
Infected with Hijack.Windows.Update



I keep finding the Hijack.Windows.Update when I run a scan. Here is the info requested.

DDS (Ver_09-12-01.01) - NTFSx86

Run by Christian Rushmann at 11:20:58.68 on Sun 12/27/2009

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1407.881 [GMT -6:00]

AV: Avanquest SystemSuite *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

FW: Avanquest NetDefense Firewall *enabled* {E9CD9D09-CF58-4ec3-9B3F-E6B12C3E4171}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\pyTivo\pyTivoService.exe

C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe

C:\Python26\python.exe

C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe

C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask2.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Christian Rushmann\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.jsonline.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: XPL LinkScannerIE: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avanquest\systemsuite\LinkScannerIE.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: DataVault Object: {8373adc0-6330-11dd-9d77-22c856d89593} - c:\program files\avanquest\systemsuite\IE_ContextMenu_Vault.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AbacastDistributedOnDemand:11] c:\documents and settings\christian rushmann\local settings\application data\abacastdistributedondemand\node\11\AbacastDistributedOnDemand.exe -r:11 -x:1

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [nwiz] nwiz.exe /install

mRun: [iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe

uPolicies-system: EnableProfileQuota = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: google sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260659840703

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {e2883e8f-472f-4fb0-9522-ac9bf37916a7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\q2mydo3n.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.jsonline.com/

FF - plugin: c:\documents and settings\christian rushmann\application data\facebook\npfbplugin_1_0_0.dll

FF - plugin: c:\documents and settings\christian rushmann\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\christian rushmann\application data\mozilla\plugins\npAbacast.dll

FF - plugin: c:\documents and settings\christian rushmann\application data\mozilla\plugins\NPAbacheck.dll

FF - plugin: c:\documents and settings\christian rushmann\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-4-30 13360]

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-4-30 202928]

R2 pytivo;pyTivo;c:\program files\pytivo\pyTivoService.exe [2008-5-2 77824]

R2 SBAMSvc;SystemSuite;c:\program files\common files\antivirus\SBAMSvc.exe [2008-10-28 886056]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-4-30 69168]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2009-5-1 9433]

R3 KFilter;KFilter;c:\progra~1\avanqu~1\system~1\KFilter.sys [2008-11-20 60272]

R3 TFilter;TFilter;c:\progra~1\avanqu~1\system~1\TFilter.sys [2008-9-22 20225]

S1 91113475;91113475;c:\windows\system32\drivers\91113475.sys --> c:\windows\system32\drivers\91113475.sys [?]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2009-5-1 115744]

S3 ExtranetAccess;Contivity VPN Service;c:\program files\nortel networks\Extranet_serv.exe [2009-5-1 643072]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-4 38224]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-3 189792]

=============== Created Last 30 ================

2009-12-27 17:14:23 20 ----a-w- c:\documents and settings\christian rushmann\defogger_reenable

2009-12-22 01:15:56 0 dc-h--w- c:\windows\ie8

2009-12-20 16:01:52 0 d-----w- c:\docume~1\christ~1\applic~1\Facebook

2009-12-18 01:11:05 0 d-----w- c:\docume~1\christ~1\applic~1\LEGO Company

2009-12-18 01:10:44 0 d-----w- c:\program files\LEGO Company

==================== Find3M ====================

2009-12-03 22:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 22:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-04 01:34:08 41916 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 11:21:37.92 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 4/30/2009 2:03:39 PM

System Uptime: 12/27/2009 11:15:48 AM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A8N-VM CSM

Processor: AMD Athlon 64 Processor 3200+ | CPU 1 | 2008/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 91.868 GiB free.

D: is FIXED (NTFS) - 466 GiB total, 144.754 GiB free.

E: is Removable

F: is Removable

G: is Removable

H: is Removable

I: is CDROM ()

J: is CDROM (CDFS)

K: is FIXED (FAT32) - 233 GiB total, 225.982 GiB free.

L: is FIXED (NTFS) - 466 GiB total, 394.018 GiB free.

M: is FIXED (NTFS) - 112 GiB total, 89.811 GiB free.

P: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CVirtA

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Edited by Maurice Naggar: logs placed in-line.

Hello rushmann and welcome to MalwareBytes' forums.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not rushmann and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Step 1

De-install


Thanks. Followed instructions. Txt files are attached.

Avenger.txt log

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "c:\windows\system32\drivers\91113475.sys" not found!

Deletion of file "c:\windows\system32\drivers\91113475.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Driver "91113475" disabled successfully.

Driver "91113475" deleted successfully.

Folder "C:\recycler" deleted successfully.

Folder "D:\recycler" deleted successfully.

Error: could not open folder "e:\recycler"

Deletion of folder "e:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "f:\recycler"

Deletion of folder "f:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "g:\recycler"

Deletion of folder "g:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "h:\recycler"

Deletion of folder "h:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Completed script processing.

*******************

Finished! Terminate.

MBAM log:

Malwarebytes' Anti-Malware 1.42

Database version: 3454

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/30/2009 12:50:10 AM

mbam-log-2009-12-30 (00-50-10).txt

Scan type: Quick Scan

Objects scanned: 132291

Time elapsed: 12 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Combofix.txt log

ComboFix 09-12-29.04 - Christian Rushmann 12/30/2009 0:54.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1407.922 [GMT -6:00]

Running from: c:\documents and settings\Christian Rushmann\Desktop\Combo-Fix.exe

AV: Avanquest SystemSuite *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\IomIcons.dll

c:\windows\system32\ioReady.dll

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))

.

2009-12-30 06:57 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2009-12-30 06:57 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-12-30 06:18 . 2009-12-30 06:18 -------- d-----w- c:\program files\ERUNT

2009-12-22 01:15 . 2009-12-22 01:17 -------- dc-h--w- c:\windows\ie8

2009-12-20 16:01 . 2009-12-20 16:01 50354 ----a-w- c:\documents and settings\Christian Rushmann\Application Data\Facebook\uninstall.exe

2009-12-20 16:01 . 2009-12-20 16:01 -------- d-----w- c:\documents and settings\Christian Rushmann\Application Data\Facebook

2009-12-18 01:11 . 2009-12-18 01:11 -------- d-----w- c:\documents and settings\Christian Rushmann\Application Data\LEGO Company

2009-12-18 01:10 . 2009-12-18 01:10 -------- d-----w- c:\program files\LEGO Company

2009-12-17 06:50 . 2009-12-17 06:50 847040 ----a-w- c:\documents and settings\Christian Rushmann\Application Data\Facebook\axfbootloader.dll

2009-12-17 06:49 . 2009-12-17 06:49 5562368 ----a-w- c:\documents and settings\Christian Rushmann\Application Data\Facebook\npfbplugin_1_0_0.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-30 07:01 . 2009-09-24 13:18 -------- d-----w- c:\documents and settings\Christian Rushmann\Application Data\Skype

2009-12-30 06:31 . 2009-12-30 06:31 674 ----a-w- C:\backup.reg

2009-12-30 06:31 . 2009-12-30 06:31 574 ----a-w- C:\cleanup.bat

2009-12-30 06:31 . 2009-12-30 06:31 135168 ----a-w- C:\zip.exe

2009-12-30 06:15 . 2009-09-24 13:19 -------- d-----w- c:\documents and settings\Christian Rushmann\Application Data\skypePM

2009-12-30 06:11 . 2009-04-30 20:26 -------- d-----w- c:\program files\OpenOffice.org 3

2009-12-30 06:02 . 2009-05-03 23:29 -------- d-----w- c:\program files\BitLord

2009-12-30 06:00 . 2009-09-12 00:31 -------- d-----w- c:\program files\uTorrent

2009-12-12 14:55 . 2009-05-05 01:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-12 03:50 . 2009-07-21 02:19 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-03 22:14 . 2009-05-05 01:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 22:13 . 2009-05-05 01:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-26 22:12 . 2009-11-26 22:10 218 ----a-w- c:\windows\PowerReg.dat

2009-11-26 22:09 . 2009-11-26 22:09 -------- d-----w- c:\program files\Hasbro Interactive

2009-11-12 03:38 . 2009-11-12 03:26 -------- d-----w- c:\documents and settings\Christian Rushmann\Application Data\Move Networks

2009-11-12 03:26 . 2009-11-12 03:26 127325 ----a-w- c:\documents and settings\Christian Rushmann\Application Data\Move Networks\uninstall.exe

2009-11-12 03:26 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Christian Rushmann\Application Data\Move Networks\plugins\npqmp071505000011.dll

2009-11-07 20:58 . 2009-09-02 02:00 -------- d-----w- c:\program files\Common Files\Adobe

2009-11-04 01:34 . 2009-11-04 01:34 41916 ---ha-w- c:\windows\system32\mlfcache.dat

2009-11-02 01:24 . 2009-07-25 21:05 -------- d-----w- c:\program files\pyTivo

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-02 39408]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2008-09-18 1657376]

"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-5-3 1421328]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/30/2009 9:30 PM 13360]

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [4/30/2009 9:30 PM 202928]

R2 pytivo;pyTivo;c:\program files\pyTivo\pyTivoService.exe [5/2/2008 5:59 PM 77824]

R2 SBAMSvc;SystemSuite;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [10/28/2008 3:28 PM 886056]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/30/2009 9:30 PM 69168]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [5/1/2009 10:34 AM 9433]

R3 KFilter;KFilter;c:\progra~1\AVANQU~1\SYSTEM~1\KFilter.sys [11/20/2008 12:56 PM 60272]

R3 TFilter;TFilter;c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [9/22/2008 3:21 PM 20225]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [5/1/2009 10:34 AM 115744]

S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [5/1/2009 10:34 AM 643072]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/23/2008 3:09 AM 92464]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/1/2009 8:10 AM 721904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PPA3

.

Contents of the 'Scheduled Tasks' folder

2009-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1035525444-839522115-1004Core.job

- c:\documents and settings\Rushmann Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-03 13:15]

2009-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1035525444-839522115-1004UA.job

- c:\documents and settings\Rushmann Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-03 13:15]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.jsonline.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: google sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\Christian Rushmann\Application Data\Mozilla\Firefox\Profiles\q2mydo3n.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.jsonline.com/

FF - plugin: c:\documents and settings\Christian Rushmann\Application Data\Facebook\npfbplugin_1_0_0.dll

FF - plugin: c:\documents and settings\Christian Rushmann\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Christian Rushmann\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-30 01:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3936)

c:\progra~1\AVANQU~1\SYSTEM~1\WinHook.dll

c:\program files\Iomega\DriveIcons\IMGHOOK.DLL

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Skype\Plugin Manager\skypePM.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\windows\system32\nvsvc32.exe

c:\python26\python.exe

c:\progra~1\AVANQU~1\SYSTEM~1\MXTask.exe

c:\progra~1\AVANQU~1\SYSTEM~1\mxtask2.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2009-12-30 01:04:02 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-30 07:04

Pre-Run: 99,562,098,688 bytes free

Post-Run: 99,693,858,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - FD58A55D2A0B7087ECB21BE7F086D7DA

Edited by Maurice Naggar: logs placed in-line. ~ Maurice
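The two "Registry Data Items Infected" lines in the MBAM log above show the mechanism behind the detection: both service ImagePath values point at svchost.exe through %fystemRoot%, a variable Windows does not define, so the path never resolves and neither BITS nor the Windows Update service can start. The script below is an added example, not code from this thread or from Malwarebytes: it parses lines in that MBAM format and reports what is wrong with each flagged ImagePath; the allow-list of environment variables and the expected svchost command lines are assumptions for the example.

```python
"""Check service ImagePath values of the kind flagged as Hijack.WindowsUpdates.

Added example (not from the thread or from Malwarebytes). The two sample lines
are copied from the MBAM log above; the allow-list of environment variables and
the expected svchost command lines are assumptions made for this example.
"""
import re
from typing import List, Optional

# Environment variables the service control manager can expand in an
# ImagePath. A variable outside this set (such as %fystemRoot%) is left
# unexpanded, the resulting path does not exist, and the service cannot start.
# Assumed allow-list; extend it for your own environment.
KNOWN_ENV_VARS = {"systemroot", "windir", "systemdrive", "programfiles",
                  "commonprogramfiles"}

# Expected ImagePath for the two Windows Update related services in the log
# (both run inside the netsvcs svchost group on Windows XP). Assumed baseline.
EXPECTED_IMAGE_PATH = {
    "bits": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "wuauserv": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
}

# One MBAM "Registry Data Items Infected" line has the shape
# <key>\ImagePath (<detection>) -> Bad: (<value>) Good: (<value>) -> <action>
MBAM_LINE_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+?\\Services\\(?P<service>[^\\]+))\\ImagePath"
    r" \((?P<detection>[^)]+)\) -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)"
)
ENV_VAR_RE = re.compile(r"%([^%\\]+)%")

# Constructed sample input: the two detections from the thread plus the
# surrounding section lines that the parser must ignore.
SAMPLE_MBAM_LINES = [
    "Registry Data Items Infected:",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.",
    "Folders Infected:",
    "(No malicious items detected)",
]


def unknown_env_vars(image_path: str) -> List[str]:
    """Return the %VAR% names in image_path that Windows will not expand."""
    return [v for v in ENV_VAR_RE.findall(image_path)
            if v.lower() not in KNOWN_ENV_VARS]


def normalise(image_path: str) -> str:
    """Paths and variable names are case-insensitive on Windows: fold case and whitespace."""
    return " ".join(image_path.lower().split())


def check_image_path(service: str, image_path: str) -> List[str]:
    """Describe each problem with image_path for service; [] means it looks fine."""
    problems = []
    for var in unknown_env_vars(image_path):
        problems.append(f"undefined environment variable %{var}%: path will not resolve")
    expected = EXPECTED_IMAGE_PATH.get(service.lower())
    if expected is not None and normalise(image_path) != normalise(expected):
        problems.append(f"ImagePath differs from the expected '{expected}'")
    return problems


def parse_mbam_line(line: str) -> Optional[dict]:
    """Parse one MBAM registry-data line; None for lines in another format."""
    match = MBAM_LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def audit_mbam_log(lines) -> List[dict]:
    """Run check_image_path over every ImagePath detection in an MBAM log."""
    findings = []
    for line in lines:
        entry = parse_mbam_line(line)
        if entry is None:
            continue
        findings.append({
            "service": entry["service"],
            "detection": entry["detection"],
            "bad_problems": check_image_path(entry["service"], entry["bad"]),
            # the value MBAM restored should pass the same check
            "good_is_clean": not check_image_path(entry["service"], entry["good"]),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_mbam_log(SAMPLE_MBAM_LINES):
        print(finding["service"], finding["detection"])
        for problem in finding["bad_problems"]:
            print("   -", problem)
        print("   restored value clean:", finding["good_is_clean"])
```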

I note a couple of peer-to-peer filesharing apps, BitLord and uTorrent, which I must ask that you de-install before we continue removing malware. De-install both along with any other such application, and confirm that for me.

I do not want this system re-infected by such apps while we try to clean this.

Filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

"File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

Logoff and restart the system fresh after the de-installs.

Next step:

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Next:

Download RootRepeal from one of these links:

>> Link 1<<

or >>Link 2<<

or >>Link 3<<

  • SAVE the zip download to your Desktop.
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

Next:

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Reply with a copy of the RootRepeal log

Log.txt

Info.txt

Do NOT use the attachment option to put your logs. Use NOTEPAD to open each log. Then COPY & Paste contents into your reply box. Thanks.


The two peer-to-peer apps have been uninstalled as completely as possible. There should be no traces of them currently.

I have run a complete scan twice now and seen no reports of the Hijack.Windows.Update and have run all the needed Microsoft Updates.

Here are the reports:

Logfile of random's system information tool 1.06 (written by random/random)

Run by Christian Rushmann at 2009-12-30 19:08:15

Microsoft Windows XP Home Edition Service Pack 3

System drive C: has 94 GB (62%) free of 153 GB

Total RAM: 1407 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:08:33 PM, on 12/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\pyTivo\pyTivoService.exe

C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe

C:\Python26\python.exe

C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe

C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask2.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\Documents and Settings\Christian Rushmann\Desktop\RSIT.exe

C:\Program Files\trend micro\Christian Rushmann.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jsonline.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHelperStub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Avanquest\SystemSuite\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Data Vault - {8373ADC0-6330-11DD-9D77-22C856D89593} - C:\Program Files\Avanquest\SystemSuite\IE_ContextMenu_Vault.dll

O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: google sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1260659840703

O16 - DPF: {e2883e8f-472f-4fb0-9522-ac9bf37916a7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: pyTivo (pytivo) - Unknown owner - C:\Program Files\pyTivo\pyTivoService.exe

O23 - Service: SystemSuite (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe

O23 - Service: SystemSuite Task Manager - Avanquest Software - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe

--

End of file - 6584 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1035525444-839522115-1004Core.job

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1035525444-839522115-1004UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18df081c-e8ad-4283-a596-fa578c2ebdc3}]

Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

AVG Safe Search - C:\Program Files\Avanquest\SystemSuite\avgssie.dll [2009-12-03 1454080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8373ADC0-6330-11DD-9D77-22C856D89593}]

DataVault Object - C:\Program Files\Avanquest\SystemSuite\IE_ContextMenu_Vault.dll [2009-12-03 184088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aa58ed58-01dd-4d91-8333-cf10577473f7}]

Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-11-26 263280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af69de43-7d58-4638-b6fa-ce66b5ad205d}]

Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [2009-11-26 764912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-11-26 263280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"nwiz"=nwiz.exe /install []

"Iomega Drive Icons"=C:\Program Files\Iomega\DriveIcons\ImgIcon.exe [2002-08-13 86016]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]

"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe [2001-09-12 196608]

"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-09-05 417792]

"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-09-08 305440]

"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]

"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-09-01 39408]

"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2009-09-02 25623336]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SBAMSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveAutoRun"=67108863

"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"HonorAutoRunSetting"=

"NoDriveAutoRun"=

"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-12-30 19:08:18 ----D---- C:\Program Files\trend micro

2009-12-30 19:08:15 ----D---- C:\rsit

2009-12-30 09:34:35 ----A---- C:\WINDOWS\system32\mxntdfg.exe

2009-12-30 09:25:29 ----D---- C:\Program Files\Common Files\Wise Installation Wizard

2009-12-30 01:29:37 ----SHD---- C:\RECYCLER

2009-12-30 01:17:54 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$

2009-12-30 01:17:48 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$

2009-12-30 01:17:43 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$

2009-12-30 01:17:37 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$

2009-12-30 01:17:00 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$

2009-12-30 01:16:47 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$

2009-12-30 01:16:40 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$

2009-12-30 01:16:35 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$

2009-12-30 01:16:27 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$

2009-12-30 01:16:20 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$

2009-12-30 01:16:16 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$

2009-12-30 01:16:09 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$

2009-12-30 01:15:57 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$

2009-12-30 01:15:53 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$

2009-12-30 01:15:48 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$

2009-12-30 01:15:44 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$

2009-12-30 01:15:39 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$

2009-12-30 01:12:59 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$

2009-12-30 01:12:51 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$

2009-12-30 01:12:46 ----HDC---- C:\WINDOWS\$NtUninstallKB961371-v2$

2009-12-30 01:12:42 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$

2009-12-30 01:12:37 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$

2009-12-30 01:12:33 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$

2009-12-30 01:12:28 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$

2009-12-30 01:12:24 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$

2009-12-30 01:12:19 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$

2009-12-30 01:12:14 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$

2009-12-30 01:12:07 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$

2009-12-30 01:12:03 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$

2009-12-30 01:11:54 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$

2009-12-30 01:04:04 ----D---- C:\WINDOWS\temp

2009-12-30 01:04:03 ----A---- C:\ComboFix.txt

2009-12-30 00:57:12 ----A---- C:\WINDOWS\system32\proquota.exe

2009-12-30 00:53:20 ----A---- C:\Boot.bak

2009-12-30 00:53:13 ----RASHD---- C:\cmdcons

2009-12-30 00:52:30 ----A---- C:\WINDOWS\zip.exe

2009-12-30 00:52:30 ----A---- C:\WINDOWS\SWXCACLS.exe

2009-12-30 00:52:30 ----A---- C:\WINDOWS\SWSC.exe

2009-12-30 00:52:30 ----A---- C:\WINDOWS\SWREG.exe

2009-12-30 00:52:30 ----A---- C:\WINDOWS\sed.exe

2009-12-30 00:52:30 ----A---- C:\WINDOWS\PEV.exe

2009-12-30 00:52:30 ----A---- C:\WINDOWS\NIRCMD.exe

2009-12-30 00:52:30 ----A---- C:\WINDOWS\MBR.exe

2009-12-30 00:52:30 ----A---- C:\WINDOWS\grep.exe

2009-12-30 00:52:03 ----D---- C:\Qoobox

2009-12-30 00:33:54 ----D---- C:\Avenger

2009-12-30 00:33:54 ----A---- C:\avenger.txt

2009-12-30 00:31:38 ----A---- C:\cleanup.bat

2009-12-30 00:31:37 ----A---- C:\zip.exe

2009-12-30 00:19:05 ----D---- C:\WINDOWS\ERDNT

2009-12-30 00:18:17 ----D---- C:\Program Files\ERUNT

2009-12-21 19:15:56 ----HDC---- C:\WINDOWS\ie8

2009-12-20 10:01:52 ----D---- C:\Documents and Settings\Christian Rushmann\Application Data\Facebook

2009-12-17 19:11:05 ----D---- C:\Documents and Settings\Christian Rushmann\Application Data\LEGO Company

2009-12-17 19:10:44 ----D---- C:\Program Files\LEGO Company

2009-12-13 01:00:29 ----D---- C:\Documents and Settings\Christian Rushmann\Application Data\WinRAR

2009-12-13 00:59:49 ----D---- C:\Program Files\WinRAR

======List of files/folders modified in the last 1 months======

2009-12-30 19:08:24 ----D---- C:\WINDOWS\Prefetch

2009-12-30 19:08:18 ----RD---- C:\Program Files

2009-12-30 19:01:43 ----D---- C:\WINDOWS\system32\drivers

2009-12-30 19:01:43 ----D---- C:\_Backup

2009-12-30 17:53:57 ----D---- C:\WINDOWS\system32

2009-12-30 17:52:58 ----D---- C:\Documents and Settings\Christian Rushmann\Application Data\Skype

2009-12-30 17:47:52 ----D---- C:\Documents and Settings\Christian Rushmann\Application Data\skypePM

2009-12-30 09:45:21 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-12-30 09:34:35 ----D---- C:\WINDOWS

2009-12-30 09:34:34 ----SHD---- C:\WINDOWS\Installer

2009-12-30 09:31:14 ----D---- C:\WINDOWS\WinSxS

2009-12-30 09:31:12 ----D---- C:\Program Files\Common Files\AntiVirus

2009-12-30 01:59:13 ----D---- C:\WINDOWS\Microsoft.NET

2009-12-30 01:59:08 ----RSD---- C:\WINDOWS\assembly

2009-12-30 01:46:05 ----D---- C:\WINDOWS\system32\CatRoot2

2009-12-30 01:26:37 ----RSHDC---- C:\WINDOWS\system32\dllcache

2009-12-30 01:24:26 ----D---- C:\WINDOWS\AppPatch

2009-12-30 01:24:26 ----D---- C:\Program Files\Internet Explorer

2009-12-30 01:17:59 ----HD---- C:\WINDOWS\inf

2009-12-30 01:17:54 ----HD---- C:\WINDOWS\$hf_mig$

2009-12-30 01:17:52 ----A---- C:\WINDOWS\imsins.BAK

2009-12-30 01:17:09 ----D---- C:\WINDOWS\ie8updates

2009-12-30 01:15:25 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2009-12-30 01:12:26 ----D---- C:\Program Files\Outlook Express

2009-12-30 01:06:19 ----D---- C:\WINDOWS\Help

2009-12-30 00:59:51 ----A---- C:\WINDOWS\system.ini

2009-12-30 00:55:58 ----D---- C:\Program Files\Common Files

2009-12-30 00:53:20 ----RASH---- C:\boot.ini

2009-12-30 00:52:29 ----SHD---- C:\System Volume Information

2009-12-30 00:52:29 ----D---- C:\WINDOWS\system32\Restore

2009-12-30 00:11:49 ----D---- C:\Program Files\OpenOffice.org 3

2009-12-30 00:02:28 ----D---- C:\Program Files\BitLord

2009-12-30 00:00:06 ----D---- C:\Program Files\uTorrent

2009-12-29 23:10:38 ----D---- C:\Program Files\Mozilla Firefox

2009-12-21 19:17:05 ----D---- C:\WINDOWS\WBEM

2009-12-21 19:17:05 ----D---- C:\WINDOWS\system32\en-us

2009-12-21 19:16:57 ----D---- C:\WINDOWS\Media

2009-12-12 21:41:02 ----A---- C:\WINDOWS\NeroDigital.ini

2009-12-12 17:17:27 ----SD---- C:\WINDOWS\Downloaded Program Files

2009-12-12 08:55:10 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2009-12-05 14:37:12 ----D---- C:\Documents and Settings\Christian Rushmann\Application Data\Adobe

2009-12-05 14:37:09 ----D---- C:\WINDOWS\system32\Macromed

2009-12-01 12:06:20 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]

R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]

R1 sbaphd;sbaphd; C:\WINDOWS\system32\drivers\sbaphd.sys [2009-05-13 13360]

R1 sbtis;sbtis; C:\WINDOWS\system32\drivers\sbtis.sys [2009-07-15 203056]

R2 CVPNDRVA;Cisco Systems IPsec Driver; \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys []

R2 CX23880;WinFast CX2388x WDM Video Capture.; C:\WINDOWS\system32\drivers\cx88vid.sys [2005-06-27 163584]

R2 CXTUNE;WinFast CX2388x WDM TVTuner.; C:\WINDOWS\system32\drivers\CX88TUNE.sys [2005-06-27 30976]

R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\PfModNT.sys []

R2 sbapifs;sbapifs; C:\WINDOWS\system32\drivers\sbapifs.sys [2009-08-10 69936]

R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]

R3 CamDrL;Logitech QuickCam Pro 3000(CamDrl); C:\WINDOWS\system32\DRIVERS\Camdrl.sys [2004-10-08 326656]

R3 CXAVXBAR;WinFast CX2388x WDM Crossbar.; C:\WINDOWS\system32\drivers\cxavxbar.sys [2005-06-27 9728]

R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2003-07-24 139604]

R3 Eacfilt;Eacfilt Miniport; C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2003-11-24 9433]

R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]

R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]

R3 IPSECSHM;Nortel IPSECSHM Adapter; C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-11-24 115744]

R3 KFilter;KFilter; \??\C:\PROGRA~1\AVANQU~1\SYSTEM~1\KFilter.sys []

R3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys [2004-10-08 22016]

R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]

R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]

R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]

R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]

R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]

R3 sbpci;SB PCI Family Audio Driver (WDM); C:\WINDOWS\system32\drivers\sbpci.sys [2002-10-22 668160]

R3 SBRE;SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys []

R3 TFilter;TFilter; \??\C:\PROGRA~1\AVANQU~1\SYSTEM~1\TFilter.sys []

R3 ULCDRHlp;ULCDRHlp; C:\WINDOWS\System32\Drivers\ULCDRHlp.sys [2004-12-23 27392]

R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]

R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]

R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]

R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]

R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

S1 catchme;catchme; \??\C:\Combo-Fix\catchme.sys []

S2 IPSECEXT;Nortel Extranet Access Protocol; C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-11-24 115744]

S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]

S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2003-05-01 5220]

S3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2001-08-17 40704]

S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]

S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]

S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]

S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]

S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]

S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []

S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2009-05-01 721904]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-05-29 144712]

R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2005-01-07 1409048]

R2 pytivo;pyTivo; C:\Program Files\pyTivo\pyTivoService.exe [2008-05-02 77824]

R2 SBAMSvc;SystemSuite; C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe [2009-09-08 1012040]

R2 SystemSuite Task Manager;SystemSuite Task Manager; C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe [2009-12-03 529688]

R3 ipod service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-09-08 545568]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]

S3 ExtranetAccess;Contivity VPN Service; C:\Program Files\Nortel Networks\Extranet_serv.exe [2003-11-24 643072]

S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-01 182768]

S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]

S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

S4 _IOMEGA_ACTIVE_DISK_SERVICE_;Iomega Active Disk; C:\Program Files\Iomega\AutoDisk\ADService.exe [2002-09-24 151552]

S4 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]

S4 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

S4 Iomega Activity Disk2;Iomega Activity Disk2; []

S4 Iomega App Services;Iomega App Services; C:\PROGRA~1\Iomega\System32\AppServices.exe [2002-09-04 73728]

S4 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-03-14 779824]

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-03-12 271920]

S4 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2004-12-13 49152]

S4 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-12-30 19:08:35

======Uninstall list======

-->"C:\Program Files\Creative\CTSetup\CTSetup.exe"

-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL

-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL

-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL

-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL

-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL

-->C:\WINDOWS\UNRecode.exe /UNINSTALL

-->MsiExec.exe /X{4B45B12B-CD31-4235-9D44-03A368510635}

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}

HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall

Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe

======Security center information======

AV: Avanquest SystemSuite

FW: Avanquest NetDefense Firewall

======System event log======

Computer Name: YOUR-599811494C

Event Code: 10005

Message: DCOM got error "%1058" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Record Number: 3787

Source Name: DCOM

Time Written: 20091022200544.000000-300

Event Type: error

User: YOUR-599811494C\Christian Rushmann

Computer Name: YOUR-599811494C

Event Code: 10005

Message: DCOM got error "%1058" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Record Number: 3784

Source Name: DCOM

Time Written: 20091022183422.000000-300

Event Type: error

User: YOUR-599811494C\Christian Rushmann

Computer Name: YOUR-599811494C

Event Code: 10005

Message: DCOM got error "%1058" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Record Number: 3783

Source Name: DCOM

Time Written: 20091022183021.000000-300

Event Type: error

User: YOUR-599811494C\Christian Rushmann

Computer Name: YOUR-599811494C

Event Code: 10005

Message: DCOM got error "%1058" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Record Number: 3782

Source Name: DCOM

Time Written: 20091022175339.000000-300

Event Type: error

User: YOUR-599811494C\Christian Rushmann

Computer Name: YOUR-599811494C

Event Code: 10005

Message: DCOM got error "%1058" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Record Number: 3781

Source Name: DCOM

Time Written: 20091022171515.000000-300

Event Type: error

User: YOUR-599811494C\Christian Rushmann

=====Application event log=====

Computer Name: YOUR-599811494C

Event Code: 20

Message:

Record Number: 708

Source Name: Google Update

Time Written: 20090709051116.000000-300

Event Type: error

User: YOUR-599811494C\Christian Rushmann

Computer Name: YOUR-599811494C

Event Code: 20

Message:

Record Number: 707

Source Name: Google Update

Time Written: 20090709041116.000000-300

Event Type: error

User: YOUR-599811494C\Christian Rushmann

Computer Name: YOUR-599811494C

Event Code: 20

Message:

Record Number: 706

Source Name: Google Update

Time Written: 20090709031116.000000-300

Event Type: error

User: YOUR-599811494C\Christian Rushmann

Computer Name: YOUR-599811494C

Event Code: 20

Message:

Record Number: 705

Source Name: Google Update

Time Written: 20090709021116.000000-300

Event Type: error

User: YOUR-599811494C\Christian Rushmann

Computer Name: YOUR-599811494C

Event Code: 20

Message:

Record Number: 703

Source Name: Google Update

Time Written: 20090708151117.000000-300

Event Type: error

User: YOUR-599811494C\Christian Rushmann

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\QuickTime\QTSystem

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=15

"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 47 Stepping 2, AuthenticAMD

"PROCESSOR_REVISION"=2f02

"NUMBER_OF_PROCESSORS"=1

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/12/30 19:07

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: c:\documents and settings\christian rushmann\local settings\temp\~dfeae2.tmp

Status: Allocation size mismatch (API: 16384, Raw: 0)


Older or out-of-date Adobe Reader versions, and/or the Sun Java runtime, pose some security concerns.

Do get the latest updates for both.

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader.

Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

See this topic in the AumHa Security forum and get the latest Java run-time

http://aumha.net/viewtopic.php?f=26&t=42611

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Reply with a copy of Checkup.txt

and tell me, how is your system now?

Given you ran Windows Updates with no issues, that sure is excellent news.
