I can't remove this malware

Post by Zedman2k » April 7th, 2010, 11:08 pm

When I click on a Google search link, Firefox opens a different search engine with junk info. I have run Ad-Aware, Avast, Malwarebytes, Microsoft Security Essentials, and Spybot with no luck.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:18 PM, on 4/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 3467 bytes

Anything will help.

Thanks guys.
Zedman2k
Active Member
 
Posts: 10
Joined: April 7th, 2010, 10:51 pm
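The HijackThis log above is what the helpers read by hand, entry by entry. As an added example (not part of this thread, and not code from HijackThis or MalwareRemoval.com), the following Python script parses lines in that format into (section, path) records and flags two signals a reviewer looks for and that appear in this thread's own logs: an entry whose target reports "(file missing)", and an autostart target sitting under a Temp folder. The sample lines are copied from the log above plus one constructed O4 entry (the last line) pointing into a Temp folder; the flag rules, regexes and function names are the example's own assumptions, not HijackThis behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: five lines copied from the HijackThis log posted above, plus
# one constructed O4 entry (the last line) whose target sits under a Temp folder.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O4 - HKCU\..\Run: [constructed] C:\DOCUME~1\Jerry\LOCALS~1\Temp\constructed.exe
"""

# One HijackThis entry line: "<section> - <body>", e.g. "O23 - Service: ... - C:\...\AvastSvc.exe".
# Header lines, the "Running processes" list and "End of file" do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# First drive-letter path in the body, cut at the executable/library extension so that
# trailing arguments ("/nogui"), "(file missing)" or a res:// resource suffix are dropped.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|com|bat|cmd)\b", re.IGNORECASE)
# Assumed heuristic: a Temp folder anywhere in the path (covers "LOCALS~1\Temp" short names too).
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
FILE_MISSING = "(file missing)"


@dataclass
class HjtEntry:
    section: str            # HijackThis section code: "R0", "O2", "O4", "O23", ...
    body: str               # text after "<section> - "
    path: str               # resolved file path, "" when the entry has none (e.g. a URL)
    flags: List[str] = field(default_factory=list)


def review_flags(entry: HjtEntry) -> List[str]:
    """Signals worth a second look. Neither is proof of infection on its own."""
    flags = []
    if FILE_MISSING in entry.body:
        flags.append("file missing")              # registry points at a file that is gone
    if entry.path and TEMP_RE.search(entry.path):
        flags.append("path under a Temp folder")  # autostart/driver living in a temp dir
    return flags


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Turn the entry lines of a HijackThis log into HjtEntry records with review flags."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entry = HjtEntry(m.group("section"), body, pm.group(0) if pm else "")
        entry.flags = review_flags(entry)
        entries.append(entry)
    return entries


def flagged(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Only the entries that raised at least one flag, in log order."""
    return [e for e in entries if e.flags]


def summarize(entries: List[HjtEntry]) -> Dict[str, int]:
    """Entry count per section: a quick check that no line was silently skipped."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print(summarize(parsed))
    for e in flagged(parsed):
        print(f"{e.section}: {e.path or e.body}  <- {', '.join(e.flags)}")
```

The script only reports; it never deletes anything, because both signals are heuristics. The Messenger "(file missing)" entries in the log above are a leftover of a removed component rather than an infection, and a legitimate installer can briefly run from a Temp folder, so each flagged line still needs the human review this forum provides.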

Re: I can't remove this malware

Post by Wingman » April 10th, 2010, 12:51 pm

Hello... Zedman2k ... Welcome to the forum.
I apologize for the delay getting to your log but as you can see the forum is very busy.

My name is Wingman, and I'll be helping you with any malware problems.
The logs I request can take a while to research, so please be patient.

Please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. DO NOT run any other fix or removal tools unless instructed to do so!
  3. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  4. Only- post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  5. Print each set of instructions...if possible...your Internet connection will not be available during some fix processes.
  6. Only- reply to this thread, do not start another ... Please, continue responding, until I give you the "All Clean"
Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>> do not proceed; post back with the question or problem.

Before we start:
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care, not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

For your safety and protection, I would advise backing up all your important documents, personal data files and photos to a CD or DVD drive, as some infections may render your computer unbootable during or before the disinfection process. The safest practice is not to back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.


Step 1.
ERUNT - Emergency Recovery Utility NT
This is a free program that allows you to keep a complete backup of your registry and restore it when needed.
If you already have this installed, please skip to the Run: portion of the instructions.

ERUNT utility program
Download:

  1. Please download ERUNT...by Lars Hederer. Save it to your desktop.
  2. Double-click erunt-setup.exe to run the install process. Install ERUNT by following the prompts.
  3. Use the default install settings...
  4. Make sure the first two check boxes -> (Create ERUNT and NTREGOPT desktop icons) are checked.
    Say "NO" if prompted or asked if you want to add ERUNT to the Start-Up folder. You can enable this later.
  5. Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  6. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is fine.
  7. Click on OK ... then click on "YES" to create the folder.
Run:
This will create a full backup of your registry... ERUNT can be used to restore the registry from this backup, if needed.
  1. Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
RSIT (Random's System Information Tool)
Please download RSIT by random/random... save it to your desktop.
  1. Double click on RSIT.exe to run it... read the disclaimer... click on Continue.
  2. RSIT will start running. When done, 2 log files will be produced.
    The first one, "log.txt", will be maximized; the second one, "info.txt", will be minimized.
    These log files can be found in the C:\RSIT folder
  3. Please post both... "log.txt" and "info.txt", file contents in your next reply.

Step 3.
GMER
The downloaded file will have a random name... this prevents malware from detecting and blocking it.
Please download GMER... random file name.exe by GMER. An alternate (zip file) download site.
Note: Do not run any programs while Gmer is running.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  1. Double click on the random named.exe to execute. If asked, allow the gmer.sys driver load.
  2. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO <--- Important!
  3. On the right side panel, several boxes have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <-- don't miss this one

  4. If you don't get a warning then... Click the Rootkit/Malware tab at the top of the GMER window.
  5. Click the Scan button.
  6. Once the scan has finished... click Save. The Save... window will open.
  7. Save the scan results as gmerroot.log, save it to your Desktop.
  8. Double click on the desktop "gmerroot.log" file, to open in Notepad.
  9. Copy and paste the contents of the file gmerroot.log in your next reply.
    Note: If GMER hangs or crashes your computer, re-run it and UNCHECK "Devices" along with the other items mentioned.

Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. RSIT log.txt and info.txt file contents.
  3. GMER - gmerroot.log file contents.
  4. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14112
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: I can't remove this malware

Post by Zedman2k » April 10th, 2010, 8:43 pm

Hello Wingman, thank you for your time as I can see you are very busy.

I have included the logs you requested.

I have rerun Malwarebytes since my first post, as I was infected with one of those fake virus software programs that would not let me open Firefox. When I do a Google search, if I click on one of the links, it will open a new search-type page. It will also just open a new tab every so often to either a "random" site or to one that Avast stops as an attempt to download a Trojan.

Thank you,
Zedman2K


Logfile of random's system information tool 1.06 (written by random/random)
Run by Jerry at 2010-04-10 19:47:12
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 19 GB (55%) free of 34 GB
Total RAM: 2814 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:13 PM, on 4/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
D:\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Jerry.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 2198 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast5"=C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [2010-03-09 2769336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCU]
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX7400 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBTUpd]
C:\Program Files\GIGABYTE\GBTUpd\PreRun.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
C:\Program Files\Microsoft Security Essentials\msseces.exe [2010-02-21 1093208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
d:\Program Files\PowerISO\PWRISOVM.EXE [2009-11-08 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2009-08-14 18702336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
d:\program files\steam\steam.exe [2010-02-20 1217872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcapd"=3
"PnkBstrA"=2
"ose"=3
"odserv"=3
"Microsoft Office Groove Audit Service"=3
"JavaQuickStarterService"=2
"idsvc"=3
"IDriverT"=3
"ES lite Service"=2
"BCUService"=2
"Ati HotKey Poller"=2
"uvnc_service"=3
"PnkBstrB"=2
"MsMpSvc"=2
"EPSON_PM_RPCV4_01"=2
"CrossLoopService"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-07-29 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\Gigabyte\GBTUpd\RunUpd.exe"="C:\Program Files\Gigabyte\GBTUpd\RunUpd.exe:*:Enabled:RunUpd"
"C:\Program Files\Gigabyte\GBTUpd\GBTUpd.exe"="C:\Program Files\Gigabyte\GBTUpd\GBTUpd.exe:*:Enabled:GBTUpd.exe"
"C:\Program Files\Gigabyte\EasySaver\UpdExe.exe"="C:\Program Files\Gigabyte\EasySaver\UpdExe.exe:*:Enabled:Exe File"
"C:\Program Files\Gigabyte\EasySaver\GBTUpd.exe"="C:\Program Files\Gigabyte\EasySaver\GBTUpd.exe:*:Enabled:GBTUpd.exe"
"D:\Program Files\Steam\Steam.exe"="D:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"D:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe"="D:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe:*:Enabled:hl2"
"D:\Program Files\Steam\steamapps\zedmanmmiv\day of defeat source\hl2.exe"="D:\Program Files\Steam\steamapps\zedmanmmiv\day of defeat source\hl2.exe:*:Enabled:hl2"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"D:\Program Files\Steam\steamapps\common\america's army 3\Binaries\AA3Game.exe"="D:\Program Files\Steam\steamapps\common\america's army 3\Binaries\AA3Game.exe:*:Disabled:America's Army 3"
"C:\Documents and Settings\Jerry\Local Settings\Application Data\CrossLoop\vncviewer.exe"="C:\Documents and Settings\Jerry\Local Settings\Application Data\CrossLoop\vncviewer.exe:*:Enabled:vncviewer.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15725b98-0bed-11df-adc5-806d6172696f}]
shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54757af8-0b4a-11df-9178-806d6172696f}]
shell\AutoRun\command - D:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fbe7920-1451-11df-96cf-0012179fe30e}]
shell\AutoRun\command - G:\USBAutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f855c47c-20cf-11df-96d8-0012179fe30e}]
shell\AutoRun\command - G:\StartPortableApps.exe


======File associations======

.scr - open - "%1" /S "%3"

======List of files/folders created in the last 1 months======

2010-04-10 19:39:21 ----DC---- C:\rsit
2010-04-10 19:37:50 ----D---- C:\WINDOWS\ERDNT
2010-04-10 19:36:48 ----D---- C:\Program Files\ERUNT
2010-04-07 22:16:39 ----D---- C:\Program Files\Trend Micro
2010-04-07 20:04:46 ----DC---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 18:48:37 ----A---- C:\WINDOWS\system32\lsdelete.exe
2010-04-07 17:39:00 ----HDC---- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-07 17:38:54 ----DC---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-04-07 17:38:54 ----D---- C:\Program Files\Lavasoft
2010-04-07 14:10:37 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2010-04-07 14:08:34 ----D---- C:\Program Files\Microsoft Security Essentials
2010-04-07 13:56:21 ----A---- C:\WINDOWS\ntbtlog.txt
2010-04-06 23:44:54 ----DC---- C:\spoolerlogs
2010-04-03 00:13:17 ----D---- C:\Documents and Settings\Jerry\Application Data\UltraVNC
2010-03-31 14:45:22 ----HDC---- C:\WINDOWS\$NtUninstallKB980182$
2010-03-28 23:24:45 ----D---- C:\Documents and Settings\Jerry\Application Data\bfgbar
2010-03-28 18:08:34 ----D---- C:\Program Files\Turtix
2010-03-28 18:02:27 ----ADC---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-03-28 18:01:46 ----D---- C:\Program Files\Big Fish Games Toolbar Installer
2010-03-28 17:59:53 ----D---- C:\Program Files\bfgclient
2010-03-28 17:58:48 ----DC---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2010-03-28 00:54:02 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2010-03-28 00:53:56 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2010-03-20 02:29:27 ----D---- C:\Documents and Settings\Jerry\Application Data\Help
2010-03-20 02:29:27 ----D---- C:\Documents and Settings\Jerry\Application Data\gtk-2.0
2010-03-18 00:54:52 ----D---- C:\Documents and Settings\Jerry\Application Data\Malwarebytes
2010-03-18 00:54:47 ----DC---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-03-18 00:54:47 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-11 21:32:17 ----D---- C:\Documents and Settings\Jerry\Application Data\Ubisoft
2010-03-11 21:31:57 ----A---- C:\WINDOWS\system32\XAudio2_5.dll
2010-03-11 21:31:57 ----A---- C:\WINDOWS\system32\xactengine3_5.dll
2010-03-11 21:31:57 ----A---- C:\WINDOWS\system32\D3DCompiler_42.dll
2010-03-11 21:31:54 ----A---- C:\WINDOWS\system32\d3dcsx_42.dll
2010-03-11 21:31:53 ----A---- C:\WINDOWS\system32\D3DX9_42.dll
2010-03-11 21:31:53 ----A---- C:\WINDOWS\system32\d3dx11_42.dll
2010-03-11 21:31:53 ----A---- C:\WINDOWS\system32\d3dx10_42.dll
2010-03-11 21:31:52 ----A---- C:\WINDOWS\system32\XAPOFX1_3.dll
2010-03-11 21:31:52 ----A---- C:\WINDOWS\system32\D3DX9_41.dll
2010-03-11 21:31:52 ----A---- C:\WINDOWS\system32\d3dx10_41.dll
2010-03-11 21:31:52 ----A---- C:\WINDOWS\system32\D3DCompiler_41.dll
2010-03-11 21:31:51 ----A---- C:\WINDOWS\system32\XAudio2_4.dll
2010-03-11 21:31:51 ----A---- C:\WINDOWS\system32\xactengine3_4.dll
2010-03-11 21:31:51 ----A---- C:\WINDOWS\system32\X3DAudio1_6.dll
2010-03-11 21:31:50 ----A---- C:\WINDOWS\system32\XAudio2_3.dll
2010-03-11 21:31:50 ----A---- C:\WINDOWS\system32\XAPOFX1_2.dll
2010-03-11 21:31:50 ----A---- C:\WINDOWS\system32\D3DX9_40.dll
2010-03-11 21:31:50 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2010-03-11 21:31:50 ----A---- C:\WINDOWS\system32\D3DCompiler_40.dll
2010-03-11 21:31:49 ----A---- C:\WINDOWS\system32\XAudio2_2.dll
2010-03-11 21:31:49 ----A---- C:\WINDOWS\system32\XAPOFX1_1.dll
2010-03-11 21:31:49 ----A---- C:\WINDOWS\system32\xactengine3_3.dll
2010-03-11 21:31:49 ----A---- C:\WINDOWS\system32\X3DAudio1_5.dll
2010-03-11 21:31:48 ----A---- C:\WINDOWS\system32\xactengine3_2.dll
2010-03-11 21:31:47 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2010-03-11 21:31:47 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2010-03-11 21:31:47 ----A---- C:\WINDOWS\system32\xactengine3_1.dll
2010-03-11 21:31:46 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2010-03-11 21:31:46 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2010-03-11 21:31:46 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2010-03-11 21:31:46 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2010-03-11 21:31:45 ----A---- C:\WINDOWS\system32\XAudio2_0.dll
2010-03-11 21:31:45 ----A---- C:\WINDOWS\system32\xactengine3_0.dll
2010-03-11 21:31:44 ----A---- C:\WINDOWS\system32\X3DAudio1_3.dll
2010-03-11 21:31:44 ----A---- C:\WINDOWS\system32\D3DX9_37.dll
2010-03-11 21:31:44 ----A---- C:\WINDOWS\system32\d3dx10_37.dll
2010-03-11 21:31:44 ----A---- C:\WINDOWS\system32\D3DCompiler_37.dll
2010-03-11 21:31:43 ----A---- C:\WINDOWS\system32\xactengine2_10.dll
2010-03-11 21:31:43 ----A---- C:\WINDOWS\system32\d3dx10_36.dll
2010-03-11 21:31:43 ----A---- C:\WINDOWS\system32\D3DCompiler_36.dll
2010-03-11 21:31:42 ----A---- C:\WINDOWS\system32\d3dx9_36.dll

======List of files/folders modified in the last 1 months======

2010-04-10 19:45:25 ----RD---- C:\Program Files
2010-04-10 19:39:23 ----D---- C:\WINDOWS\Prefetch
2010-04-10 19:37:50 ----D---- C:\WINDOWS
2010-04-10 18:46:37 ----D---- C:\WINDOWS\Temp
2010-04-10 06:48:24 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-04-10 00:24:43 ----D---- C:\WINDOWS\system32
2010-04-10 00:24:42 ----D---- C:\WINDOWS\system32\drivers
2010-04-09 18:56:37 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-09 18:47:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-04-09 18:42:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-09 17:12:36 ----HD---- C:\WINDOWS\inf
2010-04-07 22:34:28 ----RSHC---- C:\boot.ini
2010-04-07 22:34:28 ----A---- C:\WINDOWS\win.ini
2010-04-07 22:34:28 ----A---- C:\WINDOWS\system.ini
2010-04-07 22:27:31 ----SD---- C:\WINDOWS\Tasks
2010-04-07 22:19:47 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-04-07 20:40:32 ----D---- C:\Program Files\Mozilla Firefox
2010-04-07 20:31:29 ----SHDC---- C:\Config.Msi
2010-04-07 20:31:29 ----SHD---- C:\WINDOWS\Installer
2010-04-07 20:31:10 ----D---- C:\WINDOWS\WinSxS
2010-04-07 20:29:31 ----HD---- C:\Program Files\InstallShield Installation Information
2010-04-07 20:29:31 ----D---- C:\Program Files\Common Files
2010-04-07 20:28:51 ----D---- C:\Program Files\Gigabyte
2010-04-07 17:43:21 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-04-07 17:25:00 ----D---- C:\WINDOWS\msapps
2010-04-07 14:21:49 ----RSD---- C:\WINDOWS\Fonts
2010-04-07 14:08:42 ----SDC---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-04-06 23:49:57 ----D---- C:\WINDOWS\system32\config
2010-04-06 23:49:40 ----D---- C:\WINDOWS\system32\wbem
2010-04-06 23:49:39 ----D---- C:\WINDOWS\Registration
2010-04-06 23:48:57 ----D---- C:\Documents and Settings\Jerry\Application Data\BitTorrent
2010-03-31 07:24:06 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-29 19:45:03 ----D---- C:\WINDOWS\Debug
2010-03-20 03:25:23 ----D---- C:\WINDOWS\system32\LogFiles
2010-03-20 02:29:21 ----D---- C:\WINDOWS\system32\DirectX
2010-03-20 02:28:23 ----D---- C:\Program Files\File Scavenger 3.2
2010-03-20 02:25:39 ----D---- C:\Program Files\Movie Maker
2010-03-20 00:58:26 ----SD---- C:\Documents and Settings\Jerry\Application Data\Microsoft
2010-03-18 01:36:22 ----D---- C:\WINDOWS\Config
2010-03-14 05:29:49 ----DC---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-03-13 20:38:26 ----D---- C:\WINDOWS\Help
2010-03-11 21:31:29 ----RSD---- C:\WINDOWS\assembly

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2010-03-09 28880]
R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 aswSP;aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [2010-03-09 162640]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2010-03-09 46672]
R1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2009-12-02 149040]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2009-11-08 59388]
R1 truecrypt;truecrypt; C:\WINDOWS\System32\drivers\truecrypt.sys [2010-02-22 223440]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\drivers\aswFsBlk.sys [2010-03-09 19024]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2010-03-09 100432]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2010-03-09 23376]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-07-29 4411392]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-08-18 5884416]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 RT2500;Linksys Wireless-G PCI Adapter Driver; C:\WINDOWS\system32\DRIVERS\RT2500.sys [2005-10-20 243328]
R3 RTHDMIAzAudService;Service for HDMI; C:\WINDOWS\system32\drivers\RtKHDMI.sys [2009-06-24 3734976]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 AODDriver;AODDriver; \??\C:\Program Files\GIGABYTE\ET6\i386\AODDriver.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 cpuz130;cpuz130; \??\C:\DOCUME~1\Jerry\LOCALS~1\Temp\cpuz130\cpuz_x32.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 etdrv;etdrv; \??\C:\WINDOWS\etdrv.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys []
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 pbfilter;pbfilter; \??\D:\Program Files\PeerBlock\pbfilter.sys []
S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2009-06-29 142592]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\system32\DRIVERS\lgusbbus.sys [2007-07-23 12416]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys [2007-07-23 19840]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys [2007-07-23 21632]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-03-09 40384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-07 1265264]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-03-09 40384]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-03-09 40384]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlusHelper;getPlus(R) Helper; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-07-29 602112]
S4 CrossLoopService;CrossLoop Service; C:\Documents and Settings\Jerry\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [2010-03-15 560792]
S4 EPSON_PM_RPCV4_01;EPSON V3 Service4(01); C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE [2007-01-11 113664]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-28 153376]
S4 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S4 MsMpSvc;Microsoft Antimalware Service; C:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2009-12-09 17904]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2010-03-28 75064]
S4 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2010-04-04 189480]
S4 uvnc_service;uvnc_service; C:\Documents and Settings\Jerry\Local Settings\Application Data\CrossLoop\winvnc.exe [2009-12-06 1590216]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-04-10 19:47:15

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
7-Zip 4.65-->"d:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware Email Scanner for Outlook-->MsiExec.exe /I{338F08AB-C262-42C7-B000-34DE1A475273}
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
Adobe Download Manager-->"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.3.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
AMD Processor Driver-->C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0009 -removeonly
America's Army 3-->"D:\Program Files\Steam\steam.exe" steam://uninstall/13140
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI Parental Control & Encoder-->MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
avast! Free Antivirus-->C:\Program Files\Alwil Software\Avast5\aswRunDll.exe "C:\Program Files\Alwil Software\Avast5\Setup\setiface.dll" RunSetup
Big Fish Games: Game Manager-->C:\Program Files\bfgclient\Uninstall.exe
BitTorrent-->"C:\Program Files\BitTorrent\BitTorrent.exe" /UNINSTALL
CCleaner-->"d:\Program Files\CCleaner\uninst.exe"
Counter-Strike: Source-->"D:\Program Files\Steam\steam.exe" steam://uninstall/240
CrossLoop 2.72-->"C:\Documents and Settings\Jerry\Local Settings\Application Data\CrossLoop\unins000.exe"
Day of Defeat: Source-->"D:\Program Files\Steam\steam.exe" steam://uninstall/300
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
GIMP 2.6.8-->"d:\Program Files\GIMP-2.0\setup\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
IrfanView (remove only)-->d:\Program Files\IrfanView\iv_uninstall.exe
Java(TM) 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
K-Lite Codec Pack 5.7.0 (Full)-->"d:\Program Files\K-Lite Codec Pack\unins000.exe"
LG USB Modem Drivers-->MsiExec.exe /I{FA02ACAC-9E14-4878-A257-92A22A647C2C}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Antimalware-->MsiExec.exe /X{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Security Essentials-->C:\Program Files\Microsoft Security Essentials\setup.exe /x
Microsoft Security Essentials-->MsiExec.exe /I{EF98A02A-1748-4762-9B7D-5ED1600520D5}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
OpenOffice.org 3.1-->MsiExec.exe /I{A16B3EA2-8798-4960-8D8B-18D3149AD617}
PowerISO-->"d:\Program Files\PowerISO\uninstall.exe"
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\Setup.Exe -runfromtemp -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.EXE" -l0x9 -removeonly
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB978380)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {667A88D1-0369-4070-A62A-70672D68A9BF}
Security Update for Microsoft Office Excel 2007 (KB978382)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6DE3DABF-0203-426B-B330-7287D1003E86}
Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050}
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Spybot - Search & Destroy-->"d:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
TrueCrypt-->"C:\Program Files\TrueCrypt\TrueCrypt Setup.exe" /u
Turtix-->"C:\Program Files\Turtix\Uninstall.exe"
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}
Update for Outlook 2007 Junk Email Filter (kb979895)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {D45674C6-9127-4C84-8826-93FBC552DF53}
Update for Windows XP (KB980182)-->"C:\WINDOWS\$NtUninstallKB980182$\spuninst\spuninst.exe"
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

=====HijackThis Backups=====

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-04-07]
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2010-04-07]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [2010-04-07]
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2010-04-09]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2010-04-09]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-09]
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2010-04-09]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll [2010-04-09]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) [2010-04-09]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank [2010-04-09]
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll [2010-04-09]
O4 - HKLM\..\Run: [Total PC Defender 2010] C:\Program Files\Total PC Defender 2010\Total PC Defender 2010.exe [2010-04-09]
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-09]
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) [2010-04-09]

======Security center information======

AV: avast! Antivirus
AV: Microsoft Security Essentials (disabled)

======System event log======

Computer Name: ZED
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\D during a paging operation.

Record Number: 3765
Source Name: Disk
Time Written: 20100302223147.000000-300
Event Type: warning
User:

Computer Name: ZED
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\D during a paging operation.

Record Number: 3764
Source Name: Disk
Time Written: 20100302223147.000000-300
Event Type: warning
User:

Computer Name: ZED
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\D during a paging operation.

Record Number: 3763
Source Name: Disk
Time Written: 20100302223147.000000-300
Event Type: warning
User:

Computer Name: ZED
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\D during a paging operation.

Record Number: 3762
Source Name: Disk
Time Written: 20100302223147.000000-300
Event Type: warning
User:

Computer Name: ZED
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\D during a paging operation.

Record Number: 3761
Source Name: Disk
Time Written: 20100302223147.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: ZED
Event Code: 1000
Message: Faulting application firefox.exe, version 1.9.2.3667, faulting module unknown, version 0.0.0.0, fault address 0x00000008.

Record Number: 762
Source Name: Application Error
Time Written: 20100301222734.000000-300
Event Type: error
User:

Computer Name: ZED
Event Code: 1001
Message: Fault bucket 1667465332.

Record Number: 758
Source Name: Application Error
Time Written: 20100225223708.000000-300
Event Type: error
User:

Computer Name: ZED
Event Code: 1000
Message: Faulting application firefox.exe, version 1.9.2.3667, faulting module jvm.dll, version 16.0.0.13, fault address 0x000c7cf2.

Record Number: 757
Source Name: Application Error
Time Written: 20100225223633.000000-300
Event Type: error
User:

Computer Name: ZED
Event Code: 63
Message: A provider, OffProv12, has been registered in the WMI namespace, Root\MSAPPS12, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 682
Source Name: WinMgmt
Time Written: 20100223181307.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ZED
Event Code: 1000
Message: Faulting application hl2.exe, version 0.0.0.0, faulting module datacache.dll, version 0.0.0.0, fault address 0x0000b423.

Record Number: 635
Source Name: Application Error
Time Written: 20100213003740.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=16
"PROCESSOR_IDENTIFIER"=x86 Family 16 Model 5 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=0502
"NUMBER_OF_PROCESSORS"=4
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-10 19:54:56
Windows 5.1.2600 Service Pack 3
Running: zkwqpzpd.exe; Driver: C:\DOCUME~1\Jerry\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA83CDC56]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA83CDB12]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA83CE0C6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA83CDFF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA83CD6E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA83CDBEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA83CD628]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA83CD68C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA83CDD0C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA83CE194]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA83CDCCC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA83CDE4C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA83DA4FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA83DA322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA83DA45C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A9FCAC8

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
Zedman2k
Active Member
 
Posts: 10
Joined: April 7th, 2010, 10:51 pm

Re: I can't remove this malware

Unread postby Wingman » April 11th, 2010, 11:24 am

Hello Zedman2k

Running Fix Programs
I understand your desire to get your computer secure and it's a good thing to do... but I must ask that you not run any "fix" programs, unless specifically requested by me. You may remove files that I need to see in order to determine the best removal approach. If you have problems, please just post the issue and we'll work together to resolve it. If you feel that you can't wait and have to run programs on your own, that's your decision, but you will no longer receive my help and this topic will be closed.

I would suggest you minimize the use of this computer, until we are finished. This will help keep the system "stable" while we clean it.

Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
GMER - MBR.EXE
Please download MBR.EXE by GMER. Save it to your desktop.
  1. Double click on mbr.exe to execute.
    If you receive the "Publisher could not be verified" security warning, please press Run.
  2. A black CMD prompt window will open and close quickly, this is expected and normal.
    Upon completion, a file will be created on your desktop named "mbr.log"
  3. Double click the "mbr.log" file and Notepad should open.
  4. Copy and paste the contents of the files mbr.log in your next reply.

Step 3.
Re-run - RSIT (Random's System Information Tool)
Please locate the previous RSIT output logs C:\RSIT\log.txt and C:\RSIT\info.txt
Open each in Notepad... click on the "Format" command and UNCHECK Wordwrap... then
please post both "log.txt" and "info.txt" file contents in your next reply.

Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. MBAM - log file from last run.
  3. GMER - mbr.log
  4. RSIT - log.txt and info.txt file contents (with Wordwrap turned off)
  5. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14112
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: I can't remove this malware

Unread postby Zedman2k » April 11th, 2010, 4:23 pm

Hi Wingman

The issues with the computer have not changed; links from Google are redirected and tabs are opened randomly to unwanted sites.

The logs you requested follow.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


Logfile of random's system information tool 1.06 (written by random/random)
Run by Jerry at 2010-04-11 15:41:23
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 19 GB (55%) free of 34 GB
Total RAM: 2814 MB (78% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:24 PM, on 4/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
D:\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Jerry.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 2231 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast5"=C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [2010-03-09 2769336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCU]
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX7400 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBTUpd]
C:\Program Files\GIGABYTE\GBTUpd\PreRun.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
C:\Program Files\Microsoft Security Essentials\msseces.exe [2010-02-21 1093208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
d:\Program Files\PowerISO\PWRISOVM.EXE [2009-11-08 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2009-08-14 18702336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
d:\program files\steam\steam.exe [2010-02-20 1217872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcapd"=3
"PnkBstrA"=2
"ose"=3
"odserv"=3
"Microsoft Office Groove Audit Service"=3
"JavaQuickStarterService"=2
"idsvc"=3
"IDriverT"=3
"ES lite Service"=2
"BCUService"=2
"Ati HotKey Poller"=2
"uvnc_service"=3
"PnkBstrB"=2
"MsMpSvc"=2
"EPSON_PM_RPCV4_01"=2
"CrossLoopService"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-07-29 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\Gigabyte\GBTUpd\RunUpd.exe"="C:\Program Files\Gigabyte\GBTUpd\RunUpd.exe:*:Enabled:RunUpd"
"C:\Program Files\Gigabyte\GBTUpd\GBTUpd.exe"="C:\Program Files\Gigabyte\GBTUpd\GBTUpd.exe:*:Enabled:GBTUpd.exe"
"C:\Program Files\Gigabyte\EasySaver\UpdExe.exe"="C:\Program Files\Gigabyte\EasySaver\UpdExe.exe:*:Enabled:Exe File"
"C:\Program Files\Gigabyte\EasySaver\GBTUpd.exe"="C:\Program Files\Gigabyte\EasySaver\GBTUpd.exe:*:Enabled:GBTUpd.exe"
"D:\Program Files\Steam\Steam.exe"="D:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"D:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe"="D:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe:*:Enabled:hl2"
"D:\Program Files\Steam\steamapps\zedmanmmiv\day of defeat source\hl2.exe"="D:\Program Files\Steam\steamapps\zedmanmmiv\day of defeat source\hl2.exe:*:Enabled:hl2"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"D:\Program Files\Steam\steamapps\common\america's army 3\Binaries\AA3Game.exe"="D:\Program Files\Steam\steamapps\common\america's army 3\Binaries\AA3Game.exe:*:Disabled:America's Army 3"
"C:\Documents and Settings\Jerry\Local Settings\Application Data\CrossLoop\vncviewer.exe"="C:\Documents and Settings\Jerry\Local Settings\Application Data\CrossLoop\vncviewer.exe:*:Enabled:vncviewer.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15725b98-0bed-11df-adc5-806d6172696f}]
shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54757af8-0b4a-11df-9178-806d6172696f}]
shell\AutoRun\command - D:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fbe7920-1451-11df-96cf-0012179fe30e}]
shell\AutoRun\command - G:\USBAutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f855c47c-20cf-11df-96d8-0012179fe30e}]
shell\AutoRun\command - G:\StartPortableApps.exe


======File associations======

.scr - open - "%1" /S "%3"

======List of files/folders created in the last 1 months======

2010-04-10 19:39:21 ----DC---- C:\rsit
2010-04-10 19:37:50 ----D---- C:\WINDOWS\ERDNT
2010-04-10 19:36:48 ----D---- C:\Program Files\ERUNT
2010-04-07 22:16:39 ----D---- C:\Program Files\Trend Micro
2010-04-07 20:04:46 ----DC---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 18:48:37 ----A---- C:\WINDOWS\system32\lsdelete.exe
2010-04-07 17:39:00 ----HDC---- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-07 17:38:54 ----DC---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-04-07 17:38:54 ----D---- C:\Program Files\Lavasoft
2010-04-07 14:10:37 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2010-04-07 14:08:34 ----D---- C:\Program Files\Microsoft Security Essentials
2010-04-07 13:56:21 ----A---- C:\WINDOWS\ntbtlog.txt
2010-04-06 23:44:54 ----DC---- C:\spoolerlogs
2010-04-03 00:13:17 ----D---- C:\Documents and Settings\Jerry\Application Data\UltraVNC
2010-03-31 14:45:22 ----HDC---- C:\WINDOWS\$NtUninstallKB980182$
2010-03-28 23:24:45 ----D---- C:\Documents and Settings\Jerry\Application Data\bfgbar
2010-03-28 18:08:34 ----D---- C:\Program Files\Turtix
2010-03-28 18:02:27 ----ADC---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-03-28 18:01:46 ----D---- C:\Program Files\Big Fish Games Toolbar Installer
2010-03-28 17:59:53 ----D---- C:\Program Files\bfgclient
2010-03-28 17:58:48 ----DC---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2010-03-28 00:54:02 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2010-03-28 00:53:56 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2010-03-20 02:29:27 ----D---- C:\Documents and Settings\Jerry\Application Data\Help
2010-03-20 02:29:27 ----D---- C:\Documents and Settings\Jerry\Application Data\gtk-2.0
2010-03-18 00:54:52 ----D---- C:\Documents and Settings\Jerry\Application Data\Malwarebytes
2010-03-18 00:54:47 ----DC---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-03-18 00:54:47 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

======List of files/folders modified in the last 1 months======

2010-04-11 15:38:20 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-11 15:38:16 ----D---- C:\WINDOWS\Prefetch
2010-04-11 14:51:12 ----D---- C:\WINDOWS\system32
2010-04-11 14:51:12 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-04-11 14:51:11 ----D---- C:\WINDOWS\Temp
2010-04-11 14:46:09 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-10 20:00:22 ----SD---- C:\WINDOWS\Tasks
2010-04-10 19:45:25 ----RD---- C:\Program Files
2010-04-10 19:37:50 ----D---- C:\WINDOWS
2010-04-10 06:48:24 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-04-10 00:24:42 ----D---- C:\WINDOWS\system32\drivers
2010-04-09 17:12:36 ----HD---- C:\WINDOWS\inf
2010-04-07 22:34:28 ----RSHC---- C:\boot.ini
2010-04-07 22:34:28 ----A---- C:\WINDOWS\win.ini
2010-04-07 22:34:28 ----A---- C:\WINDOWS\system.ini
2010-04-07 22:19:47 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-04-07 20:40:32 ----D---- C:\Program Files\Mozilla Firefox
2010-04-07 20:31:29 ----SHDC---- C:\Config.Msi
2010-04-07 20:31:29 ----SHD---- C:\WINDOWS\Installer
2010-04-07 20:31:10 ----D---- C:\WINDOWS\WinSxS
2010-04-07 20:29:31 ----HD---- C:\Program Files\InstallShield Installation Information
2010-04-07 20:29:31 ----D---- C:\Program Files\Common Files
2010-04-07 20:28:51 ----D---- C:\Program Files\Gigabyte
2010-04-07 17:43:21 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-04-07 17:25:00 ----D---- C:\WINDOWS\msapps
2010-04-07 14:21:49 ----RSD---- C:\WINDOWS\Fonts
2010-04-07 14:08:42 ----SDC---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-04-06 23:49:57 ----D---- C:\WINDOWS\system32\config
2010-04-06 23:49:40 ----D---- C:\WINDOWS\system32\wbem
2010-04-06 23:49:39 ----D---- C:\WINDOWS\Registration
2010-04-06 23:48:57 ----D---- C:\Documents and Settings\Jerry\Application Data\BitTorrent
2010-03-31 07:24:06 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-29 19:45:03 ----D---- C:\WINDOWS\Debug
2010-03-20 03:25:23 ----D---- C:\WINDOWS\system32\LogFiles
2010-03-20 02:29:21 ----D---- C:\WINDOWS\system32\DirectX
2010-03-20 02:28:23 ----D---- C:\Program Files\File Scavenger 3.2
2010-03-20 02:25:39 ----D---- C:\Program Files\Movie Maker
2010-03-20 00:58:26 ----SD---- C:\Documents and Settings\Jerry\Application Data\Microsoft
2010-03-18 01:36:22 ----D---- C:\WINDOWS\Config
2010-03-14 05:29:49 ----DC---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-03-13 20:38:26 ----D---- C:\WINDOWS\Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2010-03-09 28880]
R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 aswSP;aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [2010-03-09 162640]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2010-03-09 46672]
R1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2009-12-02 149040]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2009-11-08 59388]
R1 truecrypt;truecrypt; C:\WINDOWS\System32\drivers\truecrypt.sys [2010-02-22 223440]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\drivers\aswFsBlk.sys [2010-03-09 19024]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2010-03-09 100432]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2010-03-09 23376]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-07-29 4411392]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-08-18 5884416]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 RT2500;Linksys Wireless-G PCI Adapter Driver; C:\WINDOWS\system32\DRIVERS\RT2500.sys [2005-10-20 243328]
R3 RTHDMIAzAudService;Service for HDMI; C:\WINDOWS\system32\drivers\RtKHDMI.sys [2009-06-24 3734976]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 AODDriver;AODDriver; \??\C:\Program Files\GIGABYTE\ET6\i386\AODDriver.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 cpuz130;cpuz130; \??\C:\DOCUME~1\Jerry\LOCALS~1\Temp\cpuz130\cpuz_x32.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 etdrv;etdrv; \??\C:\WINDOWS\etdrv.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 mbr;mbr; \??\C:\DOCUME~1\Jerry\LOCALS~1\Temp\mbr.sys []
S3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys []
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 pbfilter;pbfilter; \??\D:\Program Files\PeerBlock\pbfilter.sys []
S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2009-06-29 142592]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\system32\DRIVERS\lgusbbus.sys [2007-07-23 12416]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys [2007-07-23 19840]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys [2007-07-23 21632]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-03-09 40384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-07 1265264]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-03-09 40384]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-03-09 40384]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlusHelper;getPlus(R) Helper; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-07-29 602112]
S4 CrossLoopService;CrossLoop Service; C:\Documents and Settings\Jerry\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [2010-03-15 560792]
S4 EPSON_PM_RPCV4_01;EPSON V3 Service4(01); C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE [2007-01-11 113664]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-28 153376]
S4 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S4 MsMpSvc;Microsoft Antimalware Service; C:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2009-12-09 17904]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2010-03-28 75064]
S4 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2010-04-04 189480]
S4 uvnc_service;uvnc_service; C:\Documents and Settings\Jerry\Local Settings\Application Data\CrossLoop\winvnc.exe [2009-12-06 1590216]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-04-11 15:41:25

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
7-Zip 4.65-->"d:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware Email Scanner for Outlook-->MsiExec.exe /I{338F08AB-C262-42C7-B000-34DE1A475273}
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
Adobe Download Manager-->"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.3.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
AMD Processor Driver-->C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0009 -removeonly
America's Army 3-->"D:\Program Files\Steam\steam.exe" steam://uninstall/13140
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI Parental Control & Encoder-->MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
avast! Free Antivirus-->C:\Program Files\Alwil Software\Avast5\aswRunDll.exe "C:\Program Files\Alwil Software\Avast5\Setup\setiface.dll" RunSetup
Big Fish Games: Game Manager-->C:\Program Files\bfgclient\Uninstall.exe
BitTorrent-->"C:\Program Files\BitTorrent\BitTorrent.exe" /UNINSTALL
CCleaner-->"d:\Program Files\CCleaner\uninst.exe"
Counter-Strike: Source-->"D:\Program Files\Steam\steam.exe" steam://uninstall/240
CrossLoop 2.72-->"C:\Documents and Settings\Jerry\Local Settings\Application Data\CrossLoop\unins000.exe"
Day of Defeat: Source-->"D:\Program Files\Steam\steam.exe" steam://uninstall/300
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
GIMP 2.6.8-->"d:\Program Files\GIMP-2.0\setup\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
IrfanView (remove only)-->d:\Program Files\IrfanView\iv_uninstall.exe
Java(TM) 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
K-Lite Codec Pack 5.7.0 (Full)-->"d:\Program Files\K-Lite Codec Pack\unins000.exe"
LG USB Modem Drivers-->MsiExec.exe /I{FA02ACAC-9E14-4878-A257-92A22A647C2C}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Antimalware-->MsiExec.exe /X{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Security Essentials-->C:\Program Files\Microsoft Security Essentials\setup.exe /x
Microsoft Security Essentials-->MsiExec.exe /I{EF98A02A-1748-4762-9B7D-5ED1600520D5}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
OpenOffice.org 3.1-->MsiExec.exe /I{A16B3EA2-8798-4960-8D8B-18D3149AD617}
PowerISO-->"d:\Program Files\PowerISO\uninstall.exe"
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\Setup.Exe -runfromtemp -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.EXE" -l0x9 -removeonly
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB978380)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {667A88D1-0369-4070-A62A-70672D68A9BF}
Security Update for Microsoft Office Excel 2007 (KB978382)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6DE3DABF-0203-426B-B330-7287D1003E86}
Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050}
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Spybot - Search & Destroy-->"d:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
TrueCrypt-->"C:\Program Files\TrueCrypt\TrueCrypt Setup.exe" /u
Turtix-->"C:\Program Files\Turtix\Uninstall.exe"
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}
Update for Outlook 2007 Junk Email Filter (kb979895)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {D45674C6-9127-4C84-8826-93FBC552DF53}
Update for Windows XP (KB980182)-->"C:\WINDOWS\$NtUninstallKB980182$\spuninst\spuninst.exe"
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

=====HijackThis Backups=====

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-04-07]
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2010-04-07]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [2010-04-07]
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2010-04-09]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2010-04-09]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-09]
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2010-04-09]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll [2010-04-09]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) [2010-04-09]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank [2010-04-09]
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll [2010-04-09]
O4 - HKLM\..\Run: [Total PC Defender 2010] C:\Program Files\Total PC Defender 2010\Total PC Defender 2010.exe [2010-04-09]
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-09]
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) [2010-04-09]

======Security center information======

AV: avast! Antivirus
AV: Microsoft Security Essentials (disabled)

======System event log======

Computer Name: ZED
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\D during a paging operation.

Record Number: 3787
Source Name: Disk
Time Written: 20100302223147.000000-300
Event Type: warning
User:

Computer Name: ZED
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\D during a paging operation.

Record Number: 3786
Source Name: Disk
Time Written: 20100302223147.000000-300
Event Type: warning
User:

Computer Name: ZED
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\D during a paging operation.

Record Number: 3785
Source Name: Disk
Time Written: 20100302223147.000000-300
Event Type: warning
User:

Computer Name: ZED
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\D during a paging operation.

Record Number: 3784
Source Name: Disk
Time Written: 20100302223147.000000-300
Event Type: warning
User:

Computer Name: ZED
Event Code: 51
Message: An error was detected on device \Device\Harddisk2\D during a paging operation.

Record Number: 3783
Source Name: Disk
Time Written: 20100302223147.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: ZED
Event Code: 1000
Message: Faulting application firefox.exe, version 1.9.2.3667, faulting module unknown, version 0.0.0.0, fault address 0x00000008.

Record Number: 762
Source Name: Application Error
Time Written: 20100301222734.000000-300
Event Type: error
User:

Computer Name: ZED
Event Code: 1001
Message: Fault bucket 1667465332.

Record Number: 758
Source Name: Application Error
Time Written: 20100225223708.000000-300
Event Type: error
User:

Computer Name: ZED
Event Code: 1000
Message: Faulting application firefox.exe, version 1.9.2.3667, faulting module jvm.dll, version 16.0.0.13, fault address 0x000c7cf2.

Record Number: 757
Source Name: Application Error
Time Written: 20100225223633.000000-300
Event Type: error
User:

Computer Name: ZED
Event Code: 63
Message: A provider, OffProv12, has been registered in the WMI namespace, Root\MSAPPS12, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 682
Source Name: WinMgmt
Time Written: 20100223181307.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: ZED
Event Code: 1000
Message: Faulting application hl2.exe, version 0.0.0.0, faulting module datacache.dll, version 0.0.0.0, fault address 0x0000b423.

Record Number: 635
Source Name: Application Error
Time Written: 20100213003740.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=16
"PROCESSOR_IDENTIFIER"=x86 Family 16 Model 5 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=0502
"NUMBER_OF_PROCESSORS"=4
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/7/2010 5:23:39 PM
mbam-log-2010-04-07 (17-23-39).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 172061
Time elapsed: 40 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Intern) Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\_VOIDylnkbidbwu (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Jerry\Local Settings\Temp\MdSchedb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\I12L45FG\n2ivc[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\_VOIDylnkbidbwu\_VOIDd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


Thank you for your time.

Jerry
Zedman2k
Active Member
Posts: 10
Joined: April 7th, 2010, 10:51 pm
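
The three StartMenuInternet entries in the Malwarebytes log above are a persistence trick worth recognising on their own, independently of a scanner signature: the command Windows runs when the browser is started from the Start menu was rewritten so that ave.exe in the NetworkService profile runs first and then launches the real browser with /START, so the user still gets a browser window and has little reason to look at the registry. The Python below is an added example (not part of the thread and not Malwarebytes code) that classifies such values by three independent signals. The registry strings are copied from the log (the IEXPLORE one is truncated in the log and is kept that way); the list of "suspicious" directories and the three signals are heuristics chosen for this example.

```python
"""Classify StartMenuInternet 'shell\\open\\command' values as clean or hijacked.

Added example; not part of the thread and not code from Malwarebytes.
"""
import re
from typing import Dict, List

FF_OPEN = r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command"
FF_SAFE = r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command"
IE_OPEN = r"HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command"

# "Bad" values copied from the MBAM log.  The IEXPLORE value is truncated in the log
# itself and stays truncated here; the tokenizer therefore tolerates a missing closing quote.
HIJACKED_VALUES: Dict[str, str] = {
    FF_OPEN: r'"C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"',
    FF_SAFE: r'"C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode',
    IE_OPEN: r'"C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Intern',
}
# "Good" values MBAM restored: the bare browser name, resolved through App Paths.
RESTORED_VALUES: Dict[str, str] = {FF_OPEN: "firefox.exe", IE_OPEN: "iexplore.exe"}

# Directory fragments from which no browser launcher should run (heuristic list for this example).
SUSPICIOUS_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\documents and settings\\networkservice\\",
    "\\documents and settings\\localservice\\",
)

# A quoted token (closing quote optional) or a run of non-blank characters.
_TOKEN = re.compile(r'"([^"]*)"?|(\S+)')


def split_command(cmd: str) -> List[str]:
    """Tokenize a registry command string, keeping quoted paths with spaces whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def expected_browser(key: str) -> str:
    """The browser a StartMenuInternet key belongs to, e.g. 'firefox.exe'."""
    parts = key.split("\\")
    i = [p.lower() for p in parts].index("startmenuinternet")
    return parts[i + 1].lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(key: str, cmd: str) -> Dict[str, object]:
    """Decide whether a shell\\open\\command value launches the browser directly.

    Any one of three signals marks the value as hijacked: the launcher is not the
    browser the key belongs to; the launcher lives in a profile/temp directory; or the
    real browser is handed to the launcher as an argument (the pass-through trick that
    keeps the browser working so the user does not notice the extra process).
    """
    tokens = split_command(cmd)
    if not tokens:
        return {"hijacked": True, "launcher": None, "reasons": ["empty command"]}
    launcher, args = tokens[0], tokens[1:]
    want = expected_browser(key)
    reasons = []
    if basename(launcher) != want:
        reasons.append(f"launcher is {basename(launcher)!r}, expected {want!r}")
    if any(d in launcher.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("launcher runs from a profile or temp directory")
    if any(basename(a) == want for a in args):
        reasons.append("real browser passed as an argument (pass-through launcher)")
    return {"hijacked": bool(reasons), "launcher": launcher, "reasons": reasons}


def audit(values: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Return only the key/command pairs that classify as hijacked."""
    findings = {}
    for key, cmd in values.items():
        result = classify(key, cmd)
        if result["hijacked"]:
            findings[key] = result
    return findings


if __name__ == "__main__":
    for label, values in (("as found", HIJACKED_VALUES), ("as restored", RESTORED_VALUES)):
        print(label, "->", {k.rsplit("\\", 3)[0].rsplit("\\", 1)[-1]: r["reasons"]
                            for k, r in audit(values).items()})
```

On a live machine the same three keys are read with `reg query "HKLM\SOFTWARE\Clients\StartMenuInternet" /s` and each `(Default)` under a `shell\open\command` subkey is passed to `classify`; note that a bare `firefox.exe` is clean only because Windows resolves it through App Paths, so a second check of that App Paths entry is worthwhile once this one passes.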

Re: I can't remove this malware

Unread postby Wingman » April 12th, 2010, 6:35 am

Hello Zedman2k

I'm sorry, but I have some bad news for you. :(

Rootkit Warning
One or more of the identified infections you had was related to a rootkit component.
Rootkits are very dangerous because they use advanced techniques as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker.
Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install.
Remote attackers use rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, Paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.
Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and appears to have been removed, your PC may be compromised and there is no way to be sure the computer can ever be trusted again.
It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure.
Further, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice we cannot guarantee your computer to be trustworthy or that the malware removal has been completely successful.

Please let me know what you decide.

Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14112
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
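
Wingman's point above about rootkits hooking the kernel is exactly what the "Scanning Kernel memory" pass of the TDSSKiller log later in this thread is looking for: for each device object it dumps the driver's IRP major-function dispatch table, and a TDSS-style rootkit shows up as entries (typically read, write and device control on the disk or atapi driver) that point outside the driver's own image. The Python below is an added example, not code from the thread or from Kaspersky's tool: it parses such a dump and applies two checks of its own, a distance check on each table and a consistency check across device objects of the same driver. The shared default handler is inferred from the log (804F4562 there; that it is nt!IopInvalidDeviceRequest is my assumption, TDSSKiller does not name it), the third block of the sample is constructed, and the 1 MiB cluster gap is a heuristic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Blocks 1-2: abridged copies of the Disk and USBSTOR blocks from the TDSSKiller log
# posted later in this thread.  Block 3 is CONSTRUCTED for the test: Disk's table with
# READ/WRITE/DEVICE_CONTROL redirected to a made-up address far from disk.sys, the
# shape of a TDSS-style dispatch hook.  Nothing in block 3 was seen on the poster's PC.
SAMPLE_LOG = r"""
16:56:28:531 4156 Driver Name: Disk
16:56:28:531 4156 IRP_MJ_CREATE : BA10EBB0
16:56:28:531 4156 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:56:28:531 4156 IRP_MJ_CLOSE : BA10EBB0
16:56:28:531 4156 IRP_MJ_READ : BA108D1F
16:56:28:531 4156 IRP_MJ_WRITE : BA108D1F
16:56:28:531 4156 IRP_MJ_DEVICE_CONTROL : BA1093BB
16:56:28:531 4156 IRP_MJ_POWER : BA10AC82
16:56:28:562 4156 C:\windows\system32\DRIVERS\disk.sys - Verdict: 1
16:56:28:562 4156 Driver Name: USBSTOR
16:56:28:562 4156 IRP_MJ_CREATE : BA46D218
16:56:28:562 4156 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:56:28:562 4156 IRP_MJ_CLOSE : BA46D218
16:56:28:562 4156 IRP_MJ_READ : BA46D23C
16:56:28:562 4156 IRP_MJ_WRITE : BA46D23C
16:56:28:562 4156 IRP_MJ_DEVICE_CONTROL : BA46D180
16:56:28:562 4156 IRP_MJ_POWER : BA46C5F0
16:56:28:593 4156 C:\windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
16:56:28:593 4156 Driver Name: Disk
16:56:28:593 4156 IRP_MJ_CREATE : BA10EBB0
16:56:28:593 4156 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:56:28:593 4156 IRP_MJ_CLOSE : BA10EBB0
16:56:28:593 4156 IRP_MJ_READ : F8A1C2D0
16:56:28:593 4156 IRP_MJ_WRITE : F8A1C2D0
16:56:28:593 4156 IRP_MJ_DEVICE_CONTROL : F8A1C2D0
16:56:28:593 4156 IRP_MJ_POWER : BA10AC82
16:56:28:609 4156 C:\windows\system32\DRIVERS\disk.sys - Verdict: 1
"""

_PREFIX = re.compile(r"^\d\d:\d\d:\d\d:\d{3} \d+ ?")   # "16:56:28:531 4156 " column
_NAME = re.compile(r"^Driver Name: (\S+)$")
_ENTRY = re.compile(r"^(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})$")
_VERDICT = re.compile(r"^(.+?) - Verdict: (\d+)$")


@dataclass
class DriverScan:
    name: str
    table: Dict[str, int] = field(default_factory=dict)   # major function -> handler address
    path: str = ""
    verdict: int = -1


def parse_log(text: str) -> List[DriverScan]:
    """One DriverScan per device-object block in the dump."""
    scans: List[DriverScan] = []
    cur = None
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if m := _NAME.match(line):
            cur = DriverScan(m.group(1))
            scans.append(cur)
        elif cur is not None and (m := _ENTRY.match(line)):
            cur.table[m.group(1)] = int(m.group(2), 16)
        elif cur is not None and (m := _VERDICT.match(line)):
            cur.path, cur.verdict = m.group(1), int(m.group(2))
    return scans


def default_handler(scans: List[DriverScan]) -> int:
    """The one address every table shares: the kernel's handler for major functions the
    driver does not implement (804F4562 in the posted log; assumed nt!IopInvalidDeviceRequest)."""
    common = set.intersection(*(set(s.table.values()) for s in scans))
    if len(common) != 1:
        raise ValueError(f"expected exactly one shared handler, got {sorted(common)}")
    return common.pop()


def find_hooks(scan: DriverScan, default: int, max_gap: int = 0x100000) -> Dict[str, int]:
    """Entries that are neither the default handler nor inside the driver's own code cluster.
    Distinct addresses are sorted and split wherever neighbours are more than max_gap apart;
    the largest cluster is taken as the driver image (heuristic: a rootkit that rewrote most
    of the table would fool it, which is why inconsistent_tables() is run as well)."""
    own = sorted({a for a in scan.table.values() if a != default})
    if not own:
        return {}
    clusters: List[List[int]] = [[own[0]]]
    for a in own[1:]:
        if a - clusters[-1][-1] > max_gap:
            clusters.append([a])
        else:
            clusters[-1].append(a)
    lo, hi = (image := max(clusters, key=len))[0], image[-1]
    return {fn: a for fn, a in scan.table.items() if a != default and not lo <= a <= hi}


def inconsistent_tables(scans: List[DriverScan]) -> List[str]:
    """Driver names whose device objects do not all report the same dispatch table.  In the
    posted log Disk appears six times with identical entries; a difference would point at
    one hooked device stack."""
    seen: Dict[str, List[Dict[str, int]]] = {}
    for s in scans:
        seen.setdefault(s.name, []).append(s.table)
    return [n for n, tables in seen.items() if any(t != tables[0] for t in tables[1:])]
```

To use it on a real run, read the tdsskiller.txt produced by the command in the next post into `parse_log`, take `default_handler` over all scans, and print `find_hooks` per scan plus `inconsistent_tables` once; on the log actually posted in this thread every non-default Disk entry sits in the BA10xxxx range and every USBSTOR entry in the BA46xxxx range, so both checks come back empty, which agrees with TDSSKiller's own "Verdict: 1" lines.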

Re: I can't remove this malware

Unread postby Wingman » April 13th, 2010, 8:26 am

Hello Zedman2K,

Have you decided what you're going to do?
Wingman
Admin/Teacher
Posts: 14112
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: I can't remove this malware

Unread postby Zedman2k » April 14th, 2010, 2:46 am

Hello Wingman,

Wow, that really sucks.

I've changed my passwords by a live boot into Ubuntu (I only have this one computer) and have installed zonealarm.

ZoneAlarm and avast have not shown any odd connections. My only problems are the Google redirects and the new tabs opening. I'm hoping that the removal of the rootkit did the job and this will be a simple (I hope) thing.

You said with a rootkit I'm most likely screwed, but if you think you can help I can only thank you for your time.

So let's see what we can do.

Thank you for your time.

Jerry
Zedman2k
Active Member
Posts: 10
Joined: April 7th, 2010, 10:51 pm

Re: I can't remove this malware

Unread postby Wingman » April 14th, 2010, 2:28 pm

Hello Zedman2k

If you want, I can try to remedy the current problem you have, but there is no guarantee that the computer has not been compromised to a point where it cannot be trusted again. Additionally, if at any time I feel that continuing my efforts is simply wasting your time as well as mine, I will let you know and request this topic be closed. There are times when throwing all the tools I have at something still does not resolve the problem due to system files possibly being corrupted.

Let's continue...

Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
TDSSKiller
Please download TDSSKiller.zip... by Kaspersky Lab and save it on your desktop.
  1. Extract (unzip) its contents to your Desktop.
  2. Double-click the TDSSKiller Folder on your desktop.
  3. Right-click on TDSSKiller.exe ... then click Copy then Paste it directly to your Desktop. <<--- Important!
  4. Highlight and copy all the text (including the quote marks) in the box below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt" -v
  5. Click Start, click Run... and paste the (above) copied text, into the opened text box... then click OK.
    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    TDSSKiller will prompt to reboot the PC, to complete the disinfection procedure, if malicious files or services were found.
    Please reboot if prompted.
    After reboot, TDSSKiller will delete malicious registry keys and files, as well as remove itself from the services list.
    When finished a log file should be created on your desktop named "tdsskiller.txt"
  6. Please post the entire contents of the tdsskiller.txt file in your next reply.

Step 3.
Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.
  1. Double click on RSIT.exe to run it.
  2. Please read the disclaimer... click on Continue.
    RSIT will start running. When done... ONLY the "C:\RSIT\log.txt" will be reproduced (it will be maximized).
  3. Please post ONLY the "log.txt", file contents in your next reply.


Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. tdsskiller.txt
  3. RSIT log.txt file contents.
  4. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14112
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: I can't remove this malware

Unread postby Zedman2k » April 14th, 2010, 5:26 pm

Hi Wingman

Here is what I have.

16:56:27:968 4156 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
16:56:27:968 4156 ================================================================================
16:56:27:968 4156 SystemInfo:

16:56:27:968 4156 OS Version: 5.1.2600 ServicePack: 3.0
16:56:27:968 4156 Product type: Workstation
16:56:27:968 4156 ComputerName: ZED
16:56:27:968 4156 UserName: Jerry
16:56:27:968 4156 Windows directory: C:\windows
16:56:27:968 4156 Processor architecture: Intel x86
16:56:27:968 4156 Number of processors: 4
16:56:27:968 4156 Page size: 0x1000
16:56:27:984 4156 Boot type: Normal boot
16:56:27:984 4156 ================================================================================
16:56:27:984 4156 UnloadDriverW: NtUnloadDriver error 2
16:56:27:984 4156 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:56:28:015 4156 wfopen_ex: Trying to open file C:\windows\system32\config\system
16:56:28:015 4156 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:56:28:015 4156 wfopen_ex: Trying to KLMD file open
16:56:28:015 4156 wfopen_ex: File opened ok (Flags 2)
16:56:28:015 4156 wfopen_ex: Trying to open file C:\windows\system32\config\software
16:56:28:015 4156 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:56:28:015 4156 wfopen_ex: Trying to KLMD file open
16:56:28:015 4156 wfopen_ex: File opened ok (Flags 2)
16:56:28:015 4156 Initialize success
16:56:28:015 4156
16:56:28:015 4156 Scanning Services ...
16:56:28:515 4156 Raw services enum returned 342 services
16:56:28:531 4156
16:56:28:531 4156 Scanning Kernel memory ...
16:56:28:531 4156 Devices to scan: 9
16:56:28:531 4156
16:56:28:531 4156 Driver Name: Disk
16:56:28:531 4156 IRP_MJ_CREATE : BA10EBB0
16:56:28:531 4156 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:56:28:531 4156 IRP_MJ_CLOSE : BA10EBB0
16:56:28:531 4156 IRP_MJ_READ : BA108D1F
16:56:28:531 4156 IRP_MJ_WRITE : BA108D1F
16:56:28:531 4156 IRP_MJ_QUERY_INFORMATION : 804F4562
16:56:28:531 4156 IRP_MJ_SET_INFORMATION : 804F4562
16:56:28:531 4156 IRP_MJ_QUERY_EA : 804F4562
16:56:28:531 4156 IRP_MJ_SET_EA : 804F4562
16:56:28:531 4156 IRP_MJ_FLUSH_BUFFERS : BA1092E2
16:56:28:531 4156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:56:28:531 4156 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:56:28:531 4156 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:56:28:531 4156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:56:28:531 4156 IRP_MJ_DEVICE_CONTROL : BA1093BB
16:56:28:531 4156 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
16:56:28:531 4156 IRP_MJ_SHUTDOWN : BA1092E2
16:56:28:531 4156 IRP_MJ_LOCK_CONTROL : 804F4562
16:56:28:531 4156 IRP_MJ_CLEANUP : 804F4562
16:56:28:531 4156 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:56:28:531 4156 IRP_MJ_QUERY_SECURITY : 804F4562
16:56:28:531 4156 IRP_MJ_SET_SECURITY : 804F4562
16:56:28:531 4156 IRP_MJ_POWER : BA10AC82
16:56:28:531 4156 IRP_MJ_SYSTEM_CONTROL : BA10F99E
16:56:28:531 4156 IRP_MJ_DEVICE_CHANGE : 804F4562
16:56:28:531 4156 IRP_MJ_QUERY_QUOTA : 804F4562
16:56:28:531 4156 IRP_MJ_SET_QUOTA : 804F4562
16:56:28:562 4156 C:\windows\system32\DRIVERS\disk.sys - Verdict: 1
16:56:28:562 4156
16:56:28:562 4156 Driver Name: USBSTOR
16:56:28:562 4156 IRP_MJ_CREATE : BA46D218
16:56:28:562 4156 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:56:28:562 4156 IRP_MJ_CLOSE : BA46D218
16:56:28:562 4156 IRP_MJ_READ : BA46D23C
16:56:28:562 4156 IRP_MJ_WRITE : BA46D23C
16:56:28:562 4156 IRP_MJ_QUERY_INFORMATION : 804F4562
16:56:28:562 4156 IRP_MJ_SET_INFORMATION : 804F4562
16:56:28:562 4156 IRP_MJ_QUERY_EA : 804F4562
16:56:28:562 4156 IRP_MJ_SET_EA : 804F4562
16:56:28:562 4156 IRP_MJ_FLUSH_BUFFERS : 804F4562
16:56:28:562 4156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:56:28:562 4156 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:56:28:562 4156 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:56:28:562 4156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:56:28:562 4156 IRP_MJ_DEVICE_CONTROL : BA46D180
16:56:28:562 4156 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA4689E6
16:56:28:562 4156 IRP_MJ_SHUTDOWN : 804F4562
16:56:28:562 4156 IRP_MJ_LOCK_CONTROL : 804F4562
16:56:28:562 4156 IRP_MJ_CLEANUP : 804F4562
16:56:28:562 4156 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:56:28:562 4156 IRP_MJ_QUERY_SECURITY : 804F4562
16:56:28:562 4156 IRP_MJ_SET_SECURITY : 804F4562
16:56:28:562 4156 IRP_MJ_POWER : BA46C5F0
16:56:28:562 4156 IRP_MJ_SYSTEM_CONTROL : BA46AA6E
16:56:28:562 4156 IRP_MJ_DEVICE_CHANGE : 804F4562
16:56:28:562 4156 IRP_MJ_QUERY_QUOTA : 804F4562
16:56:28:562 4156 IRP_MJ_SET_QUOTA : 804F4562
16:56:28:593 4156 C:\windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
16:56:28:593 4156
16:56:28:593 4156 Driver Name: Disk
16:56:28:593 4156 IRP_MJ_CREATE : BA10EBB0
16:56:28:593 4156 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:56:28:593 4156 IRP_MJ_CLOSE : BA10EBB0
16:56:28:593 4156 IRP_MJ_READ : BA108D1F
16:56:28:593 4156 IRP_MJ_WRITE : BA108D1F
16:56:28:593 4156 IRP_MJ_QUERY_INFORMATION : 804F4562
16:56:28:593 4156 IRP_MJ_SET_INFORMATION : 804F4562
16:56:28:593 4156 IRP_MJ_QUERY_EA : 804F4562
16:56:28:593 4156 IRP_MJ_SET_EA : 804F4562
16:56:28:593 4156 IRP_MJ_FLUSH_BUFFERS : BA1092E2
16:56:28:593 4156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:56:28:593 4156 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:56:28:593 4156 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:56:28:593 4156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:56:28:593 4156 IRP_MJ_DEVICE_CONTROL : BA1093BB
16:56:28:593 4156 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
16:56:28:593 4156 IRP_MJ_SHUTDOWN : BA1092E2
16:56:28:593 4156 IRP_MJ_LOCK_CONTROL : 804F4562
16:56:28:593 4156 IRP_MJ_CLEANUP : 804F4562
16:56:28:593 4156 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:56:28:593 4156 IRP_MJ_QUERY_SECURITY : 804F4562
16:56:28:593 4156 IRP_MJ_SET_SECURITY : 804F4562
16:56:28:593 4156 IRP_MJ_POWER : BA10AC82
16:56:28:593 4156 IRP_MJ_SYSTEM_CONTROL : BA10F99E
16:56:28:593 4156 IRP_MJ_DEVICE_CHANGE : 804F4562
16:56:28:593 4156 IRP_MJ_QUERY_QUOTA : 804F4562
16:56:28:593 4156 IRP_MJ_SET_QUOTA : 804F4562
16:56:28:609 4156 C:\windows\system32\DRIVERS\disk.sys - Verdict: 1
16:56:28:609 4156
16:56:28:609 4156 Driver Name: Disk
16:56:28:609 4156 IRP_MJ_CREATE : BA10EBB0
16:56:28:609 4156 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:56:28:609 4156 IRP_MJ_CLOSE : BA10EBB0
16:56:28:609 4156 IRP_MJ_READ : BA108D1F
16:56:28:609 4156 IRP_MJ_WRITE : BA108D1F
16:56:28:609 4156 IRP_MJ_QUERY_INFORMATION : 804F4562
16:56:28:609 4156 IRP_MJ_SET_INFORMATION : 804F4562
16:56:28:609 4156 IRP_MJ_QUERY_EA : 804F4562
16:56:28:609 4156 IRP_MJ_SET_EA : 804F4562
16:56:28:609 4156 IRP_MJ_FLUSH_BUFFERS : BA1092E2
16:56:28:609 4156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:56:28:609 4156 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:56:28:609 4156 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:56:28:609 4156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:56:28:609 4156 IRP_MJ_DEVICE_CONTROL : BA1093BB
16:56:28:609 4156 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
16:56:28:609 4156 IRP_MJ_SHUTDOWN : BA1092E2
16:56:28:609 4156 IRP_MJ_LOCK_CONTROL : 804F4562
16:56:28:609 4156 IRP_MJ_CLEANUP : 804F4562
16:56:28:609 4156 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:56:28:609 4156 IRP_MJ_QUERY_SECURITY : 804F4562
16:56:28:609 4156 IRP_MJ_SET_SECURITY : 804F4562
16:56:28:609 4156 IRP_MJ_POWER : BA10AC82
16:56:28:609 4156 IRP_MJ_SYSTEM_CONTROL : BA10F99E
16:56:28:609 4156 IRP_MJ_DEVICE_CHANGE : 804F4562
16:56:28:609 4156 IRP_MJ_QUERY_QUOTA : 804F4562
16:56:28:609 4156 IRP_MJ_SET_QUOTA : 804F4562
16:56:28:625 4156 C:\windows\system32\DRIVERS\disk.sys - Verdict: 1
16:56:28:625 4156
16:56:28:625 4156 Driver Name: Disk
16:56:28:625 4156 IRP_MJ_CREATE : BA10EBB0
16:56:28:625 4156 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:56:28:625 4156 IRP_MJ_CLOSE : BA10EBB0
16:56:28:625 4156 IRP_MJ_READ : BA108D1F
16:56:28:625 4156 IRP_MJ_WRITE : BA108D1F
16:56:28:625 4156 IRP_MJ_QUERY_INFORMATION : 804F4562
16:56:28:625 4156 IRP_MJ_SET_INFORMATION : 804F4562
16:56:28:625 4156 IRP_MJ_QUERY_EA : 804F4562
16:56:28:625 4156 IRP_MJ_SET_EA : 804F4562
16:56:28:625 4156 IRP_MJ_FLUSH_BUFFERS : BA1092E2
16:56:28:625 4156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:56:28:625 4156 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:56:28:625 4156 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:56:28:625 4156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:56:28:625 4156 IRP_MJ_DEVICE_CONTROL : BA1093BB
16:56:28:625 4156 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
16:56:28:625 4156 IRP_MJ_SHUTDOWN : BA1092E2
16:56:28:625 4156 IRP_MJ_LOCK_CONTROL : 804F4562
16:56:28:625 4156 IRP_MJ_CLEANUP : 804F4562
16:56:28:625 4156 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:56:28:625 4156 IRP_MJ_QUERY_SECURITY : 804F4562
16:56:28:625 4156 IRP_MJ_SET_SECURITY : 804F4562
16:56:28:625 4156 IRP_MJ_POWER : BA10AC82
16:56:28:625 4156 IRP_MJ_SYSTEM_CONTROL : BA10F99E
16:56:28:625 4156 IRP_MJ_DEVICE_CHANGE : 804F4562
16:56:28:640 4156 IRP_MJ_QUERY_QUOTA : 804F4562
16:56:28:640 4156 IRP_MJ_SET_QUOTA : 804F4562
16:56:28:640 4156 C:\windows\system32\DRIVERS\disk.sys - Verdict: 1
16:56:28:640 4156
16:56:28:640 4156 Driver Name: Disk
16:56:28:640 4156 IRP_MJ_CREATE : BA10EBB0
16:56:28:640 4156 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:56:28:640 4156 IRP_MJ_CLOSE : BA10EBB0
16:56:28:640 4156 IRP_MJ_READ : BA108D1F
16:56:28:640 4156 IRP_MJ_WRITE : BA108D1F
16:56:28:640 4156 IRP_MJ_QUERY_INFORMATION : 804F4562
16:56:28:640 4156 IRP_MJ_SET_INFORMATION : 804F4562
16:56:28:640 4156 IRP_MJ_QUERY_EA : 804F4562
16:56:28:640 4156 IRP_MJ_SET_EA : 804F4562
16:56:28:640 4156 IRP_MJ_FLUSH_BUFFERS : BA1092E2
16:56:28:640 4156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:56:28:640 4156 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:56:28:640 4156 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:56:28:640 4156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:56:28:640 4156 IRP_MJ_DEVICE_CONTROL : BA1093BB
16:56:28:656 4156 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
16:56:28:656 4156 IRP_MJ_SHUTDOWN : BA1092E2
16:56:28:656 4156 IRP_MJ_LOCK_CONTROL : 804F4562
16:56:28:656 4156 IRP_MJ_CLEANUP : 804F4562
16:56:28:656 4156 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:56:28:656 4156 IRP_MJ_QUERY_SECURITY : 804F4562
16:56:28:656 4156 IRP_MJ_SET_SECURITY : 804F4562
16:56:28:656 4156 IRP_MJ_POWER : BA10AC82
16:56:28:656 4156 IRP_MJ_SYSTEM_CONTROL : BA10F99E
16:56:28:656 4156 IRP_MJ_DEVICE_CHANGE : 804F4562
16:56:28:656 4156 IRP_MJ_QUERY_QUOTA : 804F4562
16:56:28:656 4156 IRP_MJ_SET_QUOTA : 804F4562
16:56:28:671 4156 C:\windows\system32\DRIVERS\disk.sys - Verdict: 1
16:56:28:671 4156
16:56:28:671 4156 Driver Name: Disk
16:56:28:671 4156 IRP_MJ_CREATE : BA10EBB0
16:56:28:671 4156 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:56:28:671 4156 IRP_MJ_CLOSE : BA10EBB0
16:56:28:671 4156 IRP_MJ_READ : BA108D1F
16:56:28:671 4156 IRP_MJ_WRITE : BA108D1F
16:56:28:671 4156 IRP_MJ_QUERY_INFORMATION : 804F4562
16:56:28:671 4156 IRP_MJ_SET_INFORMATION : 804F4562
16:56:28:671 4156 IRP_MJ_QUERY_EA : 804F4562
16:56:28:671 4156 IRP_MJ_SET_EA : 804F4562
16:56:28:671 4156 IRP_MJ_FLUSH_BUFFERS : BA1092E2
16:56:28:671 4156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:56:28:671 4156 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:56:28:671 4156 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:56:28:671 4156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:56:28:671 4156 IRP_MJ_DEVICE_CONTROL : BA1093BB
16:56:28:671 4156 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
16:56:28:671 4156 IRP_MJ_SHUTDOWN : BA1092E2
16:56:28:671 4156 IRP_MJ_LOCK_CONTROL : 804F4562
16:56:28:671 4156 IRP_MJ_CLEANUP : 804F4562
16:56:28:671 4156 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:56:28:671 4156 IRP_MJ_QUERY_SECURITY : 804F4562
16:56:28:671 4156 IRP_MJ_SET_SECURITY : 804F4562
16:56:28:671 4156 IRP_MJ_POWER : BA10AC82
16:56:28:671 4156 IRP_MJ_SYSTEM_CONTROL : BA10F99E
16:56:28:671 4156 IRP_MJ_DEVICE_CHANGE : 804F4562
16:56:28:671 4156 IRP_MJ_QUERY_QUOTA : 804F4562
16:56:28:671 4156 IRP_MJ_SET_QUOTA : 804F4562
16:56:28:687 4156 C:\windows\system32\DRIVERS\disk.sys - Verdict: 1
16:56:28:687 4156
16:56:28:687 4156 Driver Name: atapi
16:56:28:687 4156 IRP_MJ_CREATE : B9F3B6F2
16:56:28:687 4156 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:56:28:687 4156 IRP_MJ_CLOSE : B9F3B6F2
16:56:28:687 4156 IRP_MJ_READ : 804F4562
16:56:28:687 4156 IRP_MJ_WRITE : 804F4562
16:56:28:687 4156 IRP_MJ_QUERY_INFORMATION : 804F4562
16:56:28:687 4156 IRP_MJ_SET_INFORMATION : 804F4562
16:56:28:687 4156 IRP_MJ_QUERY_EA : 804F4562
16:56:28:687 4156 IRP_MJ_SET_EA : 804F4562
16:56:28:687 4156 IRP_MJ_FLUSH_BUFFERS : 804F4562
16:56:28:687 4156 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:56:28:687 4156 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:56:28:687 4156 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:56:28:687 4156 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:56:28:687 4156 IRP_MJ_DEVICE_CONTROL : B9F3B712
16:56:28:687 4156 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9F37852
16:56:28:687 4156 IRP_MJ_SHUTDOWN : 804F4562
16:56:28:687 4156 IRP_MJ_LOCK_CONTROL : 804F4562
16:56:28:687 4156 IRP_MJ_CLEANUP : 804F4562
16:56:28:687 4156 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:56:28:687 4156 IRP_MJ_QUERY_SECURITY : 804F4562
16:56:28:687 4156 IRP_MJ_SET_SECURITY : 804F4562
16:56:28:687 4156 IRP_MJ_POWER : B9F3B73C
16:56:28:687 4156 IRP_MJ_SYSTEM_CONTROL : B9F42336
16:56:28:687 4156 IRP_MJ_DEVICE_CHANGE : 804F4562
16:56:28:687 4156 IRP_MJ_QUERY_QUOTA : 804F4562
16:56:28:687 4156 IRP_MJ_SET_QUOTA : 804F4562
16:56:28:718 4156 C:\windows\system32\DRIVERS\atapi.sys - Verdict: 1
16:56:28:718 4156
16:56:28:718 4156 Driver Name: atapi
16:56:28:718 4156 IRP_MJ_CREATE : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_CREATE_NAMED_PIPE : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_CLOSE : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_READ : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_WRITE : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_QUERY_INFORMATION : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_SET_INFORMATION : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_QUERY_EA : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_SET_EA : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_FLUSH_BUFFERS : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_SET_VOLUME_INFORMATION : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_DIRECTORY_CONTROL : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_FILE_SYSTEM_CONTROL : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_DEVICE_CONTROL : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_SHUTDOWN : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_LOCK_CONTROL : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_CLEANUP : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_CREATE_MAILSLOT : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_QUERY_SECURITY : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_SET_SECURITY : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_POWER : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_SYSTEM_CONTROL : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_DEVICE_CHANGE : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_QUERY_QUOTA : 8A8AFAC8
16:56:28:718 4156 IRP_MJ_SET_QUOTA : 8A8AFAC8
16:56:28:718 4156 Driver "atapi" infected by TDSS rootkit!
16:56:28:734 4156 C:\windows\system32\DRIVERS\atapi.sys - Verdict: 1
16:56:28:734 4156 File "C:\windows\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 16:56:28:734 4156 Processing driver file: C:\windows\system32\DRIVERS\atapi.sys
16:56:28:734 4156 ProcessDirEnumEx: FindFirstFile(C:\windows\system32\DriverStore\FileRepository\*) error 3
16:56:28:906 4156 vfvi6
16:56:28:953 4156 !dsvbh1
16:56:29:093 4156 dsvbh2
16:56:29:109 4156 fdfb2
16:56:29:109 4156 Backup copy found, using it..
16:56:29:187 4156 will be cured on next reboot
16:56:29:187 4156 Reboot required for cure complete..
16:56:29:203 4156 Cure on reboot scheduled successfully
16:56:29:203 4156
16:56:29:203 4156 Completed
16:56:29:203 4156
16:56:29:203 4156 Results:
16:56:29:203 4156 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
16:56:29:203 4156 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:56:29:203 4156 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:56:29:203 4156
16:56:29:203 4156 fclose_ex: Trying to close file C:\windows\system32\config\system
16:56:29:203 4156 fclose_ex: Trying to close file C:\windows\system32\config\software
16:56:29:218 4156 UnloadDriverW: NtUnloadDriver error 1
16:56:29:218 4156 KLMD(ARK) unloaded successfully


Logfile of random's system information tool 1.06 (written by random/random)
Run by Jerry at 2010-04-14 17:08:24
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 24 GB (71%) free of 34 GB
Total RAM: 2814 MB (81% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:47 PM, on 4/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\windows\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jerry\Desktop\RSIT.exe
C:\Program Files\trend micro\Jerry.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4551 bytes

======Scheduled tasks folder======

C:\windows\tasks\Ad-Aware Update (Weekly).job
C:\windows\tasks\At25.job
C:\windows\tasks\At26.job
C:\windows\tasks\At27.job
C:\windows\tasks\At28.job
C:\windows\tasks\At29.job
C:\windows\tasks\At30.job
C:\windows\tasks\At31.job
C:\windows\tasks\At32.job
C:\windows\tasks\At33.job
C:\windows\tasks\At34.job
C:\windows\tasks\At35.job
C:\windows\tasks\At36.job
C:\windows\tasks\At37.job
C:\windows\tasks\At38.job
C:\windows\tasks\At39.job
C:\windows\tasks\At40.job
C:\windows\tasks\At41.job
C:\windows\tasks\At42.job
C:\windows\tasks\At43.job
C:\windows\tasks\At44.job
C:\windows\tasks\At45.job
C:\windows\tasks\At46.job
C:\windows\tasks\At47.job
C:\windows\tasks\At48.job
C:\windows\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}]
ZoneAlarm Toolbar Registrar - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll [2009-10-14 578928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-28 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-28 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - ZoneAlarm Toolbar - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll [2009-10-14 578928]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast5"=C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [2010-03-09 2769336]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-11-22 1037192]
"ISW"=C:\Program Files\CheckPoint\ZAForceField\ForceField.exe [2009-10-14 730480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCU]
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX7400 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBTUpd]
C:\Program Files\GIGABYTE\GBTUpd\PreRun.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\windows\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
d:\Program Files\PowerISO\PWRISOVM.EXE [2009-11-08 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\windows\RTHDCPL.EXE [2009-08-14 18702336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
d:\program files\steam\steam.exe -silent []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcapd"=3
"PnkBstrA"=2
"ose"=3
"odserv"=3
"Microsoft Office Groove Audit Service"=3
"JavaQuickStarterService"=2
"idsvc"=3
"IDriverT"=3
"ES lite Service"=2
"BCUService"=2
"Ati HotKey Poller"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\windows\system32\Ati2evxx.dll [2009-07-29 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Disabled:BitTorrent"
"C:\Program Files\Gigabyte\EasySaver\UpdExe.exe"="C:\Program Files\Gigabyte\EasySaver\UpdExe.exe:*:Disabled:Exe File"
"C:\Program Files\Gigabyte\GBTUpd\GBTUpd.exe"="C:\Program Files\Gigabyte\GBTUpd\GBTUpd.exe:*:Disabled:GBTUpd.exe"
"C:\Program Files\Gigabyte\EasySaver\GBTUpd.exe"="C:\Program Files\Gigabyte\EasySaver\GBTUpd.exe:*:Disabled:GBTUpd.exe"
"D:\Program Files\Steam\steamapps\zedmanmmiv\day of defeat source\hl2.exe"="D:\Program Files\Steam\steamapps\zedmanmmiv\day of defeat source\hl2.exe:*:Disabled:hl2"
"D:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe"="D:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe:*:Disabled:hl2"
"C:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe"="C:\Program Files\Steam\steamapps\zedmanmmiv\counter-strike source\hl2.exe:*:Disabled:hl2"
"C:\windows\Network Diagnostic\xpnetdiag.exe"="C:\windows\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Disabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Disabled:PnkBstrB"
"C:\windows\system32\sessmgr.exe"="C:\windows\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Gigabyte\GBTUpd\RunUpd.exe"="C:\Program Files\Gigabyte\GBTUpd\RunUpd.exe:*:Disabled:RunUpd"
"D:\Program Files\Steam\Steam.exe"="D:\Program Files\Steam\Steam.exe:*:Disabled:Steam"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Disabled:Steam"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15725b98-0bed-11df-adc5-806d6172696f}]
shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c3dafd9-46be-11df-a530-0012179fe30e}]
shell\AutoRun\command - G:\sources\sperr32.exe x64

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54757af8-0b4a-11df-9178-806d6172696f}]
shell\AutoRun\command - D:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fbe7920-1451-11df-96cf-0012179fe30e}]
shell\AutoRun\command - G:\USBAutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f855c47c-20cf-11df-96d8-0012179fe30e}]
shell\AutoRun\command - G:\StartPortableApps.exe


======File associations======

.scr - open - "%1" /S "%3"

======List of files/folders created in the last 1 months======

2010-04-14 03:35:43 ----D---- C:\Boot
2010-04-13 19:15:07 ----A---- C:\windows\system32\zlcommdb.dll
2010-04-13 19:15:07 ----A---- C:\windows\system32\zlcomm.dll
2010-04-13 19:14:52 ----A---- C:\windows\system32\vswmi.dll
2010-04-13 19:14:46 ----A---- C:\windows\system32\zpeng25.dll
2010-04-13 19:14:45 ----A---- C:\windows\system32\vsmonapi.dll
2010-04-13 19:14:14 ----A---- C:\windows\system32\vsutil.dll
2010-04-13 19:14:14 ----A---- C:\windows\system32\vsinit.dll
2010-04-13 19:11:44 ----A---- C:\windows\ntbtlog.txt
2010-04-13 18:13:05 ----A---- C:\windows\system32\vsregexp.dll
2010-04-13 18:12:08 ----A---- C:\windows\system32\vsxml.dll
2010-04-13 18:12:05 ----A---- C:\windows\system32\vspubapi.dll
2010-04-13 18:11:08 ----N---- C:\windows\system32\vsdata.dll
2010-04-13 06:30:55 ----SHD---- C:\found.000
2010-04-13 01:47:46 ----HDC---- C:\windows\$NtUninstallKB932716-v2$
2010-04-13 01:47:16 ----N---- C:\windows\system32\imapi2fs.dll
2010-04-13 01:47:16 ----N---- C:\windows\system32\imapi2.dll
2010-04-12 17:35:43 ----AC---- C:\Documents and Settings\All Users\Application Data\gpy23d0J.exe_
2010-04-12 17:35:43 ----AC---- C:\Documents and Settings\All Users\Application Data\gpy23d0J.exe
2010-04-12 17:01:59 ----D---- C:\windows\_VOIDylnkbidbwu
2010-04-12 17:01:58 ----D---- C:\windows\LastGood(2)
2010-04-12 17:01:30 ----D---- C:\Program Files\Common Files\Futuremark Shared
2010-04-12 16:57:49 ----D---- C:\Program Files\WinPcap
2010-04-12 16:16:16 ----D---- C:\Documents and Settings\Jerry\Application Data\CheckPoint
2010-04-12 16:16:01 ----D---- C:\Program Files\CheckPoint
2010-04-12 16:15:48 ----D---- C:\windows\system32\ZoneLabs
2010-04-12 16:15:47 ----D---- C:\Program Files\Zone Labs
2010-04-12 16:15:16 ----D---- C:\windows\Internet Logs
2010-04-10 19:39:21 ----DC---- C:\rsit
2010-04-10 19:37:50 ----D---- C:\windows\ERDNT
2010-04-10 19:36:48 ----D---- C:\Program Files\ERUNT
2010-04-07 22:16:39 ----D---- C:\Program Files\Trend Micro
2010-04-07 20:04:46 ----DC---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 17:39:00 ----HDC---- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-07 17:38:54 ----DC---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-04-07 17:38:54 ----D---- C:\Program Files\Lavasoft
2010-04-07 14:08:34 ----D---- C:\Program Files\Microsoft Security Essentials
2010-04-06 23:44:54 ----DC---- C:\spoolerlogs
2010-04-06 22:30:42 ----D---- C:\Program Files\ZIP PASSWORD FINDER
2010-03-28 23:24:45 ----D---- C:\Documents and Settings\Jerry\Application Data\bfgbar
2010-03-28 18:08:34 ----D---- C:\Program Files\Turtix
2010-03-28 18:02:27 ----ADC---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-03-28 18:01:46 ----D---- C:\Program Files\Big Fish Games Toolbar Installer
2010-03-28 17:59:53 ----D---- C:\Program Files\bfgclient
2010-03-28 17:58:48 ----DC---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2010-03-28 00:54:02 ----A---- C:\windows\system32\PnkBstrB.exe
2010-03-28 00:53:56 ----A---- C:\windows\system32\PnkBstrA.exe
2010-03-20 02:29:27 ----D---- C:\Documents and Settings\Jerry\Application Data\Help
2010-03-20 02:29:27 ----D---- C:\Documents and Settings\Jerry\Application Data\gtk-2.0
2010-03-18 00:54:52 ----D---- C:\Documents and Settings\Jerry\Application Data\Malwarebytes
2010-03-18 00:54:47 ----DC---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-03-18 00:54:47 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

======List of files/folders modified in the last 1 months======

2010-04-14 17:08:44 ----D---- C:\windows\Prefetch
2010-04-14 17:06:18 ----D---- C:\windows\system32
2010-04-14 17:06:18 ----A---- C:\windows\system32\PerfStringBackup.INI
2010-04-14 17:06:13 ----D---- C:\windows\Temp
2010-04-14 17:02:08 ----D---- C:\windows\system32\CatRoot2
2010-04-14 17:00:49 ----D---- C:\windows\system32\drivers
2010-04-14 17:00:00 ----A---- C:\windows\SchedLgU.Txt
2010-04-14 16:43:53 ----D---- C:\windows\system32\config
2010-04-14 14:47:03 ----SD---- C:\windows\Tasks
2010-04-14 14:47:03 ----RSD---- C:\windows\Fonts
2010-04-14 02:15:56 ----D---- C:\windows\system32\Restore
2010-04-13 19:12:21 ----DC---- C:\Documents and Settings
2010-04-13 19:11:44 ----D---- C:\WINDOWS
2010-04-13 09:11:23 ----RSHDC---- C:\windows\system32\dllcache
2010-04-13 02:15:02 ----HD---- C:\windows\inf
2010-04-13 01:51:28 ----SHDC---- C:\Config.Msi
2010-04-13 01:51:28 ----SHD---- C:\windows\Installer
2010-04-13 01:51:28 ----SD---- C:\Documents and Settings\Jerry\Application Data\Microsoft
2010-04-12 18:38:34 ----D---- C:\windows\system32\LogFiles
2010-04-12 18:07:09 ----D---- C:\Program Files\Mozilla Firefox
2010-04-12 18:06:10 ----D---- C:\windows\system32\CatRoot
2010-04-12 18:04:41 ----D---- C:\Program Files\Internet Explorer
2010-04-12 17:57:29 ----RD---- C:\Program Files
2010-04-12 17:51:16 ----D---- C:\windows\Minidump
2010-04-12 17:51:16 ----D---- C:\windows\Debug
2010-04-12 17:49:29 ----D---- C:\Program Files\Common Files
2010-04-12 17:49:28 ----DC---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-04-12 17:46:31 ----RSD---- C:\windows\assembly
2010-04-12 17:46:30 ----D---- C:\Program Files\OpenOffice.org 3
2010-04-12 17:41:43 ----DC---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-04-12 17:41:13 ----SDC---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-04-12 17:41:13 ----D---- C:\Program Files\Common Files\microsoft shared
2010-04-12 17:37:50 ----D---- C:\Program Files\Common Files\System
2010-04-12 17:37:46 ----A---- C:\windows\win.ini
2010-04-12 17:19:35 ----D---- C:\windows\system32\wbem
2010-04-12 17:19:31 ----D---- C:\windows\Registration
2010-04-12 17:11:21 ----D---- C:\Documents and Settings\Jerry\Application Data\BitTorrent
2010-04-07 22:34:28 ----A---- C:\windows\system.ini
2010-04-07 22:19:47 ----SD---- C:\windows\Downloaded Program Files
2010-04-07 20:31:10 ----D---- C:\windows\WinSxS
2010-04-07 20:29:31 ----HD---- C:\Program Files\InstallShield Installation Information
2010-04-07 20:28:51 ----D---- C:\Program Files\Gigabyte
2010-04-07 17:43:21 ----DC---- C:\windows\system32\DRVSTORE
2010-04-07 17:25:00 ----D---- C:\windows\msapps
2010-03-31 07:24:06 ----HD---- C:\windows\$hf_mig$
2010-03-20 02:29:21 ----D---- C:\windows\system32\DirectX
2010-03-20 02:28:23 ----D---- C:\Program Files\File Scavenger 3.2
2010-03-20 02:25:39 ----D---- C:\Program Files\Movie Maker
2010-03-18 01:36:22 ----D---- C:\windows\Config

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\windows\system32\drivers\Aavmker4.sys [2010-03-09 28880]
R1 AmdPPM;AMD HwPState Processor Driver; C:\windows\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 aswSP;aswSP; C:\windows\system32\drivers\aswSP.sys [2010-03-09 162640]
R1 aswTdi;avast! Network Shield Support; C:\windows\system32\drivers\aswTdi.sys [2010-03-09 46672]
R1 SCDEmu;SCDEmu; C:\windows\system32\drivers\SCDEmu.sys [2009-11-08 59388]
R1 truecrypt;truecrypt; C:\windows\System32\drivers\truecrypt.sys [2010-02-22 223440]
R1 vsdatant;vsdatant; C:\windows\System32\vsdatant.sys [2009-11-22 486280]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\windows\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 aswFsBlk;aswFsBlk; C:\windows\system32\drivers\aswFsBlk.sys [2010-03-09 19024]
R2 aswMon2;avast! Standard Shield Support; C:\windows\system32\drivers\aswMon2.sys [2010-03-09 100432]
R2 ISWKL;ZoneAlarm Toolbar ISWKL; \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys []
R2 NPF;NetGroup Packet Filter Driver; C:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 aswRdr;aswRdr; C:\windows\system32\drivers\aswRdr.sys [2010-03-09 23376]
R3 ati2mtag;ati2mtag; C:\windows\system32\DRIVERS\ati2mtag.sys [2009-07-29 4411392]
R3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\windows\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\windows\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\windows\system32\drivers\RtkHDAud.sys [2009-08-18 5884416]
R3 mouhid;Mouse HID Driver; C:\windows\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 RT2500;Linksys Wireless-G PCI Adapter Driver; C:\windows\system32\DRIVERS\RT2500.sys [2005-10-20 243328]
R3 RTHDMIAzAudService;Service for HDMI; C:\windows\system32\drivers\RtKHDMI.sys [2009-06-24 3734976]
R3 usbbus;LGE CDMA Composite USB Device; C:\windows\system32\DRIVERS\lgusbbus.sys [2007-07-23 12416]
R3 UsbDiag;LGE CDMA USB Serial Port; C:\windows\system32\DRIVERS\lgusbdiag.sys [2007-07-23 19840]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\windows\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\windows\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBModem;LGE CDMA USB Modem; C:\windows\system32\DRIVERS\lgusbmodem.sys [2007-07-23 21632]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\windows\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\windows\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 Ambfilt;Ambfilt; C:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 AODDriver;AODDriver; \??\C:\Program Files\GIGABYTE\ET6\i386\AODDriver.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\windows\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 cpuz130;cpuz130; \??\C:\DOCUME~1\Jerry\LOCALS~1\Temp\cpuz130\cpuz_x32.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 etdrv;etdrv; \??\C:\WINDOWS\etdrv.sys []
S3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\windows\system32\DRIVERS\mcdbus.sys []
S3 Monfilt;Monfilt; C:\windows\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 NIC1394;1394 Net Driver; C:\windows\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 nm;Network Monitor Driver; C:\windows\system32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 pbfilter;pbfilter; \??\D:\Program Files\PeerBlock\pbfilter.sys []
S3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\windows\system32\DRIVERS\Rtenicxp.sys [2009-06-29 142592]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\windows\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\windows\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 WpdUsb;WpdUsb; C:\windows\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\windows\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\windows\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\windows\system32\Ati2evxx.exe [2009-07-29 602112]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-03-09 40384]
R2 EPSON_PM_RPCV4_01;EPSON V3 Service4(01); C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE [2007-01-11 113664]
R2 ES lite Service;ES lite Service for program management.; C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE [2009-08-24 68136]
R2 IswSvc;ZoneAlarm Toolbar IswSvc; C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe [2009-10-14 476528]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-28 153376]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2010-03-28 75064]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-11-22 2384240]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\windows\system32\svchost.exe [2008-04-13 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-03-09 40384]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-03-09 40384]
S3 aspnet_state;ASP.NET State Service; C:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlusHelper;getPlus(R) Helper; C:\windows\System32\svchost.exe [2008-04-13 14336]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2009-10-20 117264]
S4 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

The issues with the computer have not changed; links from Google are redirected and tabs are opened randomly to unwanted sites. Avast does stop trojans when the page opens.

Thank you,
Jerry
Zedman2k
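The second atapi block in the TDSSKiller log above shows the pattern the tool flagged: every IRP_MJ_* entry resolves to one address (8A8AFAC8), whereas the clean disk and atapi tables mix the driver's own handlers with the one address both drivers share for majors they do not handle (804F4562). The following added example (not code from this thread or from TDSSKiller) parses blocks in that log layout and reports both signals; the sample log is constructed inline from the addresses in the thread's dump.

```python
# Parser and hook check for TDSSKiller-style driver dispatch-table dumps.
# Added example; the sample log below is constructed in the thread's layout.
import re
from collections import defaultdict

# The 27 IRP major function codes in the order TDSSKiller prints them.
IRP_MAJORS = [
    "CREATE", "CREATE_NAMED_PIPE", "CLOSE", "READ", "WRITE",
    "QUERY_INFORMATION", "SET_INFORMATION", "QUERY_EA", "SET_EA",
    "FLUSH_BUFFERS", "QUERY_VOLUME_INFORMATION", "SET_VOLUME_INFORMATION",
    "DIRECTORY_CONTROL", "FILE_SYSTEM_CONTROL", "DEVICE_CONTROL",
    "INTERNAL_DEVICE_CONTROL", "SHUTDOWN", "LOCK_CONTROL", "CLEANUP",
    "CREATE_MAILSLOT", "QUERY_SECURITY", "SET_SECURITY", "POWER",
    "SYSTEM_CONTROL", "DEVICE_CHANGE", "QUERY_QUOTA", "SET_QUOTA",
]

# Each log line: timestamp, thread id, then the message.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^IRP_MJ_(\w+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+\.sys) - Verdict:\s*(\d+)$")


def parse_tdsskiller(text):
    """One dict per driver block: driver, table {major: address}, path, verdict."""
    blocks, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # progress lines such as "vfvi6" or "Completed"
        msg = m.group(1).strip()
        if (d := DRIVER_RE.match(msg)):
            current = {"driver": d.group(1), "table": {}, "path": None, "verdict": None}
        elif current is not None and (i := IRP_RE.match(msg)):
            current["table"][i.group(1)] = i.group(2).upper()
        elif current is not None and (v := VERDICT_RE.match(msg)):
            current["path"], current["verdict"] = v.group(1), int(v.group(2))
            blocks.append(current)
            current = None
    return blocks


def shared_stubs(blocks):
    """Addresses that occur in the tables of more than one distinct driver.
    A driver's own handlers live inside its image, so an address several
    drivers share is a kernel-provided default for unhandled majors, not a hook."""
    users = defaultdict(set)
    for b in blocks:
        for addr in b["table"].values():
            users[addr].add(b["driver"].lower())
    return {addr for addr, drivers in users.items() if len(drivers) > 1}


def find_hooked(blocks):
    """(driver, reason) pairs: a table whose every entry is one non-stub address,
    and one driver name recorded with two different dispatch tables."""
    stubs = shared_stubs(blocks)
    tables_per_driver = defaultdict(set)
    findings = []
    for b in blocks:
        addrs = set(b["table"].values())
        # A driver handling nothing has every entry == the stub; that is legitimate,
        # so only a single address that is NOT a shared stub counts as a hook.
        if len(addrs) == 1 and not addrs <= stubs:
            findings.append((b["driver"], "all %d IRP_MJ_* entries resolve to %s"
                             % (len(b["table"]), addrs.pop())))
        tables_per_driver[b["driver"].lower()].add(tuple(sorted(b["table"].items())))
    for driver, tables in tables_per_driver.items():
        if len(tables) > 1:
            findings.append((driver, "%d different dispatch tables recorded" % len(tables)))
    return findings


def make_block(driver, path, handlers, stub="804F4562", ts="16:56:28:718", tid="4156"):
    """Build one block in the log's layout (constructed sample input);
    majors missing from `handlers` get the stub address, as in the real dump."""
    lines = ["%s %s Driver Name: %s" % (ts, tid, driver)]
    lines += ["%s %s IRP_MJ_%s : %s" % (ts, tid, m, handlers.get(m, stub)) for m in IRP_MAJORS]
    lines.append("%s %s %s - Verdict: 1" % (ts, tid, path))
    return lines


# Constructed sample mirroring the thread's log: a clean disk table, the clean
# atapi table, and the second atapi table where every entry is 8A8AFAC8.
SAMPLE_LOG = "\n".join(
    make_block("Disk", r"C:\windows\system32\DRIVERS\disk.sys", {
        "CREATE": "BA10EBB0", "CLOSE": "BA10EBB0", "READ": "BA108D1F",
        "WRITE": "BA108D1F", "FLUSH_BUFFERS": "BA1092E2", "SHUTDOWN": "BA1092E2",
        "DEVICE_CONTROL": "BA1093BB", "INTERNAL_DEVICE_CONTROL": "BA10CF28",
        "POWER": "BA10AC82", "SYSTEM_CONTROL": "BA10F99E"})
    + make_block("atapi", r"C:\windows\system32\DRIVERS\atapi.sys", {
        "CREATE": "B9F3B6F2", "CLOSE": "B9F3B6F2", "DEVICE_CONTROL": "B9F3B712",
        "INTERNAL_DEVICE_CONTROL": "B9F37852", "POWER": "B9F3B73C",
        "SYSTEM_CONTROL": "B9F42336"})
    + make_block("atapi", r"C:\windows\system32\DRIVERS\atapi.sys",
                 {m: "8A8AFAC8" for m in IRP_MAJORS})
)

if __name__ == "__main__":
    for driver, reason in find_hooked(parse_tdsskiller(SAMPLE_LOG)):
        print("%-6s %s" % (driver, reason))
```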

Re: I can't remove this malware

Unread postby Wingman » April 14th, 2010, 6:53 pm

Hello Zedman2k

Please do not make any changes to your system: do not add or remove any software, run any scans or "fix" programs and/or remove any files unless instructed to do so by me. Please read these instructions carefully before executing and then perform the steps, in the order given. If you have any questions or problems executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
PunkBuster warning
I noticed you have PunkBuster installed... read the "Published features" section.
PunkBuster can take control over various aspects of your computer, and some gaming tools, not unlike PunkBuster, also hinder their removal.
By the definition we use, PunkBuster is actual spyware. Therefore, I'm asking you to choose one of the following options:
  1. We "try" to leave PunkBuster alone... however, there is no guarantee a spyware component doesn't "inadvertently" get taken out... so PunkBuster might fail. This will also prevent you from playing games using PunkBuster enabled servers.
  2. We can just remove PunkBuster. You can reinstall it afterwards if you wish, but please keep in mind that it is spyware.
  3. We can not clean this computer at all. This ensures PunkBuster will continue to function.
If you choose to remove PunkBuster, please perform the uninstall steps below. Otherwise, let me know what other option you chose.

Uninstall PunkBuster
Please download PBSVC Setup Program. Save it to your desktop.
  1. Double click on pbsvc.exe to start it... then click Uninstall.
    Once that's finished...
  2. Click Start > Run and copy and paste the following into the open text box:
    cmd /c for %i in (A B K) do sc delete PnkBstr%i
  3. Click OK. A black box will flash very briefly, this is normal.
  4. Double click My Computer on your desktop and browse to C:\windows\system32\drivers
  5. Locate the file: PnkBstrK.sys... if found delete it.
Let me know if you performed these steps successfully.

Step 3.
Defogger
CD Emulator Software (Daemon Tools, Alcohol, etc.) use drivers that can interfere with rootkit scans, so we'll temporarily disable them.
Disable Drivers
Please download DeFogger... by jpshortstuff. Save it to your desktop.
  1. Double click DeFogger.exe to run the tool. The application window will appear.
  2. Click the Disable button to disable your CD Emulation drivers.
  3. Click Yes to continue. A 'Finished!' message will appear. Click OK.
  4. Click OK when DeFogger asks to reboot the machine.
Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Step 4.
ComboFix
Please download ComboFix.exe... © Copyrighted to sUBs. Save it to your desktop. <<--- IMPORTANT!!
Alternate download sites: Mirror #2 or Mirror #3

If you previously downloaded ComboFix, please delete that version and download it again. This tool is frequently updated.

The first thing you need to do is print out How-To-Use-ComboFix. Read these instructions thoroughly.
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  2. Double click the ComboFix.exe icon on your desktop to begin execution. If you receive the "Open File - Security Warning"... press Run.
  3. Press Yes to the Disclaimer prompt.
    ComboFix screen appears... preparing to run. ComboFix will now begin creating a System Restore Point and then backup your registry.
  4. If not already installed... Press Yes to the "Install Recovery Console" prompt.
  5. Press Yes at the Recovery Console installation results prompt... Even if unsuccessful, have ComboFix continue the scan.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
    ComboFix will disconnect you from the Internet, may cause your desktop to disappear and also change your clock settings... this is normal, so don't worry. They will be restored when finished. The ComboFix window data will be changing with various "Stages"... completed. When finished the screen will show that a log is being created.
    ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  6. Please copy/paste the contents of log.txt... in your next reply.
Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Step 5.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. PunkBuster Uninstalled?
  3. ComboFix log.txt file contents.
  4. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14112
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: I can't remove this malware

Unread postby Zedman2k » April 14th, 2010, 10:39 pm

PunkBuster Uninstalled with no prob.

When I tried to run ComboFix first I got an error titled "iexplore.exe application error"-"instruction at 0x00000000 referenced memory The memory at 0x00000000 could not be "read""

I clicked OK; when ComboFix tried to install the Windows Recovery Console, the error was "Boot partition cannot be enumerated correctly".

Never got a log from ComboFix. :cry:

No change in the computer's behavior.

Jerry
Zedman2k
Active Member
 
Posts: 10
Joined: April 7th, 2010, 10:51 pm

Re: I can't remove this malware

Unread postby Wingman » April 15th, 2010, 8:44 am

Hello Zedman2k
Sorry you had problems... let's check a few things to see if there are "other" problems.

Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
Check Hard Disk For Errors
  1. Press Start... then select Run
  2. Copy/paste the following command into the box... then press OK:
    cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"

    A blank command window will open on your desktop, then close in a few minutes. This is normal.
    A file and icon named "checkhd.txt" should appear on your Desktop.
  3. Please post the contents of the checkhd.txt file in your next reply.

Step 3.
Restore IE 6 default settings
Malware may have altered your browser settings, so we'll reset them now. Any "personalized" settings will need to be reapplied.
  1. Click Start > Control Panel > Internet Options.
  2. On the General tab:
    • Click on Delete Cookies... click OK to confirm.
    • Click on Delete Files... click OK to confirm.
    • Click on Clear History... click OK to confirm.
  3. On the Content tab:
    • Click Clear SSL State... click OK to confirm.
  4. On the Advanced tab:
    • Click Restore Defaults... click OK to confirm.
Internet Explorer 6.0 default settings have been applied.

Step 4.
Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.
  1. Double click on RSIT.exe to run it.
  2. Please read the disclaimer... click on Continue.
    RSIT will start running. When done... ONLY the "C:\RSIT\log.txt" will be reproduced (the window will be maximized).
  3. Please post ONLY the "log.txt" file contents in your next reply.


Step 5.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. checkhd.txt file contents.
  3. RSIT log.txt file contents.
  4. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14112
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: I can't remove this malware

Unread postby Zedman2k » April 15th, 2010, 4:37 pm

Hello Wingman

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is recovering lost files.
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Repairing Usn Journal file record segment.
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

35254610 KB total disk space.
10234268 KB in 38980 files.
12640 KB in 4825 indexes.
0 KB in bad sectors.
409298 KB in use by the system.
43296 KB occupied by the log file.
24598404 KB available on disk.

4096 bytes in each allocation unit.
8813652 total allocation units on disk.
6149601 allocation units available on disk.


Logfile of random's system information tool 1.06 (written by random/random)
Run by Jerry at 2010-04-15 16:05:12
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 24 GB (70%) free of 34 GB
Total RAM: 2814 MB (78% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:13 PM, on 4/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jerry\Desktop\RSIT.exe
C:\Program Files\trend micro\Jerry.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4024 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}]
ZoneAlarm Toolbar Registrar - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll [2009-10-14 578928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-28 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-28 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - ZoneAlarm Toolbar - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll [2009-10-14 578928]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast5"=C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [2010-04-14 2790472]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-11-22 1037192]
"ISW"=C:\Program Files\CheckPoint\ZAForceField\ForceField.exe [2009-10-14 730480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [2010-04-14 2790472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCU]
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX7400 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBTUpd]
C:\Program Files\GIGABYTE\GBTUpd\PreRun.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW]
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe [2009-10-14 730480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
d:\Program Files\PowerISO\PWRISOVM.EXE [2009-11-08 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2009-08-14 18702336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
d:\program files\steam\steam.exe -silent []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-11-22 1037192]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcapd"=3
"PnkBstrA"=2
"ose"=3
"odserv"=3
"Microsoft Office Groove Audit Service"=3
"JavaQuickStarterService"=2
"idsvc"=3
"IDriverT"=3
"ES lite Service"=2
"BCUService"=2
"Ati HotKey Poller"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-07-29 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Disabled:BitTorrent"
"C:\Program Files\Gigabyte\EasySaver\UpdExe.exe"="C:\Program Files\Gigabyte\EasySaver\UpdExe.exe:*:Disabled:Exe File"
"C:\Program Files\Gigabyte\EasySaver\GBTUpd.exe"="C:\Program Files\Gigabyte\EasySaver\GBTUpd.exe:*:Disabled:GBTUpd.exe"
"C:\windows\Network Diagnostic\xpnetdiag.exe"="C:\windows\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\windows\system32\sessmgr.exe"="C:\windows\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fbe7920-1451-11df-96cf-0012179fe30e}]
shell\AutoRun\command - G:\USBAutoRun.exe


======List of files/folders created in the last 1 months======

2010-04-15 19:40:46 ----HDC---- C:\WINDOWS\$NtUninstallKB981349$
2010-04-15 19:40:40 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-04-15 19:40:32 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-04-15 07:15:22 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-04-15 07:15:11 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-04-14 23:38:19 ----D---- C:\Program Files\CheckPoint
2010-04-14 23:38:15 ----A---- C:\WINDOWS\system32\vsregexp.dll
2010-04-14 23:38:14 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2010-04-14 23:38:14 ----A---- C:\WINDOWS\system32\zlcomm.dll
2010-04-14 23:38:09 ----A---- C:\WINDOWS\system32\vswmi.dll
2010-04-14 23:38:08 ----D---- C:\WINDOWS\system32\ZoneLabs
2010-04-14 23:38:08 ----A---- C:\WINDOWS\system32\zpeng25.dll
2010-04-14 23:38:08 ----A---- C:\WINDOWS\system32\vsxml.dll
2010-04-14 23:38:08 ----A---- C:\WINDOWS\system32\vspubapi.dll
2010-04-14 23:38:08 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2010-04-14 23:38:06 ----D---- C:\Program Files\Zone Labs
2010-04-14 23:37:47 ----D---- C:\WINDOWS\Internet Logs
2010-04-14 23:37:46 ----A---- C:\WINDOWS\system32\vsinit.dll
2010-04-14 23:37:46 ----A---- C:\WINDOWS\system32\vsdata.dll
2010-04-14 23:37:45 ----A---- C:\WINDOWS\system32\vsutil.dll
2010-04-14 22:34:29 ----SD---- C:\ComboFix
2010-04-14 22:02:23 ----A---- C:\Boot.bak
2010-04-14 22:02:18 ----ASHDC---- C:\cmdcons
2010-04-14 22:01:39 ----SHD---- C:\RECYCLER
2010-04-14 21:55:48 ----ASH---- C:\boot.ini
2010-04-14 21:47:37 ----A---- C:\WINDOWS\system32\aswBoot.exe
2010-04-14 21:38:39 ----D---- C:\WINDOWS\temp
2010-04-14 21:22:44 ----D---- C:\Documents and Settings\All Users\Application Data\ZA_PreservedFiles
2010-04-14 21:07:25 ----HD---- C:\WINDOWS\$NtUninstallKB978601$
2010-04-14 21:07:18 ----HD---- C:\WINDOWS\$NtUninstallKB979309$
2010-04-14 19:52:48 ----A---- C:\WINDOWS\zip.exe
2010-04-14 19:52:48 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-04-14 19:52:48 ----A---- C:\WINDOWS\SWSC.exe
2010-04-14 19:52:48 ----A---- C:\WINDOWS\SWREG.exe
2010-04-14 19:52:48 ----A---- C:\WINDOWS\sed.exe
2010-04-14 19:52:48 ----A---- C:\WINDOWS\PEV.exe
2010-04-14 19:52:48 ----A---- C:\WINDOWS\NIRCMD.exe
2010-04-14 19:52:48 ----A---- C:\WINDOWS\MBR.exe
2010-04-14 19:52:48 ----A---- C:\WINDOWS\grep.exe
2010-04-14 19:52:26 ----D---- C:\Qoobox
2010-04-14 19:32:39 ----A---- C:\WINDOWS\system32\pbsvc.exe
2010-04-14 03:35:43 ----D---- C:\Boot
2010-04-13 19:11:44 ----A---- C:\WINDOWS\ntbtlog.txt
2010-04-13 06:30:55 ----D---- C:\found.000
2010-04-13 01:47:54 ----A---- C:\WINDOWS\imsins.BAK
2010-04-13 01:47:46 ----HD---- C:\WINDOWS\$NtUninstallKB932716-v2$
2010-04-13 01:47:16 ----N---- C:\WINDOWS\system32\imapi2fs.dll
2010-04-13 01:47:16 ----N---- C:\WINDOWS\system32\imapi2.dll
2010-04-12 17:35:43 ----A---- C:\Documents and Settings\All Users\Application Data\gpy23d0J.exe_
2010-04-12 17:35:43 ----A---- C:\Documents and Settings\All Users\Application Data\gpy23d0J.exe
2010-04-12 17:01:58 ----D---- C:\WINDOWS\LastGood(2)
2010-04-12 17:01:30 ----D---- C:\Program Files\Common Files\Futuremark Shared
2010-04-12 16:57:49 ----D---- C:\Program Files\WinPcap
2010-04-12 16:16:16 ----D---- C:\Documents and Settings\Jerry\Application Data\CheckPoint
2010-04-10 19:39:21 ----D---- C:\rsit
2010-04-10 19:37:50 ----D---- C:\WINDOWS\ERDNT
2010-04-10 19:36:48 ----D---- C:\Program Files\ERUNT
2010-04-07 22:16:39 ----D---- C:\Program Files\Trend Micro
2010-04-07 20:04:46 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 17:39:00 ----HD---- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-07 17:38:54 ----D---- C:\Program Files\Lavasoft
2010-04-07 17:38:54 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-04-07 14:08:34 ----D---- C:\Program Files\Microsoft Security Essentials
2010-04-06 23:44:54 ----D---- C:\spoolerlogs
2010-04-06 22:30:42 ----D---- C:\Program Files\ZIP PASSWORD FINDER
2010-03-28 23:24:45 ----D---- C:\Documents and Settings\Jerry\Application Data\bfgbar
2010-03-28 18:08:34 ----D---- C:\Program Files\Turtix
2010-03-28 18:02:27 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-03-28 18:01:46 ----D---- C:\Program Files\Big Fish Games Toolbar Installer
2010-03-28 17:59:53 ----D---- C:\Program Files\bfgclient
2010-03-28 17:58:48 ----D---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2010-03-20 02:29:27 ----D---- C:\Documents and Settings\Jerry\Application Data\Help
2010-03-20 02:29:27 ----D---- C:\Documents and Settings\Jerry\Application Data\gtk-2.0
2010-03-18 00:54:52 ----D---- C:\Documents and Settings\Jerry\Application Data\Malwarebytes
2010-03-18 00:54:47 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-18 00:54:47 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes

======List of files/folders modified in the last 1 months======

2010-04-15 20:03:00 ----D---- C:\WINDOWS\Prefetch
2010-04-15 19:49:49 ----D---- C:\WINDOWS\system32
2010-04-15 19:49:49 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-04-15 19:47:11 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-15 19:45:48 ----D---- C:\WINDOWS
2010-04-15 19:40:48 ----RSHD---- C:\WINDOWS\system32\dllcache
2010-04-15 19:40:48 ----HD---- C:\WINDOWS\inf
2010-04-15 19:40:42 ----D---- C:\WINDOWS\system32\drivers
2010-04-15 07:17:31 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-15 07:15:19 ----HD---- C:\WINDOWS\$hf_mig$
2010-04-15 07:13:59 ----D---- C:\WINDOWS\Debug
2010-04-14 23:38:19 ----RD---- C:\Program Files
2010-04-14 23:32:23 ----D---- C:\WINDOWS\system32\CatRoot
2010-04-14 23:30:58 ----SHD---- C:\WINDOWS\Installer
2010-04-14 23:30:58 ----D---- C:\Config.Msi
2010-04-14 23:30:55 ----D---- C:\Program Files\LG Electronics
2010-04-14 21:47:45 ----D---- C:\WINDOWS\WinSxS
2010-04-14 21:47:34 ----D---- C:\Documents and Settings\All Users\Application Data\Alwil Software
2010-04-14 21:38:18 ----SD---- C:\WINDOWS\Tasks
2010-04-14 21:37:43 ----N---- C:\WINDOWS\system.ini
2010-04-14 21:36:05 ----D---- C:\WINDOWS\AppPatch
2010-04-14 21:36:03 ----D---- C:\Program Files\Common Files
2010-04-14 21:16:19 ----A---- C:\WINDOWS\win.ini
2010-04-14 16:43:53 ----D---- C:\WINDOWS\system32\config
2010-04-14 14:47:03 ----RSD---- C:\WINDOWS\Fonts
2010-04-14 02:15:56 ----D---- C:\WINDOWS\system32\Restore
2010-04-13 19:12:21 ----D---- C:\Documents and Settings
2010-04-13 01:51:28 ----SD---- C:\Documents and Settings\Jerry\Application Data\Microsoft
2010-04-12 18:38:34 ----D---- C:\WINDOWS\system32\LogFiles
2010-04-12 18:07:09 ----D---- C:\Program Files\Mozilla Firefox
2010-04-12 18:04:41 ----D---- C:\Program Files\Internet Explorer
2010-04-12 17:51:16 ----D---- C:\WINDOWS\Minidump
2010-04-12 17:49:28 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-04-12 17:46:31 ----RSD---- C:\WINDOWS\assembly
2010-04-12 17:46:30 ----D---- C:\Program Files\OpenOffice.org 3
2010-04-12 17:41:43 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-04-12 17:41:13 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-04-12 17:41:13 ----D---- C:\Program Files\Common Files\microsoft shared
2010-04-12 17:37:50 ----D---- C:\Program Files\Common Files\System
2010-04-12 17:19:35 ----D---- C:\WINDOWS\system32\wbem
2010-04-12 17:19:31 ----D---- C:\WINDOWS\Registration
2010-04-12 17:11:21 ----D---- C:\Documents and Settings\Jerry\Application Data\BitTorrent
2010-04-07 22:19:47 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-04-07 20:29:31 ----HD---- C:\Program Files\InstallShield Installation Information
2010-04-07 20:28:51 ----D---- C:\Program Files\Gigabyte
2010-04-07 17:43:21 ----D---- C:\WINDOWS\system32\DRVSTORE
2010-04-07 17:25:00 ----D---- C:\WINDOWS\msapps
2010-04-06 13:52:54 ----A---- C:\WINDOWS\system32\MRT.exe
2010-03-20 02:29:21 ----D---- C:\WINDOWS\system32\DirectX
2010-03-20 02:28:23 ----D---- C:\Program Files\File Scavenger 3.2
2010-03-20 02:25:39 ----D---- C:\Program Files\Movie Maker
2010-03-18 01:36:22 ----D---- C:\WINDOWS\Config

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2010-04-14 28880]
R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 aswSP;aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [2010-04-14 162768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2010-04-14 46672]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2009-11-08 59388]
R1 truecrypt;truecrypt; C:\WINDOWS\System32\drivers\truecrypt.sys [2010-02-22 223440]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-11-22 486280]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\drivers\aswFsBlk.sys [2010-04-14 19024]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2010-04-14 100432]
R2 ISWKL;ZoneAlarm Toolbar ISWKL; \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys []
R2 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2009-10-20 50704]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2010-04-14 23376]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-07-29 4411392]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-08-18 5884416]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 RT2500;Linksys Wireless-G PCI Adapter Driver; C:\WINDOWS\system32\DRIVERS\RT2500.sys [2005-10-20 243328]
R3 RTHDMIAzAudService;Service for HDMI; C:\WINDOWS\system32\drivers\RtKHDMI.sys [2009-06-24 3734976]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 AODDriver;AODDriver; \??\C:\Program Files\GIGABYTE\ET6\i386\AODDriver.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 catchme;catchme; \??\C:\DOCUME~1\Jerry\LOCALS~1\Temp\catchme.sys []
S3 cpuz130;cpuz130; \??\C:\DOCUME~1\Jerry\LOCALS~1\Temp\cpuz130\cpuz_x32.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 etdrv;etdrv; \??\C:\WINDOWS\etdrv.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys []
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 pbfilter;pbfilter; \??\D:\Program Files\PeerBlock\pbfilter.sys []
S3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2009-06-29 142592]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\system32\DRIVERS\lgusbbus.sys [2007-07-23 12416]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys [2007-07-23 19840]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys [2007-07-23 21632]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-04-14 40384]
R2 EPSON_PM_RPCV4_01;EPSON V3 Service4(01); C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE [2007-01-11 113664]
R2 IswSvc;ZoneAlarm Toolbar IswSvc; C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe [2009-10-14 476528]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-11-22 2384240]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-04-14 40384]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-04-14 40384]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlusHelper;getPlus(R) Helper; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-07-29 602112]
S4 ES lite Service;ES lite Service for program management.; C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE [2009-08-24 68136]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-28 153376]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2009-10-20 117264]

-----------------EOF-----------------
Zedman2k
Active Member
 
Posts: 10
Joined: April 7th, 2010, 10:51 pm
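The driver and service lists above follow a fixed RSIT layout: run state, start type, service name, display name, image path, then the file's date and size in brackets, with empty brackets where RSIT could not read the file. The parser below is an added example for reading that layout, not part of the thread or of RSIT; the two triage heuristics (missing file info, image under a Temp directory) are ours, and the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# One RSIT driver/service line: "<R|S><0-4> <name>;<display>; <image path> [<date> <size>]".
# Empty brackets "[]" mean RSIT could not read the file's timestamp and size.
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]*);(?P<display>[^;]*); "
                     r"(?P<path>.*?) \[(?P<info>[^\]]*)\]$")
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

@dataclass
class Entry:
    running: bool
    start: str
    name: str
    display: str
    path: str
    file_date: Optional[str]  # None when the log shows "[]"
    file_size: Optional[int]

def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, blanks and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path.startswith("\\??\\"):  # NT object-manager prefix seen on some kernel drivers
        path = path[4:]
    info = m.group("info").split()
    date, size = (info[0], int(info[1])) if len(info) == 2 else (None, None)
    return Entry(m.group("state") == "R", START_TYPES[m.group("start")],
                 m.group("name"), m.group("display"), path, date, size)

def review_flags(e: Entry) -> List[str]:
    """Triage heuristics (ours, not RSIT's): what a helper would look at first."""
    flags = []
    if e.file_date is None:
        flags.append("no file info: RSIT could not stat the image")
    if "\\temp\\" in e.path.lower():
        flags.append("image loaded from a Temp directory")
    return flags

def triage(log_text: str) -> Dict[str, List[str]]:
    """Map entry name -> flags, for entries that raised at least one flag."""
    entries = filter(None, map(parse_line, log_text.splitlines()))
    return {e.name: f for e in entries if (f := review_flags(e))}

# Constructed sample: three lines copied from the log above.
SAMPLE_LOG = """R1 truecrypt;truecrypt; C:\\WINDOWS\\System32\\drivers\\truecrypt.sys [2010-02-22 223440]
S3 catchme;catchme; \\??\\C:\\DOCUME~1\\Jerry\\LOCALS~1\\Temp\\catchme.sys []
R2 ISWKL;ZoneAlarm Toolbar ISWKL; \\??\\C:\\Program Files\\CheckPoint\\ZAForceField\\ISWKL.sys []"""
```

A flag is a prompt to look closer (catchme.sys, for instance, is the rootkit scanner bundled with ComboFix, which this thread's tools load from Temp), not a verdict.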

Re: I can't remove this malware

Unread postby Wingman » April 16th, 2010, 7:37 am

Hello Zedman2k
CHKDSK indicates there are errors on your hard drive that need to be fixed. We can do this with CHKDSK...

Even if you don't use it... Please try to open Internet Explorer... there seems to be an issue with it. Let me know if you can open it and if it works.
I'm concerned that HJT (from RSIT) cannot determine what version of Internet Explorer you have any longer. This may require a reinstall of Internet Explorer. Let's see what it shows after the CHKDSK runs.

CHKDSK with the /f parameter will run for a while... do not interfere with the process; let it finish and restart your system.

Step 1.
ERUNT - Emergency Recovery Utility NT
Please run this again, as changes may have occurred between the last run and now. Better to be safe than to be sorry.
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Run:
  1. Please navigate to Start >> All Programs >> ERUNT... double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the "Registry backup is complete!" pop-up message will appear.
  5. Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!

Step 2.
CHKDSK Fix HD Errors
  1. Press Start... then select Run
  2. Copy/paste the following command into the box... then press OK:
    cmd /c chkdsk c: /f |find /v "percent" >> "%userprofile%\desktop\checkhdf.txt"

    A blank command window will open on your desktop, then close in a few minutes. This is normal.
    A file and icon named "checkhdf.txt" should appear on your Desktop.
  3. Please post the contents of the checkhdf.txt file in your next reply.

Step 3.
Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.
  1. Double click on RSIT.exe to run it.
  2. Please read the disclaimer... click on Continue.
    RSIT will start running. When done... ONLY the "C:\RSIT\log.txt" will be reproduced (its window will be maximized).
  3. Please post ONLY the "log.txt", file contents in your next reply.

Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. IE6... can you open it? Does it work?
  3. checkhdf.txt file contents.
  4. RSIT log.txt file contents.
  5. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14112
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA