Full Version: Tr/crypt.morphine.gen And Tr/crypt.fkm.gen
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
kudamax
Hi! I recently scanned and detected a virus in my computer named TR/crypt.morphine.gen and TR/crypt.FKM.gen through Avira AntiVir Personal Edition. The infected files are btgetdf.dll.bak and wncepbpx.dll, which are found in C:/windows/system32. I couldn't delete them because it says that the program is currently running. AntiVir couldn't do anything about it either. I tried deleting the infected files through "delete at reboot" but still they reappear. I would like to ask for your help on how to remove these unwanted files from my computer.
I've attached the HijackThis log and Malwarebytes' log with this post.
Thanks in advance!
HKEd
Welcome to SAF, kudamax.

I'll post the logs for convenience:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:49 AM, on 8/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bndmss.exe,C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\620.exe,
O2 - BHO: (no name) - {0e09394e-7864-4b6c-adee-81c8f7297bc9} - C:\WINDOWS\system32\wncepbpx.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [plfsetl] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ADWIND] C:\WINDOWS\system\msnfgg.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-18\..\Run: [Windows Network Data Management System Service] "C:\WINDOWS\system32\bndmss.exe" * (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Network Data Management System Service] "C:\WINDOWS\system32\bndmss.exe" * (User 'Default user')
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\avupgsvc.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5897 bytes
HKEd
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/12/2009 5:27:53 AM
mbam-log-2009-08-12 (05-27-42).txt

Scan type: Quick Scan
Objects scanned: 93155
Time elapsed: 4 hour(s), 25 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\wncepbpx.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0e09394e-7864-4b6c-adee-81c8f7297bc9} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0e09394e-7864-4b6c-adee-81c8f7297bc9} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0e09394e-7864-4b6c-adee-81c8f7297bc9} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wncepbpx.dll (Trojan.Vundo.H) -> No action taken.
HKEd
The MBAM log shows 'No action taken'. You need to rerun MBAM and delete anything found.

Run HijackThis and click on 'Do a system scan only'. Put checkmarks in the boxes next to these lines:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bndmss.exe,C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\620.exe,

O2 - BHO: (no name) - {0e09394e-7864-4b6c-adee-81c8f7297bc9} - C:\WINDOWS\system32\wncepbpx.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [ADWIND] C:\WINDOWS\system\msnfgg.exe

O4 - HKLM\..\Policies\Explorer\Run: [] 

O4 - HKUS\S-1-5-18\..\Run: [Windows Network Data Management System Service] "C:\WINDOWS\system32\bndmss.exe" * (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Windows Network Data Management System Service] "C:\WINDOWS\system32\bndmss.exe" * (User 'Default user')

O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll


Click on 'Fix checked' and close HijackThis.

Download ATF-Cleaner to the desktop and run it there. Use it to delete all temp and temp internet files.

Download The Avenger and unzip it to the desktop. Run Avenger.exe and copy/paste the contents of the Code box below to the section under 'Input script here':

CODE
Files to delete:
C:\WINDOWS\system\msnfgg.exe
C:\WINDOWS\SYSTEM32\btgetdf.dll
C:\WINDOWS\system32\bndmss.exe


Click on Execute and reboot when prompted.

Post the Avenger log (C:\Avenger.txt) and a fresh HijackThis log.
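As an added example (not HijackThis code and not HKEd's or the forum's tooling), the first-pass triage behind a list like the one above, in Python: it parses the F2/O2/O4/O20 entries from the first log in this thread, flags the persistence patterns a reviewer checks first, and then cross-references file names so that the bndmss.exe Run key is caught because the same file already sits in the hijacked UserInit value. The Winlogon Notify allowlist and the list of odd start directories are assumptions for illustration; the output is a starting point for a human reviewer, not a verdict.

```python
"""First-pass triage of HijackThis v2 log entries (added example; not HijackThis
code and not the forum helper's tooling).  Covers the F2, O2, O4 and O20 line
types seen in the thread above."""
import re
from typing import Dict, List, Set, Tuple

# Winlogon Notify subkeys present on a stock Windows XP SP3 install.  Assumption:
# a short allowlist for illustration, not an exhaustive one.  A DLL registered
# here is loaded into winlogon.exe itself, which is why deleting such a file
# from a logged-on session fails with STATUS_ACCESS_DENIED (as Avenger reports
# for btgetdf.dll later in this thread).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Directories a Run key should not normally start programs from: the user's
# Temp folder and the legacy 16-bit C:\WINDOWS\system directory (not system32).
ODD_RUN_DIRS = ("\\temp\\", "\\windows\\system\\")

# Drive-letter path ending in an executable/library extension; spaces allowed.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|sys|scr)\b", re.I)


def _paths(line: str) -> List[str]:
    """All file paths mentioned in a log line, lower-cased."""
    return [m.group(0).lower() for m in PATH_RE.finditer(line)]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check_line(line: str) -> Tuple[str, List[str]]:
    """Apply the per-line heuristics.  Returns (reason, implicated paths);
    reason is '' when nothing matched."""
    low = line.lower()
    paths = _paths(line)
    if low.startswith("f2 - reg:system.ini: userinit="):
        # A stock XP value is exactly "C:\WINDOWS\system32\userinit.exe,".
        # Anything appended is launched by winlogon at every logon.
        extras = [p for p in paths if _basename(p) != "userinit.exe"]
        if extras:
            return "UserInit starts extra programs at logon", extras
    elif low.startswith("o2 - bho:"):
        if "(no name)" in low:
            return "BHO registered without a name", paths
        if "(file missing)" in low:
            return "orphaned BHO registration (file missing)", paths
    elif low.startswith("o4 - "):
        if re.search(r"\[\]\s*$", line):
            return "Run entry with an empty name", paths
        if any(d in low for d in ODD_RUN_DIRS):
            return "Run entry starts a program from a temp or legacy directory", paths
    elif low.startswith("o20 - winlogon notify:"):
        name = low.split("winlogon notify:", 1)[1].split(" - ")[0].strip()
        if name not in KNOWN_NOTIFY:
            return f"unrecognised Winlogon Notify package '{name}'", paths
    return "", []


def triage(lines: List[str]) -> Dict[str, str]:
    """Map each suspicious line to a reason.  After the per-line pass, any
    remaining entry that references a file already implicated is flagged too,
    so the same DLL registered as a BHO and a Notify package, or the same EXE
    in UserInit and a Run key, is caught wherever it appears."""
    flagged: Dict[str, str] = {}
    implicated: Set[str] = set()
    for line in lines:
        reason, paths = check_line(line)
        if reason:
            flagged[line] = reason
            implicated.update(_basename(p) for p in paths)
    for line in lines:
        if line in flagged:
            continue
        hits = sorted({_basename(p) for p in _paths(line)} & implicated)
        if hits:
            flagged[line] = "references already-flagged file(s): " + ", ".join(hits)
    return flagged


def implicated_files(lines: List[str]) -> List[str]:
    """Sorted base names of every file implicated by the per-line heuristics;
    the list a helper would cross-check against the scanner logs."""
    names: Set[str] = set()
    for line in lines:
        _, paths = check_line(line)
        names.update(_basename(p) for p in paths)
    return sorted(names)


# Entries taken from the first HijackThis log posted in this thread, plus two
# benign ones (hkcmd.exe, the Java SSVHelper BHO) to show what is not flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bndmss.exe,C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\620.exe,
O2 - BHO: (no name) - {0e09394e-7864-4b6c-adee-81c8f7297bc9} - C:\WINDOWS\system32\wncepbpx.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ADWIND] C:\WINDOWS\system\msnfgg.exe
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-18\..\Run: [Windows Network Data Management System Service] "C:\WINDOWS\system32\bndmss.exe" * (User 'SYSTEM')
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll
""".strip().splitlines()


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(f"{why}\n    {entry}")
    print("implicated files:", ", ".join(implicated_files(SAMPLE_LOG)))
```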
kudamax

Hi! Sorry for my late reply...

I tried those suggestions you said but, sad to say, it didn't solve the problem. Malwarebytes detected the Trojan Vundo or Morphine.gen and said that it would delete the file on restart. However, upon restart, the computer crashes or hangs up. Any ideas? So, in other words, Malwarebytes wasn't able to delete the trojan... BTW, some of the viruses were deleted through Avenger and HJT.. thanks for your help!
I'm posting the Avenger and HijackThis logs with this post.
Thanks again!

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system\msnfgg.exe" not found!
Deletion of file "C:\WINDOWS\system\msnfgg.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "C:\WINDOWS\SYSTEM32\btgetdf.dll"
Deletion of file "C:\WINDOWS\SYSTEM32\btgetdf.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: file "C:\WINDOWS\system32\bndmss.exe" not found!
Deletion of file "C:\WINDOWS\system32\bndmss.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:03 AM, on 8/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\RtkBtMnt.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {0e09394e-7864-4b6c-adee-81c8f7297bc9} - C:\WINDOWS\system32\wncepbpx.dll
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [plfsetl] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1250031667578
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\avupgsvc.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5836 bytes
HKEd
We'll use RSIT to ferret out the hidden malware files:

Download RSIT to the desktop and run it there. Post the logs it generates.
kudamax
Here are the RSIT logs:


info.txt logfile of random's system information tool 1.06 2009-08-21 06:39:40

======Uninstall list======

-->"c:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Atheros Driver v7.6.0.264 Installation Program-->C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\setup.exe -runfromtemp -l0x0009 -removeonly
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Gateway ScreenSaver-->"C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -runfromtemp -l0x0009 -removeonly
GearDrvs-->MsiExec.exe /I{CB84F0F2-927B-458D-9DC5-87832E3DC653}
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB932716-v2)-->"C:\WINDOWS\$NtUninstallKB932716-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Java™ 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216015FF}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
JMicron JMB38X Flash Media Controller-->"C:\Program Files\InstallShield Installation Information\{26604C7E-A313-4D12-867F-7C6E7820BE4C}\setup.exe" delpkg
Launch Manager-->C:\WINDOWS\UnInst32.exe LManager.UNI
LiveUpdate (Symantec Corporation)-->MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "c:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation)-->MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Suite Activation Assistant-->MsiExec.exe /X{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWudf01007$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Mobile Partner-->C:\Program Files\Mobile Partner\uninst.exe
MSVC80_x86-->MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The Typing of The Dead US-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CE0803C-CA6A-4D7A-8FB8-055EBB4AF141}\SETUP.EXE"
Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951618-v2)-->"C:\WINDOWS\$NtUninstallKB951618-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
WebCam-->C:\Program Files\InstallShield Installation Information\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\setup.exe -runfromtemp -l0x0009 -removeonly
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Zune Desktop Theme-->MsiExec.exe /X{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}

=====HijackThis Backups=====

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bndmss.exe,C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\620.exe, [2009-08-11]
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bndmss.exe,C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\620.exe, [2009-08-11]
O4 - HKUS\S-1-5-18\..\Run: [Windows Network Data Management System Service] "C:\WINDOWS\system32\bndmss.exe" * (User 'SYSTEM') [2009-08-14]
O4 - HKLM\..\Policies\Explorer\Run: []  [2009-08-14]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-14]
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE [2009-08-14]
O4 - HKUS\.DEFAULT\..\Run: [Windows Network Data Management System Service] "C:\WINDOWS\system32\bndmss.exe" * (User 'Default user') [2009-08-14]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-14]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - (no file) [2009-08-14]
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bndmss.exe,C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\620.exe, [2009-08-14]
O2 - BHO: (no name) - {0e09394e-7864-4b6c-adee-81c8f7297bc9} - C:\WINDOWS\system32\wncepbpx.dll [2009-08-14]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-14]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-14]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-14]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-14]
O2 - BHO: (no name) - {0e09394e-7864-4b6c-adee-81c8f7297bc9} - C:\WINDOWS\system32\wncepbpx.dll [2009-08-14]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-14]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-15]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-15]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-15]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-15]
O2 - BHO: (no name) - {0e09394e-7864-4b6c-adee-81c8f7297bc9} - C:\WINDOWS\system32\wncepbpx.dll [2009-08-15]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-15]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-15]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-15]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-15]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-20]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-20]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-20]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-20]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-20]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-20]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-20]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-20]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-20]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-20]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-20]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-20]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-20]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-20]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-20]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-20]
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll [2009-08-21]
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll [2009-08-21]

======Security center information======

AV: AntiVir Desktop

======System event log======

Computer Name: GATEWAY-AFCE47A
Event Code: 7023
Message: The 6to4 service terminated with the following error:
The specified module could not be found.


Record Number: 37487
Source Name: Service Control Manager
Time Written: 20090806234253.000000+480
Event Type: error
User:

Computer Name: GATEWAY-AFCE47A
Event Code: 240
Message: A request to suspend power was denied by winlogon.exe.

Record Number: 37482
Source Name: Win32k
Time Written: 20090806214942.000000+480
Event Type: warning
User:

Computer Name: GATEWAY-AFCE47A
Event Code: 7000
Message: The Background Intelligent Transfer Service service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 37477
Source Name: Service Control Manager
Time Written: 20090806214047.000000+480
Event Type: error
User:

Computer Name: GATEWAY-AFCE47A
Event Code: 10005
Message: DCOM got error "%2" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Record Number: 37476
Source Name: DCOM
Time Written: 20090806214047.000000+480
Event Type: error
User: GATEWAY-AFCE47A\Acer's Client

Computer Name: GATEWAY-AFCE47A
Event Code: 7000
Message: The Background Intelligent Transfer Service service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 37475
Source Name: Service Control Manager
Time Written: 20090806214046.000000+480
Event Type: error
User:

=====Application event log=====

Computer Name: GATEWAY-AFCE47A
Event Code: 4113
Message: AntiVir has detected 'TR/Crypt.FKM.Gen'
in the file
C:\WINDOWS\system32\btgetdf.dll

Record Number: 3053
Source Name: Avira AntiVir
Time Written: 20090808110723.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: GATEWAY-AFCE47A
Event Code: 4113
Message: AntiVir has detected 'TR/Crypt.Morphine.Gen'
in the file
C:\WINDOWS\system32\wncepbpx.dll

Record Number: 3052
Source Name: Avira AntiVir
Time Written: 20090808110722.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: GATEWAY-AFCE47A
Event Code: 4113
Message: AntiVir has detected 'TR/Crypt.FKM.Gen'
in the file
C:\WINDOWS\system32\btgetdf.dll

Record Number: 3051
Source Name: Avira AntiVir
Time Written: 20090808110640.000000+480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: GATEWAY-AFCE47A
Event Code: 32068
Message: The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Record Number: 3050
Source Name: Microsoft Fax
Time Written: 20090808110554.000000+480
Event Type: warning
User:

Computer Name: GATEWAY-AFCE47A
Event Code: 32026
Message: Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Record Number: 3049
Source Name: Microsoft Fax
Time Written: 20090808110554.000000+480
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 28 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=1c02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------
kudamax
Logfile of random's system information tool 1.06 (written by random/random)
Run by Acer's Client at 2009-08-21 06:39:30
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 140 GB (92%) free of 153 GB
Total RAM: 1012 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:36 AM, on 8/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mobile Partner\Mobile Partner.exe
C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Acer's Client\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Acer's Client.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {0e09394e-7864-4b6c-adee-81c8f7297bc9} - C:\WINDOWS\system32\wncepbpx.dll
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [plfsetl] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1250031667578
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\avupgsvc.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6435 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1279371858-1653462319-1608279117-1006Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1279371858-1653462319-1608279117-1006UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0e09394e-7864-4b6c-adee-81c8f7297bc9}]
C:\WINDOWS\system32\wncepbpx.dll [2008-04-14 143872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c}]
c:\windows\system32\btgetdf.dll [2008-04-14 103424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbc80044-a445-435b-bc74-9c25c1c588a9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-21 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7e6f031-17ce-4c07-bc86-eabfe594f69c}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-08-21 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-02-28 166424]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-07-31 1343488]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-09-09 16851968]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-21 149280]
"AzMixerSel"=C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe [2006-07-17 53248]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-02-28 141848]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-02-28 137752]
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2008-08-18 817672]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"snp2uvc"=C:\WINDOWS\system32\csnp2uvc.dll [2008-11-03 196608]
"plfsetl"=C:\WINDOWS\PLFSetL.exe [2008-07-03 94208]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2008-04-14 208952]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-05 133104]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-02-15 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ioruiqhd]
C:\WINDOWS\system32\btgetdf.dll [2008-04-14 103424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-08-12 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableStatusMessages"=0
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\WINDOWS\system32\bndmss.exe"="C:\WINDOWS\system32\bndmss.exe:*:Enabled:BNDMSS"
"C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\620.exe"="C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\620.exe:*:Enabled:BNDMSS"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{248b76b6-6973-11de-b643-00242b198f09}]
shell\autorun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28756438-8ce5-11de-b6f3-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28756439-8ce5-11de-b6f3-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57e6207d-7dfb-11de-b691-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ac461e4-715d-11de-b65e-9e93ee2b03f2}]
shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90386206-8d89-11de-b6f5-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90386207-8d89-11de-b6f5-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1854ed6-8b07-11de-b6f1-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1854ed7-8b07-11de-b6f1-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ade862d0-6f42-11de-b64f-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ade862d3-6f42-11de-b64f-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5deca40-71c2-11de-b65f-a5cfae8923f2}]
shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6f8c7eb-894c-11de-b6f0-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6f8c7ec-894c-11de-b6f0-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6f8c7f0-894c-11de-b6f0-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6f8c7f1-894c-11de-b6f0-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6f8c7f4-894c-11de-b6f0-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6f8c7f5-894c-11de-b6f0-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6f8c7f6-894c-11de-b6f0-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6f8c7f7-894c-11de-b6f0-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6f8c7f8-894c-11de-b6f0-00242b198f09}]
shell\autorun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6f7ad63-7c56-11de-b67f-f2205338e5f2}]
shell\autorun\command - RECYCLER\autorun.exe
shell\open\command - RECYCLER\autorun.exe


======List of files/folders created in the last 1 months======

2009-08-21 06:39:30 ----D---- C:\rsit
2009-08-21 06:38:13 ----A---- C:\WINDOWS\system32\javaws.exe
2009-08-21 06:38:13 ----A---- C:\WINDOWS\system32\javaw.exe
2009-08-21 06:38:13 ----A---- C:\WINDOWS\system32\java.exe
2009-08-21 06:38:13 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-08-20 22:03:53 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-20 01:36:47 ----D---- C:\Documents and Settings\Acer's Client\Application Data\oqtllvwk
2009-08-16 23:57:35 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #4.txt
2009-08-15 14:44:28 ----D---- C:\Program Files\Sun Broadband Wireless
2009-08-15 14:38:33 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt
2009-08-12 07:26:43 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-08-12 07:10:32 ----D---- C:\Program Files\Windows Live Safety Center
2009-08-11 11:56:39 ----D---- C:\Program Files\Avira
2009-08-11 11:56:39 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-08-11 06:27:07 ----D---- C:\Program Files\Trend Micro
2009-08-11 06:12:10 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-08-11 05:21:06 ----D---- C:\Documents and Settings\Acer's Client\Application Data\Mozilla
2009-08-08 11:31:06 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-08 01:50:54 ----D---- C:\Documents and Settings\Acer's Client\Application Data\Malwarebytes
2009-08-08 01:50:44 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-01 04:48:13 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #2.txt
2009-07-30 00:22:37 ----A---- C:\WINDOWS\ModemLog_Nokia 3120 classic USB Modem.txt
2009-07-30 00:16:51 ----HDC---- C:\WINDOWS\$NtUninstallWudf01007$
2009-07-30 00:16:27 ----N---- C:\WINDOWS\system32\spmsgXP_2k3.dll
2009-07-30 00:16:20 ----HDC---- C:\WINDOWS\$NtUninstallWdf01007$
2009-07-30 00:15:37 ----D---- C:\Documents and Settings\Acer's Client\Application Data\PC Suite
2009-07-30 00:15:36 ----D---- C:\Documents and Settings\All Users\Application Data\PC Suite
2009-07-30 00:15:36 ----D---- C:\Documents and Settings\Acer's Client\Application Data\Nokia
2009-07-30 00:14:49 ----D---- C:\Program Files\DIFX
2009-07-30 00:14:25 ----A---- C:\WINDOWS\system32\nmwcdcls.dll
2009-07-30 00:13:06 ----D---- C:\Documents and Settings\All Users\Application Data\Installations
2009-07-28 21:32:48 ----D---- C:\Program Files\Atheros
2009-07-28 21:32:39 ----D---- C:\temp
2009-07-23 22:02:11 ----D---- C:\Program Files\Audacity

======List of files/folders modified in the last 1 months======

2009-08-21 06:38:18 ----SHD---- C:\WINDOWS\Installer
2009-08-21 06:38:13 ----AD---- C:\WINDOWS\system32
2009-08-21 06:37:53 ----D---- C:\Program Files\Java
2009-08-21 06:20:10 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-21 06:15:54 ----SHD---- C:\System Volume Information
2009-08-21 06:15:54 ----D---- C:\WINDOWS\system32\Restore
2009-08-21 06:15:54 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-21 06:15:46 ----D---- C:\WINDOWS\Temp
2009-08-20 22:48:39 ----D---- C:\WINDOWS\system32\drivers
2009-08-20 22:48:39 ----D---- C:\WINDOWS
2009-08-20 22:03:33 ----RD---- C:\Program Files
2009-08-20 22:02:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-20 16:09:25 ----D---- C:\WINDOWS\Prefetch
2009-08-20 01:41:37 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
2009-08-20 01:24:25 ----HD---- C:\WINDOWS\inf
2009-08-17 16:41:21 ----D---- C:\Program Files\Mobile Partner
2009-08-16 09:21:38 ----D---- C:\Documents and Settings\Acer's Client\Application Data\U3
2009-08-12 08:00:06 ----D---- C:\Program Files\Common Files
2009-08-12 07:52:03 ----D---- C:\WINDOWS\Help
2009-08-12 07:10:33 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-11 17:12:27 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-08-11 15:58:24 ----RASH---- C:\boot.ini
2009-08-11 15:58:24 ----A---- C:\WINDOWS\win.ini
2009-08-11 15:58:24 ----A---- C:\WINDOWS\system.ini
2009-08-11 11:56:25 ----D---- C:\WINDOWS\WinSxS
2009-08-11 11:52:49 ----SD---- C:\Documents and Settings\Acer's Client\Application Data\Microsoft
2009-08-11 06:09:03 ----D---- C:\WINDOWS\SoftwareDistribution
2009-08-06 17:01:37 ----SD---- C:\WINDOWS\Tasks
2009-08-06 16:59:13 ----D---- C:\WINDOWS\system
2009-08-01 05:39:39 ----SHD---- C:\RECYCLER
2009-08-01 05:26:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-30 21:59:26 ----D---- C:\Documents and Settings
2009-07-30 00:17:16 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-07-28 21:34:50 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-28 21:32:48 ----HD---- C:\Program Files\InstallShield Installation Information
2009-07-23 23:05:10 ----D---- C:\Program Files\Realtek

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-08-20 96104]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-08-20 28520]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-08-20 55656]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2008-08-20 1318464]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\WINDOWS\system32\DRIVERS\DKbFltr.sys [2006-01-20 17408]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2007-08-24 101120]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-09-09 4813824]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-08-07 111360]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC); C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2007-10-01 1769984]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2008-07-31 230464]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S1 1ed7c0;1ed7c0; C:\WINDOWS\System32\drivers\1ed7c0.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 int15.sys;int15.sys; \??\c:\acernb\int15.sys []
S3 JMCR;JMCR; C:\WINDOWS\system32\DRIVERS\jmcr.sys [2008-09-03 94608]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys []
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 antivirschedulerservice;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-08-20 108289]
R2 antivirservice;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-08-20 185089]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2008-02-21 238968]
R2 javaquickstarterservice;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-21 153376]
R2 Symantec Core LC;Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2001-02-13 1245064]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 yjphwiep;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Controller; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S2 6to4;6to4; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S2 AntiVirUpgradeService;Avira Upgrade Service; C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\avupgsvc.exe /TEMPSTART:C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\setup.exe /NOTEMPCLEANUP /CROSSUPGRADE []
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S2 LiveUpdate;LiveUpdate; c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [2008-09-05 3220856]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe []
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-27 145184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
HKEd
Run HijackThis and fix the following lines:

O2 - BHO: (no name) - {0e09394e-7864-4b6c-adee-81c8f7297bc9} - C:\WINDOWS\system32\wncepbpx.dll

O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll

O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll


Run Avenger again and use this code:

Files to delete:
C:\WINDOWS\system32\wncepbpx.dll
C:\windows\system32\btgetdf.dll


Post back with fresh Avenger and HijackThis logs please.
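The selection HKEd made above (two BHOs registered with "(no name)" plus the Winlogon Notify entry that loads one of the same DLLs) can be reproduced mechanically from HijackThis O2/O20 lines. The script below is an added illustration written for this page, not part of the thread, of HijackThis, or of Avenger; the sample lines are copied from the log posted above, and the function names and the cross-reference heuristic are my own choices. It is a triage aid for a reader learning to read such logs, not a replacement for the helper's judgement.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines.

Heuristic (an assumption of this example, not a rule of HijackThis):
  * a BHO that registers no name is worth a second look;
  * a Winlogon Notify DLL that is also one of those unnamed BHOs is
    the same component persisting twice, so it is flagged as well.
"""
from __future__ import annotations

import re

# Constructed sample: three lines HKEd asked to be fixed plus two benign
# entries from the same log, so the filter has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0e09394e-7864-4b6c-adee-81c8f7297bc9} - C:\WINDOWS\system32\wncepbpx.dll
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll
O2 - BHO: Java(TM) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9a-f-]{36}\}) - (?P<path>.+?)\s*$",
    re.IGNORECASE,
)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)\s*$")


def norm_path(path: str) -> str:
    """Windows paths are case-insensitive; the log mixes c:\\windows and C:\\WINDOWS."""
    return path.strip().lower()


def triage(log_text: str) -> list[dict]:
    """Return one finding per suspicious line: {'line', 'path', 'reason'}."""
    findings: list[dict] = []
    unnamed_dlls: set[str] = set()
    notify_entries: list[tuple[str, str, str]] = []

    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            if m.group("name").strip().lower() == "(no name)":
                unnamed_dlls.add(norm_path(m.group("path")))
                findings.append({"line": line, "path": m.group("path").strip(),
                                 "reason": "BHO registered without a name"})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify_entries.append((line, m.group("key"), m.group("path").strip()))

    # Second pass so the cross-reference works regardless of line order.
    for line, key, path in notify_entries:
        if norm_path(path) in unnamed_dlls:
            findings.append({"line": line, "path": path,
                             "reason": f"Winlogon Notify '{key}' loads the same DLL as an unnamed BHO"})
    return findings


def avenger_script(findings: list[dict]) -> str:
    """Build a 'Files to delete:' block in the format HKEd used, one path per DLL."""
    seen: set[str] = set()
    paths: list[str] = []
    for f in findings:
        key = norm_path(f["path"])
        if key not in seen:          # keep first spelling, drop case-variant duplicates
            seen.add(key)
            paths.append(f["path"])
    return "Files to delete:\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['reason']}:\n    {f['line']}")
    print()
    print(avenger_script(found))
```

Running it against the sample prints the three lines HKEd listed and a two-line "Files to delete:" block; the Java BHO and the Avira Run entry pass through untouched because they carry a name and are not O2/O20 lines respectively.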
kudamax
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:26 PM, on 8/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\DNA\btdna.exe
C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {0e09394e-7864-4b6c-adee-81c8f7297bc9} - C:\WINDOWS\system32\wncepbpx.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: (no name) - {b4ea0cf0-71bc-4148-8f59-c3a1f4befa9c} - c:\windows\system32\btgetdf.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [plfsetl] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1250031667578
O20 - Winlogon Notify: ioruiqhd - C:\WINDOWS\SYSTEM32\btgetdf.dll
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\avupgsvc.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7214 bytes




Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "C:\WINDOWS\system32\wncepbpx.dll"
Deletion of file "C:\WINDOWS\system32\wncepbpx.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open file "C:\windows\system32\btgetdf.dll"
Deletion of file "C:\windows\system32\btgetdf.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.



Virus, still here =(
kudamax
I did some research on Google and found out that morphine.gen is also called the Vundo trojan... Tried Spyware Doctor, which also detected the trojan, restarted, but suddenly the virus reappears again... sigh... I hope I can fix this soon... thanks for all the effort!
HKEd
Vundo is a very generic term by now. There have been so many variants....

Something hidden is preventing Avenger from deleting those files. It's just a question of finding what the 'something' is.

Can you open the Device Manager and click on the View menu, then click on 'Show Hidden Devices'. In the Device Manager list, expand 'Non Plug and Play Drivers'. Is there anything beginning with TDSS or UAC, or a long string of gibberish in the list?

Download GMER to the desktop. It will arrive as a randomly-named file. Run it and wait for its initial scan to complete, then click the Scan button. After the scan, click on the Save button and post the log it generates.
kudamax
Hi! Here's the GMER log you requested... Didn't find anything like TDSS or UAC stuff in Device Manager's hidden devices... But I'll attach the list with this post.. =) Thanks again for your help! =)


GMER 1.0.15.15077 [n4k6ienr.exe] - http://www.gmer.net
Rootkit scan 2009-08-25 05:34:15
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\1b03efc.sys ZwCreateEvent [0xF799082D]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7708514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF76F7282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF76F7474]
SSDT F7EB141C ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7708D00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7708FB8]
SSDT F7EB143A ZwLoadKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF77073FA]
SSDT F7EB1408 ZwOpenProcess
SSDT F7EB140D ZwOpenThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7709422]
SSDT F7EB1444 ZwReplaceKey
SSDT F7EB143F ZwRestoreKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF77087D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF76F6F32]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ExAcquireRundownProtection + 1AF 80570323 7 Bytes JMP 873C6998
? C:\WINDOWS\System32\drivers\1b03efc.sys The system cannot find the file specified.
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, 00, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, 00, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, 01, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B90EAFC
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, 02, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, 01, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, 02, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B90EB6D
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, 00, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B90EC9B
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, 01, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, 02, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2016] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, 00, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, 00, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, 01, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B90EAFC
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, 02, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, 01, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, 02, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B90EB6D
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, 00, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B90EC9B
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, 01, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, 02, 15, 00]
.text C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2028] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 1b03efc.sys
Device \Driver\Tcpip \Device\Ip 1b03efc.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp 1b03efc.sys
Device \Driver\Tcpip \Device\Udp 1b03efc.sys
Device \Driver\Tcpip \Device\RawIp 1b03efc.sys
Device \Driver\Tcpip \Device\IPMULTICAST 1b03efc.sys

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\1b03efc.sys (*** hidden *** ) [SYSTEM] 1b03efc <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\1b03efc@ImagePath \SystemRoot\System32\drivers\1b03efc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\1b03efc@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\1b03efc@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\1b03efc@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\1b03efc@F96ZK6nPB YWR2YW50YXN0YXIudXM=
Reg HKLM\SYSTEM\ControlSet004\Services\1b03efc@ImagePath \SystemRoot\System32\drivers\1b03efc.sys
Reg HKLM\SYSTEM\ControlSet004\Services\1b03efc@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\1b03efc@Start 1
Reg HKLM\SYSTEM\ControlSet004\Services\1b03efc@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet004\Services\1b03efc@F96ZK6nPB YWR2YW50YXN0YXIudXM=

---- EOF - GMER 1.0.15 ----
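Triage logic for a GMER log of the shape quoted above, added here as an example and not part of the thread or of GMER itself: it walks the log once and groups the hidden service, the SSDT and device hooks, and any non-standard service value by the driver they point at. SAMPLE_LOG is constructed from lines in the format of the log above, and KNOWN_DRIVERS is an assumed allow-list of vendor drivers the analyst has already verified.

```python
"""Triage a GMER rootkit-scan log: correlate hidden services, SSDT hooks, device
hooks and non-standard service values that all point at one unknown driver.

Added example for this thread, not GMER's own code. SAMPLE_LOG is constructed
in the shape of the GMER 1.0.15 output quoted above; KNOWN_DRIVERS is an
assumed allow-list of vendor drivers the analyst has already verified."""
import base64
import re
from collections import defaultdict
from typing import Optional

# Constructed sample in the GMER 1.0.15 line format (raw string: single backslashes).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\drivers\1b03efc.sys ZwCreateEvent [0xF799082D]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7708514]
SSDT F7EB141C ZwCreateThread

---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 1b03efc.sys
Device \Driver\Tcpip \Device\Tcp 1b03efc.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\drivers\1b03efc.sys (*** hidden *** ) [SYSTEM] 1b03efc <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\1b03efc@ImagePath \SystemRoot\System32\drivers\1b03efc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\1b03efc@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\1b03efc@F96ZK6nPB YWR2YW50YXN0YXIudXM=
"""

# Assumption: vendor drivers the analyst has verified (compared by lower-cased basename).
KNOWN_DRIVERS = {"pctcore.sys", "syntp.sys"}

# Value names a legitimate service key normally carries; anything else deserves a look.
STANDARD_SERVICE_VALUES = {
    "imagepath", "type", "start", "errorcontrol", "displayname", "description",
    "group", "tag", "dependonservice", "dependongroup", "objectname",
}

SSDT_RE = re.compile(r"^SSDT\s+(\S+)(?:\s+\([^)]*\))?\s+(Zw\w+)")
DEVICE_RE = re.compile(r"^(?:Attached)?Device\s+(\S+)\s+(\S+)\s+(\S+)")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\*\s*hidden\s*\*\*\*\s*\)")
SERVICE_VALUE_RE = re.compile(r"^Reg\s+\S*\\Services\\(\w+)@(\w+)\s+(.*)$")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path or module reference."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_if_base64(data: str) -> Optional[str]:
    """Return the decoded text when `data` is well-formed base64 for printable ASCII."""
    if len(data) < 8 or len(data) % 4:
        return None
    try:
        text = base64.b64decode(data, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    return text if text.isprintable() else None


def triage(log_text: str) -> dict:
    """Walk the log once and group every indicator by the driver it points at."""
    hooks = defaultdict(list)  # driver basename -> hooked SSDT entries and devices
    hidden_services, unresolved_ssdt, odd_values = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            module, func = m.groups()
            if re.fullmatch(r"[0-9A-Fa-f]{8}", module):
                unresolved_ssdt.append(func)  # hook whose owning module GMER could not name
            else:
                hooks[basename(module)].append("SSDT:" + func)
        elif m := DEVICE_RE.match(line):
            hooks[basename(m.group(3))].append("Device:" + m.group(2))
        elif m := HIDDEN_SVC_RE.match(line):
            hidden_services.append(basename(m.group(1)))
        elif m := SERVICE_VALUE_RE.match(line):
            service, name, data = m.groups()
            if name.lower() not in STANDARD_SERVICE_VALUES:
                odd_values.append((service, name, data, decode_if_base64(data)))
    return {
        "hidden_services": hidden_services,
        "unknown_hookers": {d: h for d, h in hooks.items() if d not in KNOWN_DRIVERS},
        "unresolved_ssdt": unresolved_ssdt,
        "odd_service_values": odd_values,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample every indicator resolves to the same unknown driver, which is the correlation a reader of the log above does by hand.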
HKEd
Download Combofix to the desktop and follow the directions for using it. Remember to disable Avira's real-time protection - right-click on the taskbar icon and select 'Antivir Guard disable' - as well as Spyware Doctor. You have some Norton files running as well, but not the full package. Did you uninstall Norton recently?

Post the Combofix log when done.

Thanks for attaching the Device Manager images. There's nothing listed there - this infection is well hidden.
HKEd
One more thing...the link at the Combofix site takes you to the BleepingComputer download site. Right-click on the download link and select 'Save Target As'. In the Save As box that opens, click in the File Name field and rename Combofix.exe to abc123.com before downloading the file. Some recent rootkits can detect Combofix and take evasive measures.
kudamax
Hi! I've finished running Combofix... however, I forgot to name it abc123.com. I selected "application" instead of "all files" when I was saving it, so the name was abc123.com.exe.
I'll post the combo fix log with this reply.

Yes, I have uninstalled norton.

And I would like to add another problem. I couldn't uninstall Spyware Doctor, I don't know why. After clicking the uninstall button, the uninstall box just popped up and closed itself. I installed Spyware Doctor through Google Updater. I wasn't able to uninstall it with Google Updater either, so I'd like to ask how to remove it. Is this problem connected with that Vundo virus?

I found that wncepbpx.dll in system32 was successfully deleted, I'm relieved. =)
A lot of thanks to you! But again, here's the log of Combofix, hope you won't find any malicious stuff.
Again, a lot of thanks!

------------------------------------------------------------------------------------------
ComboFix 09-08-29.01 - Acer's Client 08/30/2009 7:09.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.590 [GMT 8:00]
Running from: c:\documents and settings\Acer's Client\Desktop\abc123.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-0268990709-7876278204-434946927-7502
c:\recycler\S-1-5-21-1854041670-2610712516-768467808-3024
c:\recycler\S-1-5-21-4365395550-4667017319-920669000-6836
c:\recycler\S-1-5-21-4579176922-0930863705-417092711-1149
c:\recycler\S-1-5-21-5294947331-1767954701-102276800-1008
c:\recycler\S-1-5-21-5580628676-8857573281-355204414-4451
c:\recycler\S-1-5-21-6490458065-0051190522-972341008-2959
c:\recycler\S-1-5-21-8135370799-5445713566-012202310-6165
c:\recycler\S-1-5-21-8167844366-5058713404-798005661-1901
c:\recycler\S-1-5-21-9246267197-9436906298-955467459-9915
c:\recycler\S-1-5-21-9355103301-8502731866-050469195-3034
c:\recycler\S-1-5-21-9436788084-0830820529-035889695-0226
c:\recycler\S-1-5-21-9662413469-8677598452-733471081-4334
c:\windows\Fonts\mlog
c:\windows\system32\btgetdf.dll
c:\windows\system32\drivers\fdvqmrsg.sys
c:\windows\system32\drivers\gopfswdc.sys
c:\windows\system32\ixkufcj.dll
c:\windows\system32\tyrdtpvm.dll
c:\windows\system32\wncepbpx.dll
c:\windows\Tasks\At1.job
c:\windows\system32\drivers\1b03efc.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_avast!antivirus
-------\Legacy_BNDMSS
-------\Legacy_fdvqmrsg
-------\Legacy_msncache
-------\Legacy_pcmstub
-------\Legacy_sopidkc
-------\Legacy_yjphwiep
-------\Service_6to4
-------\Service_fdvqmrsg
-------\Service_yjphwiep
-------\Service_1b03efc


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.

2009-08-28 23:55 . 2009-08-28 23:55 -------- d--h--w- c:\windows\PIF
2009-08-28 23:46 . 2009-08-28 23:46 -------- d-----w- c:\documents and settings\Acer's Client\Application Data\oqtllvwk
2009-08-28 23:46 . 2009-08-28 23:46 -------- d-----w- c:\documents and settings\Acer's Client\Local Settings\Application Data\oqtllvwk
2009-08-25 00:47 . 2009-08-25 00:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\oqtllvwk
2009-08-25 00:47 . 2009-08-25 00:47 -------- d-----w- c:\documents and settings\NetworkService\Application Data\oqtllvwk
2009-08-21 06:14 . 2009-08-21 06:14 -------- d-----w- c:\program files\Java
2009-08-21 06:14 . 2009-08-21 06:14 152576 ----a-w- c:\documents and settings\Acer's Client\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-20 23:23 . 2008-12-11 00:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-20 23:23 . 2009-04-03 03:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-20 23:23 . 2008-12-18 04:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-20 23:22 . 2009-08-20 23:23 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-20 23:22 . 2008-12-10 03:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-20 23:22 . 2009-08-21 06:58 -------- d-----w- c:\program files\Spyware Doctor
2009-08-20 23:22 . 2009-08-20 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-20 23:22 . 2009-08-20 23:22 -------- d-----w- c:\documents and settings\Acer's Client\Application Data\PC Tools
2009-08-20 23:05 . 2009-08-20 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-20 22:39 . 2009-08-20 22:39 -------- d-----w- C:\rsit
2009-08-20 22:38 . 2009-08-21 06:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-17 08:41 . 2007-08-24 11:45 101120 ----a-r- c:\windows\system32\drivers\ewusbmdm.sys
2009-08-17 08:41 . 2007-08-24 11:45 24448 ----a-r- c:\windows\system32\drivers\ewdcsc.sys
2009-08-15 06:44 . 2009-08-17 08:20 -------- d-----w- c:\program files\Sun Broadband Wireless
2009-08-11 23:57 . 2009-08-11 23:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-11 23:26 . 2009-08-27 13:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-11 03:56 . 2009-08-19 17:38 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-11 03:56 . 2009-02-13 03:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-11 03:56 . 2009-02-13 03:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-11 03:56 . 2009-08-11 03:56 -------- d-----w- c:\program files\Avira
2009-08-11 03:56 . 2009-08-11 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-10 22:27 . 2009-08-10 22:27 -------- d-----w- c:\program files\Trend Micro
2009-08-10 22:12 . 2009-08-11 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-08 03:31 . 2009-08-03 05:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 03:31 . 2009-08-08 03:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 03:31 . 2009-08-03 05:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-07 17:50 . 2009-08-07 17:50 -------- d-----w- c:\documents and settings\Acer's Client\Application Data\Malwarebytes
2009-08-07 17:50 . 2009-08-07 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-31 21:26 . 2009-08-29 23:19 107724 ----a-w- c:\windows\system32\drivers\1b03efc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 23:32 . 2001-02-13 02:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-20 23:05 . 2009-06-22 19:19 -------- d-----w- c:\program files\Google
2009-08-19 17:38 . 2009-07-21 15:50 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-17 08:41 . 2009-07-14 14:10 -------- d-----w- c:\program files\Mobile Partner
2009-08-16 01:21 . 2009-07-06 08:14 -------- d-----w- c:\documents and settings\Acer's Client\Application Data\U3
2009-08-11 07:51 . 2009-07-29 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-07-29 16:17 . 2009-07-29 16:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-07-29 16:17 . 2009-07-29 16:17 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-29 16:16 . 2009-07-29 16:15 -------- d-----w- c:\documents and settings\Acer's Client\Application Data\PC Suite
2009-07-29 16:16 . 2009-07-29 16:15 -------- d-----w- c:\documents and settings\Acer's Client\Application Data\Nokia
2009-07-29 16:16 . 2009-07-29 16:16 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-07-29 16:16 . 2009-07-29 16:16 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-07-29 16:14 . 2009-07-29 16:14 -------- d-----w- c:\program files\DIFX
2009-07-29 16:13 . 2009-07-29 16:13 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
2009-07-29 16:13 . 2009-07-29 16:13 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
2009-07-29 16:13 . 2009-07-29 16:13 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-07-29 16:13 . 2009-07-29 16:13 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
2009-07-29 16:13 . 2009-07-29 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-07-29 08:06 . 2009-07-29 16:13 33712776 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_tgl_web.exe
2009-07-28 13:32 . 2009-07-28 13:32 -------- d-----w- c:\program files\Atheros
2009-07-28 13:32 . 2001-02-13 02:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-23 15:05 . 2001-02-13 02:01 -------- d-----w- c:\program files\Realtek
2009-07-23 14:02 . 2009-07-23 14:02 -------- d-----w- c:\program files\Audacity
2009-07-15 09:16 . 2009-06-22 19:12 -------- d-----w- c:\documents and settings\Acer's Client\Application Data\Symantec
2009-07-15 09:01 . 2001-02-13 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-14 23:50 . 2009-07-14 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-07-12 05:29 . 2009-07-12 05:29 -------- d-----w- c:\program files\directx
2009-07-12 05:28 . 2009-07-12 05:28 4096 ----a-w- c:\windows\d3dx.dat
2009-07-12 05:07 . 2009-07-12 05:07 -------- d-----w- c:\program files\SEGA
2009-07-12 05:05 . 2009-07-12 05:05 -------- d-----w- c:\program files\CCleaner
2009-07-05 14:26 . 2009-07-05 14:26 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-05 09:37 . 2009-07-05 09:37 60664 ----a-w- c:\documents and settings\Acer's Client\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 22:53 . 2001-02-13 01:02 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Acer's Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-05 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-31 1343488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-08-18 817672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2008-11-03 196608]
"plfsetl"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-21 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-09 16851968]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/21/2009 7:23 AM 130936]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/11/2009 11:56 AM 108289]
S1 1ed7c0;1ed7c0;c:\windows\system32\drivers\1ed7c0.sys --> c:\windows\system32\drivers\1ed7c0.sys [?]
S2 AntiVirUpgradeService;Avira Upgrade Service;"c:\docume~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\avupgsvc.exe" /TEMPSTART:""c:\docume~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\setup.exe" /NOTEMPCLEANUP /CROSSUPGRADE" --> c:\docume~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\avupgsvc.exe [?]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/13/2001 10:05 AM 94608]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/21/2009 7:22 AM 348752]
.
Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-20 23:05]

2009-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1279371858-1653462319-1608279117-1006Core.job
- c:\documents and settings\Acer's Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-05 09:39]

2009-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1279371858-1653462319-1608279117-1006UA.job
- c:\documents and settings\Acer's Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-05 09:39]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0c400d81-fbfb-4739-b7a4-ba87f5635b44} - c:\windows\system32\wncepbpx.dll
BHO-{0e09394e-7864-4b6c-adee-81c8f7297bc9} - c:\windows\system32\wncepbpx.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: e&xport to microsoft excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 07:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\1b03efc]
"ImagePath"="\SystemRoot\System32\drivers\1b03efc.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1604)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\wscntfy.exe
c:\docume~1\ACER'S~1\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2009-08-29 7:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-29 23:21

Pre-Run: 147,228,028,928 bytes free
Post-Run: 147,185,029,120 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
230
HKEd
Don't worry about Spyware Doctor for the moment. I'd like to see the system clean first.

Download The Avenger and unzip it to the desktop. Run Avenger.exe and copy/paste the contents of the Code box below to the section under 'Input script here':

CODE
Drivers to delete:
1b03efc

Files to delete:
c:\windows\system32\drivers\1b03efc.sys


Click on Execute and reboot when prompted.

Run RSIT.

Post the Avenger log (C:\Avenger.txt) and the RSIT log.
kudamax
Here's the log of RSIT and Avenger...

Logfile of random's system information tool 1.06 (written by random/random)
Run by Acer's Client at 2009-09-03 08:28:57
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 138 GB (90%) free of 153 GB
Total RAM: 1012 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:05 AM, on 9/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Mobile Partner\Mobile Partner.exe
C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Acer's Client\Desktop\Virus fixers\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Acer's Client.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [plfsetl] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1250031667578
O17 - HKLM\System\CCS\Services\Tcpip\..\{b014718b-ed35-41b6-a2bc-6246c215fd87}: NameServer = 202.126.40.5 222.127.143.5
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\avupgsvc.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5628 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1279371858-1653462319-1608279117-1006Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1279371858-1653462319-1608279117-1006UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af69de43-7d58-4638-b6fa-ce66b5ad205d}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll [2009-08-21 761840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbc80044-a445-435b-bc74-9c25c1c588a9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-21 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7e6f031-17ce-4c07-bc86-eabfe594f69c}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-08-21 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-02-28 166424]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-07-31 1343488]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-09-09 16851968]
"AzMixerSel"=C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe [2006-07-17 53248]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-02-28 141848]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-02-28 137752]
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2008-08-18 817672]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"snp2uvc"=C:\WINDOWS\system32\csnp2uvc.dll [2008-11-03 196608]
"plfsetl"=C:\WINDOWS\PLFSetL.exe [2008-07-03 94208]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2008-04-14 208952]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-21 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Documents and Settings\Acer's Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-05 133104]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-02-15 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-08-12 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableStatusMessages"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{248b76b6-6973-11de-b643-00242b198f09}]
shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{248b76b7-6973-11de-b643-00242b198f09}]
shell\AutoRun\command - RECYCLER\autorun.exe
shell\open\command - RECYCLER\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90386207-8d89-11de-b6f5-00242b198f09}]
shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b8eb14-689e-11de-b63f-00242b198f09}]
shell\AutoRun\command - RECYCLER\autorun.exe
shell\open\command - RECYCLER\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b8eb15-689e-11de-b63f-00242b198f09}]
shell\AutoRun\command - RECYCLER\autorun.exe
shell\open\command - RECYCLER\autorun.exe


======List of files/folders created in the last 1 months======

2009-09-02 22:22:59 ----D---- C:\Program Files\Microsoft Games
2009-09-02 22:05:46 ----D---- C:\SIMS
2009-08-30 20:52:15 ----D---- C:\Avenger
2009-08-30 09:43:07 ----SHD---- C:\RECYCLER
2009-08-30 07:21:54 ----A---- C:\ComboFix.txt
2009-08-30 07:17:11 ----D---- C:\WINDOWS\temp
2009-08-30 07:03:07 ----A---- C:\Boot.bak
2009-08-30 07:03:01 ----RASHD---- C:\cmdcons
2009-08-30 06:59:16 ----A---- C:\WINDOWS\zip.exe
2009-08-30 06:59:16 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-30 06:59:16 ----A---- C:\WINDOWS\SWSC.exe
2009-08-30 06:59:16 ----A---- C:\WINDOWS\SWREG.exe
2009-08-30 06:59:16 ----A---- C:\WINDOWS\sed.exe
2009-08-30 06:59:16 ----A---- C:\WINDOWS\PEV.exe
2009-08-30 06:59:16 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-30 06:59:16 ----A---- C:\WINDOWS\grep.exe
2009-08-30 06:58:57 ----D---- C:\WINDOWS\ERDNT
2009-08-30 06:58:46 ----D---- C:\Qoobox
2009-08-29 07:55:02 ----HD---- C:\WINDOWS\PIF
2009-08-29 07:46:57 ----D---- C:\Documents and Settings\Acer's Client\Application Data\oqtllvwk
2009-08-21 14:15:12 ----A---- C:\WINDOWS\system32\javaws.exe
2009-08-21 14:15:12 ----A---- C:\WINDOWS\system32\javaw.exe
2009-08-21 14:15:12 ----A---- C:\WINDOWS\system32\java.exe
2009-08-21 14:14:37 ----D---- C:\Program Files\Java
2009-08-21 07:22:45 ----D---- C:\Program Files\Common Files\PC Tools
2009-08-21 07:22:25 ----D---- C:\Program Files\Spyware Doctor
2009-08-21 07:22:25 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-08-21 07:22:25 ----D---- C:\Documents and Settings\Acer's Client\Application Data\PC Tools
2009-08-21 07:05:27 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-08-21 06:39:30 ----D---- C:\rsit
2009-08-21 06:38:13 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-08-16 23:57:35 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #4.txt
2009-08-15 14:44:28 ----D---- C:\Program Files\Sun Broadband Wireless
2009-08-15 14:38:33 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt
2009-08-12 07:26:43 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-08-11 11:56:39 ----D---- C:\Program Files\Avira
2009-08-11 11:56:39 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-08-11 06:27:07 ----D---- C:\Program Files\Trend Micro
2009-08-11 06:12:10 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-08-11 05:21:06 ----D---- C:\Documents and Settings\Acer's Client\Application Data\Mozilla
2009-08-08 11:31:06 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-08 01:50:54 ----D---- C:\Documents and Settings\Acer's Client\Application Data\Malwarebytes
2009-08-08 01:50:44 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes

======List of files/folders modified in the last 1 months======

2009-09-03 08:27:53 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #2.txt
2009-09-03 08:23:31 ----D---- C:\WINDOWS\Prefetch
2009-09-03 07:37:51 ----AD---- C:\WINDOWS\system32
2009-09-03 07:37:51 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-09-03 07:33:57 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-03 07:33:53 ----D---- C:\WINDOWS
2009-09-03 07:33:46 ----SD---- C:\WINDOWS\Tasks
2009-09-02 22:29:57 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-02 22:28:01 ----SHD---- C:\WINDOWS\Installer
2009-09-02 22:28:01 ----D---- C:\WINDOWS\WinSxS
2009-09-02 22:27:54 ----HD---- C:\WINDOWS\inf
2009-09-02 22:22:59 ----RD---- C:\Program Files
2009-08-31 04:15:04 ----D---- C:\WINDOWS\system32\drivers
2009-08-30 07:20:23 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-30 07:19:43 ----A---- C:\WINDOWS\system.ini
2009-08-30 07:17:54 ----D---- C:\WINDOWS\system32\config
2009-08-30 07:16:40 ----RSD---- C:\WINDOWS\Fonts
2009-08-30 07:14:14 ----D---- C:\WINDOWS\AppPatch
2009-08-30 07:14:07 ----D---- C:\Program Files\Common Files
2009-08-30 07:10:02 ----SHD---- C:\System Volume Information
2009-08-30 07:10:02 ----D---- C:\WINDOWS\system32\Restore
2009-08-30 07:03:07 ----RASH---- C:\boot.ini
2009-08-27 07:32:05 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-08-21 20:38:40 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-21 07:05:29 ----D---- C:\Program Files\Google
2009-08-20 01:41:37 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
2009-08-17 16:41:21 ----D---- C:\Program Files\Mobile Partner
2009-08-16 09:21:38 ----D---- C:\Documents and Settings\Acer's Client\Application Data\U3
2009-08-12 07:52:03 ----D---- C:\WINDOWS\Help
2009-08-11 17:12:27 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-08-11 15:58:24 ----A---- C:\WINDOWS\win.ini
2009-08-11 15:51:41 ----D---- C:\Documents and Settings\All Users\Application Data\PC Suite
2009-08-11 11:52:49 ----SD---- C:\Documents and Settings\Acer's Client\Application Data\Microsoft
2009-08-11 06:09:03 ----D---- C:\WINDOWS\SoftwareDistribution
2009-08-06 16:59:13 ----D---- C:\WINDOWS\system

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-08-20 96104]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-08-20 28520]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-08-20 55656]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2008-08-20 1318464]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\WINDOWS\system32\DRIVERS\DKbFltr.sys [2006-01-20 17408]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2007-08-24 101120]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-09-09 4813824]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-08-07 111360]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC); C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2007-10-01 1769984]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2008-07-31 230464]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S1 1ed7c0;1ed7c0; C:\WINDOWS\System32\drivers\1ed7c0.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 int15.sys;int15.sys; \??\c:\acernb\int15.sys []
S3 JMCR;JMCR; C:\WINDOWS\system32\DRIVERS\jmcr.sys [2008-09-03 94608]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys []
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 antivirschedulerservice;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-08-20 108289]
R2 antivirservice;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-08-20 185089]
R2 javaquickstarterservice;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-21 153376]
R2 Symantec Core LC;Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2001-02-13 1245064]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 AntiVirUpgradeService;Avira Upgrade Service; C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\avupgsvc.exe /TEMPSTART:C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\setup.exe /NOTEMPCLEANUP /CROSSUPGRADE []
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-21 194032]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-27 145184]
S3 sdauxservice;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S3 sdcoreservice;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "1b03efc" deleted successfully.

Error: could not open file "c:windows\system32\drivers\1b03efc.sys"
Deletion of file "c:windows\system32\drivers\1b03efc.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.
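
Defender-side triage of the driver, service and mountpoints2 lines in the RSIT log above, as an added example (my code, not RSIT's, Avenger's or the forum's). It parses lines in the format RSIT prints and flags the traits HKEd acted on in this thread: a short all-hex service name with no descriptive display name (the 1ed7c0 and 1b03efc entries), an image file the tool could not stat (an empty `[]` at the end of the line), an image that runs from a Temp directory, and a removable-volume autorun command given as a relative path such as RECYCLER\autorun.exe. The sample log is constructed from the lines posted above, and the function names (`triage`, `is_random_name`, `in_temp_dir`) and the heuristics are assumptions of mine; `catchme` is allowlisted because the ComboFix output above identifies it as GMER's own scanner driver.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the RSIT driver/service and mountpoints2 lines
# posted above; it is test input for this example, not the tool's own output.
SAMPLE_LOG = r"""
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-08-20 96104]
S1 1ed7c0;1ed7c0; C:\WINDOWS\System32\drivers\1ed7c0.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\catchme.sys []
S2 AntiVirUpgradeService;Avira Upgrade Service; C:\DOCUME~1\ACER'S~1\LOCALS~1\Temp\AVSETUP_4a5da8af\basic\avupgsvc.exe /NOTEMPCLEANUP []
R2 antivirservice;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-08-20 185089]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8b8eb14-689e-11de-b63f-00242b198f09}]
shell\AutoRun\command - RECYCLER\autorun.exe
shell\open\command - RECYCLER\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{248b76b6-6973-11de-b643-00242b198f09}]
shell\AutoRun\command - D:\LaunchU3.exe -a
"""

# RSIT entry shape: "<R|S><start> <name>;<display>; <image path> [<date> <size>]"
# (the bracket is empty when RSIT could not stat the image file).
ENTRY_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.+?) \[([^\]]*)\]$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
CMD_RE = re.compile(r"^(shell\\[^ ]+) - (.+)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,8}$", re.IGNORECASE)

# Scanner components that legitimately look odd; catchme is GMER's driver
# (see the catchme banner in the ComboFix output above).
KNOWN_TOOL_DRIVERS = {"catchme"}


@dataclass
class Finding:
    name: str        # service name, or the mountpoints2 volume GUID
    detail: str      # image path, or the autorun command
    reasons: list    # human-readable heuristics that fired


def is_random_name(name: str) -> bool:
    """True for short all-hex names like '1ed7c0'; real drivers almost never use these."""
    return bool(HEX_NAME_RE.match(name))


def in_temp_dir(path: str) -> bool:
    """True when the image lives under any ...\\Temp\\... directory."""
    return bool(re.search(r"\\temp\\", path, re.IGNORECASE))


def triage(text: str) -> list:
    """Return Findings for entries a malware-removal helper would look at first."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            _state, _start, name, display, path, stamp = m.groups()
            if name.lower() in KNOWN_TOOL_DRIVERS:
                continue
            reasons = []
            if is_random_name(name) and name == display:
                reasons.append("random hex service name with no descriptive display name")
            if stamp == "":
                reasons.append("tool could not stat the image file (missing or hidden)")
            if in_temp_dir(path):
                reasons.append("image runs from a Temp directory")
            if reasons:
                findings.append(Finding(name, path, reasons))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = CMD_RE.match(line)
        if m and current_key and "mountpoints2" in current_key.lower():
            verb, command = m.groups()
            # A command without a drive letter resolves against the removable
            # volume itself; RECYCLER\autorun.exe is the classic autorun-worm shape.
            if not re.match(r"^[A-Za-z]:\\", command):
                guid = current_key.rsplit("\\", 1)[-1]
                findings.append(Finding(guid, f"{verb} - {command}",
                                        ["relative autorun command on a removable volume"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}: {f.detail}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the constructed sample the script reports 1ed7c0 (random name plus unreadable image), AntiVirUpgradeService (Temp-directory image plus unreadable image) and the two RECYCLER\autorun.exe commands under the first mountpoints2 GUID, while the Avira drivers and the D:\LaunchU3.exe entry pass. Each hit is a lead to verify (VirusTotal, vendor signature, install date), not a verdict; the empty-bracket rule in particular also fires on paths RSIT cannot resolve, such as the `\??\` prefixed ones.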


HKEd
Can you go to VirusTotal and click on Browse, then direct it to this file:

C:\WINDOWS\System32\drivers\1ed7c0.sys

Post the results of the file scan.

Otherwise, all looks well. You could try reinstalling Spyware Doctor and uninstalling it from Add/Remove Programs.
kudamax
Hi! The file you requested to scan isn't in that folder. It's not there. I even clicked "show all hidden files", but still I can't find it. Have any ideas?
One more thing... My Windows Update fails and I always get this error: "Error number: 0x8024D007". Do you think this is caused by a virus or something?
HKEd
I wasn't sure that file would be there. Don't worry about it.

The 0x8024D007 problem is well documented. Just follow the steps in this MSKB article.
kudamax
So does that mean my computer's already clean?
HKEd
As far as I can ascertain, yes.

Run an online scan at Kaspersky and post the results.
kudamax
QUOTE(HKEd @ Sep 5 2009, 04:18 PM)

As far as I can ascertain, yes.

Run an online scan at Kaspersky and post the results.


Hi HKEd! I'm so sorry for my super late reply... I don't have a broadband connection at home, so it was a hard time for me to scan my computer. Well, I just want to thank you for helping me out... I scanned with Kaspersky Online Scanner and no threats were found. =) Thank you so much!