TechSpot

SHuer2.BITO / Virtumonde.sdn / WSC.FirewallBypass

By Buzz
Oct 4, 2009
Topic Status:
Not open for further replies.
  1. So happy to have found your site...

    I have completed the 8 step Prelim.Removal Instruct.

    I stupidly signed up for an on-line live feed of a football Grand Final ... AND gave my debit card details for the 7 day free trial to sign up for membership.

    AVG 8.5 popped up with a Win32/Heur infection alert.

    The same day I cancelled the membership, requested that my bank cancel the card authorization, withdrew the balance of funds in that debit card account, uninstalled the torrent software that they had advised me to download, and noticed the membership confirmation email came from an address at mediadome.ru - suspected this is Russia and started getting worried!

    SpyBot found Virtumonde.sdn and W.S.C.FirewallBypass

    Firefox 3.0.14 IE8

    Thanks heaps for providing this great service !
    Buzz
     
  2. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Buzzzzz at 2009-10-05 08:05:50
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 229 GB (90%) free of 256 GB
    Total RAM: 3071 MB (83% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:06:08 AM, on 05-Oct-09
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hotspot Shield\bin\openvpntray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Buzzzzz\Desktop\RSIT.exe
    C:\Program Files\trend micro\Buzzzzz.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\System32\c_iscii32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6847 bytes
     
  3. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-08-16 1111320]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    AVG Security Toolbar BHO - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-31 41760]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-31 73728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
    Hotspot Shield Class - C:\Program Files\Hotspot Shield\hssie\HssIE.dll [2009-08-22 218160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-08-16 2007832]
    "ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-02-16 981384]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-10-25 8491008]
    "Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-31 149280]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE [2004-01-14 409600]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE [2001-08-23 44032]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2005-04-07 208952]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe [2009-09-21 305440]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="C:\WINDOWS\System32\c_iscii32.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
    C:\WINDOWS\system32\avgrsstx.dll [2009-08-16 11952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
    "C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
    "C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
    "C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
    "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
     
  4. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    ======List of files/folders created in the last 1 months======

    2009-10-05 08:05:51 ----D---- C:\Program Files\trend micro
    2009-10-05 08:05:50 ----D---- C:\rsit
    2009-10-05 07:48:51 ----A---- C:\RootRepeal report 10-05-09 (07-48-51).txt
    2009-10-05 07:44:17 ----A---- C:\RootRepeal report 10-05-09 (07-44-17).txt
    2009-10-05 07:42:52 ----A---- C:\RootRepeal report 10-05-09 (07-42-52).txt
    2009-10-05 02:49:01 ----D---- C:\Documents and Settings\Buzzzzz\Application Data\Malwarebytes
    2009-10-05 02:48:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2009-10-05 02:48:57 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-10-05 00:21:00 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-10-05 00:19:01 ----D---- C:\Program Files\SUPERAntiSpyware
    2009-10-05 00:19:01 ----D---- C:\Documents and Settings\Buzzzzz\Application Data\SUPERAntiSpyware.com
    2009-10-05 00:08:44 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2009-10-03 19:15:34 ----D---- C:\VundoFix Backups
    2009-10-03 19:15:34 ----A---- C:\VundoFix.txt
    2009-10-03 16:48:45 ----A---- C:\WINDOWS\wininit.ini
    2009-10-03 14:50:08 ----D---- C:\Documents and Settings\Buzzzzz\Application Data\LimeWire
    2009-10-03 14:49:54 ----D---- C:\Program Files\360Share Pro
    2009-09-26 23:17:23 ----D---- C:\Program Files\iPod
    2009-09-26 23:17:21 ----D---- C:\Program Files\iTunes
    2009-09-11 05:32:57 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
    2009-09-11 05:32:55 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
    2009-09-10 23:26:29 ----D---- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-09-10 23:25:29 ----D---- C:\Program Files\QuickTime
    2009-09-06 18:21:39 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$

    ======List of files/folders modified in the last 1 months======

    2009-10-05 08:06:07 ----D---- C:\WINDOWS\Prefetch
    2009-10-05 08:05:51 ----RD---- C:\Program Files
    2009-10-05 08:02:41 ----HD---- C:\$AVG8.VAULT$
    2009-10-05 08:02:13 ----D---- C:\Program Files\Mozilla Firefox
    2009-10-05 07:46:26 ----D---- C:\WINDOWS\system32\drivers
    2009-10-05 07:35:33 ----D---- C:\WINDOWS\system32
    2009-10-05 05:03:58 ----D---- C:\WINDOWS\Internet Logs
    2009-10-05 04:51:38 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2009-10-05 04:47:49 ----D---- C:\WINDOWS\Temp
    2009-10-05 04:46:35 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-10-05 04:45:33 ----SHD---- C:\WINDOWS\Installer
    2009-10-05 04:45:30 ----D---- C:\Program Files\Java
    2009-10-05 03:45:14 ----D---- C:\WINDOWS
    2009-10-05 01:22:49 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-10-05 00:08:44 ----D---- C:\Program Files\Common Files
    2009-10-03 18:08:03 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2009-10-03 18:07:16 ----D---- C:\Program Files\Hotspot Shield
    2009-10-03 18:06:32 ----HD---- C:\WINDOWS\inf
    2009-10-03 18:01:12 ----D---- C:\WINDOWS\Debug
    2009-10-03 16:51:32 ----SH---- C:\boot.ini
    2009-10-03 16:51:32 ----A---- C:\WINDOWS\win.ini
    2009-10-03 16:51:32 ----A---- C:\WINDOWS\system.ini
    2009-10-03 15:03:02 ----D---- C:\Documents and Settings\Buzzzzz\Application Data\uTorrent
    2009-10-02 05:55:38 ----A---- C:\WINDOWS\ModemLog_Data Modem @ CDMA(6523).txt
    2009-09-28 19:29:26 ----D---- C:\Documents and Settings\Buzzzzz\Application Data\Thai2English
    2009-09-27 17:55:00 ----D---- C:\Program Files\Google
    2009-09-26 23:17:23 ----D---- C:\Program Files\Common Files\Apple
    2009-09-26 07:27:24 ----D---- C:\Documents and Settings\Buzzzzz\Application Data\GoodSync
    2009-09-24 14:11:39 ----D---- C:\Program Files\Spybot - Search & Destroy
    2009-09-11 05:32:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2009-09-11 05:32:54 ----HD---- C:\WINDOWS\$hf_mig$
    2009-09-11 05:32:49 ----D---- C:\WINDOWS\ie8updates
    2009-09-10 23:33:17 ----D---- C:\Documents and Settings\Buzzzzz\Application Data\Apple Computer
    2009-09-10 23:26:50 ----DC---- C:\WINDOWS\system32\DRVSTORE

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-16 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-16 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-02 108552]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
    R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
    R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
    R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-02-16 353672]
    R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
    R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2006-11-08 62336]
    R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
    R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-08 138752]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
    R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-10-16 4615168]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12160]
    R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-10-25 6864736]
    R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2007-09-20 53632]
    R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2007-09-20 22016]
    R3 nvsmu;nvsmu; C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2007-07-07 12032]
    R3 taphss;Anchorfree HSS Adapter; C:\WINDOWS\system32\DRIVERS\taphss.sys [2009-09-16 32768]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
    S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\cmo_bus.sys [2005-08-17 58352]
    S3 cmo_mdfl;Data Modem @ CDMA Filter; C:\WINDOWS\system32\DRIVERS\cmo_mdfl.sys [2005-08-17 8304]
    S3 cmo_mdm;Data Modem @ CDMA Drivers; C:\WINDOWS\system32\DRIVERS\cmo_mdm.sys [2005-08-17 93904]
    S3 cmo_serd;Data Modem @ CDMA Second DS Port (WDM); C:\WINDOWS\system32\DRIVERS\cmo_serd.sys [2005-08-17 73696]
    S3 ltmodem5;LT Modem Driver; C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys [2004-08-04 606684]
    S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-18 16128]
    S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
    S3 tap0901;TAP-Win32 Adapter V9; C:\WINDOWS\system32\DRIVERS\tap0901.sys [2009-07-23 28592]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2008-02-25 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-02-25 82944]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
     
  5. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    info.txt logfile of random's system information tool 1.06 2009-10-05 08:06:09

    ======Uninstall list======

    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    360Share Pro(remove only)-->"C:\Program Files\360Share Pro\bt-uninst.exe"
    Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Reader 7.0.5 Language Support-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
    Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
    Altysoft Free Video Converter 2.0-->"C:\Program Files\Altysoft Free Video Converter\unins000.exe"
    Apple Application Support-->MsiExec.exe /I{0C34B801-6AEC-4667-B053-03A67E2D0415}
    Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
    Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
    AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
    Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
    Canon PIXMA iP1500-->C:\WINDOWS\system32\CNMCP5y.exe "-PRINTERNAMECanon PIXMA iP1500" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1500 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1500 Installer\Inst2\cnmi0409.dll"
    Canon Utilities Easy-PrintToolBox-->C:\WINDOWS\BJPSUNST.EXE
    CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
    ClearType Tuning Control Panel Applet-->MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
    C-motech Connection Manager(CCU650)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7E24A54-57A8-4137-B3F4-C7A0B26BB5BB}\setup.exe" -l0x9 -removeonly
    ffdshow [rev 735] [2007-01-02]-->"C:\Program Files\K-Lite Codec Pack\ffdshow\unins000.exe"
    Foxit PDF Editor-->C:\Program Files\Foxit Software\PDF Editor\uninstall.exe
    Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
    GoodSync-->"C:\Program Files\Siber Systems\GoodSync\uninstall.exe"
    Google Earth Plug-in-->MsiExec.exe /X{FE24D361-A3E8-11DE-88F3-005056806466}
    Google Earth-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}
    Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
    GoogleDesktop-->MsiExec.exe /I{279ECFF8-5EB9-4307-AD3D-AD7848648ECF}
    HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
    Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
    Hotspot Shield 1.30-->C:\Program Files\Hotspot Shield\Uninstall.exe
    Image Resizer Powertoy for Windows XP-->MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
    iTunes-->MsiExec.exe /I{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}
    Java(TM) 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
    K-Lite Mega Codec Pack 4.1.6-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
    Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
    Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
    Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
    Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
    Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
    Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
    Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
    Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Mozilla Firefox (3.0.14)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
    NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
    Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
    QuickTime-->MsiExec.exe /I{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}
    Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
    Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
     
  6. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Sorry, I'm having a hard time posting the info here due to:

    1. message too long - max text 10000 -

    2. contains links somewhere - I have deleted a few links from previous blocks of info sent, but couldn't find any in the next blocks of info I want to send, but it still won't send the message and says links are in there ... bit frustrating !
     
  7. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
    S3 tap0901;TAP-Win32 Adapter V9; C:\WINDOWS\system32\DRIVERS\tap0901.sys [2009-07-23 28592]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2008-02-25 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-02-25 82944]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

    Just noticed I did not give the complete Random's System Information log.txt ... here is the balance of that log (follows after S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys) :

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
    R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-08-16 908056]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-16 297752]
    R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
    R2 HotspotShieldService;Hotspot Shield Service; C:\Program Files\Hotspot Shield\bin\openvpnas.exe [2009-09-16 204848]
    R2 HssSrv;Hotspot Shield Routing Service; C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe [2009-09-16 331824]
    R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-31 153376]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-10-25 155716]
    R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
    S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-21 133104]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
    S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
    S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
    S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-01 136120]
    S3 HssTrayService;Hotspot Shield Tray Service; C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE [2009-09-16 57640]
    S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
    S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-09-21 545568]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
    S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

    -----------------EOF-----------------
     
  8. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Here is the balance of Random's System Information info.txt:
    Follows directly on from
    - Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"

    Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
    Skype™ 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
    Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    Thai2English-->"C:\Program Files\Thai2English\unins000.exe"
    The KMPlayer (remove only)-->"C:\Program Files\The KMPlayer\uninstall.exe"
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
    Update for Windows Internet Explorer 8 (KB968220)-->"C:\WINDOWS\ie8updates\KB968220-IE8\spuninst\spuninst.exe"
    Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
    Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
    Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
    Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
    Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
    Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
    VC 9.0 Runtime-->MsiExec.exe /I{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}
    VC 9.0 Runtime-->MsiExec.exe /I{A040AC77-C1AA-4CC9-8931-9F648AF178F6}
    Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
    Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
    Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
    ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

    ======Hosts File======

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    ======Security center information======

    AV: AVG Anti-Virus Free (disabled)
    FW: ZoneAlarm Firewall

    ======System event log======

    Computer Name: W-924BCAF39F124
    Event Code: 36
    Message: The time service has not been able to synchronize the system time
    for 49152 seconds because none of the time providers has been able to
    provide a usable time stamp. The system clock is unsynchronized.

    Record Number: 14939
    Source Name: W32Time
    Time Written: 20090920040700.000000+420
    Event Type: warning
    User:

    Computer Name: W-924BCAF39F124
    Event Code: 6161
    Message: The document Web Sudoku - Billions of Fr... owned by Buzzzzz failed to print on printer Canon PIXMA iP1500. Data type: NT EMF 1.008. Size of the spool file in bytes: 262144. Number of bytes printed: 175400. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\W-924BCAF39F124. Win32 error code returned by the print processor: 122 (0x7a).

    Record Number: 14863
    Source Name: Print
    Time Written: 20090919062535.000000+420
    Event Type: error
    User: W-924BCAF39F124\Buzzzzz

    Computer Name: W-924BCAF39F124
    Event Code: 6161
    Message: The document Microsoft Word - Finals1-2009.doc owned by Buzzzzz failed to print on printer Canon PIXMA iP1500. Data type: NT EMF 1.008. Size of the spool file in bytes: 303744. Number of bytes printed: 177836. Total number of pages in the document: 2. Number of pages printed: 1. Client machine: \\W-924BCAF39F124. Win32 error code returned by the print processor: 122 (0x7a).

    Record Number: 14582
    Source Name: Print
    Time Written: 20090916231852.000000+420
    Event Type: error
    User: W-924BCAF39F124\Buzzzzz

    Computer Name: W-924BCAF39F124
    Event Code: 1002
    Message: The IP address lease 10.20.61.53 for the Network Card with network address 00FFF5D9B1D9 has been
    denied by the DHCP server 10.21.63.254 (The DHCP Server sent a DHCPNACK message).

    Record Number: 14536
    Source Name: Dhcp
    Time Written: 20090916134814.000000+420
    Event Type: error
    User:

    Computer Name: W-924BCAF39F124
    Event Code: 1003
    Message: Your computer was not able to renew its address from the network (from the
    DHCP Server) for the Network Card with network address 0021853BFF19. The following
    error occurred:
    The operation was canceled by the user.
    .
    Your computer will continue to try and obtain an address on its own from
    the network address (DHCP) server.

