Old 06-23-2008, 12:46 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 19
OS: Win XP


Startup-screen extremely slow

Dear all,

I am a newbie here in this forum, and also in the computer world. Anyway, my friend referred me to this forum to get a solution for the problem I am having with my notebook.

I just got a new job and was given a second-hand notebook by my boss. He said that it was used by the person whose position I am replacing right now.

The problem with the notebook is that the startup screen (after the boot screen, but before the welcome screen) is extremely slow. It takes 8-12/15 mins just to show the text "Windows is starting up" (after the boot screen).
Before that screen shows up, after booting, Windows shows a new window (blue coloured) which says "Regrun Partizan killer........" for about 8 seconds.

After the welcome screen shows up, the loading process before all the shortcuts and items on the desktop finish loading takes considerably long as well. However, after it is fully loaded, my notebook tends to behave quite well, except that at times it tends to freeze for 10 seconds when I run too many applications.

Before, the antivirus was not being updated.
Once I was in charge of it, I updated the antivirus (AVG 7.5 Free Edition) and installed SUPERAntiSpyware.
After running scans with both the AV and the antispyware, I quarantined a large number of infected files and potentially harmful software. But that didn't change anything about the problem I mentioned earlier.
The vault was also emptied, still no change.


Here is the HJT logfile, hoping that there is someone to help me out with it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:50:38, on 23/06/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\bmwebcfg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\TheSage\TheSage.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\AT&T\Communication Manager\SwiApiMux.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: CRnPluginSite Object - {0050A87F-CF26-41AE-9C0A-C32307C941CB} - C:\WINDOWS\system32\rnieplug.dll
O2 - BHO: (no name) - {03657894-7C44-4EF3-A162-E70D19564373} - C:\WINDOWS\System32\wvUnLFWQ.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DC1564D-5FBD-4786-A56B-F63ADAE02283} - C:\WINDOWS\System32\xxywUKdB.dll (file missing)
O2 - BHO: (no name) - {4D2D5EBF-267B-4A10-BAD5-05D7A06C2202} - (no file)
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {796FAD50-6DE0-4CC1-85C9-94381CDEE4A8} - C:\WINDOWS\System32\vtusspn.dll (file missing)
O2 - BHO: (no name) - {AB9B3A8E-EECE-425B-AD10-0C73307C0E7D} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {AF1CC022-0228-42AE-912D-0CE89CD6559D} - (no file)
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O2 - BHO: TBSB00549 - {CAD0D77E-D50B-4110-9593-05BB5DA53298} - C:\PROGRA~1\FXCMTO~1\FXCM_T~1.DLL (file missing)
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\PROGRA~1\SOFTOM~1\TOOLBA~1\bin\tbcore3U.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe"
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
O4 - HKLM\..\RunServicesOnce: [RNerase0]
O4 - HKLM\..\RunServicesOnce: [RNerase1]
O4 - HKLM\..\RunServicesOnce: [RNerase2]
O4 - HKLM\..\RunServicesOnce: [RNerase3]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Service Pack 1] $$ (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Service Pack 1] $$ (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: TheSage.lnk = C:\Program Files\TheSage\TheSage.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ReadNotify - {0050A87F-CF26-41AE-9C0A-C32307C941CB} - C:\WINDOWS\system32\rnieplug.dll
O9 - Extra 'Tools' menuitem: ReadNotify - {0050A87F-CF26-41AE-9C0A-C32307C941CB} - C:\WINDOWS\system32\rnieplug.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O9 - Extra 'Tools' menuitem: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: www.1987324.com
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{672A7404-8699-4F90-A42C-FEF0AA18CC61}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A384D45-CC91-4BFE-AFA4-286668CAF057}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F91FDBE-368D-4C9D-95CC-0CEDEEB69770}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB9798C9-9D1C-4534-B9EC-21560EBC3382}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6165536-5FD7-40ED-90F1-588F65D9C6AB}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6079610-136A-46EC-8305-D1ECF73BA505}: NameServer = 195.186.1.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216
O20 - AppInit_DLLs: C:\WINDOWS\System32\iebusbu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dx8.dll (file missing)
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll (file missing)
O20 - Winlogon Notify: hggdccy - hggdccy.dll (file missing)
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\System32\jkhfe.dll (file missing)
O20 - Winlogon Notify: nnnonll - nnnonll.dll (file missing)
O20 - Winlogon Notify: pmnli - C:\WINDOWS\System32\pmnli.dll (file missing)
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\System32\pmnlm.dll (file missing)
O20 - Winlogon Notify: vtusspn - vtusspn.dll (file missing)
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O20 - Winlogon Notify: winsys32 - C:\WINDOWS\System32\winsys32.dll
O20 - Winlogon Notify: wvUnLFWQ - wvUnLFWQ.dll (file missing)
O21 - SSODL: DCOM Server 2237 - {2C1CD3D7-86AC-4068-93BC-A02304BB2237} - (no file)
O22 - SharedTaskScheduler: DCOM Server 2237 - {2C1CD3D7-86AC-4068-93BC-A02304BB2237} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\System32\bmwebcfg.exe
O23 - Service: Disk Monitor Manager - Unknown owner - C:\WINDOWS\system32\smcs.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: trnlvh guu0oxesc1 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 12392 bytes



Thanks,

Motul.
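As an added illustration (not part of Motul's post, and not HijackThis code): a small Python triage script that applies the checks an HJT log analyst makes on entries like the ones above, such as loading points whose file is missing, autostarts given as bare filenames, a system-wide NameServer that no adapter uses, AppInit_DLLs, unowned services, and service binaries whose name is a near-miss of a Windows core binary. The sample lines are copied from the log above; the rules are illustrative heuristics, and the look-alike threshold is an assumption.

```python
"""Triage helper for HijackThis 2.0.x logs (added example, not HijackThis code).

The rules are illustrative heuristics for a first read of a log, not verdicts:
every hit still needs a human to look the entry up.
"""
import difflib
import re
from collections import defaultdict

# Only the Oxx lines carry loading points; headers and the process list are skipped.
LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")

# Windows core binaries that malware commonly imitates with a near-miss name.
CORE_NAMES = ("svchost.exe", "smss.exe", "lsass.exe", "csrss.exe",
              "winlogon.exe", "services.exe", "explorer.exe")

# Assumption: similarity at or above this ratio counts as a look-alike name.
LOOKALIKE_RATIO = 0.85

# Constructed sample: a subset of the entries from the log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {03657894-7C44-4EF3-A162-E70D19564373} - C:\WINDOWS\System32\wvUnLFWQ.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: www.1987324.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{672A7404-8699-4F90-A42C-FEF0AA18CC61}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216
O20 - AppInit_DLLs: C:\WINDOWS\System32\iebusbu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: trnlvh guu0oxesc1 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
"""


def parse(log_text):
    """Yield (section, body) for each 'Oxx - ...' line of a log."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def autostart_target(body):
    """Return the command after the [name] tag of an O4 line, or '' if absent."""
    _, sep, tail = body.partition("] ")
    return tail.strip() if sep else ""


def lookalike(name):
    """Return the core binary that a filename nearly matches, else None."""
    name = name.lower()
    for core in CORE_NAMES:
        if name != core and difflib.SequenceMatcher(None, name, core).ratio() >= LOOKALIKE_RATIO:
            return core
    return None


def triage(log_text):
    """Return findings as (severity, section, reason, entry) tuples."""
    findings = []
    dns = defaultdict(set)  # "adapter" / "global" -> NameServer values seen
    for sec, body in parse(log_text):
        if "(file missing)" in body or "(no file)" in body:
            # Orphaned loading points are what partial cleanups leave behind; each one
            # costs a failed load at logon and tells you something was installed here.
            findings.append(("medium", sec, "loading point references a missing file", body))
        if sec == "O4":
            target = autostart_target(body)
            if target and not re.match(r'^"?[A-Za-z]:\\', target) \
                    and not target.upper().startswith("RUNDLL32"):
                findings.append(("review", sec, "autostart is a bare filename resolved via the search path", body))
        elif sec == "O10":
            findings.append(("review", sec, "Winsock LSP not recognised by HijackThis", body))
        elif sec == "O15":
            findings.append(("review", sec, "site added to the IE Trusted Zone", body))
        elif sec == "O17":
            scope = "global" if "Parameters:" in body else "adapter"
            dns[scope].update(body.split("NameServer =")[-1].split())
        elif sec == "O20" and body.startswith("AppInit_DLLs"):
            findings.append(("high", sec, "AppInit_DLLs injects a DLL into every process that loads user32", body))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(("review", sec, "service binary has no publisher", body))
        for exe in re.findall(r"[\w~.\-]+\.exe", body, re.I):
            core = lookalike(exe)
            if core:
                findings.append(("high", sec, f"{exe} imitates {core}", body))
    # A system-wide NameServer that no adapter uses is the classic DNS-hijack signature.
    if dns["global"] and dns["adapter"] and not dns["global"] & dns["adapter"]:
        findings.append(("high", "O17", "system-wide NameServer differs from every adapter's",
                         " ".join(sorted(dns["global"]))))
    return findings


if __name__ == "__main__":
    for sev, sec, reason, entry in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec:4} {reason}: {entry}")
```

Feeding it the full log above flags the same families of entries the helper later targets: the RunServicesOnce leftovers, the Winlogon Notify orphans, the hijacked Parameters NameServer, and the svshost.exe service.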
Old 06-25-2008, 06:52 PM   #2 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 19
OS: Win XP


Re: Startup-screen extremely slow

Bump........................
Old 06-29-2008, 10:26 AM   #3 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 19
OS: Win XP


Re: Startup-screen extremely slow

Bump!!!?!!!!?!!!!?!!!!
Old 06-29-2008, 10:37 PM   #4 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 19
OS: Win XP


Re: Startup-screen extremely slow

Bump!!!!!!!!!!!
Old 06-30-2008, 08:32 AM   #5 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 19
OS: Win XP


Re: Startup-screen extremely slow

BUMP..............(where are you, guys??)
Old 06-30-2008, 07:39 PM   #6 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,544
OS: Windows XP Pro


Re: Startup-screen extremely slow

Hi Motul,

Sorry for the delay in looking into your log, as we are extremely busy in this section of the forums. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

DO NOT run SDFix yet. We will shortly.

--------------------------------------------------------------

Enter Safe Mode
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8
  3. Instead of Windows loading as normal, a menu should appear
  4. Use the up arrow key to highlight Safe Mode and press Enter.
  5. Login with your usual account
  6. Once you have logged in, a warning message will appear regarding starting Windows in Safe Mode; click OK and Windows will load your desktop environment

Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

--------------------------------------------------------------

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Paste the contents of the Report.txt back on the forum

--------------------------------------------------------------

Restart your computer in Normal Mode

--------------------------------------------------------------


Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix


IMPORTANT: Make sure you install the Recovery Console before running ComboFix.

Reply back with the following:
  • C:\SDFix\report.txt
  • C:\ComboFix.txt
  • New HiJackThis Log
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 07-02-2008, 01:17 AM   #7 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 19
OS: Win XP


Re: Startup-screen extremely slow

Hello forhockey,

Thanks for responding.

Here is the SDFix report text:

SDFix: Version 1.199
Run by Administrator on 02/07/2008 at 13:56

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
ntldr.sys

Path :
\??\C:\ntldr.sys

ntldr.sys - Deleted



Restoring Default Security Values
Restoring Default Hosts File



Here is the ComboFix.txt:
ComboFix 08-06-30.2 - Administrator 2008-07-02 14:43:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.73 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\winxpsp1_en_pro_bf.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\bobsaver.exe
C:\WINDOWS\bobsaver.scr
C:\WINDOWS\inet20026
C:\WINDOWS\inet20026\1.txt
C:\WINDOWS\inet20026\mm.pid
C:\WINDOWS\inet20026\tmp.req
C:\WINDOWS\system32\1.txt
C:\WINDOWS\system32\2.txt
C:\WINDOWS\system32\BdKUwyxx.ini
C:\WINDOWS\system32\BdKUwyxx.ini2
C:\WINDOWS\system32\ijl11pro.dll
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\ilnmp.tmp
C:\WINDOWS\system32\imas3r
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\rqRhEwTl.dll
C:\WINDOWS\winhelp.ini

----- BITS: Possible infected sites -----

hxxp://wc
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550P
-------\Legacy_ASC3550U
-------\Legacy_WINDEV-4B22-3184
-------\Service_asc3550u
-------\Service_ntldr.sys
-------\Service_windev-4b22-3184


((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-02 13:50 . 2008-07-02 13:50 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-02 13:48 . 2008-07-02 14:02 <DIR> d-------- C:\SDFix
2008-06-30 01:20 . 2008-06-30 01:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-30 01:20 . 2008-06-30 01:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-25 16:09 . 2008-07-01 10:25 <DIR> d-------- C:\Program Files\YPOPs
2008-06-23 15:19 . 2006-04-19 02:00 62,976 --a------ C:\WINDOWS\system32\E_FD4BBGP.DLL
2008-06-23 15:19 . 2004-09-10 20:12 49,152 --a------ C:\WINDOWS\system32\E_DCINST.DLL
2008-06-23 15:14 . 2006-08-10 02:02 75,264 --a------ C:\WINDOWS\system32\E_FLBBGP.DLL
2008-06-23 15:09 . 2006-08-10 02:02 75,264 --a------ C:\WINDOWS\system32\E_FLBBGE.DLL
2008-06-23 15:09 . 2006-04-19 02:00 62,976 --a------ C:\WINDOWS\system32\E_FD4BBGE.DLL
2008-06-23 15:06 . 2008-06-23 15:06 <DIR> d-------- C:\Program Files\EPSON
2008-06-23 15:06 . 2008-06-23 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2008-06-23 14:49 . 2008-06-23 14:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 10:51 . 2008-06-23 15:20 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-23 10:24 . 2008-06-23 10:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AT&T
2008-06-23 10:17 . 2008-06-23 10:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DBUpdater
2008-06-23 10:17 . 2003-09-08 14:43 89,728 --a------ C:\WINDOWS\system32\drivers\usbvsp.sys
2008-06-23 10:16 . 2008-06-23 10:16 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-06-23 10:14 . 2008-01-11 16:03 26,760 -ra------ C:\WINDOWS\system32\drivers\swmsflt.sys
2008-06-23 10:14 . 2006-10-20 10:28 26,368 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-06-23 10:12 . 2008-06-23 10:12 <DIR> d-------- C:\Program Files\Common Files\Research in Motion
2008-06-23 10:12 . 2008-06-23 10:12 <DIR> d-------- C:\Program Files\AT&T
2008-06-23 10:12 . 2008-06-23 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AT&T
2008-06-23 10:11 . 2008-06-23 10:17 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-06-23 10:11 . 2008-06-23 10:11 <DIR> d-------- C:\Program Files\Option
2008-06-23 10:07 . 2008-06-23 10:50 <DIR> d-------- C:\Program Files\Sierra Wireless Inc
2008-06-23 10:07 . 2008-06-23 10:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sierra Wireless
2008-06-20 12:06 . 2008-06-20 12:10 60,416 --a------ C:\WINDOWS\system32\avvg.exe
2008-06-19 15:35 . 2008-06-19 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-19 15:33 . 2008-06-19 15:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-19 15:33 . 2008-06-19 15:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-19 15:31 . 2008-06-19 15:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 15:57 . 2008-06-20 09:01 45,936 --a------ C:\WINDOWS\system32\msv.exe
2008-06-17 13:14 . 2008-06-17 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-17 13:14 . 2008-06-17 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-17 13:14 . 2008-07-02 11:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2008-06-15 11:53 . 2008-06-15 11:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Oxford
2008-06-15 11:52 . 2008-06-15 11:52 <DIR> d-------- C:\Program Files\TEXTware
2008-06-15 11:50 . 2008-06-15 11:50 <DIR> d-------- C:\Program Files\Oxford
2008-06-13 00:14 . 2008-06-13 00:14 <DIR> d-------- C:\Program Files\TheSage
2008-06-13 00:12 . 2008-06-13 00:12 131,584 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2008-06-12 21:48 . 2008-06-12 21:48 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-12 21:27 . 2002-08-29 01:27 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-06-12 21:27 . 2002-08-29 01:27 47,488 --a------ C:\WINDOWS\system32\drivers\cdrom.sys
2008-06-12 21:27 . 2002-08-29 01:28 39,808 --a------ C:\WINDOWS\system32\drivers\imapi.sys
2008-06-12 21:26 . 2003-12-09 19:16 57,344 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2008-06-12 21:20 . 2008-06-12 21:20 <DIR> d-------- C:\Program Files\Windows Resource Kits
2008-06-12 20:52 . 2002-08-29 01:27 33,792 --a------ C:\WINDOWS\system32\drivers\disk.sys
2008-06-12 20:38 . 2006-04-24 17:21 <DIR> d-------- C:\AcrobatPro.708
2008-06-10 16:15 . 2008-06-10 16:16 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-06-10 16:15 . 2008-06-10 16:15 <DIR> d-------- C:\Documents and Settings\Guest
2008-06-08 11:39 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 01:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-23 03:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-18 05:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-06-15 07:04 --------- d-----w C:\Program Files\Common Files\Adobe
2006-12-22 03:58 764 ----a-w C:\Program Files\moron.htm
2006-12-20 08:13 656 ----a-w C:\Program Files\UntitledFrameset-2.htm
2006-12-20 08:13 369 ----a-w C:\Program Files\Untitled-1.htm
2006-12-20 08:13 266 ----a-w C:\Program Files\UntitledFrame-3.htm
2006-12-20 08:13 266 ----a-w C:\Program Files\UntitledFrame-2.htm
2007-02-08 13:31 8 --sh--r C:\WINDOWS\system32\303BA52854.dll
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 10:41 13312]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13 1207080]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-07-05 08:29 4538368]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-19 15:42 1481968]
"EPSON Stylus D78 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE" [2006-09-22 04:01 139264]
"EPSON Stylus C79 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE" [2006-09-22 04:01 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-10 17:49 579072]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-03-25 11:22 5566464]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [2007-09-19 15:58 33280]
"WatcherHelper"="C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2008-01-30 16:36 120088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-24 10:57 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2001-08-23 19:00 51200 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
TheSage.lnk - C:\Program Files\TheSage\TheSage.exe [2006-09-26 15:55:10 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-06-15 14:07:27 25214]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\iebusbu.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2006-03-22 13:01 851968 C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2006-10-28 08:46 1254400 C:\Program Files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-26 16:13 1207080 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2002-08-29 04:38 208953 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-03-25 11:22 5566464 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-03-25 11:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-04-26 07:29 237568 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2005-01-08 07:16 692315 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2005-01-08 07:17 102491 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-10-25 12:37 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-07-05 08:29 4538368 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-03-25 11:22 1495040 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 14:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AUtHorizedapplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"<NO NAME>"=
"C:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2962:TCP"= 2962:TCP:Microsoft standard protector

R3 swivsp;AC8xx Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\swivspnt.sys [2007-03-26 13:18]
S2 Disk Monitor Manager;Disk Monitor Manager;"C:\WINDOWS\system32\smcs.exe" []
S2 trnlvh guu0oxesc1;trnlvh guu0oxesc1;"C:\WINDOWS\system32\svshost.exe" []
S3 ATTRcAppSvc;AT&T RcAppSvc;"C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" []
S3 swmsflt;swmsflt;C:\WINDOWS\System32\drivers\swmsflt.sys [2008-01-11 16:03]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);C:\WINDOWS\System32\DRIVERS\swnc8u56.sys [2007-09-21 15:47]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);C:\WINDOWS\System32\DRIVERS\swumx56.sys [2007-09-21 15:48]
S4 cdawdm;CDAWDM;C:\WINDOWS\System32\DRIVERS\CDAWDM.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-20 10:15:01 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{2DC1564D-5FBD-4786-A56B-F63ADAE02283} - C:\WINDOWS\System32\xxywUKdB.dll
BHO-{CAD0D77E-D50B-4110-9593-05BB5DA53298} - C:\PROGRA~1\FXCMTO~1\FXCM_T~1.DLL
WebBrowser-{1DF06EFA-54FD-4BF0-942B-68DE1AFE3BB5} - (no file)
HKLM-Run-AirCardEnabler - (no file)
HKLM-RunServicesOnce-RNerase0 - (no file)
HKLM-RunServicesOnce-RNerase1 - (no file)
HKLM-RunServicesOnce-RNerase2 - (no file)
HKLM-RunServicesOnce-RNerase3 - (no file)
HKU-Default-Run-Windows Networking Monitoring - C:\WINDOWS\System32\mdm.exe
HKU-Default-Run-$$ - $$
HKU-Default-RunOnce-service - C:\WINDOWS\TEMP\tvhdavof.exe
Notify-jkhfe - C:\WINDOWS\System32\jkhfe.dll
Notify-pmnli - C:\WINDOWS\System32\pmnli.dll
Notify-pmnlm - C:\WINDOWS\System32\pmnlm.dll
Notify-winsys32 - C:\WINDOWS\System32\winsys32.dll
Notify-hggdccy - hggdccy.dll
Notify-nnnonll - nnnonll.dll
Notify-vtusspn - vtusspn.dll
Notify-wineak32 - wineak32.dll
Notify-wvUnLFWQ - wvUnLFWQ.dll
MSConfigStartUp-Acrobat Assistant 7 - C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
MSConfigStartUp-Broadcom Wireless Manager UI - C:\WINDOWS\System32\WLTRAY
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-HomeKeyLogger - C:\Documents and Settings\Administrator\Desktop\Aditya Loen\blog\HomeKeyLogger\KeyLogger.exe
MSConfigStartUp-Kazaa Download Accelerator Updater - C:\WINDOWS\system32\kdpupd.dll
MSConfigStartUp-KernelFaultCheck - C:\WINDOWS\system32\dumprep 0 -k
MSConfigStartUp-NAV CfgWiz - C:\Program Files\Norton AntiVirus\CfgWiz.exe
MSConfigStartUp-PHIME2002A - C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
MSConfigStartUp-PHIME2002ASync - C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
MSConfigStartUp-pro - C:\winstall.exe
MSConfigStartUp-Run - C:\WINDOWS\inet20026\services.exe
MSConfigStartUp-shell - C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe
MSConfigStartUp-Spyware Vanisher - C:\spywarevanisher-full\SpywareVanisher.exe
MSConfigStartUp-SSC_UserPrompt - C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
MSConfigStartUp-SysTray - C:\Program Files\pstxdgp.exe
MSConfigStartUp-Windows installer - C:\winstall.exe
MSConfigStartUp-Windows Networking Monitoring - C:\WINDOWS\System32\mdm.exe
MSConfigStartUp-Windows update loader - C:\Windows\xpupdate.exe
MSConfigStartUp-xp_system - C:\WINDOWS\inet20026\services.exe
MSConfigStartUp-ÿ_zskF_NZQN - C:\WINDOWS\system32\_zskwrkni05BOAXY`UDQ\NQZN_F.exe
MSConfigStartUp-= - (no file)
MSConfigStartUp-$$ - $$
MSConfigStartUp-System - $$
MSConfigStartUp-Tweak UI - TWEAKUI.CPL,TweakMeUp


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 14:52:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2008-07-02 14:59:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 07:59:17

Pre-Run: 9,087,852,544 bytes free
Post-Run: 8,996,089,856 bytes free

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin /TUTag=3JO6KH /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /fastdetect /noexecute=optin /TUTag=3JO6KH-BAK
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

297



Here is the New HJT Logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:18:59, on 02/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\bmwebcfg.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\TheSage\TheSage.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\Watcher.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: CRnPluginSite Object - {0050A87F-CF26-41AE-9C0A-C32307C941CB} - C:\WINDOWS\system32\rnieplug.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\PROGRA~1\SOFTOM~1\TOOLBA~1\bin\tbcore3U.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\WINDOWS\TEMP\E_SB1.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE /FU "C:\WINDOWS\TEMP\E_SFA.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: TheSage.lnk = C:\Program Files\TheSage\TheSage.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ReadNotify - {0050A87F-CF26-41AE-9C0A-C32307C941CB} - C:\WINDOWS\system32\rnieplug.dll
O9 - Extra 'Tools' menuitem: ReadNotify - {0050A87F-CF26-41AE-9C0A-C32307C941CB} - C:\WINDOWS\system32\rnieplug.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O9 - Extra 'Tools' menuitem: FXCM Toolbar - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - C:\Program Files\FXCM Toolbar\fxcm_toolbar_v1_8b.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: www.1987324.com
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{672A7404-8699-4F90-A42C-FEF0AA18CC61}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A384D45-CC91-4BFE-AFA4-286668CAF057}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F91FDBE-368D-4C9D-95CC-0CEDEEB69770}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB9798C9-9D1C-4534-B9EC-21560EBC3382}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6165536-5FD7-40ED-90F1-588F65D9C6AB}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6079610-136A-46EC-8305-D1ECF73BA505}: NameServer = 195.186.1.111
O20 - AppInit_DLLs: C:\WINDOWS\System32\iebusbu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\System32\bmwebcfg.exe
O23 - Service: Disk Monitor Manager - Unknown owner - C:\WINDOWS\system32\smcs.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: trnlvh guu0oxesc1 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 10482 bytes




P.S.:
*When running SDFix, I had to wait a considerably long time till it prompted the 'press any key' button... (requires rebooting); then after I pressed the spacebar (any key), the command prompt window disappeared, leaving only a black desktop with the mode and service pack of my Windows written at the top, bottom, and every corner of the screen. I waited for almost 30 minutes before I decided to power off my laptop.
After logging back on, I saw the notepad file 'catchme2' (if I am not mistaken) among my desktop icons. I did nothing with that; I then checked whether the report.txt existed in the SDFix folder.
Then I ran ComboFix, rebooted, and the 'catchme2' file was gone.

*My laptop still behaves the same as before, extremely slow at 'startup'. One other strange behaviour happens on my PC: when I double-click 'Local Disk (C)' or '(D)', it takes me into a 'search folder view'. I now have to right-click the drive, then choose 'Open' to have it opened normally. I also notice that the first entry (or value data?) in the right-click menu is 'SEARCH' instead of 'OPEN', which is placed second.
Motul is offline  
Old 07-02-2008, 07:12 PM   #8 (permalink)
Analyst, Security Team
 
forhockey
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,544
OS: Windows XP Pro


Re: Startup-screen extremely slow

Hello,

We'll first remove the malware, then look into your other issues.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\WINDOWS\system32\avvg.exe
C:\WINDOWS\system32\msv.exe
C:\WINDOWS\system32\303BA52854.dll
C:\WINDOWS\System32\iebusbu.dll
C:\WINDOWS\system32\svshost.exe
Driver::
"trnlvh guu0oxesc1"
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"=""
DirLook::
C:\WINDOWS\system32\GroupPolicy
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------

Please reply back with the following:

C:\ComboFix.txt
Panda online scan results
forhockey is offline  
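As an added example (not part of this thread, nor code from HijackThis or ComboFix), here is a small Python triage script that applies the kind of checks behind forhockey's fix to HijackThis log lines: an AppInit_DLLs entry loading a DLL, an O23 service with no publisher and a missing binary whose name imitates svchost.exe, an unknown Winsock LSP, a Trusted Zone entry, and an O17 name server outside the local network. The sample lines are copied from the log posted above; the SYSTEM_BINARIES list and the heuristics are my own assumptions, not anything the tools themselves apply.

```python
import re
from ipaddress import ip_address

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above (not the whole log), with one benign O23 entry kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: www.1987324.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{672A7404-8699-4F90-A42C-FEF0AA18CC61}: NameServer = 195.186.1.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB9798C9-9D1C-4534-B9EC-21560EBC3382}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: C:\WINDOWS\System32\iebusbu.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: trnlvh guu0oxesc1 - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
"""

# Core Windows binaries whose names malware likes to imitate (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# "O23 - Service: ..." / "R1 - HKLM\...": the section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(basename):
    """Return the system binary this file name imitates, or None if genuine/unrelated."""
    name = basename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if edit_distance(name, real) == 1:
            return real
    return None


def triage_line(line):
    """Apply the heuristics to one HJT line; return (code, reason) or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return code, "AppInit_DLLs loads this DLL into every process that uses user32.dll"
    if code == "O10":
        return code, "unknown Winsock LSP; removing it carelessly can break networking"
    if code == "O15":
        return code, "site in the Trusted Zone runs with relaxed IE security"
    if code == "O17":
        ip = body.rsplit("=", 1)[-1].strip()
        try:
            if ip_address(ip).is_private:
                return None  # local router or LAN DNS, nothing unusual
        except ValueError:
            return code, f"unparseable NameServer value {ip!r}"
        return code, f"DNS server {ip} is outside the local network; confirm it belongs to the ISP"
    if code == "O23":
        reasons = []
        if "Unknown owner" in body:
            reasons.append("no publisher")
        if "(file missing)" in body:
            reasons.append("binary missing")
        path = body.replace("(file missing)", "").strip()
        fake = lookalike(path.rsplit("\\", 1)[-1])
        if fake:
            reasons.append(f"name imitates {fake}")
        if reasons:
            return code, "; ".join(reasons)
    return None


def triage(log_text):
    """Run the heuristics over a whole log; returns a list of (code, reason, line)."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Entries that pass these checks are not thereby clean; the script only orders what a human should look at first, and a flagged O17 or O10 line still needs to be confirmed before anything is removed.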
Old 07-02-2008, 11:50 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 19
OS: Win XP


Re: Startup-screen extremely slow

Hello forhockey,

The Panda scan result is attached.

Here is the ComboFix.txt:
ComboFix 08-06-30.2 - Administrator 2008-07-03 10:05:45.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\303BA52854.dll
C:\WINDOWS\system32\avvg.exe
C:\WINDOWS\System32\iebusbu.dll
C:\WINDOWS\system32\msv.exe
C:\WINDOWS\system32\svshost.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\303BA52854.dll
C:\WINDOWS\system32\avvg.exe
C:\WINDOWS\system32\msv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TRNLVH_GUU0OXESC1
-------\Service_trnlvh guu0oxesc1


((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.

2008-07-02 13:50 . 2008-07-02 13:50 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-02 13:48 . 2008-07-02 14:02 <DIR> d-------- C:\SDFix
2008-06-30 01:20 . 2008-06-30 01:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-30 01:20 . 2008-06-30 01:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-25 16:09 . 2008-07-01 10:25 <DIR> d-------- C:\Program Files\YPOPs
2008-06-23 15:19 . 2006-04-19 02:00 62,976 --a------ C:\WINDOWS\system32\E_FD4BBGP.DLL
2008-06-23 15:19 . 2004-09-10 20:12 49,152 --a------ C:\WINDOWS\system32\E_DCINST.DLL
2008-06-23 15:14 . 2006-08-10 02:02 75,264 --a------ C:\WINDOWS\system32\E_FLBBGP.DLL
2008-06-23 15:09 . 2006-08-10 02:02 75,264 --a------ C:\WINDOWS\system32\E_FLBBGE.DLL
2008-06-23 15:09 . 2006-04-19 02:00 62,976 --a------ C:\WINDOWS\system32\E_FD4BBGE.DLL
2008-06-23 15:06 . 2008-06-23 15:06 <DIR> d-------- C:\Program Files\EPSON
2008-06-23 15:06 . 2008-06-23 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2008-06-23 14:49 . 2008-06-23 14:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 10:51 . 2008-06-23 15:20 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-23 10:24 . 2008-06-23 10:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AT&T
2008-06-23 10:17 . 2008-06-23 10:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DBUpdater
2008-06-23 10:17 . 2003-09-08 14:43 89,728 --a------ C:\WINDOWS\system32\drivers\usbvsp.sys
2008-06-23 10:16 . 2008-06-23 10:16 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-06-23 10:14 . 2008-01-11 16:03 26,760 -ra------ C:\WINDOWS\system32\drivers\swmsflt.sys
2008-06-23 10:14 . 2006-10-20 10:28 26,368 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-06-23 10:12 . 2008-06-23 10:12 <DIR> d-------- C:\Program Files\Common Files\Research in Motion
2008-06-23 10:12 . 2008-06-23 10:12 <DIR> d-------- C:\Program Files\AT&T
2008-06-23 10:12 . 2008-06-23 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AT&T
2008-06-23 10:11 . 2008-06-23 10:17 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-06-23 10:11 . 2008-06-23 10:11 <DIR> d-------- C:\Program Files\Option
2008-06-23 10:07 . 2008-06-23 10:50 <DIR> d-------- C:\Program Files\Sierra Wireless Inc
2008-06-23 10:07 . 2008-06-23 10:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sierra Wireless
2008-06-19 15:35 . 2008-06-19 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-19 15:33 . 2008-06-19 15:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-19 15:33 . 2008-06-19 15:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-19 15:31 . 2008-06-19 15:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 13:14 . 2008-06-17 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-17 13:14 . 2008-06-17 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-17 13:14 . 2008-07-03 09:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2008-06-15 11:53 . 2008-06-15 11:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Oxford
2008-06-15 11:52 . 2008-06-15 11:52 <DIR> d-------- C:\Program Files\TEXTware
2008-06-15 11:50 . 2008-06-15 11:50 <DIR> d-------- C:\Program Files\Oxford
2008-06-13 00:14 . 2008-06-13 00:14 <DIR> d-------- C:\Program Files\TheSage
2008-06-13 00:12 . 2008-06-13 00:12 131,584 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2008-06-12 21:48 . 2008-06-12 21:48 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-12 21:27 . 2002-08-29 01:27 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-06-12 21:27 . 2002-08-29 01:27 47,488 --a------ C:\WINDOWS\system32\drivers\cdrom.sys
2008-06-12 21:27 . 2002-08-29 01:28 39,808 --a------ C:\WINDOWS\system32\drivers\imapi.sys
2008-06-12 21:26 . 2003-12-09 19:16 57,344 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2008-06-12 21:20 . 2008-06-12 21:20 <DIR> d-------- C:\Program Files\Windows Resource Kits
2008-06-12 20:52 . 2002-08-29 01:27 33,792 --a------ C:\WINDOWS\system32\drivers\disk.sys
2008-06-12 20:38 . 2006-04-24 17:21 <DIR> d-------- C:\AcrobatPro.708
2008-06-10 16:15 . 2008-06-10 16:16 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-06-10 16:15 . 2008-06-10 16:15 <DIR> d-------- C:\Documents and Settings\Guest
2008-06-08 11:39 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 01:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-23 03:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-18 05:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-06-15 07:04 --------- d-----w C:\Program Files\Common Files\Adobe
2006-12-22 03:58 764 ----a-w C:\Program Files\moron.htm
2006-12-20 08:13 656 ----a-w C:\Program Files\UntitledFrameset-2.htm
2006-12-20 08:13 369 ----a-w C:\Program Files\Untitled-1.htm
2006-12-20 08:13 266 ----a-w C:\Program Files\UntitledFrame-3.htm
2006-12-20 08:13 266 ----a-w C:\Program Files\UntitledFrame-2.htm
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\GroupPolicy ----

2008-06-12 21:48 38 --a------ C:\WINDOWS\system32\GroupPolicy\gpt.ini


------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-02_14.58.51.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-02 07:48:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-03 03:12:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 10:41 13312]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13 1207080]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-07-05 08:29 4538368]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-19 15:42 1481968]
"EPSON Stylus D78 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE" [2006-09-22 04:01 139264]
"EPSON Stylus C79 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE" [2006-09-22 04:01 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-10 17:49 579072]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-03-25 11:22 5566464]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [2007-09-19 15:58 33280]
"WatcherHelper"="C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2008-01-30 16:36 120088]