Hello.

It seems I have a smart malware program running that will not allow malwarebytes to run or be re-installed.

Per the administrators suggestion I have run hijack this and here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:50:55 AM, on 10/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\42709325\42709325.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {06f7df88-1ba3-4372-ac32-d0f3138b2fdc} - polekove.dll (file missing)
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [73413119] C:\DOCUME~1\ALLUSE~1\APPLIC~1\73413119\73413119.exe
O4 - HKLM\..\Run: [42709325] C:\DOCUME~1\ALLUSE~1\APPLIC~1\42709325\42709325.exe
O4 - HKLM\..\Run: [lomafawipi] Rundll32.exe "tonepopo.dll",s
O4 - HKLM\..\Run: [sawodafik] Rundll32.exe "c:\windows\system32\nowikuje.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O15 - Trusted Zone: http://*.usearchtv.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144238640765
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\yezumoyu.dll dijineho.dll c:\windows\system32\subapade.dll c:\windows\system32\nowikuje.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: welojotam - {8e83ad35-3bb2-41ee-985b-739b7f4a0689} - c:\windows\system32\nowikuje.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Alerter AlerterAlerterAlerterALG (AlerterAlerterAlerterALG) - Unknown owner - C:\WINDOWS\system32\d.exe (file missing)
O23 - Service: Alerter AlerterAlerterALG (AlerterAlerterALG) - Unknown owner - C:\WINDOWS\system32\d.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Hi and welcome to the Malwarebytes forums.

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

1. I will be working on your Malware issues this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans whilst I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.

Uninstall list

Please post an Uninstall list.

1. Open HijackThis.
2. Click on the Open the Misc Tools section button.
3. Look under System tools.
4. Click on the Open Uninstall Manager... button.
5. Click on the Save list... button.
6. It will prompt you to save. Save this log in a convenient location, such as your Desktop By default it's named uninstall_list.txt.
7. Notepad will open. Please post this log in your next reply.

In your next reply.

1. Uninstall list.

Thanks Melboy.

Here is the uninstall list.

7-Zip 4.57
Adobe Acrobat Reader 3.01
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
AT&T Labs' Natural Voices™ Desktop 1.2.1
AVG Free 8.5
Bonjour Core for Windows
Bounce from Hewlett-Packard Desktops (remove only)
Cakewalk Audio Finder Tool
Cakewalk Music Creator 2003
Cakewalk Pyro 1.5
Charter Pipeline® Self-Installation
CleanUp!
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
DirectX Media Runtime 5.1
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
Easy DVD Player 2.0
GdiplusUpgrade
GoGear ARIA Device Manager
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Instant Support
HP Organize
HP Photo & Imaging 3.0
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Product Detection
HP Software Update
HPImageZone
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2_04
Java Web Start
Java™ 6 Update 15
Java™ 6 Update 4
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
KBD
Lexmark 2300 Series
Lexmark Fax Solutions
Lyra Personal Audio Player (RD1021/1071/1075)
Macromedia Shockwave Player
Madeline European Adventures
Madeline Rainy Day Activities
Malwarebytes' Anti-Malware
MapleStory
Media Converter for Philips
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works 7.0
MP3 Player Utilities 1.47
MSN Messenger 7.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Multimedia Card Reader
MyFreeCodec
NVIDIA Display Driver
NVIDIA Drivers
NVIDIA Ethernet Driver
NVIDIA Gart Driver
OLYMPUS Master 2
OpenOffice.org 3.1
PhatNoise Music Manager
Photosmart 140,240,7200,7600,7700,7900 Series
PS2
Quicken 2003 New User Edition
QuickTime
Realtek AC'97 Audio
Rhapsody
Rhapsody Player Engine
Rhapsody Player Engine
S3Display
S3Gamma2
S3Info2
S3Overlay
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Shockwave
TI Connect™ 1.2.1
toolkit
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Updates from HP
USB Driver
VC80CRTRedist - 8.0.50727.4053
Virtual Earth 3D (Beta)
Virtual Sound Canvas DXi
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Related
Windows XP Service Pack 3
WinRAR archiver
World Wind v1.2
Yahoo! Internet Mail
Yahoo! Messenger
YP-T6

Hi

Unfortunately your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Let's try to clean this machine.

Thanks.

Hi

I would strongly impress upon you what I previously said that if you do any banking or other financial transactions on the PC, a reformat and reinstall of the OS would definately be advised.

I can't guarantee that the PC will be at all secure afterwards.

=====================================================================

ComboFix (by sUBs)
Download Combofix from any of the links below but rename it to melboy1.exe before saving it to your desktop.

Link 1
Link 2

• Now STOP your security programs (Antivirus/Antispyware Guards) as they could easily interfere with ComboFix.
  How to Temporarily Disable your Anti-virus
  
  QUOTE
  AVG 8.5
  

  • Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
  • Click on Open AVG Interface.
  • Double click on Resident Shield
  • Deselect the option to "Enable Resident Shield."
  • Save changes, and exit the application.
  • To re-enable AVG 8.5, please select "Enable Resident Shield" again.
  
  
• Double click the renamed ComboFix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt so we can continue cleaning the system.

Re-enable all the programs that were disabled during the running of ComboFix

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Thank you. Here is the combofix log file.

ComboFix 09-11-01.04 - Owner 11/02/2009 11:30.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.324 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\melboy1.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\tejanizyx.inf
c:\documents and settings\All Users\Documents\ehudyqy.inf
c:\documents and settings\All Users\documents\setup.exe
c:\documents and settings\All Users\Documents\ufupo.bat
c:\documents and settings\Owner\Application Data\xunawynu.bat
c:\documents and settings\Sarah\Application Data\iniasd.txt
c:\documents and settings\Sarah\Desktop\Security Tool.lnk
c:\documents and settings\Sarah\Start Menu\Programs\Security Tool.lnk
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Fonts\acrsec.fon
c:\windows\patch.exe
c:\windows\pubosi.vbs
c:\windows\system32\dakagego.dll
c:\windows\system32\dowileyi.dll
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\duhavevo.dll
c:\windows\system32\gadonesi.exe
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\kojofaba.dll.tmp
c:\windows\system32\ndisapi.dll
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\nopulana.dll
c:\windows\system32\Packet.dll
c:\windows\system32\petolahu.dll
c:\windows\system32\pmkmudme.ini
c:\windows\system32\ps2.bat
c:\windows\system32\pthreadVC.dll
c:\windows\system32\regoyivu.dll.tmp
c:\windows\system32\rijikoyi.dll
c:\windows\system32\sibogaya.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\yabohoyu.dll.tmp
c:\windows\system32\ziluyuda.dll
c:\windows\system32\zuhuyaba.dll
c:\windows\Tasks\xqougtbu.job
c:\windows\uwyfagugo.inf
c:\windows\viassary-hp.reg
c:\windows\yfulojiryk._sy
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD


((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 12:59 . 2009-11-02 13:00 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-30 23:20 . 2009-10-30 23:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-10-30 01:43 . 2009-10-30 01:43 -------- d-----w- c:\documents and settings\Owner\NTI-Shadow
2009-10-30 01:19 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 01:19 . 2009-10-30 12:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 01:19 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 00:44 . 2009-10-30 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\42709325
2009-10-29 12:45 . 2009-10-30 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\73413119
2009-10-20 19:05 . 2009-10-20 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-10-20 19:01 . 2009-11-02 17:47 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 13:53 . 2006-10-03 23:19 -------- d-----w- c:\program files\Lx_cats
2009-11-02 13:00 . 2009-04-24 02:21 -------- d-----w- c:\program files\Easy DVD Player
2009-11-01 18:50 . 2008-09-13 18:21 0 ----a-w- c:\documents and settings\Sarah\Local Settings\Application Data\prvlcl.dat
2009-10-30 17:20 . 2009-08-06 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-17 21:31 . 2003-08-23 14:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-28 00:57 . 2009-09-28 00:57 -------- d-----w- c:\documents and settings\Sarah\Application Data\InstallShield Installation Information
2009-09-28 00:56 . 2009-09-28 00:56 -------- d-----w- c:\program files\NewTech Infosystems
2009-09-26 19:20 . 2004-05-30 21:39 -------- d-----w- c:\program files\Google
2009-09-08 02:25 . 2009-09-03 01:30 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft
2009-09-05 21:18 . 2009-09-03 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-09-05 21:18 . 2009-09-05 21:16 -------- d-----w- c:\documents and settings\Geoffrey\Application Data\ArcSoft
2009-08-30 07:10 . 2005-12-28 22:50 39896 ----a-w- c:\documents and settings\Geoffrey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 00:58 . 2009-08-30 00:58 14879 ----a-w- c:\program files\Common Files\yxixib.dl
2009-08-30 00:58 . 2009-08-30 00:58 13848 ----a-w- c:\windows\herafuhod.bin
2009-08-30 00:58 . 2009-08-30 00:58 12368 ----a-w- c:\documents and settings\All Users\Application Data\jyjaqozedo.sys
2009-08-30 00:58 . 2009-08-30 00:58 10992 ----a-w- c:\program files\Common Files\lepa.sys
2009-08-30 00:58 . 2009-08-30 00:58 10905 ----a-w- c:\program files\Common Files\duky.exe
2009-08-30 00:58 . 2009-08-30 00:58 10531 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\sygo.sys
2009-08-30 00:58 . 2009-08-30 00:58 19670 ----a-w- c:\windows\jerawybos.com
2009-08-30 00:58 . 2009-08-30 00:58 14636 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\xasyf.bin
2009-08-30 00:58 . 2009-08-30 00:58 12412 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\fimi.sys
2009-08-30 00:58 . 2009-08-30 00:58 11554 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\pimerex.bin
2009-08-26 12:32 . 2003-08-23 14:12 39896 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 01:19 . 2009-08-06 01:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 01:19 . 2009-08-06 01:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-06 01:19 . 2009-08-06 01:19 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 01:19 . 2009-08-06 01:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2004-01-08 02:27 . 2004-01-08 02:27 0 --sha-w- c:\windows\SMINST\HPCD.sys
2009-05-02 00:06 . 2009-05-02 00:06 48640 --sha-w- c:\windows\system32\figohele.dll.tmp
2009-01-19 21:17 . 2009-01-19 21:17 1403021 --sh--w- c:\windows\system32\hspkthog.tmp
2009-07-30 12:44 . 2009-07-30 12:44 1054752 --sha-w- c:\windows\system32\latabaye.exe
2009-05-02 00:06 . 2009-05-02 00:06 48640 --sha-w- c:\windows\system32\yawikofe.dll.tmp
2009-05-02 00:06 . 2009-05-02 00:06 48640 --sha-w- c:\windows\system32\yimazitu.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-02-23 3026944]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-06 01:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips GoGear ARIA Device Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Philips GoGear ARIA Device Manager.lnk
backup=c:\windows\pss\Philips GoGear ARIA Device Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sarah^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Sarah\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ATTNaturalVoices\\TTS1.2\\Desktop\\bin\\ttsdesktopproxy.exe"=
"c:\\Documents and Settings\\Geoffrey\\Desktop\\Geoff's Crap\\Patcher.exe"=
"c:\\Program Files\\WIZET\\MSEA\\NewPatcher.exe"=
"c:\\Documents and Settings\\Geoffrey\\Desktop\\Geoff's Crap\\MapleStory.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/5/2009 7:19 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/5/2009 7:19 PM 108552]
R1 GearAspiSys;GearAspiSys;c:\windows\system32\drivers\GEARASPISYS.SYS [2/6/2004 10:23 PM 53412]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/5/2009 7:18 PM 297752]
S2 AlerterAlerterAlerterALG;Alerter AlerterAlerterAlerterALG;c:\windows\system32\d.exe run --> c:\windows\system32\d.exe run [?]
S2 AlerterAlerterALG;Alerter AlerterAlerterALG;c:\windows\system32\d.exe run --> c:\windows\system32\d.exe run [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/26/2009 1:15 PM 133104]
S2 mrtRate;mrtRate; [x]
S3 2874e298-29f2-4b77-b190-2895f2a8df59;2874e298-29f2-4b77-b190-2895f2a8df59;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 19:15]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 19:15]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: usearchtv.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{06f7df88-1ba3-4372-ac32-d0f3138b2fdc} - polekove.dll
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-sawodafik - c:\windows\system32\ziberone.dll
HKLM-Run-lomafawipi - tonepopo.dll
SharedTaskScheduler-{fa7404b5-4ef8-4477-817f-1c48a67fd03b} - c:\windows\system32\ziberone.dll
SSODL-yuzezajuj-{fa7404b5-4ef8-4477-817f-1c48a67fd03b} - c:\windows\system32\ziberone.dll
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-D11F7128-8CBD-408B-8BF8-034604DEDD42 - c:\program files\WildTangent\Apps\GameChannel\Games\D11F7128-8CBD-408B-8BF8-034604DEDD42\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 11:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgui.exe
.
**************************************************************************
.
Completion time: 2009-11-02 11:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-02 17:55

Pre-Run: 15,112,269,824 bytes free
Post-Run: 15,234,433,024 bytes free

- - End Of File - - E9E2C1A8EEE6C0BF8DE2ACBFE9C8AE40

Hi CSF


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  
  CODE
  http://www.malwarebytes.org/forums/index.php?showtopic=29441&view=findpost&p=152578
  
  Folder::
  c:\documents and settings\All Users\Application Data\42709325
  c:\documents and settings\All Users\Application Data\73413119
  
  Collect::
  c:\windows\system32\d.exe
  C:\WINDOWS\system32\drivers\svchost.exe
  c:\documents and settings\Sarah\Local Settings\Application Data\prvlcl.dat
  c:\program files\Common Files\yxixib.dl
  c:\windows\herafuhod.bin
  c:\documents and settings\All Users\Application Data\jyjaqozedo.sys
  c:\program files\Common Files\lepa.sys
  c:\program files\Common Files\duky.exe
  c:\documents and settings\Owner\Local Settings\Application Data\sygo.sys
  c:\windows\jerawybos.com
  c:\documents and settings\Owner\Local Settings\Application Data\xasyf.bin
  c:\documents and settings\Owner\Local Settings\Application Data\fimi.sys
  c:\documents and settings\Owner\Local Settings\Application Data\pimerex.bin
  c:\windows\system32\hspkthog.tmp
  c:\windows\system32\latabaye.exe
  c:\windows\system32\yawikofe.dll.tmp
  c:\windows\system32\yimazitu.dll.tmp
  
  Driver::
  AlerterAlerterAlerterALG
  AlerterAlerterALG
  
  Registry::
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "AlcxMonitor"=-
  
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
  "C:\WINDOWS\system32\drivers\svchost.exe"=-
  
  DDS::
  uInternet Settings,ProxyServer = http=localhost:7171
  Trusted Zone: usearchtv.com
  
  
  
• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• If you need help to disable your protection programs see here.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

Thanks Melboy. I got a prompt that there was a newer version of combofix when I ran this. I did not update it. Here is the new log.

ComboFix 09-11-01.04 - Owner 11/03/2009 7:03.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.354 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\melboy1.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\documents and settings\All Users\Application Data\jyjaqozedo.sys
file zipped: c:\documents and settings\Owner\Local Settings\Application Data\fimi.sys
file zipped: c:\documents and settings\Owner\Local Settings\Application Data\pimerex.bin
file zipped: c:\documents and settings\Owner\Local Settings\Application Data\sygo.sys
file zipped: c:\documents and settings\Owner\Local Settings\Application Data\xasyf.bin
file zipped: c:\documents and settings\Sarah\Local Settings\Application Data\prvlcl.dat
file zipped: c:\program files\Common Files\duky.exe
file zipped: c:\program files\Common Files\yxixib.dl
file zipped: c:\windows\herafuhod.bin
file zipped: c:\windows\jerawybos.com
file zipped: c:\windows\system32\hspkthog.tmp
file zipped: c:\windows\system32\latabaye.exe
file zipped: c:\windows\system32\yawikofe.dll.tmp
file zipped: c:\windows\system32\yimazitu.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\42709325
c:\documents and settings\All Users\Application Data\73413119
c:\documents and settings\All Users\Application Data\jyjaqozedo.sys
c:\documents and settings\Owner\Local Settings\Application Data\fimi.sys
c:\documents and settings\Owner\Local Settings\Application Data\pimerex.bin
c:\documents and settings\Owner\Local Settings\Application Data\sygo.sys
c:\documents and settings\Owner\Local Settings\Application Data\xasyf.bin
c:\documents and settings\Sarah\Local Settings\Application Data\prvlcl.dat
c:\program files\Common Files\duky.exe
c:\program files\Common Files\yxixib.dl
c:\windows\herafuhod.bin
c:\windows\jerawybos.com
c:\windows\system32\hspkthog.tmp
c:\windows\system32\latabaye.exe
c:\windows\system32\yawikofe.dll.tmp
c:\windows\system32\yimazitu.dll.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ALERTERALERTERALERTERALG
-------\Legacy_ALERTERALERTERALG
-------\Service_AlerterAlerterAlerterALG
-------\Service_AlerterAlerterALG


((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-02 12:59 . 2009-11-02 17:47 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-30 23:20 . 2009-10-30 23:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-10-30 01:43 . 2009-10-30 01:43 -------- d-----w- c:\documents and settings\Owner\NTI-Shadow
2009-10-30 01:19 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 01:19 . 2009-10-30 12:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 01:19 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 19:05 . 2009-10-20 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-10-20 19:01 . 2009-11-02 17:47 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 13:53 . 2006-10-03 23:19 -------- d-----w- c:\program files\Lx_cats
2009-11-02 13:00 . 2009-04-24 02:21 -------- d-----w- c:\program files\Easy DVD Player
2009-10-30 17:20 . 2009-08-06 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-17 21:31 . 2003-08-23 14:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-28 00:57 . 2009-09-28 00:57 -------- d-----w- c:\documents and settings\Sarah\Application Data\InstallShield Installation Information
2009-09-28 00:56 . 2009-09-28 00:56 -------- d-----w- c:\program files\NewTech Infosystems
2009-09-26 19:20 . 2004-05-30 21:39 -------- d-----w- c:\program files\Google
2009-09-08 02:25 . 2009-09-03 01:30 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft
2009-09-05 21:18 . 2009-09-03 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-09-05 21:18 . 2009-09-05 21:16 -------- d-----w- c:\documents and settings\Geoffrey\Application Data\ArcSoft
2009-08-30 07:10 . 2005-12-28 22:50 39896 ----a-w- c:\documents and settings\Geoffrey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 00:58 . 2009-08-30 00:58 10992 ----a-w- c:\program files\Common Files\lepa.sys
2009-08-26 12:32 . 2003-08-23 14:12 39896 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 01:19 . 2009-08-06 01:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 01:19 . 2009-08-06 01:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-06 01:19 . 2009-08-06 01:19 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 01:19 . 2009-08-06 01:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2004-01-08 02:27 . 2004-01-08 02:27 0 --sha-w- c:\windows\SMINST\HPCD.sys
2009-05-02 00:06 . 2009-05-02 00:06 48640 --sha-w- c:\windows\system32\figohele.dll.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-11-02_17.49.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-03 13:19 . 2009-11-03 13:19 16384 c:\windows\temp\Perflib_Perfdata_7f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-02-23 3026944]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-06 01:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips GoGear ARIA Device Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Philips GoGear ARIA Device Manager.lnk
backup=c:\windows\pss\Philips GoGear ARIA Device Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sarah^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Sarah\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ATTNaturalVoices\\TTS1.2\\Desktop\\bin\\ttsdesktopproxy.exe"=
"c:\\Documents and Settings\\Geoffrey\\Desktop\\Geoff's Crap\\Patcher.exe"=
"c:\\Program Files\\WIZET\\MSEA\\NewPatcher.exe"=
"c:\\Documents and Settings\\Geoffrey\\Desktop\\Geoff's Crap\\MapleStory.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/5/2009 7:19 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/5/2009 7:19 PM 108552]
R1 GearAspiSys;GearAspiSys;c:\windows\system32\drivers\GEARASPISYS.SYS [2/6/2004 10:23 PM 53412]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/5/2009 7:18 PM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/26/2009 1:15 PM 133104]
S2 mrtRate;mrtRate; [x]
S3 2874e298-29f2-4b77-b190-2895f2a8df59;2874e298-29f2-4b77-b190-2895f2a8df59;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 19:15]

2009-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 19:15]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 07:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1132)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-03 7:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-03 13:27
ComboFix2.txt 2009-11-02 17:55

Pre-Run: 15,211,200,512 bytes free
Post-Run: 15,172,984,832 bytes free

- - End Of File - - 2735025DDDBB1DB1BF6E47B1ED38EBB5

If combofix prompts you to update it, please do so first.


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  
  CODE
  http://www.malwarebytes.org/forums/index.php?s=&showtopic=29441&view=findpost&p=152953
  
  Collect::
  c:\program files\Common Files\lepa.sys
  c:\windows\system32\figohele.dll.tmp
  
  Registry::
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
  "%windir%\\system32\\drivers\\svchost.exe"=-
  
  
• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• If you need help to disable your protection programs see here.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

===========


Update Adobe Acrobat Reader
Your Adobe Acrobat Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 9.2 to your PC's desktop.

• Uninstall >Adobe Reader 7.0.9< via Start > Control Panel > Add/Remove Programs
• Install the new downloaded updated software.

Uninstall Programs

• click on start
• Click on control panel
• Double click the icon add/remove programs
• click on the first program in the list and click Remove
• Continue through the list below (one at a time) until all programs have been removed.
• If something isn't found, please continue with the next entry in the list.

Malwarebytes' Anti-Malware (MBAM)

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware, but UNcheck Launch Malwarebytes' Anti-Malware, then click Finish.

random's system information tool (RSIT)

• Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open:
  
  • log.txt (<<will be maximized)
  • info.txt (<<will be minimized)
• Post both of these logs in your next reply (Sometimes you have to make several post to get the logs posted.)

In your next reply:

1. combofix.txt
2. RSIT log.txt
3. RSIT info.txt

Thanks again Melboy.

Here is the combofix log. I will use a separate response for the RSIT logs.

ComboFix 09-11-03.01 - Owner 11/03/2009 14:48.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.349 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\melboy1.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\program files\Common Files\lepa.sys
file zipped: c:\windows\system32\figohele.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\lepa.sys
c:\windows\system32\figohele.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-02 12:59 . 2009-11-02 17:47 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-30 23:20 . 2009-10-30 23:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-10-30 01:43 . 2009-10-30 01:43 -------- d-----w- c:\documents and settings\Owner\NTI-Shadow
2009-10-30 01:19 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 01:19 . 2009-10-30 12:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 01:19 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 19:05 . 2009-10-20 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-10-20 19:01 . 2009-11-02 17:47 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 13:53 . 2006-10-03 23:19 -------- d-----w- c:\program files\Lx_cats
2009-11-02 13:00 . 2009-04-24 02:21 -------- d-----w- c:\program files\Easy DVD Player
2009-10-30 17:20 . 2009-08-06 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-17 21:31 . 2003-08-23 14:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-28 00:57 . 2009-09-28 00:57 -------- d-----w- c:\documents and settings\Sarah\Application Data\InstallShield Installation Information
2009-09-28 00:56 . 2009-09-28 00:56 -------- d-----w- c:\program files\NewTech Infosystems
2009-09-26 19:20 . 2004-05-30 21:39 -------- d-----w- c:\program files\Google
2009-09-08 02:25 . 2009-09-03 01:30 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft
2009-09-05 21:18 . 2009-09-03 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-09-05 21:18 . 2009-09-05 21:16 -------- d-----w- c:\documents and settings\Geoffrey\Application Data\ArcSoft
2009-08-30 07:10 . 2005-12-28 22:50 39896 ----a-w- c:\documents and settings\Geoffrey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 12:32 . 2003-08-23 14:12 39896 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 01:19 . 2009-08-06 01:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 01:19 . 2009-08-06 01:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-06 01:19 . 2009-08-06 01:19 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 01:19 . 2009-08-06 01:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2004-01-08 02:27 . 2004-01-08 02:27 0 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-02-23 3026944]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-06 01:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips GoGear ARIA Device Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Philips GoGear ARIA Device Manager.lnk
backup=c:\windows\pss\Philips GoGear ARIA Device Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sarah^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Sarah\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ATTNaturalVoices\\TTS1.2\\Desktop\\bin\\ttsdesktopproxy.exe"=
"c:\\Documents and Settings\\Geoffrey\\Desktop\\Geoff's Crap\\Patcher.exe"=
"c:\\Program Files\\WIZET\\MSEA\\NewPatcher.exe"=
"c:\\Documents and Settings\\Geoffrey\\Desktop\\Geoff's Crap\\MapleStory.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/5/2009 7:19 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/5/2009 7:19 PM 108552]
R1 GearAspiSys;GearAspiSys;c:\windows\system32\drivers\GEARASPISYS.SYS [2/6/2004 10:23 PM 53412]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/5/2009 7:18 PM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/26/2009 1:15 PM 133104]
S2 mrtRate;mrtRate; [x]
S3 2874e298-29f2-4b77-b190-2895f2a8df59;2874e298-29f2-4b77-b190-2895f2a8df59;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 19:15]

2009-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 19:15]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 14:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2009-11-03 15:03
ComboFix-quarantined-files.txt 2009-11-03 21:02
ComboFix2.txt 2009-11-03 13:27
ComboFix3.txt 2009-11-02 17:55

Pre-Run: 15,132,508,160 bytes free
Post-Run: 15,098,224,640 bytes free

Upload was successful

Not sure which of the RSIT logs this is. The other I'll send on separate reply. Thanks.'

info.txt logfile of random's system information tool 1.06 2009-11-03 15:43:11

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.57-->"C:\Program Files\7-Zip\Uninstall.exe"
Adobe Acrobat Reader 3.01-->C:\WINDOWS\uninst.exe -fC:\Acrobat3\Reader\DeIsL1.isu
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A92000000001}
AT&T Labs' Natural Voices™ Desktop 1.2.1-->MsiExec.exe /I{5D5F53E9-360E-42C9-B8B3-05D92F3C9D5B}
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Bonjour Core for Windows-->MsiExec.exe /I{56DF5C9E-6392-46D3-B366-297B14E1DAAF}
Cakewalk Audio Finder Tool-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Cakewalk\CWAF\DeIsL1.isu"
Cakewalk Music Creator 2003-->C:\PROGRA~1\Cakewalk\CAKEWA~1\UNWISE.EXE C:\PROGRA~1\Cakewalk\CAKEWA~1\INSTALL.LOG
Cakewalk Pyro 1.5-->C:\PROGRA~1\Cakewalk\CAKEWA~1.5\UNWISE.EXE C:\PROGRA~1\Cakewalk\CAKEWA~1.5\INSTALL.LOG
Charter Pipeline® Self-Installation-->"C:\Program Files\Support.com\unins000.exe"
CleanUp!-->C:\Program Files\CleanUp!\uninstall.exe
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DirectX Media Runtime 5.1-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DXM51.INF,Uninstall.NT
GdiplusUpgrade-->MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
GoGear ARIA Device Manager-->C:\Program Files\InstallShield Installation Information\{43B0D334-9A1B-4257-9E51-D3813BD8B9D0}\setup.exe -runfromtemp -l0x0009 -removeonly
Google Chrome-->"C:\Program Files\Google\Chrome\Application\3.0.195.27\Installer\setup.exe" --uninstall --system-level
Google Earth-->MsiExec.exe /X{3A05B900-A3E7-11DE-A9B7-005056806466}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E582EA556D8DE101.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Instant Support-->C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Organize-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
HP Photo & Imaging 3.0-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photo and Imaging 2.0 - Photosmart Cameras-->MsiExec.exe /X{5D7F0A0E-369E-46C0-9F99-FAB21A064781}
HP Product Detection-->MsiExec.exe /I{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP Software Update-->MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HPImageZone-->MsiExec.exe /X{3F46F8A1-75E1-4bbd-A02D-650C84422E87}
Intel® Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
IntelliMover Data Transfer Demo-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
Java Web Start-->"C:\Program Files\Java Web Start\uninst-javaws.exe"
Java™ 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
KBD-->C:\HP\KBD\KBD.EXE uninstalled
Lexmark 2300 Series-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxcgUNST.EXE -NOLICENSE
Lexmark Fax Solutions-->C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe
Lyra Personal Audio Player (RD1021/1071/1075)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3D9322-E392-411F-81EB-3F844B56248B}\Setup.exe" -l0x9
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Madeline European Adventures-->C:\CWONDERS\MADEA\UNINST.EXE
Madeline Rainy Day Activities-->C:\CWONDERS\MRDA\CWRUN.EXE MadelineRainyDayActivities UninstallExe
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapleStory-->MsiExec.exe /I{F99C5427-4D78-43E2-B97E-F4C4E622D612}
Media Converter for Philips-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E623BB3F-F7ED-4148-BEB5-A0D1DB28B4DE}\Setup.exe" -l0x9
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2003 System Pack-->MsiExec.exe /I{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}
Microsoft Money 2003-->MsiExec.exe /I{01F9D88C-3C86-4E82-840A-101A3221F67A}
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Excel Viewer 2003-->MsiExec.exe /I{90840409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# .NET Redistributable Package 1.1-->MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Works 7.0-->MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MP3 Player Utilities 1.47-->MsiExec.exe /I{5BBFB0E4-2250-49C3-A8A3-65BE2197D13B}
MSN Messenger 7.0-->MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600813}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Multimedia Card Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E05895C5-FE97-4334-8D73-B0089FD07CE3}
MyFreeCodec-->C:\Program Files\MyFree Codec\09a beta\uninstall.exe
NVIDIA Display Driver-->C:\WINDOWS\system32\nvudisp.exe Uninstall C:\WINDOWS\system32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Drivers-->C:\WINDOWS\system32\nvuaudio.exe UninstallGUI
NVIDIA Ethernet Driver-->C:\WINDOWS\System32\nvuenet.exe Uninstall C:\WINDOWS\System32\Nvenet.nvu,NVIDIA Ethernet Driver
NVIDIA Gart Driver-->C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA Gart Driver
OLYMPUS Master 2-->MsiExec.exe /X{F0FC1E09-AF67-47BC-9E61-90ECFEB4CE82}
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
PhatNoise Music Manager-->C:\WINDOWS\iun6002.exe "C:\Program Files\PhatNoise Music Manager\irunin.ini"
Photosmart 140,240,7200,7600,7700,7900 Series-->C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
PS2-->C:\WINDOWS\system32\ps2.exe uninstall
Quicken 2003 New User Edition-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F61F2821-694C-475F-99AB-6AF2EFDF40FD} anything
QuickTime-->MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Rhapsody Player Engine-->MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Rhapsody Player Engine-->MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Rhapsody-->C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
S3Display-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
TI Connect™ 1.2.1-->C:\PROGRA~1\TIEDUC~1\TICONN~1\UNWISE.EXE C:\PROGRA~1\TIEDUC~1\TICONN~1\INSTALL.LOG
toolkit-->c:\Windows\HPTK\unhptkit.exe
Update for Windows Internet Explorer 8 (KB968220)-->"C:\WINDOWS\ie8updates\KB968220-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Updates from HP-->C:\WINDOWS\BWUnin-6.2.3.66.exe -AppId 137903
USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8F7C1E5-0150-11D6-A96C-00D05908F85D}\Setup.exe" -l0x9
Virtual Earth 3D (Beta)-->MsiExec.exe /I{3CCB26F5-E2A7-4C91-8340-9149D7B7C2BE}
Virtual Sound Canvas DXi-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E10E7FC-36CD-4C22-AC20-9E15692E8C2F}\setup.exe" UNINSTALL_XXX
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Rights Management Client Backwards Compatibility SP2-->MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2-->MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows XP Related-->Rundll32.exe C:\WINDOWS\lbbho.dll,Uninst
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
World Wind v1.2-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4FAA6105-43D8-4D6D-B843-46F1530ABAE3}
Yahoo! Internet Mail-->C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
YP-T6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{808EB4CB-E52F-4A93-9540-6184ABF77662}\Setup.exe" -l0x9

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: YOUR-XHTR8HVC4P
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 91823
Source Name: Service Control Manager
Time Written: 20091103162316.000000-300
Event Type: error
User:

Computer Name: YOUR-XHTR8HVC4P
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 91820
Source Name: Service Control Manager
Time Written: 20091103162316.000000-300
Event Type: error
User:

Computer Name: YOUR-XHTR8HVC4P
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 91817
Source Name: Service Control Manager
Time Written: 20091103162316.000000-300
Event Type: error
User:

Computer Name: YOUR-XHTR8HVC4P
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 91814
Source Name: Service Control Manager
Time Written: 20091103162315.000000-300
Event Type: error
User:

Computer Name: YOUR-XHTR8HVC4P
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 91811
Source Name: Service Control Manager
Time Written: 20091103162315.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: YOUR-XHTR8HVC4P
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Record Number: 42706
Source Name: Userenv
Time Written: 20090226212228.000000-360
Event Type: warning
User: YOUR-XHTR8HVC4P\Owner

Computer Name: YOUR-XHTR8HVC4P
Event Code: 1001
Message: Fault bucket 573763124.

Record Number: 42700
Source Name: Application Error
Time Written: 20090226150153.000000-360
Event Type: error
User:

Computer Name: YOUR-XHTR8HVC4P
Event Code: 1000
Message: Faulting application maagent.exe, version 3.1.2007.1017, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Record Number: 42699
Source Name: Application Error
Time Written: 20090226150128.000000-360
Event Type: error
User:

Computer Name: YOUR-XHTR8HVC4P
Event Code: 1517
Message: Windows saved user YOUR-XHTR8HVC4P\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 42694
Source Name: Userenv
Time Written: 20090226072130.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-XHTR8HVC4P
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Record Number: 42693
Source Name: Userenv
Time Written: 20090226072127.000000-360
Event Type: warning
User: YOUR-XHTR8HVC4P\Owner

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;c:\Python22;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;"C:\Program Files\Java\jre1.5.0_01\lib\ext\QTJava.zip";C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
"VERSION"=3.0.1
"SESSIONID"=1085197741666wuws05-l19ec4ed:fcc3d2cd24:-7b92
"COLLECTIONID"=COL5123
"ITEMID"=dj-17724-8
"UPDATEDIR"=C:\DOCUME~1\Owner\LOCALS~1\Temp\rad10E38.tmp
"TOOLPATH"=/C:\Program%20Files\HP\HP%20Software%20Update\install.htm
"HMSERVER"=https://h30083.www3.hp.com/wuss/servlet/WUSSServlet
"SWUTVER"=1.0.16.20030613
"OSVER"=winXPH
"LANG"=1033
"TIMEOUT"=0
"FP_NO_HOST_CHECK"=NO
"QTJAVA"=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip

-----------------EOF-----------------

And here is the other RSIT log. Thanks.


Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-11-03 15:42:45
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 14 GB (13%) free of 109 GB
Total RAM: 703 MB (28% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:08 PM, on 11/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144238640765
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7456 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11222041-111B-46E3-BD29-EFB2449479B1}]
IEPlugin Class - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL [2008-12-24 145920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-07-25 321312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-10-17 762864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP View - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll [2003-06-16 98304]

{ACB1E670-3217-45C4-A021-6B829A8A27CB}
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-08-27 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2004-02-23 3026944]
"LXCGCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16 []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-01-31 385024]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-11-03 2028312]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-09-10 420176]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-20 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2009-10-10 203264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE [2003-06-18 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe [2003-06-22 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe [2002-10-07 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n'Drop_Autolaunch]
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
C:\Program Files\Lexmark 2300 Series\ezprint.exe [2005-08-01 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2005-07-12 299008]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe [2003-04-07 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-16 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe [2003-05-23 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe [2003-05-23 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe [1998-05-07 52736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE [2003-02-11 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe [2005-07-21 200704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent]
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe [2005-04-27 6856704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\DOCUME~1\Sarah\LOCALS~1\Temp\yaywvuSk.dll,#1 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe [2007-09-11 95536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe [2002-10-16 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-01-31 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Program Files\Real\RealOne Player\realplay.exe /RunUPGToolCommandReBoot []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-13 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe [2003-08-09 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-20 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsvcon]
C:\Documents and Settings\Sarah\Application Data\Google\pzpsp23511834.exe 2 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqtra08.exe [2003-06-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips GoGear ARIA Device Manager.lnk]
C:\PROGRA~1\Philips\GOGEAR~1\GOGEAR~1.EXE [2009-03-13 1611152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
C:\PROGRA~1\Quicken\bagent.exe [2002-09-20 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
C:\PROGRA~1\INTERM~1\SPAMSU~1\SPAMSU~1.EXE -q []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sarah^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
C:\PROGRA~1\OPENOF~1.4\program\QUICKS~1.EXE []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-05 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-04-07 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\Program Files\HP\HP Software Update\HPWUCli.exe"="C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\Program Files\ATTNaturalVoices\TTS1.2\Desktop\bin\ttsdesktopproxy.exe"="C:\Program Files\ATTNaturalVoices\TTS1.2\Desktop\bin\ttsdesktopproxy.exe:*:Enabled:ttsdesktopproxy"
"C:\Documents and Settings\Geoffrey\Desktop\Geoff's Crap\Patcher.exe"="C:\Documents and Settings\Geoffrey\Desktop\Geoff's Crap\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\Program Files\WIZET\MSEA\NewPatcher.exe"="C:\Program Files\WIZET\MSEA\NewPatcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\Documents and Settings\Geoffrey\Desktop\Geoff's Crap\MapleStory.exe"="C:\Documents and Settings\Geoffrey\Desktop\Geoff's Crap\MapleStory.exe:*:Enabled:MapleStory"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient.exe"="C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient.exe:*:Enabled:Abaclient"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"

======List of files/folders created in the last 1 months======

2009-11-03 15:42:48 ----D---- C:\Program Files\trend micro
2009-11-03 15:42:45 ----D---- C:\rsit
2009-11-03 15:38:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-03 15:18:30 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-11-03 15:04:05 ----D---- C:\WINDOWS\temp
2009-11-03 15:03:28 ----A---- C:\ComboFix.txt
2009-11-03 14:46:07 ----D---- C:\melboy1
2009-11-02 11:28:50 ----A---- C:\WINDOWS\zip.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\SWSC.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\SWREG.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\sed.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\PEV.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\NIRCMD.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\MBR.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\grep.exe
2009-11-02 11:28:44 ----D---- C:\WINDOWS\ERDNT
2009-11-02 06:59:59 ----D---- C:\WINDOWS\SxsCaPendDel
2009-10-29 19:47:00 ----AD---- C:\Qoobox
2009-10-20 13:05:01 ----D---- C:\Documents and Settings\Owner\Application Data\DivX
2009-10-20 13:01:27 ----D---- C:\Program Files\DivX

======List of files/folders modified in the last 1 months======

2009-11-03 15:42:48 ----AD---- C:\Program Files
2009-11-03 15:42:38 ----D---- C:\WINDOWS\Prefetch
2009-11-03 15:38:07 ----D---- C:\WINDOWS\system32\drivers
2009-11-03 15:33:13 ----SHD---- C:\WINDOWS\Installer
2009-11-03 15:33:06 ----D---- C:\Program Files\Java
2009-11-03 15:33:06 ----AD---- C:\Program Files\Common Files
2009-11-03 15:32:55 ----D---- C:\WINDOWS\system32
2009-11-03 15:16:45 ----D---- C:\Program Files\Adobe
2009-11-03 15:04:05 ----AD---- C:\WINDOWS
2009-11-03 15:00:05 ----A---- C:\WINDOWS\system.ini
2009-11-03 14:54:01 ----D---- C:\WINDOWS\AppPatch
2009-11-03 14:47:27 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-03 14:46:42 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-03 07:16:08 ----D---- C:\WINDOWS\system32\config
2009-11-02 11:42:14 ----SD---- C:\WINDOWS\Tasks
2009-11-02 11:42:06 ----RSD---- C:\WINDOWS\Fonts
2009-11-02 07:53:19 ----D---- C:\Program Files\Lx_cats
2009-11-02 07:00:12 ----D---- C:\Program Files\Easy DVD Player
2009-11-01 10:01:37 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-31 09:57:34 ----D---- C:\$AVG8.VAULT$
2009-10-30 11:20:50 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-10-24 09:11:22 ----D---- C:\WINDOWS\network diagnostic
2009-10-20 13:01:35 ----D---- C:\WINDOWS\WinSxS
2009-10-20 06:16:19 ----ASH---- C:\boot.ini
2009-10-20 06:16:19 ----A---- C:\WINDOWS\win.ini
2009-10-20 06:16:17 ----D---- C:\WINDOWS\pss
2009-10-17 15:31:02 ----HD---- C:\Program Files\InstallShield Installation Information

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-05-26 43672]
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-05 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-05 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-08-05 108552]
R1 GearAspiSys;GearAspiSys; C:\WINDOWS\System32\drivers\gearaspisys.sys [2002-06-24 53412]
R1 SbcpHid;SbcpHid; \??\C:\WINDOWS\system32\Drivers\SbcpHid.sys []
R1 sdcplh;sdcplh; C:\WINDOWS\System32\drivers\sdcplh.sys [2005-08-18 55808]
R1 SiSkp;SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [2003-04-11 10624]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R2 Aspi32;Aspi32; C:\WINDOWS\System32\drivers\aspi32.sys [2002-05-06 16512]
R2 npkcrypt;npkcrypt; \??\C:\Documents and Settings\Geoffrey\Desktop\Geoff's Crap\npkcrypt.sys []
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ltmodem5;Lucent Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-03-31 625537]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2003-08-23 28276]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-02-23 1624491]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2005-07-12 10368]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbcm;USB Cable Modem 351000 NDIS Driver; C:\WINDOWS\System32\DRIVERS\usbcm.sys [2002-04-11 13335]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S2 mrtRate;mrtRate; C:\WINDOWS\system32\drivers\mrtRate.sys []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 2874e298-29f2-4b77-b190-2895f2a8df59;2874e298-29f2-4b77-b190-2895f2a8df59; \??\E:\Player\cds300.dll []
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-17 391424]
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\America Online 8.0\ATWPKT2.SYS []
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-04-15 90907]
S3 mbr;mbr; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys []
S3 nvax;Service for NVIDIA® nForce™ Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2004-10-22 53376]
S3 NVENET;NVIDIA nForce MCP Networking Controller Driver; C:\WINDOWS\System32\DRIVERS\NVENET.sys [2003-04-21 54784]
S3 nvnforce;Service for NVIDIA® nForce™ Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2004-10-22 413824]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2004-08-03 166912]
S3 SilverLink;Texas Instruments SilverLink (USB GraphLink) Cable; C:\WINDOWS\System32\Drivers\SilvrLnk.sys [2002-10-22 21456]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2003-05-06 394752]
S3 StMp3Rec;Player Recovery Device Control Driver; C:\WINDOWS\System32\Drivers\StMp3Rec.sys [2004-03-02 34308]
S3 Sunkfiltp;HP && Alcor Micro Corp for Phison; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WUDFRd;WUDFRd; C:\WINDOWS\system32\DRIVERS\WUDFRd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2009-09-28 109056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-05 297752]
R2 Iomega App Services;Iomega App Services; C:\PROGRA~1\Iomega\System32\AppServices.exe [2002-09-04 73728]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2004-02-23 77824]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-08-08 53520]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-09-26 133104]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-15 182768]
S3 lxcg_device;lxcg_device; C:\WINDOWS\system32\lxcgcoms.exe [2005-07-25 491520]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 Iomega Activity Disk2;Iomega Activity Disk2; []

-----------------EOF-----------------

Hi CSF

How are things running now?