    Record Number: 14414
    Source Name: Dhcp
    Time Written: 20090915130642.000000+420
    Event Type: warning
    User:

    =====Application event log=====

    Computer Name: W-924BCAF39F124
    Event Code: 1020
    Message: Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

    Record Number: 1727
    Source Name: ASP.NET 2.0.50727.0
    Time Written: 20090601162233.000000+420
    Event Type: warning
    User:

    Computer Name: W-924BCAF39F124
    Event Code: 1002
    Message: Hanging application WINWORD.EXE, version 11.0.6568.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Record Number: 1686
    Source Name: Application Hang
    Time Written: 20090530012812.000000+420
    Event Type: error
    User:

    Computer Name: W-924BCAF39F124
    Event Code: 1002
    Message: Hanging application firefox.exe, version 1.9.0.3399, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Record Number: 1685
    Source Name: Application Hang
    Time Written: 20090529143629.000000+420
    Event Type: error
    User:

    Computer Name: W-924BCAF39F124
    Event Code: 1002
    Message: Hanging application firefox.exe, version 1.9.0.3399, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Record Number: 1684
    Source Name: Application Hang
    Time Written: 20090529143614.000000+420
    Event Type: error
    User:

    Computer Name: W-924BCAF39F124
    Event Code: 1002
    Message: Hanging application firefox.exe, version 1.9.0.3399, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Record Number: 1683
    Source Name: Application Hang
    Time Written: 20090529143248.000000+420
    Event Type: error
    User:

    ======Environment variables======

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;C:\Program Files\QuickTime\QTSystem\
    "windir"=%SystemRoot%
    "FP_NO_HOST_CHECK"=NO
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=6
    "PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 6, GenuineIntel
    "PROCESSOR_REVISION"=1706
    "NUMBER_OF_PROCESSORS"=2
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "tvdumpflags"=8
    "CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
    "QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

    -----------------EOF-----------------
     
  9. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Malwarebytes' Anti-Malware 1.41
    Database version: 2905
    Windows 5.1.2600 Service Pack 3

    05-Oct-09 3:45:15 AM
    mbam-log-2009-10-05 (03-45-15).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 156676
    Time elapsed: 22 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 16

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\system32\LocalService (Worm.Archive) -> Quarantined and deleted successfully.

    Files Infected:
    C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP304\A0030614.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{2680BA70-0047-4768-B84A-436EC72BC6AF}\RP304\A0030619.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\305.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\306.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\307.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\308.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\309.music.au (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\309.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\310.music2.au (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\310.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\311.music3.au (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\311.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\312.music4.au (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\LocalService\312.music4.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\GroupPolicy000.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.
     
  10. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    ROOTREPEAL (c) AD, 2007-2009 (PART 1)
    ==================================================
    Scan Start Time: 2009/10/05 07:46
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_diskdump.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
    Address: 0xAB182000 Size: 16384 File Visible: No Signed: -
    Status: -

    Name: dump_nvgts.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_nvgts.sys
    Address: 0xA9D76000 Size: 122880 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA9073000 Size: 49152 File Visible: No Signed: -
    Status: -

    Name: srescan.sys
    Image Path: srescan.sys
    Address: 0xBA59E000 Size: 81920 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: Volume C:\
    Status: MBR Rootkit Detected!

