Welcome to MalwareRemoval.com
malware found and removed but would like a review to clear

Post by craigs1969 » August 3rd, 2009, 2:31 am

Hi,

I volunteered to help a friend with her computer. It was very slow and had not been given proper service pack updates, no antivirus installed, etc. Installed AVG Free with some adware found and removed. Installed Malwarebytes and when running it, I noticed that it was scanning hundreds of thousands of files in a hidden ...\Content.IE5 folder. I stopped Malwarebytes before it was done due to this, and it found several more malwares and removed them. In looking, this Content.IE5 folder was a subfolder on a profile which was no longer active on the machine (didn't show up as a user in Control Panel nor to log in when starting Windows). I then booted to a Bart's PE CD and forced in cmd the deletion of the files in that profile. This process took about 24 hours to delete all the files. I have now run Malwarebytes again, which took about one hour, and it found several more malwares and removed them. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:12 AM, on 8/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wltray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6997203375
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5128 bytes


Thanks!
craigs1969

Re: malware found and removed but would like a review to clear

Post by askey127 » August 6th, 2009, 10:00 am

Hi craigs1969,
(For future reference, better to positively ascertain the PC is clean before doing an update like SP3.
Updating an infected one can break the system.)

-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Note: Save your work. TFC will automatically close any open programs. Let it run uninterrupted.
  • Double-click TFC.exe to run the program.
  • TFC will most likely require a Reboot. If prompted, click "Yes" to reboot.
The scan shouldn't take longer than a couple of minutes, and may only take a few seconds.
-----------------------------------------------
Run the RSIT Scanner
Please download the scanner from here and save it to your desktop. The icon will be named RSIT.exe
Double-click the RSIT icon.
When the scan is complete, two text files will open
log.txt <- this one will be maximized
info.txt <- this one will be minimized
( Default location for both files is C:\rsit\ )
Copy/Paste the contents of both log.txt and info.txt into your next post please. Use two posts if you prefer.
askey127
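The selection askey127 makes above (entries whose file is gone, plus a downloaded ActiveX control) is the kind of first triage pass that can be scripted against a HijackThis log before a human reads the rest. The Python below is an added example written for this page, not a MalwareRemoval.com, Trend Micro or HijackThis tool. The sample log text is constructed from lines in the posts above, and the two flagging rules (entries ending in "(no file)" and O16 DPF controls) are this example's own choice, not the forum's criteria. It only reports entries for review and changes nothing on the machine.

```python
"""Triage helper for HijackThis v2.0.2 log lines (added example, not a
MalwareRemoval.com or Trend Micro tool). It flags entries for a human to
review; it does not modify the system."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entry lines in the format HijackThis writes, taken from
# the log posted in this thread, plus two header lines to show they are skipped.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# An HJT entry line starts with a section code such as R0, F1, N2, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    code: str            # HJT section code, e.g. "R3"
    reason: str          # why the entry was flagged
    clsid: Optional[str] # CLSID/GUID in the entry, if any, for a registry lookup
    line: str            # the original log line, ready to paste into a reply


def parse_entries(log_text: str):
    """Yield (code, body, line) for each HJT entry; skip headers and process list."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def triage(log_text: str) -> List[Finding]:
    """Return the entries a reviewer would look at first, in log order."""
    findings: List[Finding] = []
    for code, body, line in parse_entries(log_text):
        clsid_match = CLSID_RE.search(body)
        clsid = clsid_match.group(0) if clsid_match else None
        if body.endswith("(no file)"):
            # The registration survives but the DLL/EXE is gone: a leftover of a
            # removed component. Dead hooks like this are what "Fix Checked" cleans.
            findings.append(Finding(code, "orphaned entry: registered object has no file on disk", clsid, line))
        elif code == "O16":
            # Downloaded Program Files (ActiveX) arrive from a URL; the source
            # should be verified before the control is kept.
            findings.append(Finding(code, "downloaded ActiveX control: verify source URL", clsid, line))
    return findings


def orphan_count(log_text: str) -> int:
    """Number of '(no file)' entries in the log."""
    return sum(1 for f in triage(log_text) if f.reason.startswith("orphaned"))


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.code}] {f.reason}")
        print(f"    {f.line}")
```

On the sample above the script flags the three "(no file)" hook entries askey127 checked, the orphaned O9 button, and the getPlus O16 control; the Broadcom wireless manager entry is a judgement call that no simple rule catches, which is why the output is a review list rather than a fix list.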

Re: malware found and removed but would like a review to clear

Post by craigs1969 » August 6th, 2009, 2:39 pm

Logfile of random's system information tool 1.06 (written by random/random)
Run by Casie at 2009-08-06 11:57:11
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 10 GB (28%) free of 35 GB
Total RAM: 223 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:41 AM, on 8/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Casie\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Casie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6997203375
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4654 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-07-31 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2003-07-16 55296]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-07-31 2000152]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2009-07-27 341312]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Dynex Wireless Networking Utility.lnk - C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-07-31 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoActiveDesktopChanges"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\pinaco1993\My Documents\LimeWire\LimeWire.exe"="C:\Documents and Settings\pinaco1993\My Documents\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"
"C:\WINDOWS\system32\usmt\migwiz.exe"="C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\setup.exe


======List of files/folders created in the last 1 months======

2009-08-06 11:57:11 ----D---- C:\rsit
2009-08-02 22:38:45 ----D---- C:\Program Files\Trend Micro
2009-08-02 22:25:51 ----D---- C:\Documents and Settings\Casie\Application Data\WinPatrol
2009-08-02 22:25:20 ----D---- C:\Program Files\BillP Studios
2009-08-01 16:32:51 ----D---- C:\Program Files\Common Files\NSV
2009-08-01 16:01:44 ----N---- C:\WINDOWS\system32\pxcpya64.exe
2009-08-01 16:01:43 ----N---- C:\WINDOWS\system32\pxinsa64.exe
2009-08-01 16:01:43 ----N---- C:\WINDOWS\system32\pxhpinst.exe
2009-08-01 16:01:42 ----N---- C:\WINDOWS\system32\pxsfs.dll
2009-08-01 16:01:42 ----N---- C:\WINDOWS\system32\pxafs.dll
2009-08-01 16:01:41 ----N---- C:\WINDOWS\system32\pxdrv.dll
2009-08-01 16:01:40 ----N---- C:\WINDOWS\system32\vxblock.dll
2009-08-01 16:01:40 ----N---- C:\WINDOWS\system32\pxwave.dll
2009-08-01 16:01:39 ----N---- C:\WINDOWS\system32\pxmas.dll
2009-08-01 16:01:38 ----N---- C:\WINDOWS\system32\px.dll
2009-08-01 16:01:26 ----D---- C:\Program Files\Winamp
2009-08-01 16:01:26 ----D---- C:\Documents and Settings\Casie\Application Data\Winamp
2009-08-01 15:53:21 ----D---- C:\Program Files\QuickTime
2009-08-01 15:49:51 ----D---- C:\Program Files\Apple Software Update
2009-08-01 15:49:45 ----SHD---- C:\Config.Msi
2009-08-01 15:48:08 ----D---- C:\WINDOWS\system32\Adobe
2009-08-01 15:40:23 ----D---- C:\Documents and Settings\Casie\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-01 15:25:05 ----D---- C:\Program Files\Adobe
2009-08-01 15:23:38 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-08-01 15:23:25 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-08-01 15:01:28 ----HDC---- C:\WINDOWS\$NtUninstallbasecsp$
2009-08-01 13:47:52 ----A---- C:\WINDOWS\ODBC.INI
2009-08-01 13:47:33 ----A---- C:\WINDOWS\system32\mdimon.dll
2009-08-01 13:44:18 ----D---- C:\Program Files\Common Files\L&H
2009-08-01 13:43:35 ----D---- C:\Program Files\Microsoft ActiveSync
2009-08-01 13:42:09 ----D---- C:\Program Files\Common Files\DESIGNER
2009-08-01 13:41:48 ----D---- C:\Program Files\Microsoft Works
2009-08-01 13:41:13 ----D---- C:\Program Files\Microsoft Visual Studio
2009-08-01 13:40:43 ----D---- C:\WINDOWS\SHELLNEW
2009-08-01 13:40:35 ----D---- C:\Program Files\Microsoft.NET
2009-08-01 13:40:35 ----D---- C:\Program Files\Microsoft Office
2009-08-01 13:40:35 ----D---- C:\Program Files\Common Files\ODBC
2009-08-01 13:31:44 ----D---- C:\Program Files\PowerISO
2009-08-01 06:14:12 ----HD---- C:\$AVG8.VAULT$
2009-07-31 21:02:48 ----D---- C:\Program Files\Microsoft Bootvis
2009-07-31 20:10:28 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-07-31 20:09:57 ----D---- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
2009-07-31 20:09:21 ----D---- C:\Program Files\AVG
2009-07-31 20:09:20 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-07-31 19:54:23 ----D---- C:\Documents and Settings\Casie\Application Data\Malwarebytes
2009-07-31 19:54:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-31 19:54:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-31 19:52:06 ----D---- C:\Program Files\WinDirStat
2009-07-31 19:49:05 ----D---- C:\Documents and Settings\Casie\Application Data\Mozilla
2009-07-31 19:47:29 ----D---- C:\Program Files\Mozilla Firefox
2009-07-31 19:26:33 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-07-31 19:10:53 ----D---- C:\Program Files\Microsoft Silverlight
2009-07-31 18:59:13 ----D---- C:\WINDOWS\system32\XPSViewer
2009-07-31 18:59:05 ----D---- C:\Program Files\MSBuild
2009-07-31 18:58:47 ----D---- C:\Program Files\Reference Assemblies
2009-07-31 18:57:55 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-07-31 18:57:55 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-07-31 18:57:54 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-07-31 18:50:58 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-07-31 18:50:32 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-07-31 18:46:19 ----RSD---- C:\WINDOWS\assembly
2009-07-31 18:46:19 ----D---- C:\WINDOWS\Microsoft.NET
2009-07-31 18:46:16 ----D---- C:\WINDOWS\system32\URTTemp
2009-07-31 18:27:09 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-07-31 18:21:30 ----D---- C:\WINDOWS\Prefetch
2009-07-31 18:17:29 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-31 18:16:55 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-07-31 18:16:29 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-07-31 18:15:42 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-07-31 18:15:15 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-07-31 18:14:20 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-07-31 18:14:00 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-31 18:13:43 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-07-31 18:13:28 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-07-31 18:13:16 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-07-31 18:13:03 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-07-31 18:12:50 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-07-31 18:12:33 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-07-31 18:12:21 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-07-31 18:12:09 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-07-31 18:11:59 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-07-31 18:11:45 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-07-31 18:11:33 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-07-31 18:10:39 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-07-31 18:10:20 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-07-31 18:10:09 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-07-31 18:09:57 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-07-31 18:09:44 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-07-31 18:09:32 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-07-31 18:09:19 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-07-31 18:09:07 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-07-31 18:08:56 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-07-31 18:08:45 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-07-31 18:08:33 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-07-31 18:08:21 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-07-31 18:08:10 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-07-31 18:07:59 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-07-31 18:07:46 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-07-31 18:07:35 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-07-31 18:07:18 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-07-31 18:00:36 ----D---- C:\WINDOWS\system32\scripting
2009-07-31 18:00:34 ----D---- C:\WINDOWS\l2schemas
2009-07-31 18:00:33 ----D---- C:\WINDOWS\system32\en
2009-07-31 17:53:47 ----D---- C:\WINDOWS\network diagnostic
2009-07-31 17:29:26 ----D---- C:\WINDOWS\ie8updates
2009-07-31 17:26:04 ----HDC---- C:\WINDOWS\ie8
2009-07-31 13:53:58 ----D---- C:\Program Files\CCleaner
2009-07-15 22:45:11 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-15 22:44:58 ----HDC---- C:\WINDOWS\$NtUninstallKB971633_0$
2009-07-15 22:37:48 ----HDC---- C:\WINDOWS\$NtUninstallKB968537_0$
2009-07-15 22:36:54 ----HDC---- C:\WINDOWS\$NtUninstallKB961371_0$
2009-07-14 21:40:56 ----D---- C:\Program Files\NOS
2009-07-14 21:40:56 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-07-07 22:31:59 ----HDC---- C:\WINDOWS\$NtUninstallKB961501_0$
2009-07-07 22:31:48 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
2009-07-07 22:31:24 ----HDC---- C:\WINDOWS\$NtUninstallKB970238_0$

======List of files/folders modified in the last 1 months======

2009-08-06 11:55:40 ----D---- C:\WINDOWS\Temp
2009-08-06 11:52:07 ----D---- C:\WINDOWS
2009-08-06 11:50:31 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-06 11:49:56 ----D---- C:\WINDOWS\system32
2009-08-04 12:04:14 ----D---- C:\Documents and Settings
2009-08-04 10:13:54 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-02 23:59:18 ----D---- C:\WINDOWS\system32\drivers
2009-08-02 22:38:45 ----RD---- C:\Program Files
2009-08-02 22:29:16 ----SD---- C:\WINDOWS\Tasks
2009-08-01 16:32:51 ----D---- C:\Program Files\Common Files
2009-08-01 15:54:45 ----SHD---- C:\WINDOWS\Installer
2009-08-01 15:53:17 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-08-01 15:36:14 ----D---- C:\Documents and Settings\Casie\Application Data\Adobe
2009-08-01 15:26:49 ----D---- C:\Program Files\Common Files\Adobe
2009-08-01 15:11:26 ----SD---- C:\Documents and Settings\Casie\Application Data\Microsoft
2009-08-01 15:05:48 ----D---- C:\WINDOWS\security
2009-08-01 15:01:47 ----HD---- C:\WINDOWS\inf
2009-08-01 13:48:07 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-08-01 13:44:43 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-08-01 13:44:34 ----RSD---- C:\WINDOWS\Fonts
2009-08-01 13:37:14 ----D---- C:\WINDOWS\system
2009-08-01 13:21:00 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-01 13:12:39 ----D---- C:\Temp
2009-08-01 13:07:52 ----D---- C:\WINDOWS\Debug
2009-08-01 12:23:02 ----D---- C:\WINDOWS\WinSxS
2009-08-01 12:20:52 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-31 23:56:26 ----HDC---- C:\WINDOWS\$NtUninstallKB923561_0$
2009-07-31 22:45:01 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-31 22:23:30 ----D---- C:\Documents and Settings\All Users\Application Data\AOL
2009-07-31 22:22:45 ----D---- C:\Documents and Settings\Casie\Application Data\AOL
2009-07-31 21:54:34 ----D---- C:\WINDOWS\SoftwareDistribution
2009-07-31 21:43:45 ----RASH---- C:\boot.ini
2009-07-31 19:30:13 ----D---- C:\WINDOWS\Registration
2009-07-31 19:27:49 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-31 19:10:10 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-07-31 18:59:07 ----D---- C:\WINDOWS\system32\en-US
2009-07-31 18:58:16 ----D---- C:\WINDOWS\system32\spool
2009-07-31 18:46:36 ----D---- C:\WINDOWS\system32\mui
2009-07-31 18:20:53 ----D---- C:\WINDOWS\system32\Setup
2009-07-31 18:20:53 ----D---- C:\WINDOWS\AppPatch
2009-07-31 18:20:52 ----D---- C:\WINDOWS\system32\wbem
2009-07-31 18:07:48 ----D---- C:\Program Files\Messenger
2009-07-31 18:01:04 ----D---- C:\WINDOWS\ServicePackFiles
2009-07-31 18:01:01 ----D---- C:\WINDOWS\ime
2009-07-31 18:01:00 ----D---- C:\WINDOWS\Help
2009-07-31 18:00:38 ----D---- C:\WINDOWS\system32\usmt
2009-07-31 18:00:32 ----D---- C:\WINDOWS\system32\bits
2009-07-31 18:00:32 ----D---- C:\WINDOWS\peernet
2009-07-31 18:00:32 ----D---- C:\Program Files\Movie Maker
2009-07-31 17:56:14 ----D---- C:\WINDOWS\system32\Restore
2009-07-31 17:56:14 ----D---- C:\WINDOWS\system32\npp
2009-07-31 17:56:12 ----D---- C:\WINDOWS\msagent
2009-07-31 17:56:10 ----D---- C:\WINDOWS\srchasst
2009-07-31 17:56:09 ----D---- C:\Program Files\NetMeeting
2009-07-31 17:56:07 ----D---- C:\WINDOWS\system32\Com
2009-07-31 17:56:04 ----D---- C:\Program Files\Windows Media Player
2009-07-31 17:56:03 ----D---- C:\Program Files\Windows NT
2009-07-31 17:56:03 ----D---- C:\Program Files\Outlook Express
2009-07-31 17:56:00 ----D---- C:\Program Files\Common Files\System
2009-07-31 17:55:40 ----D---- C:\WINDOWS\system32\oobe
2009-07-31 17:50:41 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-07-31 17:45:31 ----D---- C:\WINDOWS\EHome
2009-07-31 17:34:11 ----D---- C:\WINDOWS\Media
2009-07-31 17:34:10 ----D---- C:\Program Files\Internet Explorer
2009-07-31 15:10:34 ----D---- C:\Documents and Settings\Casie\Application Data\Apple Computer
2009-07-31 14:07:40 ----D---- C:\WINDOWS\Minidump
2009-07-19 19:48:58 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-19 07:18:59 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-15 00:18:35 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-15 00:18:15 ----D---- C:\Program Files\Pure Networks
2009-07-14 21:34:13 ----D---- C:\Program Files\Yahoo!
2009-07-14 21:33:50 ----D---- C:\Program Files\Windows Live Toolbar
2009-07-14 21:32:03 ----D---- C:\WINDOWS\PCHealth
2009-07-14 21:23:55 ----D---- C:\Program Files\Java
2009-07-08 15:20:59 ----D---- C:\WINDOWS\system32\Macromed
2009-07-07 09:10:58 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-07-31 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-07-31 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-07-31 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2008-11-02 56572]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter; C:\WINDOWS\system32\drivers\bcmwlnpf.sys [2007-04-26 33664]
R2 Fallback;Fallback; C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [2001-08-17 289887]
R2 Fsks;Fsks; C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [2001-08-17 115807]
R2 K56;K56; C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [2001-08-17 391199]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 SoftFax;SoftFax; C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [2001-08-17 199711]
R2 Tones;Tones; C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [2001-08-17 50751]
R2 V124;V124; C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [2001-08-17 488383]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2009-06-16 46592]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 Mtlmnt5;Mtlmnt5; C:\WINDOWS\System32\DRIVERS\Mtlmnt5.sys [2004-04-01 126686]
R3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2002-12-13 159744]
R3 Slntamr;Smart Link 56K Modem Driver; C:\WINDOWS\System32\DRIVERS\slntamr.sys [2004-04-01 404990]
R3 SlWdmSup;SlWdmSup; C:\WINDOWS\System32\DRIVERS\SlWdmSup.sys [2004-01-28 13240]
R3 SMBios;Intel (R) System Management BIOS Service; C:\WINDOWS\System32\DRIVERS\SMBios.sys [2003-10-14 36484]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VIAudio;Vinyl AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\vinyl97.sys [2006-08-10 204672]
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-07-24 403968]
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-07-24 461312]
S3 basic2;basic2; C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [2001-08-17 67167]
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2009-06-16 46592]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2003-09-04 41984]
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
S3 hsf_msft;hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
S3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
S3 Mtlstrm;Mtlstrm; C:\WINDOWS\System32\DRIVERS\Mtlstrm.sys [2004-01-28 1309184]
S3 NdisWDM;Dynex Wireless G USB Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ndiswdm.sys [2007-08-31 198528]
S3 NTACCESS;NTACCESS; \??\D:\NTACCESS.sys []
S3 NtMtlFax;NtMtlFax; C:\WINDOWS\System32\DRIVERS\NtMtlFax.sys [2004-01-28 180360]
S3 NTSIM;NTSIM; \??\C:\WINDOWS\System32\ntsim.sys []
S3 Rksample;Rksample; C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [2001-08-17 57471]
S3 SlNtHal;SlNtHal; C:\WINDOWS\System32\DRIVERS\Slnthal.sys [2004-01-28 95424]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem; C:\WINDOWS\System32\DRIVERS\usb8023.sys [2008-04-13 12800]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-02-18 30464]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 Vsp;Vsp; \??\C:\WINDOWS\System32\drivers\Vsp.sys []
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-07-31 908056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-07-31 297752]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 SLService;SmartLinkService; C:\WINDOWS\system32\slserv.exe [2004-01-08 73796]
R2 wltrysvc;Broadcom Wireless LAN Tray Service; C:\WINDOWS\System32\wltrysvc.exe [2007-06-14 20480]
S3 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
craigs1969
Regular Member
 
Posts: 18
Joined: April 6th, 2009, 11:20 pm
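A triage pass over the driver and service lists in the log above, as an added example (it is not part of this thread, of random's system information tool, or of the forum's tools). It parses the `R1 name;display; path [date size]` lines, flags entries whose binary the tool could not find at scan time (the empty `[]`, such as GMSIPCI and NTACCESS, which point at a D: drive) and entries whose binary sits outside the usual install locations. The sample lines are copied from the log above; the allow-list of install locations is an assumption made for this particular machine.

```python
"""Reviewer helper for the driver/service list in a random's system information tool
(RSIT) log. Added example, not part of the thread or of RSIT itself.

Each line has the form
  <state><start> <name>;<display name>; <path> [<yyyy-mm-dd> <size>]
where an empty "[]" means the tool could not find the file at scan time.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# Assumed install locations for this machine (Windows XP, single C: drive).
USUAL_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    state: str                 # 'R' running, 'S' stopped
    start: int                 # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str
    file_date: Optional[str]   # None when the tool printed "[]"
    file_size: Optional[int]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one driver/service line; return None for headings and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").split()
    date = meta[0] if len(meta) == 2 else None
    size = int(meta[1]) if len(meta) == 2 else None
    return Entry(m.group("state"), int(m.group("start")), m.group("name").strip(),
                 m.group("display").strip(), m.group("path").strip(), date, size)


def normalize_path(path: str) -> str:
    """Drop the NT object-manager prefix "\\??\\" the tool prints for some drivers."""
    p = path[4:] if path.startswith("\\??\\") else path
    return p.lower()


def review_log(text: str) -> List[Tuple[str, str]]:
    """Return (service name, reason) findings a reviewer would look at first."""
    findings = []
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        p = normalize_path(e.path)
        if e.file_date is None:
            findings.append((e.name, "no file metadata: binary was not found at scan time"))
        if not p.startswith(USUAL_PREFIXES):
            findings.append((e.name, f"binary outside the usual install locations: {e.path}"))
    return findings


# Sample lines copied from the log above (a short excerpt, not the whole list).
SAMPLE_LINES = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-07-31 335240]
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 NTACCESS;NTACCESS; \??\D:\NTACCESS.sys []
S3 Vsp;Vsp; \??\C:\WINDOWS\System32\drivers\Vsp.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
"""

if __name__ == "__main__":
    for name, reason in review_log(SAMPLE_LINES):
        print(f"{name}: {reason}")
```

Entries that are stopped and point at removable media (the two D: drive drivers here) are usually leftovers of an installer run from a CD rather than anything malicious; the point of the pass is to put them, and the four drivers with no file metadata, at the top of the list so a helper checks them rather than scanning seventy lines by eye.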

Re: malware found and removed but would like a review to clear

Unread postby craigs1969 » August 6th, 2009, 2:40 pm

info.txt logfile of random's system information tool 1.06 2009-08-06 11:57:49

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->MsiExec.exe /X{6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Cnxt 2011 D850 56K V.9x DF Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_201114F1\HXFSETUP.EXE -U -IVEN_14F1&DEV_2F20&SUBSYS_201114F1
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Dynex Wireless G USB Network Adapter Setup-->C:\Program Files\InstallShield Installation Information\{531D27E5-DE21-4777-9EDB-B7803087E7F3}\setup.exe -runfromtemp -l0x0009 -removeonly
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Bootvis-->MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.5.1)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
ProSavageDDR and Utilities-->C:\PROGRA~1\S3\P4M266\s3setvga.exe -s -fC:\PROGRA~1\S3\P4M266\P4M266.uns
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
S3Display-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
The Sims Unleashed-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C32C567-DC0F-4C80-B06C-7873850A2E06}\setup.exe" -l0009
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB972636)-->"C:\WINDOWS\ie8updates\KB972636-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VIA Audio Driver Setup Program-->RunDll32.exe UnAudioNT.dll,UninstallAudio C:\WINDOWS\IsUninst.exe -f"C:\PROGRA~1\VIATEC~1\VIAAUD~1/Uninst.isu"
VIA Rhine-Family Fast-Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinPatrol 2009-->C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
Yahoo! Anti-Spy-->C:\PROGRA~1\Yahoo!\Common\unypsr.exe

=====HijackThis Backups=====

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) [2009-08-06]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [2009-08-06]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) [2009-08-06]
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe [2009-08-06]
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) [2009-08-06]

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: YOUR-4ECD8HHOVM
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 14885
Source Name: Service Control Manager
Time Written: 20090714213119.000000-360
Event Type: error
User:

Computer Name: YOUR-4ECD8HHOVM
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 14882
Source Name: Service Control Manager
Time Written: 20090714213119.000000-360
Event Type: error
User:

Computer Name: YOUR-4ECD8HHOVM
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 14879
Source Name: Service Control Manager
Time Written: 20090714213119.000000-360
Event Type: error
User:

Computer Name: YOUR-4ECD8HHOVM
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 14876
Source Name: Service Control Manager
Time Written: 20090714213119.000000-360
Event Type: error
User:

Computer Name: YOUR-4ECD8HHOVM
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 14873
Source Name: Service Control Manager
Time Written: 20090714213119.000000-360
Event Type: error
User:

=====Application event log=====

Computer Name: YOUR-4ECD8HHOVM
Event Code: 1517
Message: Windows saved user YOUR-4ECD8HHOVM\pinaco1993 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1845
Source Name: Userenv
Time Written: 20080808174341.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-4ECD8HHOVM
Event Code: 1517
Message: Windows saved user YOUR-4ECD8HHOVM\pinaco1993 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1842
Source Name: Userenv
Time Written: 20080808145705.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-4ECD8HHOVM
Event Code: 1517
Message: Windows saved user YOUR-4ECD8HHOVM\Casie registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1840
Source Name: Userenv
Time Written: 20080808140408.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-4ECD8HHOVM
Event Code: 1517
Message: Windows saved user YOUR-4ECD8HHOVM\pinaco1993 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1837
Source Name: Userenv
Time Written: 20080808001139.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-4ECD8HHOVM
Event Code: 1517
Message: Windows saved user YOUR-4ECD8HHOVM\pinaco1993 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1822
Source Name: Userenv
Time Written: 20080807181624.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

Re: malware found and removed but would like a review to clear

Unread postby askey127 » August 7th, 2009, 6:31 am

craigs1969,
------------------------------------------------------------
Download the latest version of Java Runtime Environment here: http://java.sun.com/javase/downloads/index.jsp, and install it to your computer.
It is currently the 5th item on the page (the page changes often), called JRE 6 Update 15
Select Windows and multi-language, and check to agree to the license.
Choose Windows Offline installation version.
Download it, choose Save, and save it to your desktop.
Then doubleclick it, and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
-----------------------------------------------------
Run an Online Kaspersky WebScan
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: malware found and removed but would like a review to clear

Unread postby craigs1969 » August 7th, 2009, 5:53 pm

The Java installed with no problem. However, I tried the Kaspersky 3 times (twice directly after the Java install and once after a reboot). I got this message each time when it was in the database-updating phase:

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.

You must be online to update the Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7.0. [ERROR: Key is expired]


Please advise. This machine is a 2 GHz Celeron with 224MB Ram and system managed virtual memory, by the way.

Re: malware found and removed but would like a review to clear

Unread postby askey127 » August 7th, 2009, 8:41 pm

Please try this one. It works a bit differently.
Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now, it's Free.
  • Read and place a check mark next to-"Yes, I accept the terms of use".
  • Click Launch HouseCall.
    Select this:
    • Using Java-Based Housecall Kernel
    • Click Starting HouseCall.
    or this
    • "Browser plug-in" Installing and using the Housecall Kernel
    • Click Starting HouseCall --(Allow ActiveX install)
  • Choose:
    • "Scan complete computer for malware, greyware and vulnerabilities".
    • Click Next.
  • Please be patient, the scan can take a while.
  • When the scan is finished, a summary page will open.
  • Under Cleanup options:
    • Choose clean all detected infections automatically.
    • Click Clean now>>.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.
  • Please write down the full path and filename of anything that could not be cleaned/deleted.

Re: malware found and removed but would like a review to clear

Unread postby craigs1969 » August 8th, 2009, 3:57 am

I started the HouseCall shortly after you posted that. It was moving along slowly but surely until the progress bar got about 80% done on Step 2. It's been stuck there for several hours now. Task Manager shows 2% CPU usage and the page file usage is at 320mb, which is at or close to what Windows has it set at. Firefox is the only app running in the Applications tab and it does not show "not responding". Ideas?

Re: malware found and removed but would like a review to clear

Unread postby askey127 » August 8th, 2009, 6:05 am

craigs1969,
That machine badly needs at least another 256Mb memory stick. For that PC, they are nearly free now.
There may be some reason the online scanners don't work.
Could you please post the last log from Malwarebytes' Anti-Malware?
The log can be found using the "Logs" tab in the program. You can click any log listed to open its contents.
Recent logs are named by time/date stamp in this format : mbam-log-2009-mm-dd(hour-min-sec).txt

Re: malware found and removed but would like a review to clear

Unread postby craigs1969 » August 8th, 2009, 12:13 pm

Yes, it does. I'll look into the cost for the owner. I'm not sure what she could afford now. Also, I must travel to LA for business on Monday unexpectedly. I'm going to transfer the PC to a mutual friend tomorrow and he is going to take over. He said he'd probably end up doing fdisk/format/OS reinstall. Let's go ahead and close this thread. Thanks for all your help. But, here's that log:

Malwarebytes' Anti-Malware 1.39
Database version: 2548
Windows 5.1.2600 Service Pack 3

8/2/2009 11:57:30 PM
mbam-log-2009-08-02 (23-57-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 141827
Time elapsed: 58 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 6
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\zangosa (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Casie\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Casie\application data\shoppingreport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
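A parser for the Malwarebytes' Anti-Malware log format posted above, as an added example; it is not code from Malwarebytes or from this thread. It separates the summary counts from the itemised sections, tallies detections per family (so the "mostly Adware.Shopping.Report" picture is visible at a glance), pulls out the registry policy hijack (the `Bad: (1) Good: (0)` data item, a user-interface lockdown rather than plain adware residue), cross-checks the header counts against the items actually listed (a cheap way to notice a truncated or hand-edited log), and lists anything not reported as removed. The sample log is a constructed, shortened copy of the one above with one action changed to `Delete on reboot.` to exercise the unresolved-item check.

```python
"""Parse a Malwarebytes' Anti-Malware (1.x) text log and triage the detections.
Added example for this thread; not part of Malwarebytes or of the forum's tools.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


@dataclass
class Detection:
    section: str
    target: str          # registry key/value or file system path
    family: str          # e.g. Adware.Shopping.Report
    action: str          # last " -> " segment, e.g. "Quarantined and deleted successfully."
    bad: Optional[str] = None    # only for Registry Data Items (value MBAM found)
    good: Optional[str] = None   # value MBAM restored


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (summary counts by section, itemised detections)."""
    summary: Dict[str, int] = {}
    items: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m and section is None:          # summary block precedes the sections
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:                  # "(No malicious items detected)" never matches
            rest = m.group("rest")
            bg = BADGOOD_RE.search(rest)
            items.append(Detection(section, m.group("target"), m.group("family"),
                                   rest.rsplit(" -> ", 1)[-1],
                                   bg.group("bad") if bg else None,
                                   bg.group("good") if bg else None))
    return summary, items


def family_counts(items: List[Detection]) -> Counter:
    return Counter(d.family for d in items)


def consistency_issues(summary: Dict[str, int], items: List[Detection]) -> List[str]:
    """Header counts that disagree with the itemised sections (truncated/edited log)."""
    seen = Counter(d.section for d in items)
    return [f"{s}: header says {n}, found {seen.get(s, 0)}"
            for s, n in summary.items() if seen.get(s, 0) != n]


def policy_hijacks(items: List[Detection]) -> List[Detection]:
    """Registry data items: policy/UI settings that were changed, with the restored value."""
    return [d for d in items if d.section == "Registry Data Items Infected"]


def unresolved(items: List[Detection]) -> List[Detection]:
    """Anything MBAM did not report as handled successfully needs a follow-up scan."""
    return [d for d in items if "successfully" not in d.action]


# Constructed, shortened sample in the format of the log above; one action altered.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2548
Scan type: Full Scan (C:\|)
Objects scanned: 141827

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\zangosa (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Casie\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Casie\application data\shoppingreport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Casie\application data\shoppingreport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Delete on reboot.
"""

if __name__ == "__main__":
    summary, items = parse_mbam_log(SAMPLE_LOG)
    print(dict(family_counts(items)))
    print("issues:", consistency_issues(summary, items))
    print("hijacks:", [(d.target.rsplit("\\", 1)[-1], d.bad, d.good) for d in policy_hijacks(items)])
    print("unresolved:", [d.target for d in unresolved(items)])
```

The `Bad`/`Good` pair is the detail worth keeping from a data-item line: it records that the `NoActiveDesktopChanges` policy was set to 1 and put back to 0, which is what distinguishes a settings lockdown from the ShoppingReport folders that are simply leftovers of an uninstalled adware bundle.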

Re: malware found and removed but would like a review to clear

Unread postby askey127 » August 8th, 2009, 2:48 pm

Those entries are not disastrous, but they are Adware items.
Some PC repair shops will give away 256Mb sticks for those older machines. Just need to look up the model# to be sure of the RAM type.

OK, let me know if you want any further assistance. I will leave this thread open for 4 days.

Re: malware found and removed but would like a review to clear

Unread postby askey127 » August 12th, 2009, 9:53 pm

craigs1969, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.