Author Topic: [Resolved] Do I have a rootkit...please help?  (Read 3804 times)

Offline 10rand

  • Bronze Member
  • Posts: 6
[Resolved] Do I have a rootkit...please help?
« on: December 28, 2008, 11:42:56 AM »
Please help, I have just run a scan with GMER, and it shows that there is a 'rootkit-like behavior and copy of MBR'. I would like to be sure if I have a rootkit or not. Here is a copy of the GMER log. Thank you in advance.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-28 17:42:31
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwClose [0xF320D576]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwCreateKey [0xF320D432]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwDeleteValueKey [0xF320D910]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwDuplicateObject [0xF320D00A]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwOpenKey [0xF320D50C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwOpenProcess [0xF320CF4A]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwOpenThread [0xF320CFAE]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwQueryValueKey [0xF320D62C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwRestoreKey [0xF320D5EC]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwSetValueKey [0xF320D76C]
SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)  ZwTerminateProcess [0xF32C8F20]

---- User IAT/EAT - GMER 1.0.14 ----

IAT             C:\WINDOWS\system32\services.exe[1264] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  00380002
IAT             C:\WINDOWS\system32\services.exe[1264] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]        00380000

---- Devices - GMER 1.0.14 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                         aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                       pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                       aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Disk sectors - GMER 1.0.14 ----

Disk            \Device\Harddisk0\DR0                                                                                          sector 01: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 02: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 03: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 04: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 05: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 06: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 07: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 08: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 09: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 10: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 11: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 12: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 13: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 14: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 15: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 16: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 17: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 18: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 19: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 20: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 21: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 22: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 23: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 24: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 25: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 26: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 27: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 28: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 29: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 30: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 31: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 32: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 33: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 34: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 35: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 36: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 37: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 38: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 39: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 40: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 41: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 42: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 43: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 44: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 45: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 46: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 47: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 48: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 49: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 50: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 51: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 52: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 53: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 54: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 55: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 56: rootkit-like behavior; copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 57: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 58: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 59: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 60: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 61: copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 62: rootkit-like behavior; copy of MBR
Disk            \Device\Harddisk0\DR0                                                                                          sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.14 ----
« Last Edit: January 07, 2009, 11:42:14 AM by negster22 »
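The "copy of MBR" lines in the GMER log above mark sectors in the gap between the MBR and the first partition that hold a copy of sector 0. The script below is an added example written for this thread, not GMER's or mbr.exe's own code: it parses the MBR, scans the gap sectors of a raw disk image for copies of the MBR in the same spirit, and then performs the two-view comparison that mbr.exe summarises as "user & kernel MBR OK" (see the mbr.log posted later in this thread). The disk image, its partition layout and the boot-code bytes are constructed for the example; on a real Windows machine the first sectors would be read from \\.\PhysicalDrive0 as Administrator, and the "kernel" view would come from an independent read path rather than a second copy of the same bytes.

```python
r"""Scan the MBR gap for copies of the MBR and cross-check two views of sector 0.

Added example, not GMER's or mbr.exe's code. It works on a raw disk image held
in memory, so the sample image below is constructed; to look at a live Windows
disk you would read the first sectors of r"\\.\PhysicalDrive0" as Administrator.
"""
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"          # boot signature at offset 510
PART_TABLE = 446               # offset of the four 16-byte partition entries


def parse_mbr(sector0: bytes) -> dict:
    """Split a 512-byte MBR into boot code, used partition entries and signature."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector0[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, size = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": size})
    return {"boot_code": sector0[:PART_TABLE],
            "partitions": partitions,
            "valid_signature": sector0[510:] == MBR_SIG}


def scan_gap_for_mbr_copies(image: bytes) -> list:
    """Report what sits in the unused sectors between the MBR and the first partition.

    The first finding kind corresponds to GMER's "copy of MBR" lines. None of these
    findings is proof of a rootkit on its own: backup and boot-manager tools write
    into this gap too, so treat the output as something to investigate, not a verdict.
    """
    mbr = image[:SECTOR]
    info = parse_mbr(mbr)
    first_lba = min((p["lba_start"] for p in info["partitions"]),
                    default=len(image) // SECTOR)
    findings = []
    for lba in range(1, first_lba):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(sec) < SECTOR:
            break
        if sec == mbr:
            findings.append({"sector": lba, "finding": "exact copy of MBR"})
        elif sec[:PART_TABLE] == mbr[:PART_TABLE] and sec[510:] == MBR_SIG:
            findings.append({"sector": lba,
                             "finding": "copy of MBR boot code, partition table differs"})
        elif any(sec):
            findings.append({"sector": lba, "finding": "non-zero data in MBR gap"})
    return findings


def cross_view_check(user_view: bytes, kernel_view: bytes) -> dict:
    """mbr.exe-style test: sector 0 read through the normal, hookable path must match
    sector 0 read through an independent path. A mismatch means something in the
    I/O stack is presenting a different MBR from the one actually on disk."""
    for offset, (a, b) in enumerate(zip(user_view, kernel_view)):
        if a != b:
            return {"match": False, "first_diff_offset": offset}
    return {"match": len(user_view) == len(kernel_view), "first_diff_offset": None}


def build_sample_image() -> bytes:
    """Constructed 64-sector image (not captured from a real machine): one NTFS
    partition starting at LBA 63, stray data in sector 60, an MBR backup in 62."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])  # xor ax,ax / mov ss,ax / mov sp,7C00h
    boot_code += b"\x90" * (PART_TABLE - len(boot_code))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1000)
    mbr = boot_code + entry + b"\x00" * 48 + MBR_SIG
    sectors = [mbr] + [b"\x00" * SECTOR for _ in range(63)]
    sectors[60] = b"\x7A" * SECTOR     # stray non-zero data in the gap
    sectors[62] = mbr                  # backup copy of the MBR, as imaging tools leave
    return b"".join(sectors)


if __name__ == "__main__":
    img = build_sample_image()
    for f in scan_gap_for_mbr_copies(img):
        print("sector %02d: %s" % (f["sector"], f["finding"]))
    same = cross_view_check(img[:SECTOR], img[:SECTOR])["match"]
    print("user & kernel MBR OK" if same else "MBR views differ")
```

On the sample image the scan reports sector 60 as non-zero data and sector 62 as an exact copy of the MBR, and the two-view check passes. The point of keeping the two checks separate is the one this thread turns on: a copy of the MBR in the gap is an observation that backup and boot tools also produce, while a mismatch between two independent reads of sector 0 is the result that actually indicates something is hiding the real MBR.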

Offline negster22

  • Global Moderator
  • Platinum Member
  • Posts: 3624
    • Secure Computer Solutions
Re: Do I have a rootkit...please help?
« Reply #1 on: December 29, 2008, 09:33:32 PM »
Hi and Welcome to SpywareHammer,

I need some more information from you to determine whether you are "rooted", but I don't think you are.

Please post a HijackThis (HJT) log by following the directions here.
http://spywarehammer.com/simplemachinesforum/index.php?topic=88.0

Then create and post an uninstall list using HJT:

1. Open HijackThis, click "Open the Misc Tools section", then click the "Open Uninstall Manager..." button.

2. The Add/Remove Programs Manager panel should appear.

3. In this panel click the Save list button.

4. Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply

Download mbr.exe to your desktop.

1. Double-click mbr.exe to run it. Alternatively, if your operating system is Vista, please right-click mbr.exe and choose "Run as Administrator".

2. It will create a report called mbr.log on your desktop

3. Open mbr.log in Notepad by double-clicking it, and then post the contents of mbr.log in your next reply

Download and run the ESET MebRoot Removal Tool
 http://www.eset.sk/buxus/generate_page.php?page_id=20689

1. Double-click EMebRemover.exe to launch the program
2. It will quickly open a command console window with the results - either Mebroot was found or not found on your system. Please report back what it says.

Download random's system information tool (RSIT)  from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both C:\RSIT\log.txt (<<will be maximized) and C:\RSIT\info.txt (<<will be minimized)
______________________________________________________________________

So to sum it up, I need you to post back the following items:
1. HJT log
2. HJT Uninstaller list
3. mbr.log
4. The results of the ESET MebRoot Removal Tool
5. The RSIT logs (info.txt and log.txt)
« Last Edit: December 29, 2008, 10:17:14 PM by negster22 »
Microsoft MVP - Consumer Security 2006 - 2011
BITS and PC's

Offline 10rand

  • Bronze Member
  • Posts: 6
Re: [In Progress] Do I have a rootkit...please help?
« Reply #2 on: December 30, 2008, 09:58:14 AM »
What I did while waiting for help:

  • Turned off SUPERAntispyware realtime monitoring.
  • Used CCleaner to empty Temp Files.
  • Created a new Restore point and cleaned all the Restore points except for the latest.
  • Re-scanned with GMER twice. The results did not show the rootkit-like behaviour shown in previous scans.
1.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:16 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Kana Reminder 2.0 beta\Reminder.exe
C:\Program Files\PopTray\PopTray.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Copernic Desktop Search - Home - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search - Home\DesktopSearchBand300000074.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Kana Reminder] "C:\Kana Reminder 2.0 beta\Reminder.exe"
O4 - Startup: PopTray.lnk = C:\Program Files\PopTray\PopTray.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\gprs.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199399808046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202144144328
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9134 bytes


2.

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player
Amic Email Backup v2.0
Any Video Converter 2.6.7
Ashampoo Burning Studio 7.32
avast! Antivirus
Avery Wizard 3.1
Avi2Dvd 0.4.5 beta
AviSynth 2.5
Belarc Advisor 7.2
Bluesoleil2.7.0.13 VoIP Release 071227
BOClean
Canon MP Navigator EX 1.0
Canon MP210 series
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CCleaner (remove only)
C-Media 3D Audio
C-Media WDM Audio Driver
Copernic Desktop Search - Home
Core FTP LE 2.1
Debugging Tools for Windows (x86)
DesignPro 5.4 Limited Edition
DH Driver Cleaner Professional Edition
DivX Codec
DivX Player
DriveImage XML (Private Edition)
DriverMax 4
DVD Shrink 3.2
ERUNT 1.1j
e-Sword
ExplorerXP (remove only)
ffdshow [rev 2107] [2008-09-08]
FileMenu Tools
getPlus(R) for Adobe
GUN
Haali Media Splitter
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Smart Web Printing
Iceows V4.20b
IsoBuster 2.4
Java(TM) 6 Update 11
Just Great Software EditPad Lite 6.4.3
KC Softwares SUMo
Malwarebytes' Anti-Malware
MapStudio Route Planner
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (2.0.0.20)
MPlayer for Windows (Full Package)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
Opera 9.63
Orbit Downloader
Paragon Drive Backup™ 9.0 Express
PC Tools Firewall Plus 5.0
PCI SoftV92 Modem
PDFCreator
PopTray 3.20
Portal
Prevx CSI
QuickTime
Registrar Lite 2.00
ScanSoft OmniPage SE 4
Secunia PSI
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SIMCardReaderPro
SnagIt 7
SpywareBlaster 4.1
Steam
Striata Reader
SUPERAntiSpyware Professional
System Requirements Lab
Team Fortress 2
Test and Improve your Memory
Tweak UI
Undelete Plus 2.97
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
VMware Server
Windows Defender
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinPatrol 2008
WinUpdatesList
XnView 1.95.4
ZSoft Uninstaller 2.4.1

3.

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

4.

"MBR rootkit (Win32/Mebroot) was not found on your system"

5.

log.txt

Logfile of random's system information tool 1.05 (written by random/random)
Run by Vuyo-acc at 2008-12-30 17:29:04
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 21 GB (27%) free of 79 GB
Total RAM: 1023 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:07 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Kana Reminder 2.0 beta\Reminder.exe
C:\Program Files\PopTray\PopTray.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Documents and Settings\Vuyo-acc\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Vuyo-acc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Copernic Desktop Search - Home - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search - Home\DesktopSearchBand300000074.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Kana Reminder] "C:\Kana Reminder 2.0 beta\Reminder.exe"
O4 - Startup: PopTray.lnk = C:\Program Files\PopTray\PopTray.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\gprs.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199399808046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202144144328
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9185 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - C:\Program Files\Orbitdownloader\orbitcth.dll [2008-12-19 134344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
HelperObject Class - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll [2005-10-14 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
HP Print Enhancer - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2008-03-27 322880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-10 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-10 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-10 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
HP Smart BHO Class - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2008-03-27 501056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll [2005-10-14 131072]
{968631B6-4729-440D-9BF4-251F5593EC9A} - Copernic Desktop Search - Home - C:\Program Files\Copernic Desktop Search - Home\DesktopSearchBand300000074.dll [2008-08-28 995328]
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Program Files\Orbitdownloader\GrabPro.dll [2008-12-19 482424]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BOC-427"=C:\PROGRA~1\Comodo\CBOClean\BOC427.exe [2008-07-14 351480]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-11-26 81000]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2008-10-09 333120]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-10-07 13574144]
"nwiz"=nwiz.exe /install []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-10 136600]
"00PCTFW"=C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe [2008-12-11 2652056]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-12-09 1809648]
"Kana Reminder"=C:\Kana Reminder 2.0 beta\Reminder.exe [2007-11-15 1198592]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\gprs.exe

C:\Documents and Settings\Vuyo-acc\Start Menu\Programs\Startup
PopTray.lnk - C:\Program Files\PopTray\PopTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2008-12-09 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSharedDocuments"=1
"NoActiveDesktop"=00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"="C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\Program Files\Orbitdownloader\orbitdm.exe"="C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"C:\Program Files\Orbitdownloader\orbitnet.exe"="C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-12-30 17:29:04 ----D---- C:\rsit
2008-12-29 18:34:50 ----D---- C:\Program Files\PrevxCSI
2008-12-29 18:34:44 ----D---- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-12-23 21:09:26 ----A---- C:\WINDOWS\unvise32qt.exe
2008-12-23 21:09:08 ----D---- C:\WINDOWS\system32\QuickTime
2008-12-23 21:09:06 ----D---- C:\Program Files\QuickTime
2008-12-23 21:09:06 ----D---- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-12-23 21:08:21 ----D---- C:\Program Files\Happyneuron
2008-12-22 19:19:18 ----D---- C:\Program Files\Moai
2008-12-21 09:42:35 ----D---- C:\Documents and Settings\Vuyo-acc\Application Data\XnView
2008-12-21 09:41:42 ----D---- C:\Program Files\XnView
2008-12-20 22:50:39 ----D---- C:\Documents and Settings\Vuyo-acc\Application Data\Q-Dir
2008-12-20 22:50:35 ----A---- C:\WINDOWS\Q-Dir.ini
2008-12-20 22:45:47 ----D---- C:\Q-Dir
2008-12-18 17:31:46 ----D---- C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-12-18 17:20:43 ----D---- C:\Program Files\IVT Corporation
2008-12-14 20:25:10 ----D---- C:\Program Files\MPlayer for Windows
2008-12-13 19:31:26 ----A---- C:\WINDOWS\distlib.ini
2008-12-13 06:42:11 ----A---- C:\WINDOWS\system32\pgdfgsvc.exe
2008-12-12 15:25:15 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-12 15:21:40 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-12 15:21:12 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-12 15:21:03 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-08 20:44:18 ----D---- C:\Program Files\e-Sword
2008-12-06 17:40:50 ----D---- C:\Program Files\mapstudio route planner south africa
2008-12-06 17:40:50 ----D---- C:\Program Files\MapStudio
2008-12-06 17:40:50 ----D---- C:\Program Files\Common Files\mapserv
2008-12-06 17:40:50 ----D---- C:\Program Files\Common Files\gis
2008-12-06 07:10:32 ----D---- C:\Program Files\Secunia
2008-12-03 12:07:51 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-03 12:07:51 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-03 12:07:51 ----A---- C:\WINDOWS\system32\java.exe
2008-12-01 06:16:52 ----RA---- C:\WINDOWS\system32\vnetinst.dll
2008-12-01 06:16:39 ----A---- C:\WINDOWS\system32\vmnetdhcp.exe
2008-12-01 06:16:35 ----A---- C:\WINDOWS\system32\vmnat.exe
2008-12-01 06:16:25 ----A---- C:\WINDOWS\system32\vnetlib.dll
2008-12-01 06:11:02 ----D---- C:\Virtual Machines
2008-12-01 06:11:02 ----D---- C:\Program Files\Common Files\VMware

======List of files/folders modified in the last 1 months======

2008-12-30 17:28:47 ----D---- C:\WINDOWS\Prefetch
2008-12-30 17:19:00 ----D---- C:\Program Files\Mozilla Firefox
2008-12-30 17:13:34 ----D---- C:\WINDOWS\erdnt
2008-12-30 16:36:36 ----D---- C:\Documents and Settings\Vuyo-acc\Application Data\HPAppData
2008-12-30 16:20:43 ----D---- C:\Documents and Settings\Vuyo-acc\Application Data\Orbit
2008-12-30 16:20:31 ----D---- C:\Downloads
2008-12-30 16:16:16 ----SD---- C:\WINDOWS\Tasks
2008-12-30 16:15:09 ----D---- C:\WINDOWS\Temp
2008-12-30 16:13:44 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-30 16:13:41 ----A---- C:\WINDOWS\BOC427.INI
2008-12-30 16:13:37 ----D---- C:\Documents and Settings\All Users\Application Data\VMware
2008-12-30 07:51:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-30 07:38:20 ----A---- C:\WINDOWS\gmer.ini
2008-12-30 07:31:03 ----D---- C:\WINDOWS
2008-12-30 06:16:23 ----D---- C:\WINDOWS\Minidump
2008-12-30 06:16:23 ----D---- C:\WINDOWS\Debug
2008-12-29 20:57:52 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-29 20:34:23 ----D---- C:\Spyware Removal Tools
2008-12-29 20:26:27 ----D---- C:\WINDOWS\system32\drivers
2008-12-29 19:28:37 ----D---- C:\Documents and Settings\Vuyo-acc\Application Data\VMware
2008-12-29 19:17:21 ----RD---- C:\Program Files
2008-12-29 19:17:19 ----A---- C:\Documents and Settings\Vuyo-acc\Application Data\inst.exe
2008-12-27 23:06:11 ----D---- C:\WINDOWS\system32\NtmsData
2008-12-26 15:41:39 ----D---- C:\WINDOWS\system32
2008-12-26 10:02:52 ----D---- C:\Documents and Settings\Vuyo-acc\Application Data\Adobe
2008-12-26 10:00:55 ----D---- C:\Program Files\SpywareBlaster
2008-12-25 10:59:50 ----D---- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-12-24 08:40:06 ----HD---- C:\WINDOWS\inf
2008-12-23 06:01:32 ----D---- C:\batch files practise
2008-12-22 19:19:22 ----SHD---- C:\WINDOWS\Installer
2008-12-22 19:19:22 ----SHD---- C:\Config.Msi
2008-12-22 19:18:58 ----D---- C:\WINDOWS\WinSxS
2008-12-20 18:19:03 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-20 15:40:43 ----D---- C:\Program Files\Orbitdownloader
2008-12-19 22:06:52 ----D---- C:\Program Files\Steam
2008-12-19 06:35:31 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-19 06:35:25 ----D---- C:\WINDOWS\ie7updates
2008-12-19 06:35:06 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-18 17:21:37 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-17 07:49:09 ----D---- C:\Program Files\Opera
2008-12-15 19:47:48 ----D---- C:\Program Files\PC Tools Firewall Plus
2008-12-15 19:45:44 ----D---- C:\Program Files\Common Files\PC Tools
2008-12-15 07:34:29 ----D---- C:\Program Files\CoreFTP
2008-12-14 07:27:35 ----D---- C:\WINDOWS\system32\wbem
2008-12-13 08:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-12 21:11:02 ----D---- C:\WINDOWS\system32\config
2008-12-12 21:10:51 ----D---- C:\WINDOWS\Registration
2008-12-12 21:02:08 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-12-12 15:25:00 ----A---- C:\WINDOWS\win.ini
2008-12-12 15:23:58 ----D---- C:\Program Files\Internet Explorer
2008-12-10 01:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-09 06:02:11 ----D---- C:\Program Files\SUPERAntiSpyware
2008-12-08 20:58:34 ----D---- C:\Program Files\Free Internet Window Washer
2008-12-08 20:44:18 ----RSD---- C:\WINDOWS\Fonts
2008-12-06 17:40:50 ----D---- C:\Program Files\Common Files
2008-12-04 17:48:01 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-03 16:27:47 ----D---- C:\BGT20
2008-12-03 16:19:18 ----A---- C:\WINDOWS\budgettracker.INI
2008-12-03 12:07:48 ----D---- C:\Program Files\Java
2008-12-01 06:23:12 ----D---- C:\WINDOWS\security
2008-12-01 06:10:39 ----D---- C:\Program Files\VMware

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-11-26 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-11-26 111184]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-11-26 50864]
R1 BANTExt;Belarc SMBios Access; C:\WINDOWS\System32\Drivers\BANTExt.sys [2008-02-27 3840]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 pctgntdi;pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys []
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-11-26 94032]
R2 Fallback;Fallback; C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [2001-08-17 289887]
R2 Fsks;Fsks; C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [2001-08-17 115807]
R2 hcmon;VMware hcmon; \??\C:\WINDOWS\system32\Drivers\hcmon.sys []
R2 K56;K56; C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [2001-08-17 391199]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 PCTAppEvent;PCTAppEvent Driver; \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys []
R2 SoftFax;SoftFax; C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [2001-08-17 199711]
R2 Tones;Tones; C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [2001-08-17 50751]
R2 V124;V124; C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [2001-08-17 488383]
R2 VMnetBridge;VMware Bridge Protocol; C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys [2008-10-30 23296]
R2 VMnetuserif;VMware Network Application Interface; \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys []
R2 VMparport;VMware VMparport; \??\C:\WINDOWS\system32\Drivers\VMparport.sys []
R2 vmx86;VMware vmx86; \??\C:\WINDOWS\system32\Drivers\vmx86.sys []
R2 vstor2;Vstor2 Virtual Storage Driver; \??\C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vstor2.sys []
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-11-26 23152]
R3 BlueletAudio;Bluetooth Audio Service; C:\WINDOWS\system32\DRIVERS\blueletaudio.sys [2007-06-24 34312]
R3 BlueletSCOAudio;Bluetooth SCO Audio Service; C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys [2007-06-24 27656]
R3 BOCDRIVE;BOClean Kernel Monitor.; \??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []
R3 BT;Bluetooth PAN Network Adapter; C:\WINDOWS\system32\DRIVERS\btnetdrv.sys [2007-03-05 18320]
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2005-12-15 1368000]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-09-22 43520]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2007-04-26 988032]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2007-04-26 267520]
R3 MBAMProtector;MBAMProtector; \??\C:\WINDOWS\system32\drivers\mbam.sys []
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-10-07 6133856]
R3 pctplfw;pctplfw; \??\C:\WINDOWS\system32\drivers\pctplfw.sys []
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2003-03-31 5888]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SFilter;PCTools Driver; C:\WINDOWS\system32\DRIVERS\pctfw.sys [2008-09-22 97408]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 VComm;Virtual Serial port driver; C:\WINDOWS\system32\DRIVERS\VComm.sys [2007-03-05 34448]
R3 VcommMgr;Bluetooth VComm Manager Service; C:\WINDOWS\System32\Drivers\VcommMgr.sys [2007-03-05 44304]
R3 VMnetAdapter;VMware Virtual Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys [2008-10-30 9600]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2007-04-26 731136]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; C:\WINDOWS\system32\drivers\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}.sys []
S3 basic2;basic2; C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [2001-08-17 67167]
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\WINDOWS\System32\Drivers\btcusb.sys [2007-06-24 38920]
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-09-22 43520]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-08-09 85969]
S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSFDPSP2.sys [2004-08-04 1041536]
S3 hsf_msft;hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 MBAMDrvService;MBAMDrvService; \??\C:\WINDOWS\system32\drivers\mbam.sys []
S3 mbr;mbr; \??\C:\DOCUME~1\Vuyo-acc\LOCALS~1\Temp\mbr.sys []
S3 MotDev;Motorola Inc. USB Device; C:\WINDOWS\system32\DRIVERS\motodrv.sys []
S3 MS1000;MS1000; C:\WINDOWS\System32\DRIVERS\MS1000.sys [2008-09-20 3968]
S3 PhSerUsb;PHILOG USB Serial Driver; C:\WINDOWS\system32\DRIVERS\PhSerUsb.sys [2006-06-29 48896]
S3 PSI;PSI; C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-12-10 7808]
S3 Rksample;Rksample; C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [2001-08-17 57471]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-11-26 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-11-26 155160]
R2 BlueSoleil Hid Service;BlueSoleil Hid Service; C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe [2007-12-27 166520]
R2 BOCore;BOCore; C:\Program Files\Comodo\CBOClean\BOCORE.exe [2008-07-14 73464]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-10 152984]
R2 MBAMService;MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-12-03 170640]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-10-07 163908]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus; C:\Program Files\PC Tools Firewall Plus\FWService.exe [2008-12-11 146800]
R2 Start BT in service;Start BT in service; C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-12-27 51816]
R2 VMAuthdService;VMware Authorization Service; C:\Program Files\VMware\VMware Server\vmware-authd.exe [2008-10-30 147548]
R2 VMnetDHCP;VMware DHCP Service; C:\WINDOWS\system32\vmnetdhcp.exe [2008-10-30 106496]
R2 vmount2;VMware Virtual Mount Manager Extended; C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe [2007-05-01 269104]
R2 vmserverdWin32;VMware Registration Service; C:\Program Files\VMware\VMware Server\vmserverdWin32.exe [2008-10-30 1650782]
R2 VMware NAT Service;VMware NAT Service; C:\WINDOWS\system32\vmnat.exe [2008-10-30 135168]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-11-26 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-11-26 352920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 CSIScanner;CSIScanner; C:\Program Files\PrevxCSI\prevxcsi.exe [2008-12-29 927288]
S4 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-10-06 33752]

-----------------EOF-----------------


Offline 10rand

  • Bronze Member
  • Posts: 6
Re: [In Progress] Do I have a rootkit...please help?
« Reply #3 on: December 30, 2008, 10:01:56 AM »
5.

info.txt

info.txt logfile of random's system information tool 1.05 2008-12-30 17:29:09

======Uninstall list======

-->MsiExec.exe /I{09715083-BF10-4834-9E28-B5D8820513CA}
-->MsiExec.exe /I{1E049668-AD90-4008-B213-E20CED2324DD}
-->MsiExec.exe /I{35103A8A-E9D8-40FA-AEC7-4D138952DB30}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Amic Email Backup v2.0-->"C:\Program Files\Amic Tools\Amic Email Backup\unins000.exe"
Any Video Converter 2.6.7-->"C:\Program Files\Any Video Converter\unins000.exe"
Ashampoo Burning Studio 7.32-->"C:\Program Files\Ashampoo\Ashampoo Burning Studio 7\unins000.exe"
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Avery Wizard 3.1-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{EB7A2041-6A16-4BAC-8079-43B985673C2C}
Avi2Dvd 0.4.5 beta-->C:\Program Files\Avi2Dvd\uninst.exe
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
Belarc Advisor 7.2-->C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
Bluesoleil2.7.0.13 VoIP Release 071227-->MsiExec.exe /X{8F85CC2C-4B26-4CF6-B835-DC59BCEDD287}
BOClean-->C:\WINDOWS\UNBOC.EXE
Canon MP Navigator EX 1.0-->"C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Canon MP210 series-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP210_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP210_series /L0x0009
Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint EX-->C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities Solution Menu-->C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
C-Media 3D Audio-->C:\WINDOWS\CMIUnInstall.exe
C-Media WDM Audio Driver-->C:\WINDOWS\system32\cmirmdrv.exe
Copernic Desktop Search - Home-->C:\Program Files\Copernic Desktop Search - Home\uninst.exe
Core FTP LE 2.1-->C:\PROGRA~1\CoreFTP\UNWISE.EXE C:\PROGRA~1\CoreFTP\INSTALL.LOG
Debugging Tools for Windows (x86)-->MsiExec.exe /I{1CD0C3C5-809D-4CFC-904A-1B67C6243637}
DesignPro 5.4 Limited Edition-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{71F6DF7D-B639-4FAD-BA93-E6DF267AA44D}
DH Driver Cleaner Professional Edition-->C:\Program Files\Driver Cleaner Pro\Uninstall.exe
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DriveImage XML (Private Edition)-->"C:\Program Files\Runtime Software\DriveImage XML\Uninstall.exe" "C:\Program Files\Runtime Software\DriveImage XML\install.log" -u
DriverMax 4-->"C:\Program Files\Innovative Solutions\DriverMax\unins000.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
e-Sword-->MsiExec.exe /I{81B1E96C-AA1A-4BCD-9261-0389F1E2A2FA}
ExplorerXP (remove only)-->C:\Program Files\ExplorerXP\Uninst.exe
ffdshow [rev 2107] [2008-09-08]-->"C:\Program Files\ffdshow\unins000.exe"
FileMenu Tools-->"C:\Program Files\LopeSoft\FileMenu Tools\unins000.exe"
getPlus(R) for Adobe-->"C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1
GUN-->"C:\Program Files\Steam\steam.exe" steam://uninstall/2610
Haali Media Splitter-->"C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"
Half-Life 2: Episode One-->"C:\Program Files\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Episode Two-->"C:\Program Files\Steam\steam.exe" steam://uninstall/420
Half-Life 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/220
HijackThis 2.0.2-->"C:\Documents and Settings\Vuyo-acc\My Documents\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Smart Web Printing-->C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpzscr01.exe -datfile hpqbud15.dat
Iceows V4.20b-->C:\Program Files\ICEOWS\Setup.exe /uninstall
IsoBuster 2.4-->"C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Just Great Software EditPad Lite 6.4.3-->C:\WINDOWS\UnDeploy.exe "C:\Program Files\JGsoft\EditPadLite\Deploy.log"
KC Softwares SUMo-->"C:\Program Files\KC Softwares\SUMo\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapStudio Route Planner-->MsiExec.exe /I{B02AB99A-0690-4096-A8E5-5A070ECB2DC5}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (2.0.0.20)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MPlayer for Windows (Full Package)-->C:\Program Files\MPlayer for Windows\Uninstall.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Opera 9.63-->MsiExec.exe /X{2C0CD17D-0B06-4700-83FA-7344B868B0A2}
Orbit Downloader-->"C:\Program Files\Orbitdownloader\unins000.exe"
Paragon Drive Backup™ 9.0 Express-->MsiExec.exe /I{985F828E-0E98-429F-9C05-EF3BDE7568F7}
PC Tools Firewall Plus 5.0-->C:\Program Files\PC Tools Firewall Plus\unins000.exe /LOG
PCI SoftV92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_HSF\UIU32m.exe -U -IPSCRCSR5K.inf
PDFCreator-->C:\Program Files\PDFCreator\unins000.exe
PopTray 3.20-->C:\Program Files\PopTray\Uninstall.exe
Portal-->"C:\Program Files\Steam\steam.exe" steam://uninstall/400
Prevx CSI-->"C:\Program Files\PrevxCSI\prevxcsi.exe" /prop UNINSTALL=Y
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Registrar Lite 2.00-->"C:\Program Files\Registrar Lite\unwise.exe" C:\PROGRA~1\REGIST~1\INSTALL.LOG
ScanSoft OmniPage SE 4-->MsiExec.exe /I{DEE88727-779B-47A9-ACEF-F87CA5F92A65}
Secunia PSI-->"C:\Program Files\Secunia\PSI\uninstall.exe"
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SIMCardReaderPro-->MsiExec.exe /I{79F11E6C-C940-40C1-9694-E6FCD434D46B}
SnagIt 7-->MsiExec.exe /I{4360BB46-507E-4361-8DCB-4FF9BDC9907B}
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Striata Reader-->rundll32.exe C:\WINDOWS\system32\keymail.dll,UninstallDll
SUPERAntiSpyware Professional-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Team Fortress 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/440
Test and Improve your Memory-->C:\PROGRA~1\HAPPYN~1\TESTAN~1\UNWISE.EXE C:\PROGRA~1\HAPPYN~1\TESTAN~1\INSTALL.LOG
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Undelete Plus 2.97-->"C:\Program Files\TouchStoneSoftware\UndeletePlus\unins000.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
VIA Platform Device Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VIA Rhine-Family Fast-Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VMware Server-->MsiExec.exe /I{FEE84D71-7FF0-46C1-AED4-1BD821D53A9F}
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Installer Clean Up-->MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinPatrol 2008-->C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WinUpdatesList-->C:\WINDOWS\zipinst.exe /uninst "C:\Program Files\WinUpdatesList\uninst1~.nsu"
XnView 1.95.4-->"C:\Program Files\XnView\unins000.exe"
ZSoft Uninstaller 2.4.1-->C:\Program Files\ZSoft\Uninstaller\uninst.exe

=====HijackThis Backups=====

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: avast! antivirus 4.8.1296 [VPS 081229-0]
FW: PC Tools Firewall Plus

System event log

Computer Name: VUYO
Event Code: 7034
Message: The VMware Authorization Service service terminated unexpectedly.  It has done this 1 time(s).

Record Number: 37498
Source Name: Service Control Manager
Time Written: 20081209213005.000000+120
Event Type: error
User:

Computer Name: VUYO
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the stopped state.

Record Number: 37497
Source Name: Service Control Manager
Time Written: 20081209194151.000000+120
Event Type: information
User:

Computer Name: VUYO
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 37496
Source Name: Service Control Manager
Time Written: 20081209194150.000000+120
Event Type: information
User:

Computer Name: VUYO
Event Code: 7035
Message: The SASENUM service was successfully sent a start control.

Record Number: 37495
Source Name: Service Control Manager
Time Written: 20081209194147.000000+120
Event Type: information
User: VUYO\Vuyo-acc

Computer Name: VUYO
Event Code: 7036
Message: The Application Layer Gateway Service service entered the running state.

Record Number: 37494
Source Name: Service Control Manager
Time Written: 20081209194147.000000+120
Event Type: information
User:

Application event log

Computer Name: VUYO
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 3501
Source Name: SecurityCenter
Time Written: 20081018224719.000000+120
Event Type: information
User:

Computer Name: VUYO
Event Code: 1000
Message: Using configuration file: C:\Documents and Settings\All Users\Application Data\VMware\vmnetnat.conf.
IP address: 192.168.203.2
 Subnet: 255.255.255.0
External IP address: 0.0.0.0
Device: vmnet8.
MAC address: 00:50:56:FA:45:A6.
Ignoring host MAC address: 00:50:56:C0:00:08.


Record Number: 3500
Source Name: VMware NAT Service
Time Written: 20081018224704.000000+120
Event Type: information
User:

Computer Name: VUYO
Event Code: 1000
Message: Service started

Record Number: 3499
Source Name: VMware NAT Service
Time Written: 20081018224704.000000+120
Event Type: information
User:

Computer Name: VUYO
Event Code: 1
Message: vmount2 service started 1.5.2 build-45706 

Record Number: 3498
Source Name: VMware Virtual Mount Service Extended
Time Written: 20081018224703.000000+120
Event Type: information
User:

Computer Name: VUYO
Event Code: 1103
Message: Virtual machine was added to the inventory: C:\Virtual Machines\ubuntu804desktop\Ubuntu.vmx

Record Number: 3497
Source Name: VMware Server
Time Written: 20081018081718.000000+120
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0304
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem

-----------------EOF-----------------


-------------------------------------------------------------------------------------

Thanks.



Offline negster22

  • Global Moderator
  • Platinum Member
  • Posts: 3624
    • Secure Computer Solutions
Re: [In Progress] Do I have a rootkit...please help?
« Reply #4 on: December 31, 2008, 03:42:41 PM »
Quote
What I did while waiting for help:

    * Turned off SUPERAntispyware realtime monitoring.
    * Used CCleaner to empty Temp Files.
    * Created a new Restore point and cleaned all the Restore points except for the latest.
    * Re-scanned with GMER twice. The results did not show the rootkit like behaviour shown in previous scans.

Excellent, because temps, browser cache, and running programs (especially ones with loaded drivers) can create entries in the Gmer log. You've done your homework.

The logs indicate that you are not infected with the MBR rootkit.  Even the first Gmer log didn't show the usual entries that are consistent with that infection (just multiple copies of the MBR stored in various sectors).

These unidentified hooks are created by Avast:

Quote
---- User IAT/EAT - GMER 1.0.14 ----

IAT             C:\WINDOWS\system32\services.exe[1264] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  00380002
IAT             C:\WINDOWS\system32\services.exe[1264] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]        00380000

Upon doing your "housekeeping", the subsequent scans were negative plus the tools dedicated to detecting the MBR rootkit yielded negative results.  There is additional testing that we could do, but I do not see that it is necessary.

There are benign programs that alter the MBR such as imaging and partitioning programs, plus some computer OEMs like Dell insert proprietary code into the MBR so it is not advisable to restore the MBR, unless it is really infected.

Your HJT log is clean, though you may want to set the BlueSoleil service called "BlueSoleil Hid Service" to manual startup so it is only running when you need it:

To do that:  Click Start -> type services.msc and hit Enter. Scroll down the alphabetically arranged list of services and double-click "BlueSoleil Hid Service". In the Startup Type section, set the startup type to "Manual" in the pull-down menu. Click Apply, click OK, and then close the Services Console.

I still have to look at your RSIT log and will be back after I have done so.

Happy New Year :)


Microsoft MVP - Consumer Security 2006 - 2011
BITS and PC's
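
The "copy of MBR" behaviour mentioned above can be checked by hand when you have a raw disk image. The following is an added example, not code from this thread or from GMER: it parses a 512-byte MBR (bootstrap code, disk signature, partition table, 0x55AA signature), scans a disk image for other sectors that carry the same partition table and signature, and reports whether the boot code in such a copy differs from sector 0. The disk image is constructed in memory, and the location of the stashed copy (sector 62) is an assumption chosen for the demo, not a fact from the thread. As the reply notes, imaging and backup tools can legitimately leave such copies behind, so a hit is a lead to investigate, not proof of infection.

```python
"""
Added example (not code from the original thread or from GMER): parse an MBR and
scan a raw disk image for other sectors holding a copy of it. The image below is
constructed in memory; the sector holding the copy (62) is an assumption.
"""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR
BOOTCODE_LEN = 440            # bootstrap code precedes the 4-byte disk signature
PTABLE_OFF = 446              # four 16-byte partition entries start here


def parse_mbr(sector: bytes) -> Optional[Dict]:
    """Return the parsed MBR, or None if the sector is not a plausible MBR."""
    if len(sector) != SECTOR or sector[510:512] != MBR_SIGNATURE:
        return None
    partitions: List[Dict] = []
    for i in range(4):
        entry = PTABLE_OFF + 16 * i
        # boot flag, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped),
        # LBA of first sector, sector count
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, entry)
        if ptype == 0:
            continue                 # unused slot
        if boot not in (0x00, 0x80):
            return None              # invalid boot indicator: not a real table
        partitions.append({"bootable": boot == 0x80, "type": ptype,
                           "start": lba, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOTCODE_LEN)[0],
        "partitions": partitions,
    }


def find_mbr_copies(image: bytes) -> List[int]:
    """Sector numbers (other than 0) whose partition table and signature match sector 0."""
    if parse_mbr(image[:SECTOR]) is None:
        raise ValueError("sector 0 is not a valid MBR")
    ref_table = image[PTABLE_OFF:SECTOR]
    copies = []
    for lba in range(1, len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[PTABLE_OFF:SECTOR] == ref_table and parse_mbr(sec) is not None:
            copies.append(lba)
    return copies


def bootcode_differs(image: bytes, lba: int) -> bool:
    """True if the bootstrap code at sector `lba` differs from the one at sector 0.

    Same partition table but different boot code is the pattern of a bootkit that
    stashes the original MBR elsewhere; backup and imaging tools can leave the same
    pattern behind, so treat it as a lead, not a verdict.
    """
    a = parse_mbr(image[:SECTOR])
    b = parse_mbr(image[lba * SECTOR:(lba + 1) * SECTOR])
    if a is None or b is None:
        raise ValueError("both sectors must be valid MBRs")
    return a["bootcode_sha256"] != b["bootcode_sha256"]


def _mbr(bootcode: bytes) -> bytes:
    """Assemble a 512-byte MBR: boot code, disk signature, one bootable NTFS entry."""
    assert len(bootcode) == BOOTCODE_LEN
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 1_000_000)
    return (bootcode + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
            + entry + b"\x00" * 48 + MBR_SIGNATURE)


def build_demo_image() -> bytes:
    """Constructed 64-sector image: patched MBR at sector 0, original stashed at 62 (assumed)."""
    original = _mbr(b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (BOOTCODE_LEN - 5))
    patched = _mbr(b"\xEB\x3C" + b"\xCC" * (BOOTCODE_LEN - 2))   # different boot code
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = patched
    image[62 * SECTOR:63 * SECTOR] = original
    return bytes(image)


if __name__ == "__main__":
    img = build_demo_image()
    for lba in find_mbr_copies(img):
        print(f"copy of MBR at sector {lba}, boot code differs: {bootcode_differs(img, lba)}")
```

On a real system you would feed `find_mbr_copies` the first few thousand sectors read from the physical drive (for example with `dd` from a boot CD, so the running kernel cannot filter the read) and compare the sector-0 boot code hash against a copy taken before the anomaly appeared, rather than against the stashed copy alone.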

Offline 10rand

  • Bronze Member
  • Posts: 6
Re: [In Progress] Do I have a rootkit...please help?
« Reply #5 on: January 01, 2009, 05:07:22 AM »
Quote
Your HJT log is clean, though you may want to set the BlueSoleil service called "BlueSoleil Hid Service" to manual startup so it is only running when you need it:

Done. Will wait for your further instructions, there is no rush. I just wanted to make sure that I did not have a rootkit.

Many thanks for your help! Have a blessed and prosperous New Year, you and your family.  ;D

Offline negster22

  • Global Moderator
  • Platinum Member
  • Posts: 3624
    • Secure Computer Solutions
Re: [In Progress] Do I have a rootkit...please help?
« Reply #6 on: January 01, 2009, 08:30:55 PM »
You're welcome, same to you.  If I don't get back to you by Friday - it will have to be Monday because I will be away this weekend.  A quick perusal isn't revealing any infections so I don't anticipate any problems.

Offline 10rand

  • Bronze Member
  • Posts: 6
Re: [In Progress] Do I have a rootkit...please help?
« Reply #7 on: January 04, 2009, 02:47:05 AM »
That is alright. Thanks

Offline negster22

  • Global Moderator
  • Platinum Member
  • Posts: 3624
    • Secure Computer Solutions
Re: [In Progress] Do I have a rootkit...please help?
« Reply #8 on: January 06, 2009, 09:01:25 PM »
I checked out your RSIT log and I do not see anything suspect. I did notice that you have two disk imaging/partitioning programs installed, so perhaps those created the initial MBR anomalies which have since disappeared.

At any rate, I consider your system to be clean - so no worries, and you're good to go.

Offline 10rand

  • Bronze Member
  • Posts: 6
Re: [In Progress] Do I have a rootkit...please help?
« Reply #9 on: January 06, 2009, 09:57:52 PM »
Quote
I did notice that you have two disk imaging/partitioning programs installed, so perhaps those created the initial MBR anomalies which have since disappeared.

I will remove one of them. Thank you very much for your efforts.

Offline negster22

  • Global Moderator
  • Platinum Member
  • Posts: 3624
    • Secure Computer Solutions
Re: [In Progress] Do I have a rootkit...please help?
« Reply #10 on: January 07, 2009, 11:41:36 AM »
You're very welcome and safe surfing!  :)

I'm going to close this topic now and mark it as resolved.