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  
  CODE
  File::
  C:\Documents and Settings\Sarah\Application Data\Google\pzpsp23511834.exe
  C:\DOCUME~1\Sarah\LOCALS~1\Temp\yaywvuSk.dll
  
  Registry::
  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsvcon]
  [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
  "%windir%\system32\drivers\svchost.exe"=-
  
  
• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• If you need help to disable your protection programs see here.
  QUOTE
  AVG 8.5
  

  • Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
  • Click on Open AVG Interface.
  • Double click on Resident Shield
  • Deselect the option to "Enable Resident Shield."
  • Save changes, and exit the application.
  • To re-enable AVG 8.5, please select "Enable Resident Shield" again.
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Malwarebytes' Anti-Malware

As you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

• Open Malwarebytes' Anti-Malware
• Select the Update tab
• Click Check for Updates
• After the update have been completed, Select the Scanner tab.
• Select Perform full scan, then click on Scan
• Leave the default options as it is and click on Start Scan
• When done, you will be prompted. Click OK, then click on Show Results
• Check all items except items in the C:\System Volume Information folder... then click on Remove Selected
• After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.


ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

• Please go here then click on:
  
  QUOTE
  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
• Select the option YES, I accept the Terms of Use then click on:
• When prompted allow the Add-On/Active X to install.
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
• Now click on Advanced Settings and select the following:

• Scan for potentially unwanted applications
• Scan for potentially unsafe applications
• Enable Anti-Stealth Technology
• Now click on:
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically.
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
• Now click on:
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
• Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


In your next reply:

1. Combofix.txt
2. MBAM log
3. ESET online scan log
4. How are things running?

Things have run well all along except that mbam.exe could not be found. I will try to run Malwarebytes now and post that separately. I did ty to boot up in safe mode using F8 last night and it would not boot up. It just stopped when I used F8.

Thanks.


ComboFix 09-11-04.02 - Owner 11/04/2009 21:59.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.329 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\melboy1.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\docume~1\Sarah\LOCALS~1\Temp\yaywvuSk.dll"
"c:\documents and settings\Sarah\Application Data\Google\pzpsp23511834.exe"
.

((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-03 21:42 . 2009-11-03 21:43 -------- d-----w- c:\program files\trend micro
2009-11-03 21:42 . 2009-11-03 21:43 -------- d-----w- C:\rsit
2009-11-03 21:38 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 21:38 . 2009-11-03 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 21:38 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 20:46 . 2009-11-03 21:04 -------- d-----w- C:\melboy1
2009-11-03 14:26 . 2009-10-17 15:16 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-02 12:59 . 2009-11-02 17:47 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-30 23:20 . 2009-10-30 23:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-10-30 01:43 . 2009-10-30 01:43 -------- d-----w- c:\documents and settings\Owner\NTI-Shadow
2009-10-20 19:05 . 2009-10-20 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-10-20 19:01 . 2009-11-02 17:47 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 14:06 . 2006-10-03 23:19 -------- d-----w- c:\program files\Lx_cats
2009-11-04 13:38 . 2009-08-25 16:46 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-03 21:33 . 2003-12-23 21:34 -------- d-----w- c:\program files\Java
2009-11-03 21:27 . 2003-08-23 14:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 21:19 . 2003-12-29 20:29 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-02 13:00 . 2009-04-24 02:21 -------- d-----w- c:\program files\Easy DVD Player
2009-10-30 17:20 . 2009-08-06 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-28 00:57 . 2009-09-28 00:57 9896868 ----a-w- c:\documents and settings\Sarah\Application Data\InstallShield Installation Information\{81DCEC2B-E069-4985-978B-3230292AB744}\ISSetup.dll
2009-09-28 00:57 . 2009-09-28 00:57 -------- d-----w- c:\documents and settings\Sarah\Application Data\InstallShield Installation Information
2009-09-28 00:57 . 2009-09-28 00:57 14846 ----a-r- c:\documents and settings\Sarah\Application Data\Microsoft\Installer\{81DCEC2B-E069-4985-978B-3230292AB744}\ARPPRODUCTICON.exe
2009-09-28 00:56 . 2009-09-28 00:56 -------- d-----w- c:\program files\NewTech Infosystems
2009-09-28 00:56 . 2009-09-28 00:57 316736 ----a-w- c:\documents and settings\Sarah\Application Data\InstallShield Installation Information\{81DCEC2B-E069-4985-978B-3230292AB744}\setup.exe
2009-09-26 19:20 . 2004-05-30 21:39 -------- d-----w- c:\program files\Google
2009-09-08 02:25 . 2009-09-03 01:30 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft
2009-08-30 07:10 . 2005-12-28 22:50 39896 ----a-w- c:\documents and settings\Geoffrey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 12:32 . 2003-08-23 14:12 39896 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 17:39 . 2009-08-25 17:39 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-25 11:41 . 2009-08-25 11:41 7424000 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
2009-08-25 11:15 . 2008-07-14 15:16 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-08-08 00:50 . 2009-02-04 00:36 1 ----a-w- c:\documents and settings\Sarah\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2004-01-08 02:27 . 2004-01-08 02:27 0 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-02_17.49.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-05 00:20 . 2009-11-05 00:20 16384 c:\windows\temp\Perflib_Perfdata_620.dat
+ 2009-11-03 21:20 . 2009-11-03 21:20 3940352 c:\windows\Installer\3495e6.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-02-23 3026944]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-06 01:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips GoGear ARIA Device Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Philips GoGear ARIA Device Manager.lnk
backup=c:\windows\pss\Philips GoGear ARIA Device Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sarah^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Sarah\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ATTNaturalVoices\\TTS1.2\\Desktop\\bin\\ttsdesktopproxy.exe"=
"c:\\Documents and Settings\\Geoffrey\\Desktop\\Geoff's Crap\\Patcher.exe"=
"c:\\Program Files\\WIZET\\MSEA\\NewPatcher.exe"=
"c:\\Documents and Settings\\Geoffrey\\Desktop\\Geoff's Crap\\MapleStory.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/5/2009 7:19 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/5/2009 7:19 PM 108552]
R1 GearAspiSys;GearAspiSys;c:\windows\system32\drivers\GEARASPISYS.SYS [2/6/2004 10:23 PM 53412]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/5/2009 7:18 PM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/26/2009 1:15 PM 133104]
S2 mrtRate;mrtRate; [x]
S3 2874e298-29f2-4b77-b190-2895f2a8df59;2874e298-29f2-4b77-b190-2895f2a8df59;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 19:15]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 19:15]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 22:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6080)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-05 22:18
ComboFix-quarantined-files.txt 2009-11-05 04:18
ComboFix2.txt 2009-11-03 21:04
ComboFix3.txt 2009-11-03 13:27
ComboFix4.txt 2009-11-02 17:55

Pre-Run: 15,101,255,680 bytes free
Post-Run: 15,246,225,408 bytes free

Hi Melboy. I Just realized I did not read your instructions through full on the malwarebytes scan and had it delete all included the system volume information. Here is the log. Let me know if I need to, or can, go back to correct this. Here is the log.

Malwarebytes' Anti-Malware 1.41
Database version: 3103
Windows 5.1.2600 Service Pack 3

11/5/2009 2:40:54 AM
mbam-log-2009-11-05 (02-40-54).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 267357
Time elapsed: 1 hour(s), 56 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\dakagego.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\duhavevo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gadonesi.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nopulana.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\petolahu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sibogaya.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ziluyuda.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zuhuyaba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1372\A0143053.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1376\A0144160.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1428\A0149741.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1428\A0149742.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1429\A0149840.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1429\A0149841.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1429\A0149842.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1429\A0149843.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1429\A0149844.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1430\A0150125.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1430\A0150115.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1430\A0150119.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1430\A0150120.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1430\A0150123.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1430\A0150130.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1430\A0150133.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1430\A0150134.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

I have tried to reun the ESET scan, but every time I try to add the active x application (clicking on bar at top of screen, then "add for all users), internet explorer shuts it down and will not let it in. I tried this numerous times with the same result. I don't know if I still have Mozilla on here, but If I do, I will try it with Firefox.

Here is the ESET scan log.

Thanks.