    Path: Volume C:\, Sector 1
    Status: Sector mismatch

    Path: Volume C:\, Sector 2
    Status: Sector mismatch

    Path: Volume C:\, Sector 3
    Status: Sector mismatch

    Path: Volume C:\, Sector 4
    Status: Sector mismatch

    Path: Volume C:\, Sector 5
    Status: Sector mismatch

    Path: Volume C:\, Sector 6
    Status: Sector mismatch

    Path: Volume C:\, Sector 7
    Status: Sector mismatch

    Path: Volume C:\, Sector 8
    Status: Sector mismatch

    Path: Volume C:\, Sector 9
    Status: Sector mismatch

    Path: Volume C:\, Sector 10
    Status: Sector mismatch

    Path: Volume C:\, Sector 11
    Status: Sector mismatch

    Path: Volume C:\, Sector 12
    Status: Sector mismatch

    Path: Volume C:\, Sector 13
    Status: Sector mismatch

    Path: Volume C:\, Sector 14
    Status: Sector mismatch

    Path: Volume C:\, Sector 15
    Status: Sector mismatch

    Path: Volume C:\, Sector 16
    Status: Sector mismatch

    Path: Volume C:\, Sector 17
    Status: Sector mismatch

    Path: Volume C:\, Sector 18
    Status: Sector mismatch

    Path: Volume C:\, Sector 19
    Status: Sector mismatch

    Path: Volume C:\, Sector 20
    Status: Sector mismatch

    Path: Volume C:\, Sector 21
    Status: Sector mismatch

    Path: Volume C:\, Sector 22
    Status: Sector mismatch

    Path: Volume C:\, Sector 23
    Status: Sector mismatch

    Path: Volume C:\, Sector 24
    Status: Sector mismatch

    Path: Volume C:\, Sector 25
    Status: Sector mismatch

    Path: Volume C:\, Sector 26
    Status: Sector mismatch

    Path: Volume C:\, Sector 27
    Status: Sector mismatch

    Path: Volume C:\, Sector 28
    Status: Sector mismatch

    Path: Volume C:\, Sector 29
    Status: Sector mismatch

    Path: Volume C:\, Sector 30
    Status: Sector mismatch

    Path: Volume C:\, Sector 31
    Status: Sector mismatch

    Path: Volume C:\, Sector 32
    Status: Sector mismatch

    Path: Volume C:\, Sector 33
    Status: Sector mismatch

    Path: Volume C:\, Sector 34
    Status: Sector mismatch

    Path: Volume C:\, Sector 35
    Status: Sector mismatch

    Path: Volume C:\, Sector 36
    Status: Sector mismatch

    Path: Volume C:\, Sector 37
    Status: Sector mismatch

    Path: Volume C:\, Sector 38
    Status: Sector mismatch

    Path: Volume C:\, Sector 39
    Status: Sector mismatch

    Path: Volume C:\, Sector 40
    Status: Sector mismatch

    Path: Volume C:\, Sector 41
    Status: Sector mismatch

    Path: Volume C:\, Sector 42
    Status: Sector mismatch

    Path: Volume C:\, Sector 43
    Status: Sector mismatch

    Path: Volume C:\, Sector 44
    Status: Sector mismatch

    Path: Volume C:\, Sector 45
    Status: Sector mismatch

    Path: Volume C:\, Sector 46
    Status: Sector mismatch
     
  11. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    (PART 2)
    Path: Volume C:\, Sector 47
    Status: Sector mismatch

    Path: Volume C:\, Sector 48
    Status: Sector mismatch

    Path: Volume C:\, Sector 49
    Status: Sector mismatch

    Path: Volume C:\, Sector 50
    Status: Sector mismatch

    Path: Volume C:\, Sector 51
    Status: Sector mismatch

    Path: Volume C:\, Sector 52
    Status: Sector mismatch

    Path: Volume C:\, Sector 53
    Status: Sector mismatch

    Path: Volume C:\, Sector 54
    Status: Sector mismatch

    Path: Volume C:\, Sector 55
    Status: Sector mismatch

    Path: Volume C:\, Sector 56
    Status: Sector mismatch

    Path: Volume C:\, Sector 57
    Status: Sector mismatch

    Path: Volume C:\, Sector 58
    Status: Sector mismatch

    Path: Volume C:\, Sector 59
    Status: Sector mismatch

    Path: Volume C:\, Sector 60
    Status: Sector mismatch

    Path: Volume C:\, Sector 61
    Status: Sector mismatch

    Path: Volume C:\, Sector 62
    Status: Sector mismatch

    Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-1265B479.pf
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Buzzzzz\Local Settings\Apps\2.0\X7X63WT0.OYD\HMGO6022.X1G\manifests\uniKode for Thai.exe.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Buzzzzz\Local Settings\Apps\2.0\X7X63WT0.OYD\HMGO6022.X1G\manifests\uniKode for Thai.exe.manifest
    Status: Locked to the Windows API!

    SSDT
    -------------------
    #: 031 Function Name: NtConnectPort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07f1fc0

    #: 037 Function Name: NtCreateFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07eec80

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0809170

    #: 046 Function Name: NtCreatePort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07f2580

    #: 047 Function Name: NtCreateProcess
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0806900

    #: 048 Function Name: NtCreateProcessEx
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0806b10

    #: 050 Function Name: NtCreateSection
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb080ab10

    #: 056 Function Name: NtCreateWaitablePort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07f2670

    #: 062 Function Name: NtDeleteFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07ef210

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb08099f0

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb08097a0

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0806280

    #: 098 Function Name: NtLoadKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0809f10

    #: 099 Function Name: NtLoadKey2
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0809f90

    #: 116 Function Name: NtOpenFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07ef070

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0808180

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0807f40

    #: 192 Function Name: NtRenameKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb080a6f0

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb080a150

    #: 200 Function Name: NtRequestWaitReplyPort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07f1be0

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb080a540

    #: 210 Function Name: NtSecureConnectPort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07f2190

    #: 224 Function Name: NtSetInformationFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07ef440

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb08094e0

    #: 255 Function Name: NtSystemDebugControl
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0807200

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb0807080

    Shadow SSDT
    -------------------
    #: 460 Function Name: NtUserMessageCall
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07f0e70

    #: 475 Function Name: NtUserPostMessage
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07f0f20

    #: 476 Function Name: NtUserPostThreadMessage
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07f0fe0

    #: 491 Function Name: NtUserRegisterRawInputDevices
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07efd60

    #: 502 Function Name: NtUserSendInput
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb07f1250

    ==EOF==
     
     
  12. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    JavaRa 1.15 Removal Log.

    Report follows after line.

    ------------------------------------

    The JavaRa removal process was started on Mon Oct 05 07:08:13 2009

    Found and removed: C:\Documents and Settings\Buzzzzz\Application Data\Sun\Java\jre1.6.0_11

    Found and removed: C:\Documents and Settings\Buzzzzz\Application Data\Sun\Java\jre1.6.0_12

    Found and removed: C:\Documents and Settings\Buzzzzz\Application Data\Sun\Java\jre1.6.0_13

    Found and removed: C:\Documents and Settings\Buzzzzz\Application Data\Sun\Java\jre1.6.0_14

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}


    JavaRa 1.15 Removal Log.

    Report follows after line.

    ------------------------------------

    The JavaRa removal process was started on Mon Oct 05 07:26:46 2009

    ------------------------------------

    Finished reporting.
     
  13. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Apart from the infected alerts I got from AVG and SpyBot ... the only symptoms experienced were a slowing down of loading sites in Firefox and IE - and a couple of sites would not open at all ...

    Since I've done the 8 steps, all seems pretty fine and muchly back to normal.

    cheers and thanks in advance,
    Buzz
     
  14. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,872   +166

    Good work Buzz :) Maybe one day you will learn to post logs properly...
     
  15. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    My sincere apologies ... I did all this in the 'wee' hours after a very long day ... was just going over it and noticed:

    Attachment Instructions

    * ONLY attach .txt or .log files; we will NOT read other files (such as .doc) due to the risk of viruses etc.
    * We strongly discourage you from copying and pasting the logs in your posts, unless if you have trouble with attaching them.

    (I thought I read in another post to copy and paste and not attach files - my bad)
     
  16. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    Would you want me to attach the logs the correct way now?
     
  17. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,872   +166

    If your computer is running clean now, there's no need. In the future, if needed, you know how to do it correctly.
     
  18. Buzz

    Buzz TS Rookie Topic Starter Posts: 57

    I certainly hope so Tmagic ... thanks for your replies ...
     