----w- c:\program files\Spybot - Search & Destroy.foo
2009-10-20 16:55 . 2008-07-05 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-13 20:32 . 2008-07-05 21:53 -------- d-----w- c:\program files\MSDN
2009-10-13 17:16 . 2008-07-05 22:07 -------- d-----w- c:\program files\Microsoft Visual Studio .NET 2003
2009-09-11 14:18 . 2007-07-27 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:02 . 2009-09-10 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-04 21:03 . 2007-07-27 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 13:12 . 2009-01-31 00:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:12 . 2008-10-12 03:25 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 13:12 . 2008-10-12 03:25 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 08:00 . 2007-07-27 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 03:50 . 2009-03-01 21:24 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-08-20 03:50 . 2009-03-01 21:24 46928 ----a-r- c:\windows\system32\AdobePDF.dll
2009-08-06 23:24 . 2008-07-05 15:28 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2008-07-05 15:28 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2008-07-05 15:28 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2007-07-30 23:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2008-07-05 15:28 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2007-07-27 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2008-07-05 15:28 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-07-07 05:59 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2008-07-05 15:28 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 23:23 . 2007-07-30 23:18 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2007-07-27 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2007-07-27 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-09-15 22:26 . 2008-07-05 21:39 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2008-06-23 18:08 . 2008-07-05 21:39 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-06-23 18:08 . 2008-07-05 21:39 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-06-23 18:08 . 2008-07-06 00:23 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-06-23 18:08 . 2008-07-06 00:23 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-06-23 18:08 . 2008-07-05 21:39 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2007-04-09 19968]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]

c:\documents and settings\Philip\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-5 113664]
Dialog Helper.lnk - c:\program files\Avanquest\PowerDesk\pddlghlp.exe [2008-4-22 46336]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-10-13 576000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2008-7-5 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"\\\\Hipserv\\FamilyLibrary\\FamilyDocuments\\D&D\\4e\\700_DDI_CB-Beta.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/11/2008 11:25 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/30/2009 8:26 PM 297752]
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
FF - ProfilePath - c:\documents and settings\Philip\Application Data\Mozilla\Firefox\Profiles\gcwltfty.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\FireFox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\downloads\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 16:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1572)
c:\windows\system32\WININET.dll
c:\program files\Avanquest\PowerDesk\pddlghlp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF4250.exe
c:\windows\system32\RUNDLL32.EXE
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-24 16:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-24 20:24

Pre-Run: 874,313,273,344 bytes free
Post-Run: 874,174,849,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 84833B2C5E3F5E42E1922389F2F5E22A
 
And the new HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:33 PM, on 10/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\FireFox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avanquest\PowerDesk\PDExplo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dialog Helper.lnk = C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1215360418046
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7288 bytes
 
Hi Phil. :)

Thanks for all your time and effort on this. It's been greatly appreciated!
Click to expand...
Not a problem and you're welcome!

The only problem I have is that my SQL Server 2000 developer edition will not start. Barring any further instructions from you I will reinstall that tomorrow.
Click to expand...
My advice is to uninstall the application...........and wait until I deem it safe to re-install OK.

Your machine was(still) seriously infected, one or more of the identified infections is a Root-Kit.

OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Be prepared as I might advise a reformat and reinstallation of the Windows operating system. At this stage I will continue with the malware removal process but my above advice is not to be taken lightly. Be rest assured if at this time I thought a lost cause I would be advising a reformat and reinstallation of the Windows operating system as I take very seriously the support I advise and my free assistance for individuals such as your good self.

Disable Spybot S&D TeaTimer's Registry Guard:

This is so it does not interfere with the malware removal process, you may re-enable this when I give the all clear.

  • If you have version 1.5 or 1.6, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  • Click on Mode > Advanced Mode. When it prompts you, click Yes.
  • On the left hand side, click on Tools.
  • Check this box if it is not yet ticked: Resident.
  • You will notice that Resident is now added under Tools. Click on Resident.
  • Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  • Exit Spybot Search & Destroy.
  • Restart your computer for the changes to take effect.
Note: The above must be completed before proceeding any further!

Next:

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and select then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Next:

Please make sure that RSIT.exe is still on the Desktop.(if not inform myself straight away please)

  • Double click once on RSIT.exe
  • RSIT will start running, at the disclaimer click on Continue.
  • When done, 1 log will be produced.
  • Post that in your next reply.
When completed the above, please post back the following in the order asked for:
  • How is you computer performing now, any further symptoms and or problems encountered?
  • Malwarebytes' Anti-Malware Log.
  • A new RSIT Log.
 
Status
Not open for further replies.
Back
Top