C:\Documents and Settings\Sarah\Application Data\Sun\Java\Deployment\cache\6.0\42\6304da6a-14f44ef9 probably a variant of Win32/Agent trojan
C:\Documents and Settings\Sarah\Application Data\Sun\Java\Deployment\cache\6.0\57\3967d2b9-1b47269d probably a variant of Win32/Agent trojan
C:\Documents and Settings\Sarah\Application Data\Sun\Java\Deployment\cache\6.0\58\6c282b7a-236a2ed4 probably a variant of Win32/Agent trojan
C:\Documents and Settings\Sarah\Application Data\Sun\Java\Deployment\cache\6.0\7\3403c2c7-5cedc132 probably a variant of Win32/Agent trojan
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe probably a variant of Win32/Agent trojan
C:\Qoobox\Quarantine\[4]-Submit_2009-11-03_07.02.37.zip multiple threats
C:\Qoobox\Quarantine\[4]-Submit_2009-11-03_14.48.02.zip a variant of Win32/Kryptik.ACU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\pmkmudme.ini.vir Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1430\A0150126.ini Win32/Adware.Virtumonde.NEO application

Hi CSF

It looks like one of the previous file uploads didn't make it.

Please visit this site & follow the instructions for uploading the [4]-Submit_2009-11-03_07.02.37.zip file.

• Copy/paste the contents of the Code Box below into the Link to topic where this file was requested: box:
  
  CODE
  http://www.malwarebytes.org/forums/index.php?showtopic=29441
  
  
• Click Browse & navigate to:
  
  
  • C:\Qoobox\Quarantine\[4]-Submit_2009-11-03_07.02.37.zip.
  
  
• Click Open then Send File.

ATF-Cleaner

Please download ATF Cleaner by Atribune.

• Save it to your desktop
• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.
  
  If you use Firefox browser
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords
  please click No at the prompt.
  
  If you use Opera browser
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords
  please click No at the prompt.
  
  
• Click Exit on the Main menu to close the program.

SafeBoot Repair

Download and run SafeBootKeyRepair.exe by sUBs.

• A log will be produced at C:\SafeBoot_Repair.txt
• Please post that in your next reply.
• Let me know if you can boot into Safe Mode now.

Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.

• Double click on RSIT.exe to run it.
• Click Continue at the disclaimer screen.
  RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"...will be reproduced. (it will be maximized)
• Please post ONLY the "log.txt", file contents in your next reply.

In your next reply:

1. C:\SafeBoot_Repair.txt
2. RSIT Log.txt
3. Let me know if you can boot into Safe Mode

Thanks Melboy. Here is the safeboot log:

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AVG Anti-Spyware Driver]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PEVSystemStart]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AVG Anti-Spyware Driver]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PEVSystemStart]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sharedaccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\UploadMgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PEVSystemStart
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\procexp90.Sys



And here is the RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-11-07 09:37:13
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 14 GB (13%) free of 109 GB
Total RAM: 703 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:29 AM, on 11/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\spider.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144238640765
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7420 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11222041-111B-46E3-BD29-EFB2449479B1}]
IEPlugin Class - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL [2008-12-24 145920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-07-25 321312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-10-17 762864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - HP View - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll [2003-06-16 98304]

{ACB1E670-3217-45C4-A021-6B829A8A27CB}
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-08-27 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2004-02-23 3026944]
"LXCGCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16 []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-01-31 385024]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-11-03 2028312]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-20 68856]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2009-10-10 203264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE [2003-06-18 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe [2003-06-22 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe [2002-10-07 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n'Drop_Autolaunch]
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
C:\Program Files\Lexmark 2300 Series\ezprint.exe [2005-08-01 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2005-07-12 299008]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe [2003-04-07 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-16 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe [2003-05-23 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe [2003-05-23 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe [1998-05-07 52736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE [2003-02-11 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe [2005-07-21 200704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent]
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe [2005-04-27 6856704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe [2007-09-11 95536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe [2002-10-16 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-01-31 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Program Files\Real\RealOne Player\realplay.exe /RunUPGToolCommandReBoot []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-13 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
C:\Program Files\Multimedia Card Reader\shwicon2k.exe [2003-08-09 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-20 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqtra08.exe [2003-06-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips GoGear ARIA Device Manager.lnk]
C:\PROGRA~1\Philips\GOGEAR~1\GOGEAR~1.EXE [2009-03-13 1611152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
C:\PROGRA~1\Quicken\bagent.exe [2002-09-20 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
C:\PROGRA~1\INTERM~1\SPAMSU~1\SPAMSU~1.EXE -q []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sarah^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
C:\PROGRA~1\OPENOF~1.4\program\QUICKS~1.EXE []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-05 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-04-07 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\Program Files\HP\HP Software Update\HPWUCli.exe"="C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\Program Files\ATTNaturalVoices\TTS1.2\Desktop\bin\ttsdesktopproxy.exe"="C:\Program Files\ATTNaturalVoices\TTS1.2\Desktop\bin\ttsdesktopproxy.exe:*:Enabled:ttsdesktopproxy"
"C:\Documents and Settings\Geoffrey\Desktop\Geoff's Crap\Patcher.exe"="C:\Documents and Settings\Geoffrey\Desktop\Geoff's Crap\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\Program Files\WIZET\MSEA\NewPatcher.exe"="C:\Program Files\WIZET\MSEA\NewPatcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\Documents and Settings\Geoffrey\Desktop\Geoff's Crap\MapleStory.exe"="C:\Documents and Settings\Geoffrey\Desktop\Geoff's Crap\MapleStory.exe:*:Enabled:MapleStory"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient.exe"="C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient.exe:*:Enabled:Abaclient"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"

======List of files/folders created in the last 1 months======

2009-11-07 09:01:45 ----A---- C:\SAFEBOOT_REPAIR.TXT
2009-11-05 06:32:03 ----D---- C:\Program Files\Mozilla Firefox
2009-11-04 22:18:17 ----A---- C:\ComboFix.txt
2009-11-04 21:57:07 ----D---- C:\melboy131819m
2009-11-03 15:42:48 ----D---- C:\Program Files\trend micro
2009-11-03 15:42:45 ----D---- C:\rsit
2009-11-03 15:38:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-03 15:18:30 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-11-03 15:04:05 ----D---- C:\WINDOWS\temp
2009-11-03 14:46:07 ----D---- C:\melboy1
2009-11-02 11:28:50 ----A---- C:\WINDOWS\zip.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\SWSC.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\SWREG.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\sed.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\PEV.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\NIRCMD.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\MBR.exe
2009-11-02 11:28:50 ----A---- C:\WINDOWS\grep.exe
2009-11-02 11:28:44 ----D---- C:\WINDOWS\ERDNT
2009-11-02 06:59:59 ----D---- C:\WINDOWS\SxsCaPendDel
2009-10-29 19:47:00 ----AD---- C:\Qoobox
2009-10-20 13:05:01 ----D---- C:\Documents and Settings\Owner\Application Data\DivX
2009-10-20 13:01:27 ----D---- C:\Program Files\DivX

======List of files/folders modified in the last 1 months======

2009-11-07 09:37:17 ----D---- C:\WINDOWS\Prefetch
2009-11-07 09:11:43 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-06 15:46:51 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-06 07:21:36 ----D---- C:\Program Files\Lx_cats
2009-11-05 21:53:59 ----AD---- C:\Program Files
2009-11-04 22:13:46 ----AD---- C:\WINDOWS
2009-11-04 22:13:46 ----A---- C:\WINDOWS\system.ini
2009-11-04 22:05:37 ----D---- C:\WINDOWS\system32\drivers
2009-11-04 22:05:37 ----D---- C:\WINDOWS\system32
2009-11-04 22:05:37 ----D---- C:\WINDOWS\AppPatch
2009-11-04 22:05:18 ----AD---- C:\Program Files\Common Files
2009-11-03 15:33:13 ----SHD---- C:\WINDOWS\Installer
2009-11-03 15:33:06 ----D---- C:\Program Files\Java
2009-11-03 15:27:18 ----HD---- C:\Program Files\InstallShield Installation Information
2009-11-03 15:19:24 ----D---- C:\Program Files\Common Files\Adobe
2009-11-03 15:16:45 ----D---- C:\Program Files\Adobe
2009-11-03 07:16:08 ----D---- C:\WINDOWS\system32\config
2009-11-02 11:42:14 ----SD---- C:\WINDOWS\Tasks
2009-11-02 11:42:06 ----RSD---- C:\WINDOWS\Fonts
2009-11-02 07:00:12 ----D---- C:\Program Files\Easy DVD Player
2009-11-01 10:01:37 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-31 09:57:34 ----D---- C:\$AVG8.VAULT$
2009-10-30 11:20:50 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-10-24 09:11:22 ----D---- C:\WINDOWS\network diagnostic
2009-10-20 13:01:35 ----D---- C:\WINDOWS\WinSxS
2009-10-20 06:16:19 ----ASH---- C:\boot.ini
2009-10-20 06:16:19 ----A---- C:\WINDOWS\win.ini
2009-10-20 06:16:17 ----D---- C:\WINDOWS\pss

