
Solved WinAntiSpyware and a Dialer removal

Discussion in 'Malware and Virus Removal Archive' started by Stratman50th, 2008/09/21.

  1. 2008/09/21
    Stratman50th

    Stratman50th Inactive Thread Starter

    Joined:
    2008/09/20
    Messages:
    37
    Likes Received:
    0
    [Resolved] WinAntiSpyware and a Dialer removal

    I'll try and put everything in here that was requested.
    Approx. two weeks ago we got the WinAntiSpyware pop-up window. The window was closed without going to the site since I had heard of this one before. We also had a bunch of ad windows opening up by themselves. Typical gambling, save money, etc. All of these were confined to my daughter's profile. I was using Spybot Tea Timer resident as well as the firewall and antivirus software that came free with our Earthlink account. I don't know what application it really is since Earthlink puts their name on it.
    All updates were set for automatic and loaded several times a week. Same with Spybot S&D. I did notice that Earthlink wasn't loading resident any longer on her profile. I don't know how long it's been like that.
    I logged into safe mode and ran the Earthlink full scan, then the Spybot S&D. I already had Ad-Aware but hadn't used it in a while. I updated and ran it too.
    WinAntiSpyware was found, along with what was identified as a dialer. I apologize that I didn't write it down. I think it started with "di", but I can't be sure as supposedly it was removed. According to all the utilities I used, the system was clean. I logged back in and the windows were still coming up in my daughter's profile.
    I went back into safe mode with networking and downloaded AVG8 and tried to install it, but it said there was another antivirus app running. I attempted to uninstall Earthlink from Add/Remove Programs and it failed with an MS error report. I ran reg cleaner and removed Earthlink and tried to install AVG again. It failed to complete the install; however, the toolbar did get installed somehow. It kept popping up and disappearing. I checked the services and found that ieexplorer was starting and the AVG toolbar was shutting it down, so I assumed the dialer or whatever it is was still trying to pop those links up, and AVG was shutting them down. It would come about every 15 seconds more or less. This is getting really long so I'll try and be brief. I cleaned AVG out of the registry and tried to reinstall. After several attempts it went in. I ran it and it scanned in command line and found and fixed a problem:
    C:\WINDOWS\system32\qqKNOnn4.exe Trojan horse Downloader.Tiny.H Object was moved to Virus Vault.

    Things appeared to be working fairly well, so I rebooted and went back to my normal profile (everything had been done in safe mode so far). I noticed a couple of strange things which I posted in another thread. The admin profile was viewable; it is normally hidden. There was no networking/internet available in my profile. Even though there was what appeared to be a normal list of services in Task Manager, no networking was loaded because "services could not load in safe mode". This was my profile, not admin. That was the original problem I posted on here.
    One more thing, I removed my daughter's profile and deleted the directory. Firefox is our browser. We do not use ie5.
    Here is the HijackThis log that I was advised to post:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:41:24 AM, on 9/21/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
    O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
    O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
    O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137525022796
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AuthFw - Authentium - C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

    --
    End of file - 6741 bytes

    Sorry if this was longer than it was supposed to be, but the instructions said to list the problem and everything you've done up to this point.
     
  2. 2008/09/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Stratman50th
    Thanks for the info, it does help.

    Let's run a tool and then get another log.

    Please do these in the order given.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Now a log from this.

    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of the log.txt here in your next reply.

    Please post the MBAM log and the log.txt from RSIT.

    Thanks
    Geri
     
  4. 2008/09/22
    Stratman50th

    Thanks for your response Geri. I'll take care of it as soon as I get home this evening. This all started as a result of this thread I posted first just to give you all a little more background:
    http://www.windowsbbs.com/windows-xp/77115-safe-mode-likes-hang-around.html
    I have admin rights on my profile, but should I do the downloads and run the scans in safe mode under the admin profile?
    I'll post the results of the scans as soon as I get them. Thanks again for all the help!
     
  5. 2008/09/22
    Geri Lifetime Subscription

    Hi
    Normal mode would be best, if possible.

    If not, run MBAM in safe mode, then try to boot into normal mode and run it again.

    Geri
     
  6. 2008/09/22
    Stratman50th

    Malwarebytes Log:
    Malwarebytes' Anti-Malware 1.28
    Database version: 1194
    Windows 5.1.2600 Service Pack 3

    9/22/2008 7:47:58 PM
    mbam-log-2008-09-22 (19-47-58).txt

    Scan type: Quick Scan
    Objects scanned: 70035
    Time elapsed: 14 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Lori.D4478691\Local Settings\Temp\5T4YwS8D.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\5W3qdc2O.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qqKNOnn4.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

    HijackThis:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:52:43 PM, on 9/22/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
    O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
    O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
    O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137525022796
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AuthFw - Authentium - C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

    --
    End of file - 6793 bytes
     
    Last edited: 2008/09/22
  7. 2008/09/22
    Stratman50th

    RSIT:
    Logfile of random's system information tool 1.02 (written by random/random)
    Run by Don at 2008-09-22 19:54:21
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 110 GB (74%) free of 149 GB
    Total RAM: 1014 MB (47% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:54:34 PM, on 9/22/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Don\Desktop\RSIT.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Trend Micro\HijackThis\Don.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
    O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
    O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
    O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137525022796
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AuthFw - Authentium - C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

    --
    End of file - 6834 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At10.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At20.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At25.job
    C:\WINDOWS\tasks\At26.job
    C:\WINDOWS\tasks\At27.job
    C:\WINDOWS\tasks\At28.job
    C:\WINDOWS\tasks\At29.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At30.job
    C:\WINDOWS\tasks\At31.job
    C:\WINDOWS\tasks\At32.job
    C:\WINDOWS\tasks\At33.job
    C:\WINDOWS\tasks\At34.job
    C:\WINDOWS\tasks\At35.job
    C:\WINDOWS\tasks\At36.job
    C:\WINDOWS\tasks\At37.job
    C:\WINDOWS\tasks\At38.job
    C:\WINDOWS\tasks\At39.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At40.job
    C:\WINDOWS\tasks\At41.job
    C:\WINDOWS\tasks\At42.job
    C:\WINDOWS\tasks\At43.job
    C:\WINDOWS\tasks\At44.job
    C:\WINDOWS\tasks\At45.job
    C:\WINDOWS\tasks\At46.job
    C:\WINDOWS\tasks\At47.job
    C:\WINDOWS\tasks\At48.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At9.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000002}]
    ElnkBhoGuard Class - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll [2007-07-19 247272]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15F4D456-5BAA-4076-8486-EECB38CD3E57}]
    ElnkScamBHO Class - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll [2007-07-19 247272]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{512ACF1B-64D9-4928-B382-A80556F28DB4}]
    ElnkPubBHO Class - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll [2007-07-19 255464]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-30 1562448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9579D574-D4D8-4335-9560-FE8641A013BD}]
    ElnkProtectionBHO Class - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll [2007-07-19 415208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E713904C-DF05-4C79-BBAD-02DB923253BE}]
    ElnkLegacyUninstBHO Class - C:\Program Files\EarthLink\Toolbar\uninsttb.dll [2007-07-19 280040]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {C7768536-96F8-4001-B1A2-90EE21279187} - EarthLink Toolbar - C:\Program Files\EarthLink\Toolbar\Toolbar.dll [2007-07-19 878056]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-07-20 94208]
    "igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-07-20 77824]
    "igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-07-20 114688]
    "SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-23 339968]
    "DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-02-23 53248]
    "ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-06-10 249856]
    "ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]
    "RoxioDragToDisc"=C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe [2005-10-20 1687552]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-09-16 1235736]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-08-18 1832272]
    "Creative Detector"=C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe [2004-12-02 102400]
    "EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2006-04-02 389120]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Adobe Reader Speed Launch.lnk.disabled - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="avgrsstx.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINDOWS\system32\igfxdev.dll [2005-07-20 135168]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
    "C:\Program Files\NET6\net6vpn.exe"="C:\Program Files\NET6\net6vpn.exe:*:Enabled:Citrix Secure Access Agent"
    "C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe"="C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe:*:Enabled:Roxio Upnp Service"
    "C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe"="C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe:*:Enabled:Toolbox for HP Printing System for Windows"
    "C:\Program Files\Roxio\Easy Media Creator 8\VideoUI\VideoWave8.exe"="C:\Program Files\Roxio\Easy Media Creator 8\VideoUI\VideoWave8.exe:*:Enabled:VideoWave 8"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Disabled:avgnsx.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Disabled:avgupd.exe"
    "C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Disabled:MySpaceIM"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
    "C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    ======List of files/folders created in the last 1 months======

    2008-09-22 19:54:21 ----D---- C:\rsit
    2008-09-22 19:30:23 ----D---- C:\Documents and Settings\Don\Application Data\Malwarebytes
    2008-09-22 19:30:19 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-22 19:30:19 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-21 08:40:52 ----D---- C:\Program Files\Trend Micro
    2008-09-20 20:52:47 ----D---- C:\WINDOWS\pss
    2008-09-20 18:26:04 ----HD---- C:\$AVG8.VAULT$
    2008-09-20 16:45:57 ----D---- C:\Program Files\RegCleaner
    2008-09-18 18:33:20 ----D---- C:\Documents and Settings\Don\Application Data\ScamBlocker
    2008-09-18 18:28:56 ----D---- C:\Program Files\Common Files\EarthLink
    2008-09-18 17:16:57 ----D---- C:\Documents and Settings\Don\Application Data\aAvgApi
    2008-09-18 17:16:56 ----D---- C:\Documents and Settings\Don\Application Data\AVGTOOLBAR
    2008-09-18 16:34:35 ----D---- C:\Program Files\AVG
    2008-09-18 16:34:29 ----D---- C:\Program Files\McAfee
    2008-09-18 16:34:07 ----D---- C:\Program Files\Common Files\EarthLink Protection Control Center
    2008-09-18 16:34:05 ----D---- C:\Program Files\Common Files\ADS
    2008-09-18 16:34:03 ----D---- C:\Documents and Settings\Don\Application Data\InstallShield
    2008-09-18 16:30:11 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-09-17 19:00:01 ----D---- C:\Program Files\Common Files\ADS(2)
    2008-09-16 19:37:36 ----A---- C:\WINDOWS\system32\avgrsstx.dll
    2008-09-10 07:47:10 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
    2008-09-10 07:46:32 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
    2008-09-09 18:14:10 ----SHD---- C:\WINDOWS\CSC
    2008-09-08 18:07:51 ----A---- C:\WINDOWS\webica.ini
    2008-09-08 18:01:09 ----D---- C:\Program Files\Citrix
    2008-09-06 22:44:17 ----A---- C:\WINDOWS\system32\5W3qdc2O.exe
    2008-09-01 22:54:16 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
    2008-08-29 17:21:19 ----D---- C:\WINDOWS\Prefetch
    2008-08-29 17:17:47 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
    2008-08-29 17:17:41 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
    2008-08-29 17:17:34 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
    2008-08-29 17:17:27 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
    2008-08-29 17:17:21 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
    2008-08-29 17:17:15 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
    2008-08-29 17:17:09 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
    2008-08-29 17:17:01 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
    2008-08-29 17:16:55 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
    2008-08-29 17:16:49 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
    2008-08-29 17:16:41 ----HDC---- C:\WINDOWS\$NtUninstallKB950759$
    2008-08-29 17:16:33 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
    2008-08-29 17:12:47 ----D---- C:\WINDOWS\system32\en-us
    2008-08-29 17:12:46 ----D---- C:\WINDOWS\system32\scripting
    2008-08-29 17:12:46 ----D---- C:\WINDOWS\l2schemas
    2008-08-29 17:12:45 ----D---- C:\WINDOWS\system32\en
    2008-08-29 17:12:45 ----D---- C:\WINDOWS\system32\bits
    2008-08-29 17:10:49 ----D---- C:\WINDOWS\ServicePackFiles
    2008-08-29 17:08:50 ----D---- C:\WINDOWS\network diagnostic
    2008-08-29 17:04:35 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
    2008-08-27 06:49:18 ----N---- C:\WINDOWS\system32\xmllite.dll
    2008-08-27 06:49:15 ----N---- C:\WINDOWS\system32\wmphoto.dll
    2008-08-27 06:49:13 ----N---- C:\WINDOWS\system32\wlanapi.dll
    2008-08-27 06:49:12 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
    2008-08-27 06:49:12 ----N---- C:\WINDOWS\system32\windowscodecs.dll
    2008-08-27 06:49:04 ----N---- C:\WINDOWS\system32\tspkg.dll
    2008-08-27 06:49:04 ----N---- C:\WINDOWS\system32\tsgqec.dll
    2008-08-27 06:48:56 ----N---- C:\WINDOWS\system32\spupdwxp.exe
    2008-08-27 06:48:55 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
    2008-08-27 06:48:54 ----N---- C:\WINDOWS\system32\slserv.exe
    2008-08-27 06:48:54 ----N---- C:\WINDOWS\system32\slrundll.exe
    2008-08-27 06:48:54 ----N---- C:\WINDOWS\slrundll.exe
    2008-08-27 06:48:53 ----N---- C:\WINDOWS\system32\slgen.dll
    2008-08-27 06:48:53 ----N---- C:\WINDOWS\system32\slextspk.dll
    2008-08-27 06:48:53 ----N---- C:\WINDOWS\system32\slcoinst.dll
    2008-08-27 06:48:49 ----N---- C:\WINDOWS\system32\setupn.exe
    2008-08-27 06:48:46 ----N---- C:\WINDOWS\system32\s3gnb.dll
    2008-08-27 06:48:45 ----N---- C:\WINDOWS\system32\rhttpaa.dll
    2008-08-27 06:48:44 ----N---- C:\WINDOWS\system32\rasqec.dll
    2008-08-27 06:48:42 ----N---- C:\WINDOWS\system32\qutil.dll
    2008-08-27 06:48:41 ----N---- C:\WINDOWS\system32\qcliprov.dll
    2008-08-27 06:48:41 ----N---- C:\WINDOWS\system32\qagentrt.dll
    2008-08-27 06:48:41 ----N---- C:\WINDOWS\system32\qagent.dll
    2008-08-27 06:48:40 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
    2008-08-27 06:48:37 ----N---- C:\WINDOWS\system32\onex.dll
    2008-08-27 06:48:27 ----N---- C:\WINDOWS\system32\napstat.exe
    2008-08-27 06:48:27 ----N---- C:\WINDOWS\system32\napmontr.dll
    2008-08-27 06:48:27 ----N---- C:\WINDOWS\system32\napipsec.dll
    2008-08-27 06:48:27 ----N---- C:\WINDOWS\system32\mtxparhd.dll
    2008-08-27 06:48:26 ----N---- C:\WINDOWS\system32\msxml6r.dll
    2008-08-27 06:48:26 ----N---- C:\WINDOWS\system32\msxml6.dll
    2008-08-27 06:48:25 ----N---- C:\WINDOWS\system32\msshavmsg.dll
    2008-08-27 06:48:25 ----N---- C:\WINDOWS\system32\mssha.dll
    2008-08-27 06:48:10 ----N---- C:\WINDOWS\system32\mmcperf.exe
    2008-08-27 06:48:09 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
    2008-08-27 06:48:09 ----N---- C:\WINDOWS\system32\mmcex.dll
    2008-08-27 06:48:08 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
    2008-08-27 06:48:02 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
    2008-08-27 06:47:49 ----N---- C:\WINDOWS\system32\l2gpstore.dll
    2008-08-27 06:47:49 ----N---- C:\WINDOWS\system32\kmsvc.dll
    2008-08-27 06:47:48 ----N---- C:\WINDOWS\system32\kbdpash.dll
    2008-08-27 06:47:48 ----N---- C:\WINDOWS\system32\kbdnepr.dll
    2008-08-27 06:47:48 ----N---- C:\WINDOWS\system32\kbdiultn.dll
    2008-08-27 06:47:48 ----N---- C:\WINDOWS\system32\kbdbhc.dll
    2008-08-27 06:47:39 ----N---- C:\WINDOWS\system32\smtpapi.dll
    2008-08-27 06:47:38 ----N---- C:\WINDOWS\system32\rwnh.dll
    2008-08-27 06:47:35 ----N---- C:\WINDOWS\system32\comsdupd.exe
    2008-08-27 06:47:31 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
    2008-08-27 06:47:25 ----N---- C:\WINDOWS\system32\faxpatch.exe
    2008-08-27 06:47:25 ----A---- C:\WINDOWS\002914_.tmp
    2008-08-27 06:47:23 ----N---- C:\WINDOWS\system32\eapsvc.dll
    2008-08-27 06:47:23 ----N---- C:\WINDOWS\system32\eapqec.dll
    2008-08-27 06:47:23 ----N---- C:\WINDOWS\system32\eappprxy.dll
    2008-08-27 06:47:23 ----N---- C:\WINDOWS\system32\eapphost.dll
    2008-08-27 06:47:23 ----N---- C:\WINDOWS\system32\eappgnui.dll
    2008-08-27 06:47:23 ----N---- C:\WINDOWS\system32\eappcfg.dll
    2008-08-27 06:47:23 ----N---- C:\WINDOWS\system32\eapp3hst.dll
    2008-08-27 06:47:23 ----N---- C:\WINDOWS\system32\eapolqec.dll
    2008-08-27 06:47:20 ----N---- C:\WINDOWS\system32\dot3ui.dll
    2008-08-27 06:47:20 ----N---- C:\WINDOWS\system32\dot3svc.dll
    2008-08-27 06:47:20 ----N---- C:\WINDOWS\system32\dot3msm.dll
    2008-08-27 06:47:20 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
    2008-08-27 06:47:20 ----N---- C:\WINDOWS\system32\dot3dlg.dll
    2008-08-27 06:47:20 ----N---- C:\WINDOWS\system32\dot3cfg.dll
    2008-08-27 06:47:20 ----N---- C:\WINDOWS\system32\dot3api.dll
    2008-08-27 06:47:18 ----N---- C:\WINDOWS\system32\dimsroam.dll
    2008-08-27 06:47:18 ----N---- C:\WINDOWS\system32\dimsntfy.dll
    2008-08-27 06:47:17 ----N---- C:\WINDOWS\system32\dhcpqec.dll
    2008-08-27 06:47:15 ----N---- C:\WINDOWS\system32\credssp.dll
    2008-08-27 06:47:10 ----N---- C:\WINDOWS\system32\bitsprx4.dll
    2008-08-27 06:47:10 ----N---- C:\WINDOWS\system32\azroles.dll
    2008-08-27 06:47:09 ----N---- C:\WINDOWS\system32\ativvaxx.dll
    2008-08-27 06:47:09 ----N---- C:\WINDOWS\system32\ativtmxx.dll
    2008-08-27 06:47:08 ----N---- C:\WINDOWS\system32\ati3duag.dll
    2008-08-27 06:47:08 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
    2008-08-27 06:47:08 ----N---- C:\WINDOWS\system32\ati2dvag.dll
    2008-08-27 06:47:08 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
    2008-08-27 06:47:07 ----N---- C:\WINDOWS\system32\ati2cqag.dll
    2008-08-27 06:47:03 ----N---- C:\WINDOWS\system32\aaclient.dll

    ======List of files/folders modified in the last 1 months======

    2008-09-22 19:54:27 ----D---- C:\WINDOWS\Temp
    2008-09-22 19:47:58 ----D---- C:\WINDOWS\system32
    2008-09-22 19:37:29 ----D---- C:\Program Files\Mozilla Firefox
    2008-09-22 19:34:47 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-09-22 19:31:49 ----D---- C:\WINDOWS\system32\drivers
    2008-09-22 19:30:19 ----D---- C:\Program Files
    2008-09-22 19:26:53 ----D---- C:\WINDOWS
    2008-09-20 17:03:48 ----D---- C:\Program Files\EarthLink
    2008-09-20 17:00:27 ----SHD---- C:\WINDOWS\Installer
    2008-09-20 17:00:27 ----HD---- C:\Config.Msi
    2008-09-20 17:00:26 ----D---- C:\WINDOWS\WinSxS
    2008-09-20 17:00:26 ----D---- C:\Program Files\Common Files\Microsoft Shared
    2008-09-20 16:59:47 ----SD---- C:\Documents and Settings\Don\Application Data\Microsoft
    2008-09-20 14:18:11 ----A---- C:\WINDOWS\win.ini
    2008-09-18 21:53:23 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-18 19:29:58 ----D---- C:\Documents and Settings
    2008-09-18 19:28:53 ----A---- C:\WINDOWS\wininit.ini
    2008-09-18 18:51:06 ----D---- C:\Documents and Settings\Don\Application Data\Mozilla
    2008-09-18 18:28:56 ----D---- C:\Program Files\Common Files
    2008-09-18 17:59:38 ----D---- C:\Katie
    2008-09-18 16:38:02 ----D---- C:\WINDOWS\system32\config
    2008-09-18 16:37:03 ----D---- C:\WINDOWS\system32\wbem
    2008-09-18 16:36:59 ----D---- C:\WINDOWS\Registration
    2008-09-18 16:33:58 ----HD---- C:\Program Files\InstallShield Installation Information
    2008-09-17 18:27:19 ----RSD---- C:\WINDOWS\assembly
    2008-09-17 04:53:00 ----SHD---- C:\System Volume Information
    2008-09-17 04:53:00 ----D---- C:\WINDOWS\system32\Restore
    2008-09-14 11:50:32 ----D---- C:\Documents and Settings\Don\Application Data\Canon
    2008-09-11 16:53:25 ----D---- C:\WINDOWS\Debug
    2008-09-10 07:47:12 ----HD---- C:\WINDOWS\inf
    2008-09-09 19:59:15 ----D---- C:\WINDOWS\security
    2008-09-08 18:04:41 ----D---- C:\Documents and Settings\Don\Application Data\ICAClient
    2008-09-06 22:44:17 ----SD---- C:\WINDOWS\Tasks
    2008-09-03 07:39:53 ----RSHD---- C:\WINDOWS\system32\dllcache
    2008-09-02 18:19:45 ----D---- C:\Family Photos
    2008-09-02 16:36:25 ----D---- C:\WINDOWS\Help
    2008-09-01 20:50:53 ----HD---- C:\WINDOWS\$hf_mig$
    2008-08-29 22:24:22 ----D---- C:\Program Files\Spybot - Search & Destroy
    2008-08-29 17:24:22 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-08-29 17:20:58 ----D---- C:\WINDOWS\system32\Setup
    2008-08-29 17:20:58 ----D---- C:\WINDOWS\AppPatch
    2008-08-29 17:20:56 ----RSD---- C:\WINDOWS\Fonts
    2008-08-29 17:17:51 ----D---- C:\WINDOWS\system32\CatRoot
    2008-08-29 17:16:35 ----D---- C:\Program Files\Messenger
    2008-08-29 17:12:59 ----D---- C:\WINDOWS\system32\inetsrv
    2008-08-29 17:12:59 ----D---- C:\WINDOWS\ime
    2008-08-29 17:12:47 ----D---- C:\WINDOWS\system32\usmt
    2008-08-29 17:12:46 ----D---- C:\Program Files\Internet Explorer
    2008-08-29 17:12:45 ----D---- C:\WINDOWS\PeerNet
    2008-08-29 17:12:45 ----D---- C:\Program Files\Movie Maker
    2008-08-29 17:10:40 ----D---- C:\WINDOWS\system32\npp
    2008-08-29 17:10:40 ----D---- C:\WINDOWS\mui
    2008-08-29 17:10:38 ----D---- C:\WINDOWS\msagent
    2008-08-29 17:10:37 ----D---- C:\WINDOWS\srchasst
    2008-08-29 17:10:36 ----D---- C:\Program Files\NetMeeting
    2008-08-29 17:10:35 ----D---- C:\WINDOWS\system32\Com
    2008-08-29 17:10:33 ----D---- C:\Program Files\Windows NT
    2008-08-29 17:10:33 ----D---- C:\Program Files\Windows Media Player
    2008-08-29 17:10:33 ----D---- C:\Program Files\Outlook Express
    2008-08-29 17:10:30 ----D---- C:\Program Files\Common Files\System
    2008-08-29 17:10:17 ----D---- C:\WINDOWS\system32\oobe
    2008-08-29 17:10:15 ----D---- C:\WINDOWS\system
    2008-08-29 17:07:50 ----D---- C:\WINDOWS\system32\ReinstallBackups
    2008-08-29 17:04:33 ----D---- C:\WINDOWS\ehome
    2008-08-26 16:28:12 ----A---- C:\WINDOWS\system32\MRT.exe

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-09-16 97928]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-09-16 26824]
    R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2005-10-20 311680]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
    R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2005-10-20 119168]
    R1 RxFilter;RxFilter; C:\WINDOWS\system32\DRIVERS\RxFilter.sys [2005-10-21 50176]
    R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
    R3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2005-10-20 27264]
    R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-07-20 1049180]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
    R3 STHDA;High Definition Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-06-15 180864]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    S2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-01-14 8552]
    S2 CSS DVP;Dynamic Virus Protection; C:\WINDOWS\system32\DRIVERS\css-dvp.sys [2007-02-12 837056]
    S2 GRTdiMon;GR TDI Mon; C:\WINDOWS\System32\Drivers\GRTdiMon.sys [2007-04-11 42496]
    S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2008-04-13 48128]
    S3 ADSFilter;ADSFilter - (EarthLink Filter Driver); C:\WINDOWS\system32\drivers\ADSFilter.sys [2007-08-03 57456]
    S3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver); C:\WINDOWS\system32\drivers\ADSMonitor.sys [2007-08-03 38384]
    S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2008-04-13 38912]
    S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
    S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver; \??\C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys []
    S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter; \??\C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys []
    S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim; \??\C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys []
    S3 GoProto;GoProto Protocol Driver; C:\WINDOWS\system32\DRIVERS\goprot51.sys [2007-05-19 29184]
    S3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2005-10-20 27136]
    S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2008-04-13 51200]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
    S3 Net6IM;Net6; C:\WINDOWS\system32\DRIVERS\net6im51.sys []
    S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
    S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
    S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
    S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
    S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
    S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
    S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    S2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-16 231704]
    S2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-12 44032]
    S2 dvpapi;DvpApi; C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe [2007-02-12 177672]
    S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
    S2 RoxLiveShare;LiveShare P2P Server; C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe [2005-10-21 229376]
    S2 RoxUpnpServer;RoxUpnpServer; C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe [2005-10-21 405504]
    S2 RoxWatch;Roxio Hard Drive Watcher; C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe [2005-10-21 155648]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
    S3 AuthFw;AuthFw; C:\Program Files\Authentium\Firewall SDK\AuthFw.exe [2007-04-05 495616]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
    S3 EarthLinkSafeConnectAgent;EarthLinkSafeConnectAgent; C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe EarthLinkSafeConnectAgent []
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
    S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
    S3 RoxMediaDB;RoxMediaDB; C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe [2005-10-21 864256]
    S3 RoxUPnPRenderer;RoxUpnpRenderer; C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe [2005-10-21 45056]
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
    S4 ADSService;ADSService; C:\Program Files\Common Files\ADS\ADSService.exe [2007-08-03 116200]
    S4 ELNKUpdateService;ELNK Update Service; C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe []
    S4 ProtectionService;ProtectionService; C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe []

    -----------------EOF---------------
     
    Last edited: 2008/09/22
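    A small triage script for logs in the RSIT format posted above, written here as an added example rather than anything the thread's participants or the RSIT tool provide. It parses the "files created" and "files modified" sections plus the Tasks folder listing, and applies three heuristics a responder would typically eyeball by hand: an executable under the Windows tree whose name mixes upper case, lower case and digits (a constructed heuristic, not a rule from the page), a long run of numbered At*.job scheduled tasks (the threshold of 5 is an assumption), and a "modified" entry that shares the exact creation second of a flagged executable. The sample input is a constructed subset of lines copied from the log above; the function and variable names are the example's own.

```python
import re
from datetime import datetime

# Constructed sample: a subset of lines copied from the RSIT log in the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
======List of files/folders created in the last 1 months======
2008-09-22 19:54:21 ----D---- C:\rsit
2008-09-18 16:34:35 ----D---- C:\Program Files\AVG
2008-09-16 19:37:36 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-09-06 22:44:17 ----A---- C:\WINDOWS\system32\5W3qdc2O.exe
2008-08-27 06:49:18 ----N---- C:\WINDOWS\system32\xmllite.dll
2008-08-27 06:49:15 ----N---- C:\WINDOWS\system32\wmphoto.dll
======List of files/folders modified in the last 1 months======
2008-09-22 19:54:27 ----D---- C:\WINDOWS\Temp
2008-09-06 22:44:17 ----SD---- C:\WINDOWS\Tasks
"""

ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (-+[A-Z]*-+) (.+)$")
SECTION_RE = re.compile(r"^=+List of files/folders (created|modified) .*=+$")
AT_JOB_RE = re.compile(r"\\tasks\\At\d+\.job$", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def parse_sections(text):
    """Split the log into created/modified entries and the At*.job task lines."""
    sections = {"created": [], "modified": []}
    tasks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if AT_JOB_RE.search(line):
            tasks.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            sections[current].append((ts, m.group(2), m.group(3)))
    return sections, tasks


def looks_random(path):
    """Heuristic (assumption): executable whose stem mixes lower, upper and digits."""
    name = path.rsplit("\\", 1)[-1]
    if not name.lower().endswith(EXEC_EXT):
        return False
    stem = name.rsplit(".", 1)[0]
    classes = sum(bool(re.search(p, stem)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    return len(stem) >= 6 and classes == 3


def triage(text, at_job_threshold=5):
    """Return the flagged executables, task count, and same-second correlations."""
    sections, tasks = parse_sections(text)
    created = sections["created"]
    suspicious = [p for _, _, p in created if looks_random(p)]
    # Index the "modified" section by timestamp so we can look for anything
    # touched in the exact second a flagged executable appeared on disk.
    modified_by_ts = {}
    for ts, _, p in sections["modified"]:
        modified_by_ts.setdefault(ts, []).append(p)
    correlated = []
    for ts, _, p in created:
        if p in suspicious:
            for other in modified_by_ts.get(ts, []):
                correlated.append((p, other))
    return {
        "suspicious_executables": suspicious,
        "at_job_count": len(tasks),
        "at_job_flag": len(tasks) >= at_job_threshold,
        "same_second_modified": correlated,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

    Run against the sample, the script flags `5W3qdc2O.exe`, counts the five At*.job entries, and pairs the executable's creation time with the Tasks folder modification at the same second. The heuristics only prioritise what to look at; they are not a verdict, and a name that passes them still has to be confirmed by the tools the thread goes on to use.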
  8. 2008/09/22
    Geri (Lifetime Subscription, Inactive Alumni)

    Hi
    OK, first: you have two antivirus programs. If you are just using one as a scanner only, then that is OK; make sure only one is running real-time protection.
    Authentium AntiVirus
    AVG8



    Please do this next.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the Combofix log.

    Thanks
    Geri
     
    Geri,
    #7
  9. 2008/09/23
    Stratman50th (Inactive, Thread Starter)

    ComboFix Log:

    ComboFix 08-09-22.06 - Don 2008-09-23 16:28:59.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.670 [GMT -4:00]
    Running from: C:\Documents and Settings\Don\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
    .

    2008-09-22 19:54 . 2008-09-22 19:54 <DIR> d-------- C:\rsit
    2008-09-22 19:30 . 2008-09-22 19:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-22 19:30 . 2008-09-22 19:30 <DIR> d-------- C:\Documents and Settings\Don\Application Data\Malwarebytes
    2008-09-22 19:30 . 2008-09-22 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-22 19:30 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-22 19:30 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-21 08:40 . 2008-09-21 08:40 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-20 18:26 . 2008-09-20 18:26 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-09-20 16:45 . 2008-09-20 16:58 <DIR> d-------- C:\Program Files\RegCleaner
    2008-09-18 19:29 . 2008-09-20 17:00 262,144 --a------ C:\Documents and Settings\Katie's
    2008-09-18 19:29 . 2008-09-20 17:00 262,144 --a------ C:\Documents and Settings\Katie
    2008-09-18 19:00 . 2008-09-18 19:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\ScamBlocker
    2008-09-18 19:00 . 2008-09-18 19:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\EarthLink
    2008-09-18 18:33 . 2008-09-18 18:33 <DIR> d-------- C:\Documents and Settings\Don\Application Data\ScamBlocker
    2008-09-18 18:28 . 2008-09-18 18:29 <DIR> d-------- C:\Program Files\Common Files\EarthLink
    2008-09-18 17:16 . 2008-09-18 17:19 <DIR> d-------- C:\Documents and Settings\Don\Application Data\AVGTOOLBAR
    2008-09-18 17:16 . 2008-09-18 17:16 <DIR> d-------- C:\Documents and Settings\Don\Application Data\aAvgApi
    2008-09-18 17:01 . 2008-09-18 17:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\aAvgApi
    2008-09-18 16:34 . 2008-09-20 17:13 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-09-18 16:34 . 2008-09-18 18:06 <DIR> d-------- C:\Program Files\McAfee
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Program Files\Common Files\EarthLink Protection Control Center
    2008-09-18 16:34 . 2008-09-18 16:40 <DIR> d-------- C:\Program Files\Common Files\ADS
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Program Files\AVG
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\InstallShield
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Documents and Settings\Don\Application Data\InstallShield
    2008-09-18 16:30 . 2008-09-20 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-09-17 20:08 . 2008-09-17 20:14 8,192 --a------ C:\Documents and Settings\TEMP\NTUSER(2).DAT
    2008-09-17 19:00 . 2008-09-18 16:33 <DIR> d-------- C:\Program Files\Common Files\ADS(2)
    2008-09-17 18:29 . 2008-09-17 18:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\EarthLink
    2008-09-16 22:44 . 2008-09-16 22:44 163,840 --ah----- C:\AFCache.dat
    2008-09-16 19:37 . 2008-09-16 19:37 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-09-16 19:37 . 2008-09-16 19:37 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
    2008-09-16 19:37 . 2008-09-16 19:37 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-09-09 18:32 . 2008-09-09 18:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2008-09-09 17:03 . 2008-09-09 17:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
    2008-09-08 18:07 . 2008-09-08 18:07 0 --a------ C:\WINDOWS\webica.ini
    2008-09-08 18:01 . 2008-09-08 18:01 <DIR> d-------- C:\Program Files\Citrix
    2008-09-06 22:44 . 2008-09-20 14:29 39,426 --a------ C:\WINDOWS\system32\5W3qdc2O.exe
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\en
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-08-29 17:10 . 2008-08-29 17:10 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-08-28 16:23 . 2008-08-28 16:23 35,262 --a------ C:\WINDOWS\Katie's.acl
    2008-08-27 06:48 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
    2008-08-27 06:47 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-20 21:03 --------- d-----w C:\Program Files\EarthLink
    2008-09-19 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-18 20:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-14 15:51 --------- d-----w C:\Documents and Settings\Don\Application Data\Canon
    2008-09-10 01:24 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2008-09-08 22:04 --------- d-----w C:\Documents and Settings\Don\Application Data\ICAClient
    2008-08-30 02:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    2008-06-26 08:15 619,520 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2008-06-26 08:15 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2008-06-24 22:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
    2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
    2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-23 15:09 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2008-06-23 15:09 3,067,392 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2006-06-22 10:49 13,386 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
    2006-06-22 10:49 92,234 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
    "Creative Detector "= "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "EasyLinkAdvisor "= "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 389120]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray "= "C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 94208]
    "igfxhkcmd "= "C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 77824]
    "igfxpers "= "C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 114688]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "ISUSPM Startup "= "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-20 1687552]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-16 1235736]
    "SigmatelSysTrayApp "= "stsystra.exe" [2005-03-23 C:\WINDOWS\stsystra.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    Adobe Reader Speed Launch.lnk.disabled [2008-03-09 1757]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "EditLevel "= 0 (0x0)
    "NoClose "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0cexx.sys]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1jlxx.sys]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2jlxx.sys]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6uxxx.sys]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7xbxx.sys]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8fhxx.sys]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe "=
    "C:\\Program Files\\HP\\HP Officejet Pro K550 Series\\Toolbox\\HPWUTBX.exe "=
    "C:\\Program Files\\Roxio\\Easy Media Creator 8\\VideoUI\\VideoWave8.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe "=

    R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-09-16 12936]
    R0 GRFILTER;CS NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-04-11 22528]
    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-16 97928]
    S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-16 231704]
    S2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-04-11 42496]
    S3 ADSFilter;ADSFilter - (EarthLink Filter Driver);C:\WINDOWS\system32\drivers\ADSFilter.sys [2007-08-03 57456]
    S3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);C:\WINDOWS\system32\drivers\ADSMonitor.sys [2007-08-03 38384]
    S3 AuthFw;AuthFw;C:\Program Files\Authentium\Firewall SDK\AuthFw.exe [2007-04-05 495616]
    S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [ ]
    S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [ ]
    S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys [ ]
    S3 Net6IM;Net6;C:\WINDOWS\system32\DRIVERS\net6im51.sys [ ]

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Don\Application Data\Mozilla\Firefox\Profiles\tjztp4pb.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava11.dll
    FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava12.dll
    FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava13.dll
    FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava14.dll
    FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava32.dll
    FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
    FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPOJI610.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-23 16:33:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-23 16:33:59
    ComboFix-quarantined-files.txt 2008-09-23 20:33:57

    Pre-Run: 115,696,418,816 bytes free
    Post-Run: 116,416,270,336 bytes free

    193 --- E O F --- 2008-09-10 11:48:04

    AVG8 I downloaded and installed as a result of this problem. I'm not using any anti-virus at the moment.
    I don't know where Authentium AntiVirus came from, unless they are the author of the Earthlink AntiVirus software, which does not appear to be completely uninstalled.
     
  10. 2008/09/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK please decide on one (1) and install it, you need an AV running on your system.

    Please do this.

    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box on the top of the page: one at a time
      • C:\WINDOWS\system32\5W3qdc2O.exe
    • Click on the submit button
    • Please post the results in your next reply.


    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Folder::
    C:\Program Files\Authentium 
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0c xx.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1jlxx.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2jlxx.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6uxxx.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7xxx.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8fhxx.sys]
    Please post the combofix log and the Jotti results.

    Thanks
    Geri
     
  11. 2008/09/24
    Stratman50th

    Stratman50th Inactive Thread Starter

    Joined:
    2008/09/20
    Messages:
    37
    Likes Received:
    0
    I reinstalled the Earthlink last night and was going to use it since it also has a firewall. Unfortunately, the functionality goes back to my first post here. The services won't start on the AV/Firewall because the system thinks it's still in safe mode. No sound, no printer, no AV software. It seems to be running in some type of hybrid mode:confused:
    I'm in my profile, not safe mode, but it's running in some kind of half safe mode. The Administrator profile is also available as a user, which is strange because it's normally hidden. I can't start the services manually because I get the error 1084 can't start services in safe mode.
    Back on topic. I'll run the above listed software tonight and post the results.
    Thanks again as always!
     
  12. 2008/09/24
    Stratman50th

    Stratman50th Inactive Thread Starter

    Joined:
    2008/09/20
    Messages:
    37
    Likes Received:
    0
    Scanner results
    Scan taken on 24 Sep 2008 23:31:26 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found TR/Crypt.ULPM.Gen
    ArcaVir
    Found Trojan.Downloader.Agent.Ahdb
    Avast
    Found Win32:Trojan-gen {Other}
    AVG Antivirus
    Found nothing
    BitDefender
    Found Trojan.Adclicker.HB
    ClamAV
    Found Trojan.Downloader-56035
    CPsecure
    Found Troj.W32.Agent.wro
    Dr.Web
    Found Trojan.Popuper.7420
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found Trojan-Downloader.Win32.Agent.ahdb
    Ikarus
    Found Trojan.Adclicker.HB
    Kaspersky Anti-Virus
    Found Trojan-Downloader.Win32.Agent.ahdb
    NOD32
    Found a variant of Win32/TrojanClicker.Agent.NEB
    Norman Virus Control
    Found W32/Smalltroj.HITE
    Panda Antivirus
    Found nothing
    Sophos Antivirus
    Found Mal/HckPk-A
    VirusBuster
    Found nothing
    VBA32
    Found Trojan-Downloader.Win32.Agent.ahdb

    Last file scanned at least one scanner reported something about: driverRemove.sys (MD5: f85c5890333e35375a547b2c9184bdf4, size: 4992 bytes), detected by:

    Scanner Malware name
    A-Squared X
    AntiVir TR/Spy.Banker.AAZN
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender Trojan.Spy.Banker.AAZM
    ClamAV X
    CPsecure X
    Dr.Web X
    F-Prot Antivirus X
    F-Secure Anti-Virus Trojan.Win32.KillFiles.abs
    Ikarus X
    Kaspersky Anti-Virus Trojan.Win32.KillFiles.abs
    NOD32 X
    Norman Virus Control X
    Panda Antivirus X
    Sophos Antivirus X
    VirusBuster X
    VBA32 X
     
  13. 2008/09/24
    Stratman50th

    Stratman50th Inactive Thread Starter

    Joined:
    2008/09/20
    Messages:
    37
    Likes Received:
    0
    ComboFix

    ComboFix 08-09-24.07 - Don 2008-09-24 19:40:05.3 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.708 [GMT -4:00]
    Running from: C:\Documents and Settings\Don\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Don\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Authentium
    C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
    C:\Program Files\Authentium\Firewall SDK\Driver\grtdimon.cat
    C:\Program Files\Authentium\Firewall SDK\Driver\grtdimon.inf
    C:\Program Files\Authentium\Firewall SDK\Driver\GRTdiMon.sys
    C:\Program Files\Authentium\Firewall SDK\Filter\grfilter.cat
    C:\Program Files\Authentium\Firewall SDK\Filter\grfilter.inf
    C:\Program Files\Authentium\Firewall SDK\Filter\GRFilter.sys

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
    .

    2008-09-22 19:54 . 2008-09-22 19:54 <DIR> d-------- C:\rsit
    2008-09-22 19:30 . 2008-09-22 19:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-22 19:30 . 2008-09-22 19:30 <DIR> d-------- C:\Documents and Settings\Don\Application Data\Malwarebytes
    2008-09-22 19:30 . 2008-09-22 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-22 19:30 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-22 19:30 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-21 08:40 . 2008-09-21 08:40 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-20 16:45 . 2008-09-20 16:58 <DIR> d-------- C:\Program Files\RegCleaner
    2008-09-18 19:29 . 2008-09-20 17:00 262,144 --a------ C:\Documents and Settings\Katie's
    2008-09-18 19:29 . 2008-09-20 17:00 262,144 --a------ C:\Documents and Settings\Katie
    2008-09-18 19:00 . 2008-09-18 19:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\ScamBlocker
    2008-09-18 19:00 . 2008-09-18 19:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\EarthLink
    2008-09-18 18:33 . 2008-09-18 18:33 <DIR> d-------- C:\Documents and Settings\Don\Application Data\ScamBlocker
    2008-09-18 18:28 . 2008-09-18 18:29 <DIR> d-------- C:\Program Files\Common Files\EarthLink
    2008-09-18 17:16 . 2008-09-18 17:16 <DIR> d-------- C:\Documents and Settings\Don\Application Data\aAvgApi
    2008-09-18 17:01 . 2008-09-18 17:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\aAvgApi
    2008-09-18 16:34 . 2008-09-18 18:06 <DIR> d-------- C:\Program Files\McAfee
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Program Files\Common Files\EarthLink Protection Control Center
    2008-09-18 16:34 . 2008-09-18 16:40 <DIR> d-------- C:\Program Files\Common Files\ADS
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Program Files\AVG
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\InstallShield
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Documents and Settings\Don\Application Data\InstallShield
    2008-09-18 16:30 . 2008-09-23 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-09-17 20:08 . 2008-09-17 20:14 8,192 --a------ C:\Documents and Settings\TEMP\NTUSER(2).DAT
    2008-09-17 19:00 . 2008-09-18 16:33 <DIR> d-------- C:\Program Files\Common Files\ADS(2)
    2008-09-17 18:29 . 2008-09-17 18:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\EarthLink
    2008-09-16 22:44 . 2008-09-16 22:44 163,840 --ah----- C:\AFCache.dat
    2008-09-09 18:32 . 2008-09-09 18:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2008-09-09 17:03 . 2008-09-09 17:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
    2008-09-08 18:07 . 2008-09-08 18:07 0 --a------ C:\WINDOWS\webica.ini
    2008-09-08 18:01 . 2008-09-08 18:01 <DIR> d-------- C:\Program Files\Citrix
    2008-09-06 22:44 . 2008-09-20 14:29 39,426 --a------ C:\WINDOWS\system32\5W3qdc2O.exe
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\en
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-08-29 17:10 . 2008-08-29 17:10 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-08-28 16:23 . 2008-08-28 16:23 35,262 --a------ C:\WINDOWS\Katie's.acl
    2008-08-27 06:48 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
    2008-08-27 06:47 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-23 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-23 21:49 --------- d-----w C:\Program Files\EarthLink
    2008-09-18 20:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-14 15:51 --------- d-----w C:\Documents and Settings\Don\Application Data\Canon
    2008-09-10 01:24 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2008-09-08 22:04 --------- d-----w C:\Documents and Settings\Don\Application Data\ICAClient
    2008-08-30 02:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    2008-06-26 08:15 619,520 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2008-06-26 08:15 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2008-06-24 22:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
    2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
    2006-06-22 10:49 13,386 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
    2006-06-22 10:49 92,234 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-09-23_16.33.36.31 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-09-23 21:49:55 42,472 ----a-w C:\WINDOWS\assembly\GAC_MSIL\CenturianShellMenu\1.1.5.25016__a4004c7b772007f8\CenturianShellMenu.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
    "Creative Detector "= "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "EasyLinkAdvisor "= "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 389120]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray "= "C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 94208]
    "igfxhkcmd "= "C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 77824]
    "igfxpers "= "C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 114688]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "ISUSPM Startup "= "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-20 1687552]
    "Earthlink Protection Control Center "= "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" [2007-08-08 67048]
    "SigmatelSysTrayApp "= "stsystra.exe" [2005-03-23 C:\WINDOWS\stsystra.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    Adobe Reader Speed Launch.lnk.disabled [2008-03-09 1757]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "EditLevel "= 0 (0x0)
    "NoClose "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xwsetup.EXE]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe "=
    "C:\\Program Files\\HP\\HP Officejet Pro K550 Series\\Toolbox\\HPWUTBX.exe "=
    "C:\\Program Files\\Roxio\\Easy Media Creator 8\\VideoUI\\VideoWave8.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=

    R0 GRFILTER;CS NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-04-11 22528]
    S2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-04-11 42496]
    S3 ADSFilter;ADSFilter - (EarthLink Filter Driver);C:\WINDOWS\system32\drivers\ADSFilter.sys [2007-08-03 57456]
    S3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);C:\WINDOWS\system32\drivers\ADSMonitor.sys [2007-08-03 38384]
    S3 AuthFw;AuthFw;C:\Program Files\Authentium\Firewall SDK\AuthFw.exe [ ]
    S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [ ]
    S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [ ]
    S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys [ ]
    S3 Net6IM;Net6;C:\WINDOWS\system32\DRIVERS\net6im51.sys [ ]
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-24 19:40:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-24 19:41:25
    ComboFix-quarantined-files.txt 2008-09-24 23:41:23
    ComboFix2.txt 2008-09-24 23:29:17
    ComboFix3.txt 2008-09-23 20:34:00

    Pre-Run: 116,309,192,704 bytes free
    Post-Run: 116,294,324,224 bytes free

    169 --- E O F --- 2008-09-10 11:48:04
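    The two ComboFix logs in this thread are read by eye, which is how the SafeBoot\Minimal keys, the orphaned Authentium services and the muted Security Center entries were spotted. The script below is an added example, not part of the thread and not ComboFix's own code: it parses the "Reg Loading Points" and driver/service lines of a ComboFix log and flags the patterns that appear in the logs above (an Image File Execution Options Debugger entry, Security Center DisableMonitoring=1, a non-empty AppInit_DLLs, EnableFirewall=0, and R0/S2/S3 services whose binary shows as "[ ]", i.e. missing on disk). The sample log is constructed from lines copied from this thread; the Finding class, triage() and summarize() are names chosen for the example.

```python
"""Triage a ComboFix 'Reg Loading Points' section and service list.

Added example for this thread (not ComboFix code). Flags the registry
settings and orphaned services that a malware-removal helper looks for
when reading a posted log.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the ComboFix output posted above
# (values copied from this thread; the structure is what matters).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs "=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xwsetup.EXE]
"Debugger "=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

R0 GRFILTER;CS NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-04-11 22528]
S3 AuthFw;AuthFw;C:\Program Files\Authentium\Firewall SDK\AuthFw.exe [ ]
S3 Net6IM;Net6;C:\WINDOWS\system32\DRIVERS\net6im51.sys [ ]
"""


@dataclass
class Finding:
    kind: str     # short category tag
    where: str    # registry key or service name the finding refers to
    detail: str   # what a reviewer should check


KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name "=value  (ComboFix and forum paste leave a space before the quote)
VALUE_RE = re.compile(r'^"([^"]*?)\s*"\s*=\s*(.*?)\s*$')
# R0/S2/S3 <name>;<display name>;<path> [<date size>]  or  [ ] when missing
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[(.*)\]$')


def parse_value(raw):
    """Turn dword:00000001 / '0 (0x0)' / plain text into int or str."""
    raw = raw.strip()
    m = re.match(r'dword:([0-9a-fA-F]{8})', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\s*\(0x', raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def triage(log_text):
    findings = []
    key = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, path, stamp = m.groups()
            if not stamp.strip():   # "[ ]" means the binary was not found
                findings.append(Finding("orphaned_service", name,
                    f"{start} entry points at {path}, which is missing on disk"))
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, value = m.group(1).strip(), parse_value(m.group(2))
        k, n = key.lower(), name.lower()
        if "image file execution options" in k and n == "debugger":
            exe = key.rsplit("\\", 1)[-1]
            findings.append(Finding("ifeo_debugger", key,
                f"launching {exe} is redirected to '{value}'; verify who set this"))
        elif "security center\\monitoring" in k and n == "disablemonitoring" and value == 1:
            product = key.rsplit("\\", 1)[-1]
            findings.append(Finding("security_center_muted", key,
                f"Security Center no longer reports on {product}"))
        elif n == "appinit_dlls" and value:
            findings.append(Finding("appinit_dll", key,
                f"{value} is loaded into every process that uses user32.dll; confirm the vendor"))
        elif k.endswith("firewallpolicy\\standardprofile") and n == "enablefirewall" and value == 0:
            findings.append(Finding("firewall_off", key,
                "Windows Firewall is disabled for the standard profile"))
    return findings


def summarize(findings):
    """Count findings per kind, for a quick overview of a log."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.where}\n    {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

    Run against a full ComboFix log the same way (read the file, pass its text to triage()); lines that are not registry keys, values or service entries are ignored, so the file-listing sections do not need to be cut out first.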
     
  14. 2008/09/24
    Stratman50th

    Stratman50th Inactive Thread Starter

    Joined:
    2008/09/20
    Messages:
    37
    Likes Received:
    0
    Hijack This log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:45:38 PM, on 9/24/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
    O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
    O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
    O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137525022796
    O23 - Service: ADSService - EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
    O23 - Service: AuthFw - Unknown owner - C:\Program Files\Authentium\Firewall SDK\AuthFw.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe (file missing)
    O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

    --
    End of file - 6805 bytes
     
  15. 2008/09/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, I'll have noahdfear take a look in here. He may have an idea what is happening.

    If he posts please follow his directions.

    One of us will get back to you.

    Edit>
    OK please do this.

    Please post this log from here.
    C:\Qoobox\ComboFix2.txt

    Also post a Kaspersky scan.

    Please do an online scan with Kaspersky WebScanner

    Click on “Accept” if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files.
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the “Scan Report” on the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.



    Geri
     
  16. 2008/09/25
    Stratman50th

    Stratman50th Inactive Thread Starter

    Joined:
    2008/09/20
    Messages:
    37
    Likes Received:
    0
    ComboFix2

    ComboFix 08-09-24.07 - Don 2008-09-24 19:25:41.2 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.738 [GMT -4:00]
    Running from: C:\Documents and Settings\Don\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Don\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
    .

    2008-09-22 19:54 . 2008-09-22 19:54 <DIR> d-------- C:\rsit
    2008-09-22 19:30 . 2008-09-22 19:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-22 19:30 . 2008-09-22 19:30 <DIR> d-------- C:\Documents and Settings\Don\Application Data\Malwarebytes
    2008-09-22 19:30 . 2008-09-22 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-22 19:30 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-22 19:30 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-21 08:40 . 2008-09-21 08:40 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-20 16:45 . 2008-09-20 16:58 <DIR> d-------- C:\Program Files\RegCleaner
    2008-09-18 19:29 . 2008-09-20 17:00 262,144 --a------ C:\Documents and Settings\Katie's
    2008-09-18 19:29 . 2008-09-20 17:00 262,144 --a------ C:\Documents and Settings\Katie
    2008-09-18 19:00 . 2008-09-18 19:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\ScamBlocker
    2008-09-18 19:00 . 2008-09-18 19:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\EarthLink
    2008-09-18 18:33 . 2008-09-18 18:33 <DIR> d-------- C:\Documents and Settings\Don\Application Data\ScamBlocker
    2008-09-18 18:28 . 2008-09-18 18:29 <DIR> d-------- C:\Program Files\Common Files\EarthLink
    2008-09-18 17:16 . 2008-09-18 17:16 <DIR> d-------- C:\Documents and Settings\Don\Application Data\aAvgApi
    2008-09-18 17:01 . 2008-09-18 17:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\aAvgApi
    2008-09-18 16:34 . 2008-09-18 18:06 <DIR> d-------- C:\Program Files\McAfee
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Program Files\Common Files\EarthLink Protection Control Center
    2008-09-18 16:34 . 2008-09-18 16:40 <DIR> d-------- C:\Program Files\Common Files\ADS
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Program Files\AVG
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\InstallShield
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Documents and Settings\Don\Application Data\InstallShield
    2008-09-18 16:30 . 2008-09-23 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-09-17 20:08 . 2008-09-17 20:14 8,192 --a------ C:\Documents and Settings\TEMP\NTUSER(2).DAT
    2008-09-17 19:00 . 2008-09-18 16:33 <DIR> d-------- C:\Program Files\Common Files\ADS(2)
    2008-09-17 18:29 . 2008-09-17 18:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\EarthLink
    2008-09-16 22:44 . 2008-09-16 22:44 163,840 --ah----- C:\AFCache.dat
    2008-09-09 18:32 . 2008-09-09 18:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2008-09-09 17:03 . 2008-09-09 17:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
    2008-09-08 18:07 . 2008-09-08 18:07 0 --a------ C:\WINDOWS\webica.ini
    2008-09-08 18:01 . 2008-09-08 18:01 <DIR> d-------- C:\Program Files\Citrix
    2008-09-06 22:44 . 2008-09-20 14:29 39,426 --a------ C:\WINDOWS\system32\5W3qdc2O.exe
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\en
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-08-29 17:10 . 2008-08-29 17:10 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-08-28 16:23 . 2008-08-28 16:23 35,262 --a------ C:\WINDOWS\Katie's.acl
    2008-08-27 06:48 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
    2008-08-27 06:47 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-23 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-23 21:49 --------- d-----w C:\Program Files\EarthLink
     
  17. 2008/09/25
    Stratman50th

    Stratman50th Inactive Thread Starter

    Joined:
    2008/09/20
    Messages:
    37
    Likes Received:
    0
    Sorry, I can't get it to run the Kaspersky scan. It crashes Mozilla, and IE wants the latest version of Java. I can get Java downloaded, but when it tries to install, it says that the policy prohibits the install. I can't recall where it is to change the policy.
    Got another scanner I should try?
     
  18. 2008/09/25
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, let's try Panda.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Also there was a big portion of the combofix2.txt log missing.

    You may have some corrupted system files that are causing this problem.

    Thanks
    Geri
     
  19. 2008/09/26
    Stratman50th

    Stratman50th Inactive Thread Starter

    Joined:
    2008/09/20
    Messages:
    37
    Likes Received:
    0
    I thought I captured it all, but I'll check again. If not, should I run the scan again?
     
  20. 2008/09/26
    Stratman50th

    Stratman50th Inactive Thread Starter

    Joined:
    2008/09/20
    Messages:
    37
    Likes Received:
    0
    ComboFix (the whole thing this time)
    ComboFix 08-09-24.07 - Don 2008-09-24 19:25:41.2 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.738 [GMT -4:00]
    Running from: C:\Documents and Settings\Don\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Don\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
    .

    2008-09-22 19:54 . 2008-09-22 19:54 <DIR> d-------- C:\rsit
    2008-09-22 19:30 . 2008-09-22 19:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-22 19:30 . 2008-09-22 19:30 <DIR> d-------- C:\Documents and Settings\Don\Application Data\Malwarebytes
    2008-09-22 19:30 . 2008-09-22 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-22 19:30 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-22 19:30 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-21 08:40 . 2008-09-21 08:40 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-20 16:45 . 2008-09-20 16:58 <DIR> d-------- C:\Program Files\RegCleaner
    2008-09-18 19:29 . 2008-09-20 17:00 262,144 --a------ C:\Documents and Settings\Katie's
    2008-09-18 19:29 . 2008-09-20 17:00 262,144 --a------ C:\Documents and Settings\Katie
    2008-09-18 19:00 . 2008-09-18 19:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\ScamBlocker
    2008-09-18 19:00 . 2008-09-18 19:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\EarthLink
    2008-09-18 18:33 . 2008-09-18 18:33 <DIR> d-------- C:\Documents and Settings\Don\Application Data\ScamBlocker
    2008-09-18 18:28 . 2008-09-18 18:29 <DIR> d-------- C:\Program Files\Common Files\EarthLink
    2008-09-18 17:16 . 2008-09-18 17:16 <DIR> d-------- C:\Documents and Settings\Don\Application Data\aAvgApi
    2008-09-18 17:01 . 2008-09-18 17:01 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\aAvgApi
    2008-09-18 16:34 . 2008-09-18 18:06 <DIR> d-------- C:\Program Files\McAfee
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Program Files\Common Files\EarthLink Protection Control Center
    2008-09-18 16:34 . 2008-09-18 16:40 <DIR> d-------- C:\Program Files\Common Files\ADS
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Program Files\AVG
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\InstallShield
    2008-09-18 16:34 . 2008-09-18 16:34 <DIR> d-------- C:\Documents and Settings\Don\Application Data\InstallShield
    2008-09-18 16:30 . 2008-09-23 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-09-17 20:08 . 2008-09-17 20:14 8,192 --a------ C:\Documents and Settings\TEMP\NTUSER(2).DAT
    2008-09-17 19:00 . 2008-09-18 16:33 <DIR> d-------- C:\Program Files\Common Files\ADS(2)
    2008-09-17 18:29 . 2008-09-17 18:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\EarthLink
    2008-09-16 22:44 . 2008-09-16 22:44 163,840 --ah----- C:\AFCache.dat
    2008-09-09 18:32 . 2008-09-09 18:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2008-09-09 17:03 . 2008-09-09 17:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
    2008-09-08 18:07 . 2008-09-08 18:07 0 --a------ C:\WINDOWS\webica.ini
    2008-09-08 18:01 . 2008-09-08 18:01 <DIR> d-------- C:\Program Files\Citrix
    2008-09-06 22:44 . 2008-09-20 14:29 39,426 --a------ C:\WINDOWS\system32\5W3qdc2O.exe
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\en
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-08-29 17:12 . 2008-08-29 17:12 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-08-29 17:10 . 2008-08-29 17:10 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-08-28 16:23 . 2008-08-28 16:23 35,262 --a------ C:\WINDOWS\Katie's.acl
    2008-08-27 06:48 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
    2008-08-27 06:47 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-23 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-23 21:49 --------- d-----w C:\Program Files\EarthLink
    2008-09-18 20:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-14 15:51 --------- d-----w C:\Documents and Settings\Don\Application Data\Canon
    2008-09-10 01:24 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2008-09-08 22:04 --------- d-----w C:\Documents and Settings\Don\Application Data\ICAClient
    2008-08-30 02:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    2008-06-26 08:15 619,520 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2008-06-26 08:15 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2008-06-24 22:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
    2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
    2006-06-22 10:49 13,386 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
    2006-06-22 10:49 92,234 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-09-23_16.33.36.31 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-09-23 21:49:55 42,472 ----a-w C:\WINDOWS\assembly\GAC_MSIL\CenturianShellMenu\1.1.5.25016__a4004c7b772007f8\CenturianShellMenu.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
    "Creative Detector "= "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "EasyLinkAdvisor "= "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 389120]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray "= "C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 94208]
    "igfxhkcmd "= "C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 77824]
    "igfxpers "= "C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 114688]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "ISUSPM Startup "= "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-20 1687552]
    "Earthlink Protection Control Center "= "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" [2007-08-08 67048]
    "SigmatelSysTrayApp "= "stsystra.exe" [2005-03-23 C:\WINDOWS\stsystra.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    Adobe Reader Speed Launch.lnk.disabled [2008-03-09 1757]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "EditLevel "= 0 (0x0)
    "NoClose "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xwsetup.EXE]
    "Debugger "=ntsd -d

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe "=
    "C:\\Program Files\\HP\\HP Officejet Pro K550 Series\\Toolbox\\HPWUTBX.exe "=
    "C:\\Program Files\\Roxio\\Easy Media Creator 8\\VideoUI\\VideoWave8.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=

    R0 GRFILTER;CS NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-04-11 22528]
    S2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-04-11 42496]
    S3 ADSFilter;ADSFilter - (EarthLink Filter Driver);C:\WINDOWS\system32\drivers\ADSFilter.sys [2007-08-03 57456]
    S3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);C:\WINDOWS\system32\drivers\ADSMonitor.sys [2007-08-03 38384]
    S3 AuthFw;AuthFw;C:\Program Files\Authentium\Firewall SDK\AuthFw.exe [2007-04-05 495616]
    S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [ ]
    S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [ ]
    S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys [ ]
    S3 Net6IM;Net6;C:\WINDOWS\system32\DRIVERS\net6im51.sys [ ]
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-24 19:28:02
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-24 19:29:16
    ComboFix-quarantined-files.txt 2008-09-24 23:29:15
    ComboFix2.txt 2008-09-23 20:34:00

    Pre-Run: 116,345,315,328 bytes free
    Post-Run: 116,332,171,264 bytes free

    157 --- E O F --- 2008-09-10 11:48:04
     
  21. 2008/09/26
    Stratman50th

    Stratman50th Inactive Thread Starter

    Joined:
    2008/09/20
    Messages:
    37
    Likes Received:
    0
    Looks like it's going to be one of those days....

    FYI, the blocked script was google analytics.
     
