HJT log (Resolved)

andyc

New member
HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:35, on 25/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: C:\WINDOWS\system32\tajf83ikdmf.dll - {bf56a325-23f2-42ad-f4e4-00aac39caa53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [AntiSpyware Service] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zrpyfpeew.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {EE31AE88-AE7A-4C52-9330-A0A3B3468C02} - C:\WINDOWS\system32\config\systemprofile\Application Data\pkz.ini
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O23 - Service: BullGuard LiveUpdate (bglivesvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc (bgrasvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8472 bytes

other info:

I have installed BullGuard. It found 50+ infections; all were removed, but the odd one still appears after another scan.

I also installed Spybot S&D. 50+ infections on the first scan, all fixed, but some are still appearing on further scans.

No scans or anything else have been done since the HJT log.
 
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly


Some of the logs I request will be quite large; you may need to split them over a couple of replies.

Please note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe.

----------------------------------------------------------------------------------------



Disable Teatimer
We need to disable Teatimer as it may interfere with the cleaning.
Please do not re-enable it until I give instructions.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Click the link >>> HERE <<<, select "Save as" and save it to your desktop.
  • Double click TTWipe.bat
  • Reboot your machine for the changes to take effect.

Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
    ( They can also be found in the C:\RSIT folder )


Please Download GMER to your desktop

Download GMER and extract it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

Note: If GMER doesn't run, please reboot and then rename gmer.exe to Look.exe and try again.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab and make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL, for whatever reason, until it has 100% completed its scan (or its attempted scan, in case of some error)!

Please post the results from the GMER scan in your reply.
 
Teatimer has been disabled.

RSIT log

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-08-27 19:37:50
Microsoft Windows XP Professional Service Pack 3
System drive C: has 183 GB (77%) free of 238 GB
Total RAM: 2047 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:37:53, on 27/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\temp downloaded stuff\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: C:\WINDOWS\system32\tajf83ikdmf.dll - {bf56a325-23f2-42ad-f4e4-00aac39caa53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [AntiSpyware Service] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zrpyfpeew.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {EE31AE88-AE7A-4C52-9330-A0A3B3468C02} - C:\WINDOWS\system32\config\systemprofile\Application Data\pkz.ini
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O23 - Service: BullGuard LiveUpdate (bglivesvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc (bgrasvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8158 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53}]
C:\WINDOWS\system32\tajf83ikdmf.dll - C:\WINDOWS\system32\tajf83ikdmf.dll [2009-08-23 15000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{D4027C7F-154A-4066-A1AD-4243D8127440} - Ask.com Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-04-02 809864]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2009-02-25 37888]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-02-26 16125440]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2007-04-23 228088]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2009-08-23 304464]
"PAC7302_Monitor"=C:\WINDOWS\PixArt\PAC7302\Monitor.exe [2006-11-03 319488]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe []
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe []
"Microsoft Driver Setup"=C:\WINDOWS\msdrive32.exe []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Microsoft Driver Setup"=C:\WINDOWS\msdrive32.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-08-12 21741864]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]
"DU Meter"=C:\Program Files\DU Meter\DUMeter.exe [2009-08-22 2645528]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2009-08-23 304464]
"AntiSpyware Service"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zrpyfpeew.exe []
"Windows System Recover!"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe [2009-08-26 22532]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\12CFG214-K641-11SF-N33P]
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1077\vslmq.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpyware Service]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vezqjg.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qlajesuhelehiz]
C:\WINDOWS\ukucitaqunuhog.dll,e []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-26 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [2009-04-08 251240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows System Recover!]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\system.exe [2009-08-26 22532]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^kill.bat]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\kill.bat []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^mel.bat183242.bat]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\mel.bat183242.bat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
avgrsstx.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll [2009-08-23 15000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
nscf31.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bgmainsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\bglivesvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\bgmainsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableStatusMessages"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoResolveTrack"=1
"NoResolveSearch"=1
"NoInstrumentation"=1
"NoStartMenuMFUprogramsList"=1
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\aoesetup.exe /autorun
shell\directx\command - D:\DirectX\dxsetup.exe
shell\dplay\command - D:\DirectX\dplay61a.exe
shell\dxdiag\command - D:\goodies\ar40eng.exe
shell\dxinfo\command - D:\goodies\DirectX\dxinfo.exe
shell\dxtest\command - D:\DirectX\dxdiag.exe
shell\dxtool\command - D:\goodies\DirectX\dxtool.exe
shell\log\command - D:\goodies\machine\machine.exe -l
shell\machine\command - D:\goodies\machine\machine.exe
shell\setup\command - D:\aoesetup.exe /autorun
shell\zone\command - D:\goodies\mszone\zoneA600.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{669eec44-1300-11de-9533-001bfc4adb54}]
shell\autorun\command - K:\RECYCLER\autorun.exe
shell\open\command - K:\RECYCLER\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5b1da9e-3d86-11de-957b-001bfc4adb54}]
shell\AutoRun\command - K:\InstallTomTomHOME.exe


======List of files/folders created in the last 1 months======

2009-08-27 19:37:50 ----D---- C:\rsit
2009-08-25 12:36:27 ----D---- C:\Program Files\Trend Micro
2009-08-24 18:02:41 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-23 23:07:51 ----D---- C:\Program Files\CCleaner
2009-08-23 22:18:18 ----A---- C:\WINDOWS\wininit.ini
2009-08-23 22:06:35 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-23 22:06:35 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 17:39:57 ----A---- C:\AILog.txt
2009-08-23 17:22:51 ----D---- C:\Program Files\Microsoft Games
2009-08-23 16:57:38 ----D---- C:\Program Files\Your Company Name
2009-08-23 13:46:49 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-08-23 10:09:31 ----D---- C:\WINDOWS\pss
2009-08-22 20:27:31 ----D---- C:\Documents and Settings\All Users\Application Data\BullGuard
2009-08-22 20:27:29 ----D---- C:\Documents and Settings\Administrator\Application Data\BullGuard
2009-08-22 19:34:53 ----D---- C:\Program Files\Alwil Software
2009-08-22 18:53:25 ----D---- C:\Program Files\AVG
2009-08-22 18:30:57 ----SHD---- C:\WINDOWS\system32\lowsec
2009-08-22 18:30:54 ----A---- C:\WINDOWS\system32\tajf83ikdmf.dll
2009-08-22 18:30:48 ----ASH---- C:\WINDOWS\E88D4.exe
2009-08-22 18:21:58 ----D---- C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2009-08-22 18:21:56 ----D---- C:\Program Files\DU Meter
2009-08-22 18:04:28 ----D---- C:\Program Files\KONAMI
2009-08-03 19:56:22 ----D---- C:\Program Files\Microsoft AutoRoute
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\SGRegister.dll
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\Sgdt32.dll
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\SdoEng90.dll
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\SdoEng80.dll
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\SdoEng70.dll
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\SdoEng100.dll
2009-08-01 16:47:48 ----A---- C:\WINDOWS\system32\Sgcom32.dll
2009-08-01 16:47:48 ----A---- C:\WINDOWS\system32\SdoEng110.dll
2009-08-01 16:47:48 ----A---- C:\WINDOWS\system32\Sdoeng.dll
2009-08-01 16:47:48 ----A---- C:\WINDOWS\system32\SDOApp.dll
2009-08-01 16:47:46 ----A---- C:\WINDOWS\system32\SdoEng120.dll
2009-08-01 16:47:21 ----D---- C:\Program Files\Clik

======List of files/folders modified in the last 1 months======

2009-08-27 19:37:06 ----D---- C:\Program Files\Mozilla Firefox
2009-08-27 19:34:49 ----D---- C:\Documents and Settings\Administrator\Application Data\Skype
2009-08-27 19:33:22 ----D---- C:\WINDOWS\Temp
2009-08-27 19:31:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-27 19:20:08 ----D---- C:\WINDOWS\system32
2009-08-27 19:11:04 ----D---- C:\Documents and Settings\Administrator\Application Data\skypePM
2009-08-26 18:21:29 ----D---- C:\WINDOWS\Prefetch
2009-08-25 12:36:27 ----RD---- C:\Program Files
2009-08-24 18:02:41 ----D---- C:\WINDOWS
2009-08-24 17:39:31 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-08-24 17:36:05 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-23 23:08:53 ----D---- C:\WINDOWS\Debug
2009-08-23 17:23:59 ----RSD---- C:\WINDOWS\Fonts
2009-08-23 17:20:30 ----HD---- C:\Program Files\InstallShield Installation Information
2009-08-23 16:57:48 ----SHD---- C:\WINDOWS\Installer
2009-08-23 14:14:59 ----SHD---- C:\RECYCLER
2009-08-23 13:21:30 ----SHD---- C:\WINDOWS\CSC
2009-08-23 10:20:22 ----D---- C:\WINDOWS\system32\drivers
2009-08-23 10:10:42 ----SH---- C:\boot.ini
2009-08-23 10:10:42 ----A---- C:\WINDOWS\win.ini
2009-08-23 10:10:42 ----A---- C:\WINDOWS\system.ini
2009-08-22 20:27:13 ----HD---- C:\WINDOWS\inf
2009-08-22 19:37:10 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-08-22 19:35:10 ----D---- C:\WINDOWS\system32\config
2009-08-22 18:53:24 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-08-03 19:56:21 ----D---- C:\Program Files\Microsoft Office

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-04-14 12032]
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [2006-02-25 16877]
R2 bdfilespy;BullGuard File Monitor Driver; \??\C:\WINDOWS\system32\drivers\BdFileSpy.sys []
R2 DgiVecp;DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys []
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2008-05-29 62848]
R3 afw;Agnitum firewall driver; C:\WINDOWS\system32\DRIVERS\afw.sys [2009-03-23 31128]
R3 afwcore;afwcore; C:\WINDOWS\system32\DRIVERS\afwcore.sys [2009-03-23 257304]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-03-01 4484608]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-02-18 6308224]
R3 NVENETFD;NVIDIA nForce 10/100 Mbps Ethernet ; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2008-12-30 54784]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2008-12-30 22016]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2008-04-14 5888]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-24 30336]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-02-26 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S2 SSPORT;SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 PAC7302;PAC7302 VGA USB Camera; C:\WINDOWS\system32\DRIVERS\PAC7302.SYS [2007-06-14 457856]
S3 profos;Profos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys []
S3 RimUsb;BlackBerry Device; C:\WINDOWS\System32\Drivers\RimUsb.sys [2006-11-07 22272]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 trufos;Trufos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S4 atapi;atapi; C:\WINDOWS\system32\drivers\atapi.sys [2008-04-14 96512]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 bglivesvc;BullGuard LiveUpdate; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [2009-04-06 300368]
R2 bgmainsvc;BullGuard Main Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 bsfilescan;BullGuard File Scan Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 bsfire;BullGuard Firewall Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 DUMeterSvc;DU Meter Service; C:\Program Files\DU Meter\DUMeterSvc.exe [2009-08-22 1386008]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-26 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-02-18 163908]
R2 TomTomHOMEService;TomTomHOMEService; C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe [2009-04-08 92008]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 bsmailproxy;BullGuard Email Monitoring Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-04-22 359160]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2007-04-23 310008]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2007-04-23 166648]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 bgrasvc;BGRaSvc; C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe [2009-06-01 79184]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-04-22 88824]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-04-23 1010424]

-----------------EOF-----------------


RSIT info


info.txt logfile of random's system information tool 1.06 2009-08-27 19:37:54

======Uninstall list======

-->C:\Program Files\InstallShield Installation Information\{F0B2D11F-E4D9-4C17-A195-B8BADEAE9C40}\setup.exe -runfromtemp -l0x0009 -removeonly
-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
-->MsiExec.exe /I{07159635-9DFE-4105-BFC0-2817DB540C68}
-->MsiExec.exe /I{0D397393-9B50-4C52-84D5-77E344289F87}
-->MsiExec.exe /I{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}
-->MsiExec.exe /I{83FFCFC7-88C6-41C6-8752-958A45325C82}
-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
-->MsiExec.exe /X{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Ask Toolbar-->MsiExec.exe /I{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Audacity 1.3.3 (Unicode)-->"C:\Program Files\Audacity 1.3 Beta (Unicode)\unins000.exe"
BitLord 1.1-->C:\Program Files\BitLord\uninst.exe
BlackBerry Desktop Software 4.2.2-->MsiExec.exe /i{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D}
BlackBerry Desktop Software 4.2.2-->MsiExec.exe /I{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D}
Brother P-touch Editor 5.0-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DF9A6075-9308-4572-8932-A4316243C4D9}
BullGuard 8.5-->C:\Program Files\BullGuard Ltd\BullGuard\uninst.exe
Cable-Mate 3.3-->C:\WINDOWS\SSEUninstaller.exe C:\Program Files\Cable-Mate 3.3\SSEun.dat
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Clik 3-->C:\PROGRA~1\Clik\BM\UNWISE.EXE C:\PROGRA~1\Clik\BM\INSTALL.LOG
Contractor Pro-->MsiExec.exe /I{60C18308-6FD1-47AF-8185-B4AFEF2E24EF}
Crystal reports 9.0 for Contractor Pro-->MsiExec.exe /X{5C57D058-8EEE-4C8D-81A9-1D8D11F4A48F}
DU Meter-->"C:\Program Files\DU Meter\unins000.exe"
EAGLE 5.6.0-->cmd.exe /c start "EAGLE Uninstaller" /min "C:\Program Files\EAGLE-5.6.0\bin\uninstall.bat" C:\Program Files\EAGLE-5.6.0\bin
EasyCert-->"C:\Program Files\EasyCert\uninstall.exe"
File Scavenger 3.2 (English)-->"C:\Program Files\File Scavenger 3.2\unins000.exe"
FileZilla Client 3.2.6-->C:\Program Files\FileZilla FTP Client\uninstall.exe
GetDataBack for NTFS-->"C:\Program Files\Runtime Software\GetDataBack for NTFS\Uninstall.exe" "C:\Program Files\Runtime Software\GetDataBack for NTFS\install.log" -u
Grand Theft Auto Vice City-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B35F00C-E63D-40DC-9839-DF15A33EAC46}\Setup.exe" -l0x9
GTA San Andreas-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
LAME v3.98.2 for Audacity-->"C:\Program Files\Lame for Audacity\unins000.exe"
MetalGearSolid2 Substance-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2184D9EA-4E5B-43FD-914E-4563CF028C94}\setup.exe" -l0x9
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft ActiveSync-->MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Age of Empires II-->"C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft AutoRoute 2005-->MsiExec.exe /I{67E4EE98-59F4-4220-89A6-A20AF5BEC689}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
ML-1510_700 Series-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CC411126-8CDE-4B7C-950F-4197C931B0C8}\Setup.exe"
Mozilla Firefox (3.5.2)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
PDF Editor 2-->C:\WINDOWS\cadkasdeinst01e.exe "C:\Program Files\PDF Editor 2\"
Philips Product Selector 1.0.2-->C:\Program Files\InstallShield Installation Information\{BC35DF5E-7682-40F9-8FF0-737D8C568F7D}\setup.exe -runfromtemp -l0x0409
PhotoLux-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E670CC9A-7CD2-4BB8-9485-6324EFAC137C}\setup.exe" -l0x9 anything -uninst
PrimoPDF-->"C:\WINDOWS\PrimoPDF4\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstallPrimoPDF4.xml"
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Roxio Media Manager-->MsiExec.exe /X{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}
Samsung CLX-216x Series-->C:\Program Files\Samsung\Samsung CLX-216x Series\Install\Setup.exe /R
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Thermal Analysis Tool-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6B2C675E-8040-431B-99C4-137DF4FBF75A}\setup.exe" -l0x9 -removeonly
Thorn - Product Explorer 6.0-->MsiExec.exe /I{B8EE8264-238C-430A-9D5F-DB9139B09364}
TomTom HOME 2.6.2.1586-->C:\Program Files\TomTom HOME 2\Uninstall TomTom HOME.exe
TomTom HOME Visual Studio Merge Modules-->MsiExec.exe /I{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}
Tysoft PDF (novaPDF 6.2 printer)-->"C:\Program Files\Softland\novaPDF 6\unins000.exe"
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Zumtobel - Product Explorer 6.0-->MsiExec.exe /I{4F6F5C1E-F109-4A58-8F43-9A1039CDAFC9}

Hosts File Missing
Securitycenter WMI appears to be broken

======System event log======

Computer Name: HOME
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 001BFC4ADB54. The IP address being used is 169.254.116.103.

Record Number: 25
Source Name: Dhcp
Time Written: 20090307162705.000000+000
Event Type: warning
User:

Computer Name: HOME
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001BFC4ADB54. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 24
Source Name: Dhcp
Time Written: 20090307162659.000000+000
Event Type: warning
User:

Computer Name: HOME
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001BFC4ADB54. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 23
Source Name: Dhcp
Time Written: 20090307162630.000000+000
Event Type: warning
User:

Computer Name: HOME
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 001BFC4ADB54. The IP address being used is 169.254.116.103.

Record Number: 15
Source Name: Dhcp
Time Written: 20090307161019.000000+000
Event Type: warning
User:

Computer Name: HOME
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001BFC4ADB54. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 10
Source Name: Dhcp
Time Written: 20090304210332.000000+000
Event Type: warning
User:

=====Application event log=====

Computer Name: HOME
Event Code: 4609
Message: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Record Number: 1795
Source Name: EventSystem
Time Written: 20090823184334.000000+060
Event Type: error
User:

Computer Name: HOME
Event Code: 1001
Message:
Record Number: 1783
Source Name: MsiInstaller
Time Written: 20090823165714.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME
Event Code: 1004
Message:
Record Number: 1782
Source Name: MsiInstaller
Time Written: 20090823165714.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME
Event Code: 8193
Message: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Record Number: 1773
Source Name: VSS
Time Written: 20090823132027.000000+060
Event Type: error
User:

Computer Name: HOME
Event Code: 4609
Message: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Record Number: 1772
Source Name: EventSystem
Time Written: 20090823132027.000000+060
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
"PROCESSOR_REVISION"=4303
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\

-----------------EOF-----------------


I installed GMER and opened it. It does say something about rootkit activity, but after a few minutes I get a blue screen.


aujasnkj.sys

attempt to write to read only memory

technical info

0x000000BE (0XF747B0CB4, 0X0A3D8161, 0XB50C7B74, 0X0000000B)

aujasnkj.sys - Address B4FE3670 BASE AT B4FD8000 DATESTAMP 4A891380
 
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs



Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If requested, please reboot
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
 
Unable to do ComboFix due to bluescreen. It goes as far as scanning, then blue screen.

Error message is something attempted to write to read only. No names with this one.

tech info:

STOP: 0X000000BE (0X804E13A7, 0X004E1161, 0XF78DECD0, 0X0000000B)

malwarebytes log #1

Malwarebytes' Anti-Malware 1.40
Database version: 2707
Windows 5.1.2600 Service Pack 3

27/08/2009 22:35:40
mbam-log-2009-08-27 (22-35-40).txt

Scan type: Full Scan (C:\|I:\|)
Objects scanned: 308923
Time elapsed: 22 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 10
Registry Values Infected: 9
Registry Data Items Infected: 8
Folders Infected: 3
Files Infected: 41

Memory Processes Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\services.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\nscf31.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Delete on reboot.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\glaide32 (Rootkit.Rustok) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiSpyware Service (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup (Worm.Palevo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: nscf31.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\twext.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556 (TrojanProxy.Slenugga) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.

Files Infected:
C:\WINDOWS\nscf31.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\services.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\1533926148.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\1570129124.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\1728515536.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\1928446482.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\72977732.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\mdm.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\notepad.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\853581186.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\smss.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\system.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\kbiwkmdccrnsplwq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\kbiwkmgptvkpylby.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\2013264930.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\2740931964.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\2818849868.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\3457196482.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\3467926996.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\3645238262.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\4013479428.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\win.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winamp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winlogon.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\debug.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX1\install.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX2\install.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\Desktop.ini (TrojanProxy.Slenugga) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\glaide32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.


I rebooted and ran the scan again. This is the log from the second scan.


Malwarebytes' Anti-Malware 1.40
Database version: 2707
Windows 5.1.2600 Service Pack 3

27/08/2009 23:03:33
mbam-log-2009-08-27 (23-03-33).txt

Scan type: Full Scan (C:\|I:\|)
Objects scanned: 308867
Time elapsed: 22 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
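An added example (my own code, not from the thread or from Malwarebytes) that parses the two 'Registry Data Items Infected' lines above and spells out why the 'Bad' ImagePath matters: the hijack swaps %SystemRoot% for %fystemroot%, a variable that does not exist, so the REG_EXPAND_SZ path never resolves to a real file and the wuauserv and BITS services behind Windows Update cannot start. The line pattern and the list of variables the Service Control Manager expands are my assumptions.

```python
import re

# One 'Registry Data Items Infected' line as MBAM 1.40 writes it (pattern is my assumption)
MBAM_DATA = re.compile(
    r"^(?P<key>HKEY_\S+)\\(?P<value>\w+) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)
# Variables the Service Control Manager actually expands in a REG_EXPAND_SZ ImagePath
KNOWN_VARS = {"systemroot", "windir", "systemdrive", "programfiles"}
ENV_REF = re.compile(r"%([^%]+)%")


def parse_mbam_data_line(line):
    """Return the fields of one data-item line, or None if the line is not one."""
    m = MBAM_DATA.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["service"] = d["key"].split("\\")[-1]   # ...\Services\<name>\ImagePath
    return d


def image_path_findings(bad, good):
    """Explain why the 'Bad' value breaks the service compared with 'Good'."""
    findings = []
    for var in ENV_REF.findall(bad):
        if var.lower() not in KNOWN_VARS:
            # %fystemroot% is never defined, so the path never points at a real file
            findings.append(f"%{var}% is not a defined variable: path cannot resolve")
    if bad.lower() != good.lower():           # Windows paths are case-insensitive
        findings.append("ImagePath differs from the expected svchost command line")
    return findings


def audit_log(text):
    """Map service name -> findings for every ImagePath data item in an MBAM log."""
    result = {}
    for line in text.splitlines():
        d = parse_mbam_data_line(line)
        if d and d["value"] == "ImagePath":
            result[d["service"]] = image_path_findings(d["bad"], d["good"])
    return result


# Constructed sample: the two lines from the log above plus their section header
SAMPLE = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for service, findings in audit_log(SAMPLE).items():
        print(service, findings)
```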
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
 
SysProt log


SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmsdjnkvxf.sys
Service Name: kbiwkmpkbmwnli
Module Base: ---
Module End: ---
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8065628D
Jump To: 89C1971A
Module Name: _unknown_

Hooked Function: ZwSaveKey
At Address: 806561A2
Jump To: 89C1A6E2
Module Name: _unknown_

Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 89C1871C
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 89C196E4
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 89C1C6F3
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 89C1A71B
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied
 
Try running ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /stepdel

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


If that doesn't work, reboot and then rename Combofix to CleanMe and double click it then
 
Blue screen again.

First attempt, ComboFix said there was an update. Update downloaded.

Both methods:

Ran program, came up with disclaimer and started scan, then bluescreen. Same tech info as previous attempt.
 
Avenger

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Code:
    Drivers to disable:
    kbiwkmpkbmwnli
  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
 
Done that.


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Disablement of driver "kbiwkmpkbmwnli" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)


Completed script processing.

*******************

Finished! Terminate.
 
We need to use GMER to delete a service and remove the file:
  • Open the gmer folder and double click gmer.exe to run the program
  • On starting GMER will run a short scan, allow it to complete this, then click No if it asks you to run a full scan.
  • Click on the > > > tab to open the menus
  • Click on the Services tab
  • Scroll down until you find the following Service (Note: This may be highlighted in red)

    kbiwkmpkbmwnli
  • Click on the Service Name to Highlight it, then right click and choose Delete...
  • Click OK at the first confirmation dialog to remove the service
  • Click OK to the second confirmation dialog to remove the file
  • Click OK to exit the program


Download and Run ComboFix

Delete any copy of Combofix that you have

Download Combofix from the link below. Save it to your desktop.

> Link Removed <

(I have renamed the file)

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Try double clicking the renamed file.
 
Still getting a bluescreen when I run ComboFix. Something obviously doesn't want it to run! (Is this turning out to be an awkward fix for you?)
 
Things may have just gone from bad to worse....

Ran SysProt, and whilst it was doing its thing, a 'program' appeared called 'Windows Antivirus Pro' saying the computer is infected, and to purchase. When I click to open Firefox, I get a message saying it's infected and it won't open a new window.

Then another 'program' appears called 'Windows Security Centre'. Says firewall and automatic updates are on, virus protection not found.

Then I get a message saying svchost.exe has encountered a problem and needs to close. Options are debug, send error report and fit it.

Just as I'm typing this, I got another window saying 'warning! 3 infection found' - it's also from Windows Antivirus Pro.

sysprot log

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmsdjnkvxf.sys
Service Name: kbiwkmpkbmwnli
Module Base: ---
Module End: ---
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8065628D
Jump To: 89C4A6E2
Module Name: _unknown_

Hooked Function: ZwSaveKey
At Address: 806561A2
Jump To: 89C4A71A
Module Name: _unknown_

Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 89C496E4
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 89C4971C
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 892D6C9B
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 89C4B6DB
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied
 
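An added example (my own code, not SysProt's or the thread's) that parses SysProt logs of the layout posted twice in this thread and pulls out what a responder acts on: the hidden driver, and the hooks whose jump target SysProt could not attribute to any module it could name. The 'Access denied' entries under C:\System Volume Information are the System Restore folder's ACL, which denies even administrators on XP, and are not an indicator. The log layout assumed here is the one visible above.

```python
import re

SEPARATOR = re.compile(r"^\*{10,}$")   # the rows of asterisks between sections


def parse_sysprot(text):
    """Return {section: [record, ...]}: each record holds the 'Field: value' lines of one block."""
    sections, current, record = {}, None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or SEPARATOR.match(line):          # a blank line or rule closes the record
            if record and current:
                sections[current].append(record)
            record = {}
        elif line.endswith(":") and ": " not in line:  # section header such as 'Kernel Hooks:'
            current = line[:-1]
            sections[current] = []
        elif ": " in line and current:
            key, _, value = line.partition(": ")
            record[key] = value
    if record and current:                             # last block has no trailing blank line
        sections[current].append(record)
    return sections


def indicators(sections):
    """Findings a responder should act on, as (severity, description) tuples."""
    found = []
    for m in sections.get("Kernel Modules", []):
        if m.get("Hidden") == "Yes":
            found.append(("high", f"hidden driver {m['Module Name']} (service {m['Service Name']})"))
    for h in sections.get("Kernel Hooks", []):
        if h.get("Module Name") == "_unknown_":          # jump target in no module SysProt could name
            found.append(("high", f"{h['Hooked Function']} hooked at {h['At Address']} -> {h['Jump To']}"))
    for o in sections.get("Hidden files/folders", []):
        if o.get("Status") == "Access denied" and "System Volume Information" in o.get("Object", ""):
            continue   # System Restore's ACL denies even administrators on XP: normally benign
        found.append(("review", f"hidden object {o.get('Object')} ({o.get('Status')})"))
    return found


# Constructed sample: a cut-down copy of the log above
SAMPLE = r"""**********
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmsdjnkvxf.sys
Service Name: kbiwkmpkbmwnli
Hidden: Yes
**********
Kernel Hooks:
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 89C4B6DB
Module Name: _unknown_
**********
Hidden files/folders:
Object: C:\System Volume Information\tracking.log
Status: Access denied
"""
```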
I've had a word with the developer of Combofix, and we want to make sure that Avast isn't interfering.

Right click on the avast! icon in system tray and choose (Stop On-Access Protection)
Then try running Combofix
 
I think I uninstalled Avast before I came here. I tried a few different programs, and once I was finished with something, it was removed. I have a folder in c: program files called alwil software, in that avast4, in that setup and 1 file in there called setup (0KB). And that's it. There is no icon anywhere, no desktop icon, nothing in start menu or anything.
 
Please run MalwareBytes again (Quick Scan) , and then post a fresh RSIT log
 
Please run MalwareBytes again (Quick Scan) , and then post a fresh RSIT log

Can't do that. Can't open any program. When I try, I get a message in the bottom right corner saying

'Warning!

Running of application impossible. the file c:/program files/malwarebytes' anti-malware/mbam.exe is infected. please activate your antivirus program'


This applies to any program.

I tried Start, Run and c:/program files... mbam.exe, but I got the same message
(I know the / should be the other way - but the keyboard layout is different on my laptop)
I can open folders but that's it.
 
Let's try running in safe mode.


Reboot in safe mode
You will now need to reboot in safe mode, you will not have internet access whilst you do the next part
Please copy/paste or print the following instructions.


To reboot in safe mode
You can boot in Safe Mode by restarting your computer, then continually tapping F5 OR F8 until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit enter.


Now try the following programs

MalwareBytes
RSIT
Combofix
 