Hi Katana, thanks for the help. Here are the needed files.
RSIT Logfile
Logfile of random's system information tool 1.06 (written by random/random)
Run by User_XP at 2010-03-15 13:48:54
Microsoft Windows XP Professional Service Pack 2
System drive C: has 7 GB (72%) free of 10 GB
Total RAM: 111 MB (11% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:00 PM, on 3/15/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User_XP\My Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\User_XP.exe
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [(Default)] C:\WINDOWS\System32\drivers\16771\csrss.exe
O4 - HKLM\..\Run: [WindowsLogon] C:\WINDOWS\winlogon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
--
End of file - 1940 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"USB Antivirus"=C:\Program Files\USB Disk Security\USBGuard.exe [2008-09-23 798720]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2008-07-01 1447168]
"(Default)"=C:\WINDOWS\System32\drivers\16771\csrss.exe [2007-02-12 32768]
"WindowsLogon"=C:\WINDOWS\winlogon.exe [2007-02-12 32768]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cba7be0-e57e-11de-a6b3-000ae6bb3bb4}]
shell\AutoRun\command - F:\l61yyp.exe
shell\open\command - F:\l61yyp.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35be9b60-da7a-11de-a6b1-000ae6bb3bb4}]
shell\AutoRun\command - F:\l61yyp.exe
shell\open\command - F:\l61yyp.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74a69ef3-b5b0-11de-8381-806d6172696f}]
shell\AutoRun\command - C:\winlogon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74a69ef4-b5b0-11de-8381-806d6172696f}]
shell\AutoRun\command - D:\csrss.exe
======List of files/folders created in the last 1 months======
2010-03-15 13:48:53 ----D---- C:\rsit
2010-03-12 13:36:32 ----D---- C:\Program Files\Trend Micro
2010-02-27 18:16:28 ----A---- C:\WINDOWS\PCTeamRulez.bat
2010-02-27 08:59:59 ----SH---- C:\winlogon.exe
2010-02-27 08:59:59 ----SH---- C:\WINDOWS\winlogon.exe
2010-02-27 08:59:59 ----SH---- C:\svchost.exe
2010-02-27 08:59:59 ----SH---- C:\services.exe
2010-02-27 08:59:59 ----SH---- C:\PCTeam Rulez.exe
2010-02-27 08:59:59 ----SH---- C:\lsass.exe
2010-02-27 08:59:59 ----SH---- C:\explorer.exe
2010-02-27 08:59:59 ----SH---- C:\csrss.exe
======List of files/folders modified in the last 1 months======
2010-03-12 14:01:24 ----A---- C:\WINDOWS\SchedLgU.Txt
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 Crusoe;Transmeta Crusoe Processor Driver; C:\WINDOWS\system32\DRIVERS\crusoe.sys [2004-08-04 36480]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-07-01 53256]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2008-07-01 54280]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-07-01 39944]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2008-07-01 71688]
R3 aliadwdm;ALi Audio Accelerator WDM driver; C:\WINDOWS\system32\drivers\ac97ali.sys [2004-08-03 231552]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2008-07-01 30728]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2001-08-17 104064]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2008-07-01 19200]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
-----------------EOF-----------------
RSIT Infotxt
info.txt logfile of random's system information tool 1.06 2010-03-15 13:52:38
======Uninstall list======
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
ESET Smart Security-->MsiExec.exe /I{FBF09842-EB7F-4BC2-BD32-DDE2572B2195}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (3.5.
-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
USB Disk Security 5.1.0.15-->"C:\Program Files\USB Disk Security\unins000.exe"
======Security center information======
AV: ESET Smart Security 3.0
FW: ESET Personal firewall
======System event log======
Computer Name: BLD_ZAMBOANGA
Event Code: 7023
Message: The Computer Browser service terminated with the following error:
This operation returned because the timeout period expired.
Record Number: 147
Source Name: Service Control Manager
Time Written: 20091022164632.000000+480
Event Type: error
User:
Computer Name: BLD_ZAMBOANGA
Event Code: 7023
Message: The Computer Browser service terminated with the following error:
This operation returned because the timeout period expired.
Record Number: 130
Source Name: Service Control Manager
Time Written: 20091020090748.000000+480
Event Type: error
User:
Computer Name: BLD_ZAMBOANGA
Event Code: 10010
Message: The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.
Record Number: 128
Source Name: DCOM
Time Written: 20091020090502.000000+480
Event Type: error
User: NT AUTHORITY\SYSTEM
Computer Name: BLD_ZAMBOANGA
Event Code: 7023
Message: The Computer Browser service terminated with the following error:
This operation returned because the timeout period expired.
Record Number: 97
Source Name: Service Control Manager
Time Written: 20091018094050.000000+480
Event Type: error
User:
Computer Name: MYN1029-CAE0EF7
Event Code: 7023
Message: The Computer Browser service terminated with the following error:
This operation returned because the timeout period expired.
Record Number: 71
Source Name: Service Control Manager
Time Written: 20091017083832.000000+480
Event Type: error
User:
=====Application event log=====
Computer Name: MYN1029-CAE0EF7
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.
Record Number: 18
Source Name: WinMgmt
Time Written: 20091010160451.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: MYN1029-CAE0EF7
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.
Record Number: 17
Source Name: WinMgmt
Time Written: 20091010160451.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: MYN1029-CAE0EF7
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Record Number: 13
Source Name: WinMgmt
Time Written: 20091010155627.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: MYN1029-CAE0EF7
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Record Number: 12
Source Name: WinMgmt
Time Written: 20091010155627.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: MYN1029-CAE0EF7
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Record Number: 11
Source Name: WinMgmt
Time Written: 20091010155613.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=5
"PROCESSOR_IDENTIFIER"=x86 Family 5 Model 4 Stepping 3, GenuineTMx86
"PROCESSOR_REVISION"=0403
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
-----------------EOF-----------------
Gmer Logfile
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-15 15:34:36
Windows 5.1.2600 Service Pack 2
Running: look.exe; Driver: C:\DOCUME~1\User_XP\LOCALS~1\Temp\awdiikod.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
---- Processes - GMER 1.0.15 ----
Process C:\WINDOWS\system32\cmd.exe (*** hidden *** ) 1260
---- EOF - GMER 1.0.15 ----