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-05-26 43672]
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-05 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-05 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-08-05 108552]
R1 GearAspiSys;GearAspiSys; C:\WINDOWS\System32\drivers\gearaspisys.sys [2002-06-24 53412]
R1 SbcpHid;SbcpHid; \??\C:\WINDOWS\system32\Drivers\SbcpHid.sys []
R1 sdcplh;sdcplh; C:\WINDOWS\System32\drivers\sdcplh.sys [2005-08-18 55808]
R1 SiSkp;SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [2003-04-11 10624]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R2 Aspi32;Aspi32; C:\WINDOWS\System32\drivers\aspi32.sys [2002-05-06 16512]
R2 npkcrypt;npkcrypt; \??\C:\Documents and Settings\Geoffrey\Desktop\Geoff's Crap\npkcrypt.sys []
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ltmodem5;Lucent Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-03-31 625537]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2003-08-23 28276]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-02-23 1624491]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2005-07-12 10368]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbcm;USB Cable Modem 351000 NDIS Driver; C:\WINDOWS\System32\DRIVERS\usbcm.sys [2002-04-11 13335]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S2 mrtRate;mrtRate; C:\WINDOWS\system32\drivers\mrtRate.sys []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 2874e298-29f2-4b77-b190-2895f2a8df59;2874e298-29f2-4b77-b190-2895f2a8df59; \??\E:\Player\cds300.dll []
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-17 391424]
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\America Online 8.0\ATWPKT2.SYS []
S3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-04-15 90907]
S3 nvax;Service for NVIDIA® nForce™ Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2004-10-22 53376]
S3 NVENET;NVIDIA nForce MCP Networking Controller Driver; C:\WINDOWS\System32\DRIVERS\NVENET.sys [2003-04-21 54784]
S3 nvnforce;Service for NVIDIA® nForce™ Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2004-10-22 413824]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2004-08-03 166912]
S3 SilverLink;Texas Instruments SilverLink (USB GraphLink) Cable; C:\WINDOWS\System32\Drivers\SilvrLnk.sys [2002-10-22 21456]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2003-05-06 394752]
S3 StMp3Rec;Player Recovery Device Control Driver; C:\WINDOWS\System32\Drivers\StMp3Rec.sys [2004-03-02 34308]
S3 Sunkfiltp;HP && Alcor Micro Corp for Phison; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WUDFRd;WUDFRd; C:\WINDOWS\system32\DRIVERS\WUDFRd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2009-09-28 109056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-05 297752]
R2 Iomega App Services;Iomega App Services; C:\PROGRA~1\Iomega\System32\AppServices.exe [2002-09-04 73728]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2004-02-23 77824]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-08-08 53520]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-09-26 133104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-15 182768]
S3 lxcg_device;lxcg_device; C:\WINDOWS\system32\lxcgcoms.exe [2005-07-25 491520]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 Iomega Activity Disk2;Iomega Activity Disk2; []

-----------------EOF-----------------


I have tried several times this morning to boot up in safe mode using the F8 key with no success.

Thanks again.

Hi CSF

Follow the instructions below exactly, once using F8, and once using F5 and see if it boots to safe mode.

If it does not boot to safe mode, can you best describe the sequence of events that it goes through in your next reply.

http://www.malwareremoval.com/tutorials/safemodeboot.php

Hello Melboy.

I tried several times and my computer will not boot up at all using the F8 or F5 keys.

The hard drive stops spinning and the little light that blinks when the machine is working just stops and does not come back on. I do not get the menu at all.

Thanks.

Hi CSF

Your inability to boot to the Windows Advanced Options Menu may or may not stem from the malware infection. We'll attempt to find out.


Boot.ini Check:
I would like to check the current state of the Boot.ini file to check if it is corrupted or not as follows:

• Open Notepad.
• Copy and Paste everything from the Code Box below into Notepad: <----Start >> Run... type in notepad and select OK

• Go to File >> Save As
• Save File name as "Look.bat" <-- Make sure to include the aprostrious.
• Change Save as Type to All Files and save the file to your Desktop.
• It should look like this:

Now double click on the desktop Look.bat to run the batch file. It will self-delete when completed and produce a notepad text file named bootini on your desktop.
Post the contents of that file in your next reply.



Gmer

Download GMER Rootkit Scanner from here.

• Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  
  
  Click the image to enlarge it
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
• Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.


In your next reply:

1. GMER log
2. bootini.txt

Here is the boot ini log.

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


And here is the GMER log.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-10 15:30:30
Windows 5.1.2600 Service Pack 3
Running: y33sl4cv[1].exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\awxoqpob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 sdcplh.sys (SDCPLH/Macrovision Europe Ltd)
Device \Driver\atapi \Device\Ide\IdePort0 sdcplh.sys (SDCPLH/Macrovision Europe Ltd)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sdcplh.sys (SDCPLH/Macrovision Europe Ltd)
Device \Driver\atapi \Device\Ide\IdePort1 sdcplh.sys (SDCPLH/Macrovision Europe Ltd)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f sdcplh.sys (SDCPLH/Macrovision Europe Ltd)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Thanks.

Hi CSF

SafebootCreator
Download SafebootCreator by Noahdfear & save it to your Desktop.

• Double click SafebootCreator.exe to launch it
• Select Option 1 by hitting your 1 key then hit Enter
• A text box will open, read the content then close the box
• A Notepad file will open showing the contents of your new Boot.ini file
• Copy/Paste the contents in your next reply please.
• Do not re-boot your computer until I've looked at your new Boot.ini file and told you it's OK to do so

Thanks Melboy.

Here it is. I'll leave this computer running until I get your reply.

Thanks.


[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Safe Mode Microsoft Windows XP Home Edition" /safeboot:minimal

Hi CSF

That looks good.

When you reboot now, you should see three options:


Use your arrow keys to select which boot option you would like and press enter.

If you don't choose anything, Windows should boot normally after a short time.

Go ahead and try Safe Mode Microsoft Windows XP Home Edition.

Post back with how you did.

Hi Melboy.

I am not getting the menu you describe. It boots up normally. I am not tapping on F8. Am I supposed to do that?

Thanks

Hi CSF


No, no need to tap F8. There is a problem somewhere.

As your logs look free of malware, that problem does not appear to be malware related.

I suggest you try a general PC troubleshooting forum for this.
These sites have a variety of experts with experience in other areas of Computing & Technology that are better equipped to investigate and resolve these kinds of issues.

Links for some recommended forums are provided below. Registration is free, it only takes a few minutes.
The Elder Geek on Windows

BleepingComputer.com

WhattheTech

Sorry I couldn't be of further help.

======================================================================

SafebootCreator

• Double click SafebootCreator.exe to launch it
• Select Option 2 by hitting your 2 key then hit Enter
• A Notepad file will open showing the contents of your restored original Boot.ini file which should match:
  
  CODE
  [boot loader]
  timeout=3
  default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
  [operating systems]
  multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
  C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
• If it doesn't match the above Do not proceed. Do not re-boot your computer and Copy/Paste the contents of the notepad file in your next reply please.
  
  
• If it does match the above, please continue with the instructions below.

======================================================================

We need to remove some of the programs I had you use.

Uninstall Combofix
We Need to Remove ComboFix

1. Please go to Start -> Run
2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
   
3. Press OK (Or hit enter).
4. Allow ComboFix to remove itself.

OTC by OldTimer

Download OTC by Old Timer and save it to your Desktop.

• Double-click OTC.exe
• Click the CleanUp! button
• Select Yes when the Begin cleanup Process? Prompt appears
• If you are prompted to Reboot during the cleanup, select Yes
• The tool will delete itself once it finishes, if not delete it by yourself

======================================================================

This is my general post for when your logs show no more signs of malware, although please remember the advice in my previous reply appertaining to the Backdoor infection you had. Although your logs look clean - I can't guarantee that it is at all secure.


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

• Make sure that you keep your antivirus updated
  New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  Uninstall Tools for Major Antivirus Products
• Security Updates for Windows, Internet Explorer & Microsoft Office
  Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
  Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
• Update Non-Microsoft Programs
  Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

• WinPatrol
  As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  
• Malwarebytes' Anti-Malware
  As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. (TIP: Cleaning out temp files can reduce scanning times.)
  Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  
• Hosts File
  For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  
• Use an alternative Internet Browser
  Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
  Firefox
  Opera
  
• Install and use a firewall with outbound protection
  The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
  Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
  Suggestions:
  
  • Online Armor Free
  • PcTools Firewall (Free)
  • Outpost Firewall Free
  
  [Please note that trial pay is not needed to get any product for free.]

Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!