
Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby quillaine » Tue Jul 26, 2011 7:04 am

I'm VERY new to anything other than using Windows (even if it seems like I know more), and I may use the wrong terms sometimes, so beware!

OLD Dell Dimension V400 --> system was purchased used (apparently had been run as part of a network)
tried to "clean up" unneeded software, etc., but I kept having problems - started getting warnings from my AVG when I returned my flash drive to the laptop :x
single partition hard drive
no internet access (using my laptop)
disc drive doesn't seem able to read .iso files (tried Ubuntu Rescue Remix and AVG Rescue CD - burned with IsoBurner)
unable to boot from USB flash drive
unable to load antivirus software from USB flash drive (I'm guessing because of the Trojan/Worm/Virus ... whatever it is)

Hijack This Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:00 PM, on 7/25/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Safe mode

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\SCVVHSOT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe SCVVHSOT.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {34E6F97C-34E0-4CE5-B92B-F83634BEDC01} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINNT\system32\IETie.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - (no file)
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe
O4 - HKCU\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-21-602162358-813497703-854245398-500\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe (User '?')
O4 - HKUS\S-1-5-21-602162358-813497703-854245398-500\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/ ... bAgent.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.0.15.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/insta ... mtscab.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2F80936-3EF1-465F-BDB6-6F0A68A60DB4}: NameServer = 85.255.115.18,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE013B6F-44F0-4B8D-91BB-39E990A9CCFC}: NameServer = 85.255.115.18,85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.61
O22 - SharedTaskScheduler: criticalness - {bd2948f8-c949-464f-824a-6272608c739e} - (no file)

--
End of file - 5132 bytes
Q
... I may be slow ... but I get there!
quillaine
 
Posts: 8
Joined: Tue Jul 26, 2011 6:35 am
Location: California, USA

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby quillaine » Tue Jul 26, 2011 7:15 am

I forgot to mention that when I downloaded Flash_Disinfector.exe I never got the screen that asked me to plug in my flash drive or that it was done. I even checked the Task Manager, but the program (Flash Disinfector) wasn't running at all. I have already downloaded Hijack This (obviously) and Avenger.

Ran Hijack This in Safe Mode on the Dell to get the log listed in the first post.
Q
... I may be slow ... but I get there!
quillaine
 
Posts: 8
Joined: Tue Jul 26, 2011 6:35 am
Location: California, USA

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby patrik » Thu Jul 28, 2011 3:58 pm

Hello, welcome to the Myantispyware forum.

Looks like the system is infected with a few trojans.
Run HijackThis. Click "Do a system scan only" button.
Now select the following entries by placing a tick in the left hand check box, if still present:
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe SCVVHSOT.exe
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - (no file)
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe
O4 - HKUS\S-1-5-21-602162358-813497703-854245398-500\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2F80936-3EF1-465F-BDB6-6F0A68A60DB4}: NameServer = 85.255.115.18,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE013B6F-44F0-4B8D-91BB-39E990A9CCFC}: NameServer = 85.255.115.18,85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.61
O22 - SharedTaskScheduler: criticalness - {bd2948f8-c949-464f-824a-6272608c739e} - (no file)

Once you have selected all entries, close all running programs then click once on the "fix checked" button.
Reboot your computer.

Post back with a fresh HijackThis log.
patrik
Site Admin
 
Posts: 9276
Joined: Sun Jan 08, 2006 1:11 pm
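The entries patrik ticks above fall into a few recognisable classes: an extra executable chained onto the Winlogon Shell (F2), autorun entries that launch that same binary (O4), a policy that locks the user out of regedit (O7), NameServer values pointing at resolvers the owner never configured (O17), and a load point with no backing file (O22). The script below is an added example, not code from this thread or from HijackThis, showing how a defender can run that triage over a log automatically. The sample lines are copied from the log posted in this thread, with one constructed line pointing at a private-range resolver to show the negative case; the `expected_dns` allow-list parameter and the `RESTRICTIVE_POLICIES` set are assumptions of this example.

```python
import ipaddress
import re
from typing import FrozenSet, List, Tuple

Finding = Tuple[str, str, str]  # (HijackThis section, reason, offending log line)

# Sample lines copied from the HijackThis log in this thread; the 192.168.1.1 line
# is constructed so that a legitimately private resolver is exercised as well.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe SCVVHSOT.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe
O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe (User '?')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2F80936-3EF1-465F-BDB6-6F0A68A60DB4}: NameServer = 192.168.1.1
O22 - SharedTaskScheduler: criticalness - {bd2948f8-c949-464f-824a-6272608c739e} - (no file)
"""

# Policies that lock a user out of their own diagnostic tools (assumed list; both
# values appear set to 1 somewhere in this thread's logs).
RESTRICTIVE_POLICIES = {"DisableRegedit", "DisableTaskMgr"}

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
O4_RE = re.compile(r"^O4 - \S+: \[(.*?)\] (.*?)(?: \(User .*\))?$")
O7_RE = re.compile(r"^O7 - .*Policies\\System, (\w+)=(\d+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: .* - \(no file\)$")
EXE_RE = re.compile(r"([^\\\s]+\.exe)", re.IGNORECASE)


def shell_extras(lines: List[str]) -> set:
    """Executables chained onto the Winlogon Shell besides Explorer.exe (lower-cased)."""
    extras = set()
    for line in lines:
        m = SHELL_RE.match(line)
        if m:
            extras.update(t.lower() for t in m.group(1).split() if t.lower() != "explorer.exe")
    return extras


def triage(log_text: str, expected_dns: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return findings for the suspicious entry classes, in log order."""
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]
    chained = shell_extras(lines)  # first pass: learn what the Shell line drags in
    findings: List[Finding] = []
    for line in lines:
        m = SHELL_RE.match(line)
        if m:
            extra = [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(("F2", "extra executable chained onto Shell: " + ", ".join(extra), line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.search(m.group(2))
            # Cross-reference: an autorun that launches the Shell-chained binary is the same infection.
            if exe and exe.group(1).lower() in chained:
                findings.append(("O4", f"autorun '{m.group(1)}' launches Shell-chained binary {exe.group(1)}", line))
            continue
        m = O7_RE.match(line)
        if m:
            if m.group(1) in RESTRICTIVE_POLICIES and m.group(2) == "1":
                findings.append(("O7", f"{m.group(1)} policy set: admin tool disabled for the user", line))
            continue
        m = O17_RE.match(line)
        if m:
            unexpected = []
            for addr in re.split(r"[,\s]+", m.group(1).strip()):
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    continue
                # Private/loopback resolvers are normal; a public one must be on the allow-list.
                if not (ip.is_private or ip.is_loopback) and addr not in expected_dns:
                    unexpected.append(addr)
            if unexpected:
                findings.append(("O17", "NameServer points at unexpected public resolver(s): " + ", ".join(unexpected), line))
            continue
        if O22_RE.match(line):
            findings.append(("O22", "SharedTaskScheduler entry with no backing file (orphaned load point)", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Feeding the thread's full log to `triage` reproduces patrik's tick list for the F2, O4, O7, O17 and O22 classes; passing the resolvers an ISP actually assigned in `expected_dns` suppresses the O17 finding, which is the check a practitioner should do before deciding a NameServer entry is a DNS changer rather than a legitimate configuration.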

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby quillaine » Thu Jul 28, 2011 8:02 pm

I'm so thankful for this forum! I want to learn as much as I can, but I'm just getting started.

The reason for the note below is that I still got an antivirus warning when I transferred my flash drive to this computer with the HijackThis log.


NOTE: I ran HijackThis again, and the item on the first line (R3 - Default URLSearchHook is missing) wasn't there, but there were some similar ones. I didn't select them, and they didn't copy into the new log. Just to check I did another "Run a system scan only" and they showed up again. Here they are:
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {4CC2E67B-E700-8498-913C-3E7EF3581AE7} - (no file)

You guys are a Godsend! Thanks again ~ Q

Here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:10 PM, on 7/28/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {4CC2E67B-E700-8498-913C-3E7EF3581AE7} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {34E6F97C-34E0-4CE5-B92B-F83634BEDC01} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINNT\system32\IETie.dll
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm020LCUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/ ... bAgent.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.0.15.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/insta ... mtscab.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe

--
End of file - 4086 bytes
Q
... I may be slow ... but I get there!
quillaine
 
Posts: 8
Joined: Tue Jul 26, 2011 6:35 am
Location: California, USA

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby patrik » Mon Aug 01, 2011 12:32 pm

Looks more clean :)
Run HijackThis. Click "Do a system scan only" button.
Now select the following entries by placing a tick in the left hand check box, if still present:
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {4CC2E67B-E700-8498-913C-3E7EF3581AE7} - (no file)
O2 - BHO: (no name) - {34E6F97C-34E0-4CE5-B92B-F83634BEDC01} - (no file)

Once you have selected all entries, close all running programs then click once on the "fix checked" button.
Reboot your computer.

Download RSIT by random/random from here and save it to your desktop.
* Double click on RSIT.exe to run RSIT.
* Click Continue at the disclaimer screen.
* Once it has finished, two logs will open. If it does not automatically open, then these logs can be found at %systemdrive%\rsit folder (typically C:\rsit)



Post back with both RSIT logs. Post each log in separate post.
patrik
Site Admin
 
Posts: 9276
Joined: Sun Jan 08, 2006 1:11 pm

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby quillaine » Tue Aug 02, 2011 3:51 am

info.txt logfile of random's system information tool 1.09 2011-08-01 20:36:24

======Uninstall list======

-->C:\PROGRA~1\COMMON~1\EACCEL~1\SysSnap\syssnap.exe -UnregServer
-->C:\WINNT\UNINST.EXE -f"C:\Program Files\PhotoDeluxe HE 3.0\DeIsL1.isu" -c"C:\Program Files\PhotoDeluxe HE 3.0\Uninst.dll"
-->C:\WINNT\uninst.exe -fC:\Maxis\SimAnt\DeIsL1.isu
-->C:\WINNT\uninst.exe -fC:\Maxis\SimPark\DeIsL2.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
Autorun Eater v2.5-->"C:\Program Files\Autorun Eater\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Logic Quest-->C:\WINNT\uninst.exe -fC:\TLCWIN\LogicQuest\uninstal\DeIsL1.isu
Revo Uninstaller 1.92-->F:\Revo Uninstaller\uninst.exe
Vocabulary 2.1-->C:\WINNT\iun6002.exe "C:\Program Files\Vocabulary\irunin.ini"
Windows Defender Signatures-->MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
ZipGenius 6.3-->"F:\ZipGenius\unins000.exe"

=====HijackThis Backups=====

F2 - REG:system.ini: Shell=Explorer.exe SCVVHSOT.exe [2011-07-28]
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - (no file) [2011-07-28]
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file) [2011-07-28]
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file) [2011-07-28]
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - (no file) [2011-07-28]
O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe (User '?') [2011-07-28]
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.61 [2011-07-28]
O22 - SharedTaskScheduler: criticalness - {bd2948f8-c949-464f-824a-6272608c739e} - (no file) [2011-07-28]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.61 [2011-07-28]
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2F80936-3EF1-465F-BDB6-6F0A68A60DB4}: NameServer = 85.255.115.18,85.255.112.61 [2011-07-28]
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe [2011-07-28]
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE013B6F-44F0-4B8D-91BB-39E990A9CCFC}: NameServer = 85.255.115.18,85.255.112.61 [2011-07-28]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.61 [2011-07-28]
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 [2011-07-28]
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINNT\system32\SCVVHSOT.exe (User 'Default user') [2011-07-28]
O4 - HKUS\S-1-5-21-602162358-813497703-854245398-1000\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User '?') [2011-07-28]
O2 - BHO: (no name) - {34E6F97C-34E0-4CE5-B92B-F83634BEDC01} - (no file) [2011-08-01]
R3 - URLSearchHook: (no name) - {4CC2E67B-E700-8498-913C-3E7EF3581AE7} - (no file) [2011-08-01]
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file) [2011-08-01]

======Hosts File======

localhost 127.0.0.1

Securitycenter WMI appears to be broken

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;C:\Program Files\QuickTime\QTSystem\;F:\ZipGenius\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 5 Stepping 2, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=0502
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip

-----------------EOF-----------------
Q
... I may be slow ... but I get there!
quillaine
 
Posts: 8
Joined: Tue Jul 26, 2011 6:35 am
Location: California, USA

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby quillaine » Tue Aug 02, 2011 3:52 am

Logfile of random's system information tool 1.09 (written by random/random)
Run by user at 2011-08-01 20:36:16
WIN_XP Service Pack 2
System drive C: has 11 GB (67%) free of 16 GB
Total RAM: 128 MB (13% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINNT\tasks\At1.job
C:\WINNT\tasks\At2.job
C:\WINNT\tasks\Check For Patches.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9527D42F-D666-11D3-B8DD-00600838CD5F}]
IEWatchObj Class - C:\WINNT\system32\IETie.dll [2003-05-15 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Autorun Eater"=C:\Program Files\Autorun Eater\oldmcdonald.exe [2010-05-06 516216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINNT\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
C:\WINNT\system32\wzcdlg.dll [2004-08-04 378368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=csljg.exe []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NBF]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nbf.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ProtectedStorage]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sglfb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\tga.sys]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=
"DisableTaskMgr"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoBandCustomize"=1
"ForceActiveDesktopOn"=0
"NofolderOptions"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1147071396\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1147071396\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\WINNT\system32\dpvsetup.exe"="C:\WINNT\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINNT\system32\rundll32.exe"="C:\WINNT\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\Common Files\AOL\1147071396\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1147071396\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\WINNT\system32\mmc.exe"="C:\WINNT\system32\mmc.exe:*:Enabled:Microsoft Management Console"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"=mmdrv.dll
"midimapper"=midimap.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.trspch"=tssoft32.acm
"vidc.cvid"=iccvid.dll
"vidc.iv31"=ir32_32.dll
"vidc.iv32"=ir32_32.dll
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"wavemapper"=msacm32.drv
"msacm.lhacm"=lhacm.acm
"msacm.msg723"=msg723.acm
"vidc.M263"=msh263.drv
"vidc.M261"=msh261.drv
"VIDC.I420"=msh263.drv
"msacm.iac2"=C:\WINNT\system32\iac25_32.ax
"vidc.iv50"=ir50_32.dll
"msacm.msaudio1"=msaud32.acm
"msacm.sl_anet"=sl_anet.acm
"wave3"=wdmaud.drv
"wave5"=
"wave6"=
"wave7"=
"wave8"=
"wave9"=
"midi3"=
"midi4"=
"midi5"=
"midi6"=
"midi7"=
"midi8"=
"midi9"=
"aux4"=
"aux5"=
"aux6"=
"aux7"=
"aux8"=
"aux9"=
"mixer2"=wdmaud.drv
"mixer4"=
"mixer5"=
"mixer6"=
"mixer7"=
"mixer8"=
"mixer9"=
"wdmaud.drv"=wdmaud.drv
"VIDC.YVU9"=tsbyuv.dll
"VIDC.YUY2"=msyuv.dll
"VIDC.UYVY"=msyuv.dll
"MSVideo"=lvfwwdmt.dll
"MSVideo8"=VfWWDM32.dll
"VIDC.MPG4"=mpg4c32.dll
"VIDC.MP42"=mpg4c32.dll
"vidc.iv41"=ir41_32.ax
"VIDC.IYUV"=iyuv_32.dll
"VIDC.YVYU"=msyuv.dll
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux1"=wdmaud.drv
"wave2"=serwvdrv.dll
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer1"=wdmaud.drv
"aux2"=wdmaud.drv
"msacm.l3acm"=l3codecp.acm
"msacm.g723"=g723.acm
"vidc.I263"=I263_32.drv

======List of files/folders created in the last 3 months======

2011-08-01 20:27:11 ----DC---- C:\rsit
2011-07-28 12:22:32 ----ASH---- C:\hiberfil.sys
2011-07-25 23:37:57 ----DC---- C:\Program Files\Trend Micro
2011-07-25 22:20:42 ----DC---- C:\Documents and Settings\user\Application Data\ZipGenius
2011-07-25 22:02:21 ----DC---- C:\Program Files\AVAST Software
2011-07-25 22:02:21 ----DC---- C:\Documents and Settings\All Users\Application Data\AVAST Software
2011-07-25 21:52:13 ----DC---- C:\Documents and Settings\All Users\Application Data\Autorun Eater
2011-07-25 21:51:46 ----DC---- C:\Program Files\Autorun Eater
2011-07-25 19:51:02 ----AC---- C:\WINNT\SCVVHSOT.exe
2011-07-25 17:44:52 ----ASH---- C:\pagefile.sys
2011-07-25 17:35:19 ----DC---- C:\Documents and Settings\user\Application Data\EMCO
2011-07-25 08:36:51 ----AC---- C:\WINNT\ntbtlog.txt
2011-07-24 13:00:49 ----DC---- C:\Program Files\TLCWIN
2011-07-24 12:58:54 ----AC---- C:\WINNT\E-REGTLC.INI
2011-07-24 12:57:45 ----AC---- C:\WINNT\TLCAPPS.INI
2011-07-24 12:53:03 ----DC---- C:\Program Files\Vocabulary
2011-07-24 12:51:05 ----AC---- C:\WINNT\Vocabulary Setup Log.txt
2011-07-19 23:14:39 ----RASHC---- C:\WINNT\system32\SCVVHSOT.exe
2011-07-19 23:14:39 ----RASHC---- C:\WINNT\system32\blastclnnn.exe
2011-07-19 22:52:26 ----DC---- C:\WINNT\SxsCaPendDel
2011-07-19 19:08:27 ----DC---- C:\Documents and Settings\user\Application Data\eAcceleration
2011-07-19 19:08:08 ----DC---- C:\Documents and Settings\All Users\Application Data\eAcceleration
2011-07-19 19:07:01 ----DC---- C:\My Downloads
2011-07-19 19:07:00 ----DC---- C:\My Music
2011-07-19 19:06:20 ----DC---- C:\windows
2011-07-19 19:06:20 ----DC---- C:\Program Files\Common Files\eAcceleration
2011-07-19 18:22:00 ----DC---- C:\WINNT\pss

======List of files/folders modified in the last 3 months======

2011-08-01 20:29:54 ----ADC---- C:\WINNT\security
2011-07-28 12:39:09 ----HDC---- C:\WINNT\inf
2011-07-28 12:39:03 ----DC---- C:\WINNT\system32\CatRoot2
2011-07-25 23:37:57 ----RADC---- C:\Program Files
2011-07-25 22:25:59 ----DC---- C:\WINNT
2011-07-25 22:07:01 ----RADC---- C:\WINNT\system32
2011-07-25 19:37:42 ----ADC---- C:\WINNT\system32\config
2011-07-25 19:31:03 ----SHD---- C:\System Volume Information
2011-07-25 19:26:18 ----A---- C:\WINNT\SchedLgU.Txt
2011-07-25 18:57:38 ----DC---- C:\WINNT\Prefetch
2011-07-25 18:45:31 ----DC---- C:\WINNT\Registration
2011-07-25 18:24:48 ----SDC---- C:\WINNT\Tasks
2011-07-25 10:59:10 ----ADC---- C:\Documents and Settings
2011-07-25 09:38:11 ----AC---- C:\WINNT\system32\PerfStringBackup.INI
2011-07-25 08:58:28 ----ASHC---- C:\boot.ini
2011-07-24 12:59:09 ----ADC---- C:\WINNT\Temp
2011-07-24 12:58:10 ----C---- C:\WINNT\system.ini
2011-07-24 12:53:07 ----C---- C:\WINNT\win.ini
2011-07-24 12:50:45 ----AC---- C:\WINNT\iun6002.exe
2011-07-21 13:50:20 ----DC---- C:\Config.Msi
2011-07-21 13:43:00 ----SHDC---- C:\WINNT\Installer
2011-07-21 13:42:06 ----DC---- C:\WINNT\system32\URTTemp
2011-07-21 13:42:06 ----DC---- C:\Program Files\Internet Explorer
2011-07-21 13:21:27 ----DC---- C:\Program Files\Java
2011-07-21 11:31:21 ----HDC---- C:\Program Files\InstallShield Installation Information
2011-07-21 11:17:41 ----ADC---- C:\WINNT\system32\drivers
2011-07-21 11:15:58 ----RASHDC---- C:\WINNT\system32\dllcache
2011-07-21 11:15:49 ----DC---- C:\Program Files\Windows Media Player
2011-07-21 11:09:56 ----DC---- C:\WINNT\system32\drivers\UMDF
2011-07-20 22:57:24 ----DC---- C:\WINNT\system32\Logfiles
2011-07-20 22:24:02 ----DC---- C:\Program Files\Microsoft Office
2011-07-20 20:02:15 ----ADC---- C:\WINNT\Help
2011-07-20 19:59:24 ----DC---- C:\WINNT\WinSxS
2011-07-20 19:19:55 ----DC---- C:\Program Files\QuickTime
2011-07-20 15:14:29 ----DC---- C:\WINNT\system32\Restore
2011-07-20 12:49:39 ----AC---- C:\WINNT\ACROREAD.INI
2011-07-20 12:16:16 ----DC---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2011-07-20 12:14:41 ----ADC---- C:\Program Files\Common Files\Microsoft Shared
2011-07-20 12:14:25 ----RSDC---- C:\WINNT\Fonts
2011-07-20 12:09:20 ----HDC---- C:\WINNT\ShellNew
2011-07-20 01:48:08 ----ADC---- C:\Program Files\Common Files\AOL
2011-07-20 01:48:06 ----DC---- C:\Documents and Settings\All Users\Application Data\AOL
2011-07-20 01:47:01 ----DC---- C:\WINNT\system32\Macromed
2011-07-20 01:46:55 ----DC---- C:\Documents and Settings\user\Application Data\Macromedia
2011-07-20 01:23:50 ----DC---- C:\WINNT\system32\NtmsData
2011-07-20 00:03:33 ----ADC---- C:\WINNT\Debug
2011-07-20 00:03:16 ----DC---- C:\WINNT\Minidump
2011-07-19 23:40:25 ----DC---- C:\Program Files\Common Files\Symantec Shared
2011-07-19 23:39:35 ----ADC---- C:\Program Files\Common Files
2011-07-19 23:36:52 ----DC---- C:\Program Files\Mozilla Firefox
2011-07-19 23:32:06 ----DC---- C:\Program Files\Common Files\Real
2011-07-19 23:30:47 ----DC---- C:\Documents and Settings\user\Application Data\Real
2011-07-19 23:24:27 ----AC---- C:\WINNT\smsafari.ini
2011-07-19 23:19:21 ----ADC---- C:\Program Files\Common Files\aolshare
2011-07-19 23:07:57 ----DC---- C:\WINNT\system32\en-US
2011-07-19 22:59:19 ----DC---- C:\WINNT\WBEM
2011-07-19 22:51:43 ----DC---- C:\WINNT\system32\DRVSTORE
2011-07-19 22:41:17 ----DC---- C:\Program Files\Common Files\Adobe
2011-07-19 22:41:17 ----DC---- C:\Program Files\Adobe
2011-07-19 22:41:12 ----DC---- C:\Documents and Settings\All Users\Application Data\Adobe
2011-07-19 19:24:11 ----ADC---- C:\WINNT\system32\CatRoot
2011-07-19 19:11:31 ----ADC---- C:\WINNT\system32\wbem
2011-07-18 21:16:59 ----SDC---- C:\WINNT\Downloaded Program Files
2011-07-18 20:43:31 ----SDC---- C:\Documents and Settings\user\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 agp440;Intel AGP Bus Filter; C:\WINNT\System32\DRIVERS\agp440.sys [2004-08-03 42368]
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2005-10-03 58000]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2005-10-03 23420]
R1 SYMTDI;SYMTDI; C:\WINNT\System32\Drivers\SYMTDI.SYS [2007-02-07 269616]
R2 Cnxtdiag;Cnxtdiag; C:\WINNT\System32\DRIVERS\cnxtdiag.sys [2001-07-03 17776]
R2 Fallback;Fallback; C:\WINNT\System32\DRIVERS\fallback.sys [2001-06-24 308403]
R2 Fsks;Fsks; C:\WINNT\System32\DRIVERS\fsksnt.sys [2001-06-24 124189]
R2 K56;K56; C:\WINNT\System32\DRIVERS\k56nt.sys [2001-06-24 427215]
R2 PCASp50;PCASp50 NDIS Protocol Driver; C:\WINNT\System32\Drivers\PCASp50.sys [2006-11-28 27072]
R2 SoftFax;SoftFax; C:\WINNT\System32\DRIVERS\faxnt.sys [2001-06-24 215195]
R2 SpeakerPhone;SpeakerPhone; C:\WINNT\System32\DRIVERS\spkpnt.sys [2001-06-24 79745]
R2 Tones;Tones; C:\WINNT\System32\DRIVERS\tonesnt.sys [2001-06-24 59375]
R2 V124;V124; C:\WINNT\System32\DRIVERS\v124nt.sys [2001-07-16 539917]
R3 atirage3;atirage3; C:\WINNT\system32\DRIVERS\atimpae.sys [2001-08-17 75136]
R3 ds1;Yamaha DS1 Audio Driver (WDM); C:\WINNT\system32\drivers\ds1wdm.sys [2001-08-17 334208]
R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINNT\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
R3 HSF_DP;HSF_DP; C:\WINNT\system32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536]
R3 HSFHWBS2;HSFHWBS2; C:\WINNT\system32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINNT\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINNT\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 wanatw;WAN Miniport (ATW); C:\WINNT\System32\DRIVERS\wanatw4.sys [2003-01-10 33588]
R3 winachsf;winachsf; C:\WINNT\system32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056]
S1 lusbaudio;Logitech USB Microphone; C:\WINNT\system32\drivers\lvsound2.sys [2000-06-09 25600]
S1 tga;tga; C:\WINNT\system32\drivers\tga.sys []
S2 mdmxsdk;mdmxsdk; C:\WINNT\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
S3 basic2;basic2; C:\WINNT\System32\DRIVERS\basic2.sys [2001-07-16 76610]
S3 CamAv;SAMSUNG Video Capture; C:\WINNT\System32\Drivers\CamAv.sys []
S3 CAMFLT;%CAMFLT.SvcDesc%; C:\WINNT\system32\drivers\CAMFLT.sys []
S3 ccdecode;Closed Caption Decoder; C:\WINNT\system32\drivers\ccdecode.sys [2004-08-03 17024]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver; C:\WINNT\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 HidUsb;Microsoft HID Class Driver; C:\WINNT\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
S3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2004-08-04 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 MxlW2k;MxlW2k; C:\WINNT\system32\drivers\MxlW2k.sys [2011-07-19 28256]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINNT\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 QCEmerald;Logitech QuickCam Web; C:\WINNT\system32\DRIVERS\LVCE.sys [2000-06-09 37376]
S3 Rksample;Rksample; C:\WINNT\System32\DRIVERS\rksample.sys [2001-07-15 67222]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver; C:\WINNT\system32\DRIVERS\rt2870.sys [2007-07-27 517632]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 SQTECH905C;DualCamera; C:\WINNT\System32\Drivers\Capt905c.sys [2005-03-24 38937]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 SYMIDSCO;SYMIDSCO; C:\WINNT\system32\drivers\SYMIDSCO.sys []
S3 SYMREDRV;SYMREDRV; C:\WINNT\System32\Drivers\SYMREDRV.SYS [2007-02-07 17968]
S3 UnlockMonitor;UnlockMonitor; \??\F:\UnLockIT\v3\UnlockMonitor.sys []
S3 USB_RNDIS;Linksys Wireless-G USB Network Adapter with SpeedBooster Driver; C:\WINNT\System32\DRIVERS\usb8023k.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINNT\system32\drivers\usbaudio.sys [2004-08-04 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINNT\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 WpdUsb;WpdUsb; C:\WINNT\system32\DRIVERS\wpdusb.sys [2005-01-28 18944]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 aic116x;aic116x; C:\WINNT\system32\drivers\aic116x.sys []
S4 ami0nt;ami0nt; C:\WINNT\system32\drivers\ami0nt.sys []
S4 BusLogic;BusLogic; C:\WINNT\system32\drivers\BusLogic.sys []
S4 cpqarry2;cpqarry2; C:\WINNT\system32\drivers\cpqarry2.sys []
S4 cpqfcalm;cpqfcalm; C:\WINNT\system32\drivers\cpqfcalm.sys []
S4 cpqfws2e;cpqfws2e; C:\WINNT\system32\drivers\cpqfws2e.sys []
S4 deckzpsx;deckzpsx; C:\WINNT\system32\drivers\deckzpsx.sys []
S4 EFS;EFS; C:\WINNT\system32\drivers\EFS.sys []
S4 Fd16_700;Fd16_700; C:\WINNT\system32\drivers\Fd16_700.sys []
S4 fireport;fireport; C:\WINNT\system32\drivers\fireport.sys []
S4 flashpnt;flashpnt; C:\WINNT\system32\drivers\flashpnt.sys []
S4 ipsraidn;ipsraidn; C:\WINNT\system32\drivers\ipsraidn.sys []
S4 lp6nds35;lp6nds35; C:\WINNT\system32\drivers\lp6nds35.sys []
S4 Ncrc710;Ncrc710; C:\WINNT\system32\drivers\Ncrc710.sys []
S4 Parallel;Parallel class driver; C:\WINNT\System32\DRIVERS\parallel.sys []
S4 ql2100;ql2100; C:\WINNT\system32\drivers\ql2100.sys []
S4 ultra66;ultra66; C:\WINNT\system32\drivers\ultra66.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S4 AOL ACS;AOL Connectivity Service; C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe [2004-04-21 1434848]
S4 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S4 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2007-02-07 206544]
S4 UMWdf;Windows User Mode Driver Framework; C:\WINNT\system32\wdfmgr.exe [2005-01-28 38912]
S4 UtilMan;Utility Manager; C:\WINNT\System32\UtilMan.exe [2004-08-04 50176]
S4 WANMiniportService;WAN Miniport (ATW) Service; C:\WINNT\wanmpsvc.exe [2003-08-27 65536]

-----------------EOF-----------------
Q
... I may be slow ... but I get there!
quillaine
 
Posts: 8
Joined: Tue Jul 26, 2011 6:35 am
Location: California, USA

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby patrik » Wed Aug 03, 2011 2:51 pm

I would check a few more.
If you have previously downloaded ComboFix, please delete that version now.
Download Combofix from here. Close any open browsers. Double click on combofix.exe and follow the prompts.
When the tool is finished, it will produce a log for you. If the log does not automatically open, then it can be found at %systemdrive%\combofix.txt (typically C:\combofix.txt).

If ComboFix will not run, please rename it to myapp.exe and try again!

Post back with combofix log.
patrik
Site Admin
 
Posts: 9276
Joined: Sun Jan 08, 2006 1:11 pm

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby quillaine » Fri Aug 05, 2011 5:39 am

I downloaded ComboFix from the link you provided and ran it on the infected desktop. The program runs and opens a new window to save files in order to create a system restore point. After that window closes, the following message shows up in a new window entitled: Microsoft Windows Recovery Console

This machine does not have the 'Microsoft Windows recovery console' installed. Alternately, an existing installation of the recovery console may be present but requires updating.

Without it, ComboFix shall not attempt the fixing of some serious infections.

Click 'Yes" to have ComboFix download/install it.

NOTE: this requires an active internet connection.

----------------------------------

I selected the "no" choice for that window because I can't get the unit connected to the internet, and when I searched for the "Microsoft Windows Recovery Console" I could not find a solution that I could use. I don't have the Windows XP disks (second-hand machine), and other than downloading directly from the internet, I found no other way to get that console.

ComboFix ran all night, and when I found it still grinding away the next morning, I closed the program and turned off the computer. Now I'm trying it again, but this time I will not turn off the computer until ComboFix is finished or you advise me to turn it off.

NOTE: I believe this unit was part of a network, because I get popup windows saying that the network administrator disabled certain actions (I know for a fact that the Control Panel is disabled). I have no idea if this might have any effect on cleaning the system, but I thought I'd mention it.

Your help has been very much appreciated, and I'm learning a bit, too. Unfortunately, my next question is: What now?
quillaine
 
Posts: 8
Joined: Tue Jul 26, 2011 6:35 am
Location: California, USA

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby patrik » Fri Aug 05, 2011 1:52 pm

Open the guide http://www.myantispyware.com/2007/10/08 ... ware-tool/
Follow the steps 3-4 to install Windows Recovery console.
Perform a scan with Combofix and post a log here.
patrik
Site Admin
 
Posts: 9276
Joined: Sun Jan 08, 2006 1:11 pm

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby quillaine » Sun Aug 07, 2011 1:01 am

Thanks, Patrik. I feel silly for not checking the ComboFix documentation ...

ComboFix ran two times. This one is BEFORE I installed the Windows Recovery Console.

ComboFix 11-08-03.03 - user 08/05/2011 16:35:49.1.1 - x86
Running from: c:\documents and settings\user\My Documents\ComboFix.exe
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\Application Data\kc.tmp
c:\documents and settings\user\Application Data\uns.tmp
c:\documents and settings\user\My Documents\~WRL0001.tmp
c:\documents and settings\user\My Documents\~WRL0002.tmp
c:\documents and settings\user\My Documents\~WRL0003.tmp
c:\documents and settings\user\My Documents\~WRL0004.tmp
c:\documents and settings\user\My Documents\~WRL1062.tmp
c:\documents and settings\user\My Documents\~WRL2058.tmp
c:\documents and settings\user\My Documents\~WRL2154.tmp
c:\documents and settings\user\My Documents\~WRL2160.tmp
c:\documents and settings\user\My Documents\~WRL4062.tmp
c:\documents and settings\user\WINDOWS
c:\winnt\k.exe
c:\winnt\system32\39hr8mvo.dat
c:\winnt\system32\fooool.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_IAS
.
.
((((((((((((((((((((((((( Files Created from 2011-07-06 to 2011-08-06 )))))))))))))))))))))))))))))))
.
.
2011-08-02 03:27 . 2011-08-02 03:36 -------- dc----w- C:\rsit
2011-07-26 06:37 . 2011-07-26 06:37 -------- dc----w- c:\program files\Trend Micro
2011-07-26 05:20 . 2011-07-26 05:20 -------- dc----w- c:\documents and settings\user\Application Data\ZipGenius
2011-07-26 05:02 . 2011-07-26 05:07 -------- dc----w- c:\program files\AVAST Software
2011-07-26 05:02 . 2011-07-26 05:07 -------- dc----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-07-26 04:52 . 2011-07-26 04:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2011-07-26 04:51 . 2011-07-26 04:51 -------- dc----w- c:\program files\Autorun Eater
2011-07-26 03:00 . 2011-07-26 03:00 -------- dc----w- c:\documents and settings\user\DoctorWeb
2011-07-26 02:51 . 2008-03-24 16:19 310899 -c--a-w- c:\winnt\SCVVHSOT.exe
2011-07-26 00:35 . 2011-07-26 00:35 -------- dc----w- c:\documents and settings\user\Application Data\EMCO
2011-07-25 17:59 . 2011-07-25 17:59 -------- dc----w- c:\documents and settings\Administrator
2011-07-24 20:00 . 2011-07-24 20:00 -------- dc----w- c:\program files\TLCWIN
2011-07-24 19:53 . 2011-07-24 19:53 -------- dc----w- c:\program files\Vocabulary
2011-07-20 06:14 . 2008-03-24 16:19 310899 -csha-r- c:\winnt\system32\SCVVHSOT.exe
2011-07-20 06:14 . 2008-03-24 16:19 310899 -csha-r- c:\winnt\system32\blastclnnn.exe
2011-07-20 05:52 . 2011-07-20 06:07 -------- dc----w- c:\winnt\SxsCaPendDel
2011-07-20 02:11 . 2011-07-20 02:11 -------- dc----w- c:\winnt\system32\wbem\Repository
2011-07-20 02:08 . 2011-07-20 05:30 -------- dc----w- c:\documents and settings\user\Application Data\eAcceleration
2011-07-20 02:08 . 2011-07-20 02:08 -------- dc----w- c:\documents and settings\All Users\Application Data\eAcceleration
2011-07-20 02:07 . 2011-07-20 08:57 -------- dc----w- C:\My Downloads
2011-07-20 02:07 . 2011-07-20 08:57 -------- dc----w- C:\My Music
2011-07-20 02:06 . 2011-07-20 02:06 -------- dc----w- C:\windows
2011-07-20 02:06 . 2011-07-20 02:06 -------- dc----w- c:\program files\Common Files\eAcceleration
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-24 19:50 . 2004-05-19 06:10 716800 -c--a-w- c:\winnt\iun6002.exe
2011-07-20 06:35 . 2005-09-04 00:25 28256 -c--a-w- c:\winnt\system32\drivers\MxlW2k.sys
2010-09-13 21:07 . 2010-09-13 21:07 292 -c--a-w- c:\program files\makeboot.bat
2010-09-13 21:07 . 2010-09-13 21:07 28160 -c--a-w- c:\program files\syslinux.exe
2010-09-13 21:07 . 2010-09-13 21:07 217088 -c--a-w- c:\program files\setup.exe
2008-03-24 16:19 310899 -csha-r- c:\winnt\system32\blastclnnn.exe
2008-03-24 16:19 310899 -csha-r- c:\winnt\system32\SCVVHSOT.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\dpvsetup.exe"=
"c:\\WINNT\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundParameterProblem"= 1 (0x1)
.
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
R3 QCEmerald;Logitech QuickCam Web;c:\winnt\system32\DRIVERS\LVCE.sys [2000-06-09 37376]
R3 UnlockMonitor;UnlockMonitor;f:\unlockit\v3\UnlockMonitor.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-26 c:\winnt\Tasks\At1.job
- c:\winnt\system32\blastclnnn.exe [2011-07-20 16:19]
.
2011-07-26 c:\winnt\Tasks\At2.job
- c:\winnt\system32\blastclnnn.exe [2011-07-20 16:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customi ... ch/ie.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocach ... 0.0.15.cab
DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - hxxp://download.movienetworks.com/insta ... mtscab.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-sglfb.sys
SafeBoot-tga.sys
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
AddRemove-Adobe PhotoDeluxe Home Edition 3.0 - c:\program files\PhotoDeluxe HE 3.0\DeIsL1.isu
AddRemove-LQSHLL32.EXE - c:\tlcwin\LogicQuest\uninstal\DeIsL1.isu
AddRemove-Revo Uninstaller - f:\revo uninstaller\uninst.exe
AddRemove-SimAntv1.0 - c:\maxis\SimAnt\DeIsL1.isu
AddRemove-SimParkv1.0 - c:\maxis\SimPark\DeIsL2.isu
AddRemove-{EC3B598C-1151-4191-B5B4-A9072ADE6259}_is1 - f:\zipgenius\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-05 17:35
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(380)
c:\winnt\system32\l3codecp.acm
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-08-05 17:47:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-06 00:47
.
Pre-Run: 11,579,772,928 bytes free
Post-Run: 11,485,855,744 bytes free
.
- - End Of File - - 5B6ADE41302CE759DD4BE0D5EBB0926D
Q
... I may be slow ... but I get there!
quillaine
 
Posts: 8
Joined: Tue Jul 26, 2011 6:35 am
Location: California, USA

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby quillaine » Sun Aug 07, 2011 1:03 am

ComboFix log AFTER installation of Windows Recovery Console:

ComboFix 11-08-03.03 - user 08/06/2011 7:38.2.1 - x86
Running from: c:\documents and settings\user\My Documents\ComboFix.exe
Command switches used :: F:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\winnt\system32\autorun.ini
c:\winnt\system32\blastclnnn.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-06 to 2011-08-06 )))))))))))))))))))))))))))))))
.
.
2011-08-02 03:27 . 2011-08-02 03:36 -------- dc----w- C:\rsit
2011-07-26 06:37 . 2011-07-26 06:37 -------- dc----w- c:\program files\Trend Micro
2011-07-26 05:20 . 2011-07-26 05:20 -------- dc----w- c:\documents and settings\user\Application Data\ZipGenius
2011-07-26 05:02 . 2011-07-26 05:07 -------- dc----w- c:\program files\AVAST Software
2011-07-26 05:02 . 2011-07-26 05:07 -------- dc----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-07-26 04:52 . 2011-07-26 04:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2011-07-26 04:51 . 2011-07-26 04:51 -------- dc----w- c:\program files\Autorun Eater
2011-07-26 03:00 . 2011-07-26 03:00 -------- dc----w- c:\documents and settings\user\DoctorWeb
2011-07-26 02:51 . 2008-03-24 16:19 310899 -c--a-w- c:\winnt\SCVVHSOT.exe
2011-07-26 00:35 . 2011-07-26 00:35 -------- dc----w- c:\documents and settings\user\Application Data\EMCO
2011-07-25 17:59 . 2011-07-25 17:59 -------- dc----w- c:\documents and settings\Administrator
2011-07-24 20:00 . 2011-07-24 20:00 -------- dc----w- c:\program files\TLCWIN
2011-07-24 19:53 . 2011-07-24 19:53 -------- dc----w- c:\program files\Vocabulary
2011-07-20 06:14 . 2008-03-24 16:19 310899 -csha-r- c:\winnt\system32\SCVVHSOT.exe
2011-07-20 05:52 . 2011-07-20 06:07 -------- dc----w- c:\winnt\SxsCaPendDel
2011-07-20 02:11 . 2011-07-20 02:11 -------- dc----w- c:\winnt\system32\wbem\Repository
2011-07-20 02:08 . 2011-07-20 05:30 -------- dc----w- c:\documents and settings\user\Application Data\eAcceleration
2011-07-20 02:08 . 2011-07-20 02:08 -------- dc----w- c:\documents and settings\All Users\Application Data\eAcceleration
2011-07-20 02:07 . 2011-07-20 08:57 -------- dc----w- C:\My Downloads
2011-07-20 02:07 . 2011-07-20 08:57 -------- dc----w- C:\My Music
2011-07-20 02:06 . 2011-07-20 02:06 -------- dc----w- C:\windows
2011-07-20 02:06 . 2011-07-20 02:06 -------- dc----w- c:\program files\Common Files\eAcceleration
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-24 19:50 . 2004-05-19 06:10 716800 -c--a-w- c:\winnt\iun6002.exe
2011-07-20 06:35 . 2005-09-04 00:25 28256 -c--a-w- c:\winnt\system32\drivers\MxlW2k.sys
2010-09-13 21:07 . 2010-09-13 21:07 292 -c--a-w- c:\program files\makeboot.bat
2010-09-13 21:07 . 2010-09-13 21:07 28160 -c--a-w- c:\program files\syslinux.exe
2010-09-13 21:07 . 2010-09-13 21:07 217088 -c--a-w- c:\program files\setup.exe
2008-03-24 16:19 310899 -csha-r- c:\winnt\system32\SCVVHSOT.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\dpvsetup.exe"=
"c:\\WINNT\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundParameterProblem"= 1 (0x1)
.
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
R3 QCEmerald;Logitech QuickCam Web;c:\winnt\system32\DRIVERS\LVCE.sys [2000-06-09 37376]
R3 UnlockMonitor;UnlockMonitor;f:\unlockit\v3\UnlockMonitor.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customi ... ch/ie.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - hxxp://download.movienetworks.com/insta ... mtscab.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-06 07:58
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(380)
c:\winnt\system32\l3codecp.acm
.
Completion time: 2011-08-06 08:06:42
ComboFix-quarantined-files.txt 2011-08-06 15:06
ComboFix2.txt 2011-08-06 00:47
.
Pre-Run: 11,473,928,192 bytes free
Post-Run: 11,268,620,288 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A091D2224D4191D319C20EB451E78B09
Q
... I may be slow ... but I get there!
quillaine
 
Posts: 8
Joined: Tue Jul 26, 2011 6:35 am
Location: California, USA
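A small triage script for logs like the two ComboFix outputs posted above (an added example, not part of this thread and not ComboFix's own code): it parses the "Other Deletions", "Files Created", "Reg Loading Points" and "Scheduled Tasks" sections and flags what a responder looks at first, namely files carrying the hidden+system attributes under the Windows directory, scheduled At*.job tasks that launch one of those files, autorun.inf/autorun.ini deletions, and Security Center values that silence antivirus monitoring. The sample log is constructed from lines in this thread; the section names and the eight-character attribute field are read off those logs, while the list of Security Center value names and the "executable" extension list are assumptions.

```python
"""Triage helper for ComboFix-style logs.

Added example for this thread; not ComboFix's own code.  The section
names and the 8-character attribute field (e.g. "-csha-r-") are taken
from the logs posted above; the Security Center value names below are
an assumption about what is worth flagging.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the two ComboFix logs in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\winnt\k.exe
c:\winnt\system32\39hr8mvo.dat
c:\winnt\system32\fooool.exe
c:\winnt\system32\autorun.ini
.
((((((((((((((((((((((((( Files Created from 2011-07-06 to 2011-08-06 )))))))))))))))))))))))))))))))
.
2011-08-02 03:27 . 2011-08-02 03:36 -------- dc----w- C:\rsit
2011-07-26 02:51 . 2008-03-24 16:19 310899 -c--a-w- c:\winnt\SCVVHSOT.exe
2011-07-20 06:14 . 2008-03-24 16:19 310899 -csha-r- c:\winnt\system32\SCVVHSOT.exe
2011-07-20 06:14 . 2008-03-24 16:19 310899 -csha-r- c:\winnt\system32\blastclnnn.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-26 c:\winnt\Tasks\At1.job
- c:\winnt\system32\blastclnnn.exe [2011-07-20 16:19]
.
2011-07-26 c:\winnt\Tasks\At2.job
- c:\winnt\system32\blastclnnn.exe [2011-07-20 16:19]
.
------- Supplementary Scan -------
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")          # ((( Name )))
FILE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. )?"           # optional creation stamp
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} "                    # modification stamp
    r"(?:(\d+|-{8}) )?"                                   # size, or -------- for dirs
    r"([-dcshawr]{8}) "                                   # attribute field
    r"(.+)$")                                             # path
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (\S+\\Tasks\\\S+\.job)$", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r"^- (.+?) \[.*\]$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:)?0*([0-9a-fx]+)', re.IGNORECASE)

# Assumption: Security Center values that, when non-zero, hide AV/firewall state.
SECURITY_CENTER_TAMPER = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring",
                          "AntiVirusDisableNotify", "FirewallDisableNotify"}
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat")


def analyze(log_text):
    """Return {category: [findings]} for the indicators described above."""
    findings = defaultdict(list)
    section = reg_key = current_task = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("Contents of the 'Scheduled Tasks'"):
            section = "Scheduled Tasks"
            continue
        if line.startswith("------- Supplementary Scan"):
            section = "Supplementary Scan"
            continue
        if section == "Other Deletions":
            low = line.lower()
            if low.endswith(("autorun.inf", "autorun.ini")):
                findings["autorun"].append(line)
            elif low.endswith(EXEC_EXT):
                findings["deleted_executable"].append(line)
        elif section and (section.startswith("Files Created") or section == "Find3M Report"):
            m = FILE_RE.match(line)
            if m:
                _size, attrs, path = m.groups()
                # hidden + system on a non-directory executable is the worm's usual disguise
                if "s" in attrs and "h" in attrs and not attrs.startswith("d") \
                        and path.lower().endswith(EXEC_EXT):
                    findings["hidden_system_executable"].append(path)
        elif section == "Reg Loading Points":
            m = REG_KEY_RE.match(line)
            if m:
                reg_key = m.group(1)
                continue
            m = REG_VAL_RE.match(line)
            if m and reg_key and "security center" in reg_key.lower():
                name, value = m.groups()
                if name in SECURITY_CENTER_TAMPER and value != "0":
                    findings["security_center_tamper"].append(f"{reg_key}\\{name}={value}")
        elif section == "Scheduled Tasks":
            m = TASK_RE.match(line)
            if m:
                current_task = m.group(1)
                continue
            m = TASK_TARGET_RE.match(line)
            if m and current_task:
                findings["scheduled_task"].append((current_task, m.group(1)))
    # Cross-reference: a task that launches one of the hidden+system files.
    hidden = {p.lower() for p in findings.get("hidden_system_executable", [])}
    for task, target in findings.get("scheduled_task", []):
        if target.lower() in hidden:
            findings["task_runs_hidden_executable"].append(task)
    return dict(findings)


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run it against a saved C:\combofix.txt by reading the file into analyze(); the "task_runs_hidden_executable" category is the one that ties the At*.job entries to the re-created system32 copies, which is why the second log (after the autorun.ini and blastclnnn.exe deletions) no longer lists any scheduled tasks.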

Re: Trojan horse Generic_c.GAF & Virus Identified Worm/AutoRun.K

Postby 12056 » Fri Sep 09, 2011 1:00 am

Sorry for the delay...

It looks like Combofix has removed several infections, how is your computer acting?
Is your anti-virus showing any more detections?
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm
