
[Closed] Total Security 2009 infection help please.


  • This topic is locked
19 replies to this topic

#1 TMGTEch

TMGTEch

    New Member

  • Authentic Member
  • 13 posts

Posted 20 September 2009 - 12:04 AM

Hi guys, first of all, thanks for your help. It's appreciated.

I have just been infected by the Total Security 2009 malware. I'm not 100% sure where it's come from, but all I know is I want to remove it :D The screen changed to the "Your infected" screen and the system won't let me run Task Manager or Mozilla/IE, so I rebooted, looked in Explorer and renamed C:\program Data\12713174\12713174.exe to 12713174.old and rebooted again. That allowed me to at least log onto the internet and do some more research.

I've run a scan of the machine with ESET NOD32, which didn't show anything. I've done some searching on it and downloaded Win32kDiag and have attached the log file. I've also downloaded gmer and have attached its log file. I tried to download and run RootRepeal, but it crashed on me several times with several different downloads; I'm not sure if that's a Vista thing or a consequence of the infection.

Thanks for your help.

Thanks & Regards
Pher.


#2 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 20 September 2009 - 02:28 AM

Hi,

Please do the following:



Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


NEXT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two text files will open - log.txt (<<will be maximized) and info.txt (<<will be minimized)
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt and info.txt in your reply; you won't need to produce a new HijackThis log, as RSIT produces one for you.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 TMGTEch

TMGTEch

    New Member

  • Authentic Member
  • 13 posts

Posted 20 September 2009 - 04:54 AM

Hi,

Thanks for your help.

ESET NOD32 came up with the following message but was unable to clean the infected file.

20/09/2009 8:41:57 PM Startup scanner file \\?\globalroot\systemroot\system32\gasfkytsbaelxt.dll Win32/Olmarik.MF trojan error while deleting/cleaning

As requested, here are the log files.

exeHelper by Raktor - 09
Build 20090916
Run at 20:43:57 on 09/20/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Resetting filetype association for .exe
Resetting filetype association for .com
--Finished--


info.txt
info.txt logfile of random's system information tool 1.06 2009-09-20 20:45:47

======Uninstall list======

-->"C:\Program Files\HP Games\3D Ultra Minigolf Adventures\Uninstall.exe"
-->"C:\Program Files\HP Games\7 Wonders of the Ancient World\Uninstall.exe"
-->"C:\Program Files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Blasterball 2 Revolution\Uninstall.exe"
-->"C:\Program Files\HP Games\Blasterball 3\Uninstall.exe"
-->"C:\Program Files\HP Games\Chuzzle Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Crystal Maze\Uninstall.exe"
-->"C:\Program Files\HP Games\Diner Dash\Uninstall.exe"
-->"C:\Program Files\HP Games\FATE\Uninstall.exe"
-->"C:\Program Files\HP Games\Final Drive Nitro\Uninstall.exe"
-->"C:\Program Files\HP Games\Fish Tycoon\Uninstall.exe"
-->"C:\Program Files\HP Games\Insaniquarium Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Jewel Quest Solitaire\Uninstall.exe"
-->"C:\Program Files\HP Games\Jewel Quest\Uninstall.exe"
-->"C:\Program Files\HP Games\Magic Academy\Uninstall.exe"
-->"C:\Program Files\HP Games\Mah Jong Quest\Uninstall.exe"
-->"C:\Program Files\HP Games\My HP Game Console\Uninstall.exe"
-->"C:\Program Files\HP Games\Otto's Magic Blocks\Uninstall.exe"
-->"C:\Program Files\HP Games\Peggle\Uninstall.exe"
-->"C:\Program Files\HP Games\Penguins!\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Golfer Pineapple Cup\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Golfer\Uninstall.exe"
-->"C:\Program Files\HP Games\Ricochet Lost Worlds\Uninstall.exe"
-->"C:\Program Files\HP Games\Shooting Stars Pool\Uninstall.exe"
-->"C:\Program Files\HP Games\Slingo Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Super Granny\Uninstall.exe"
-->"C:\Program Files\HP Games\Tradewinds\Uninstall.exe"
-->"C:\Program Files\HP Games\Virtual Villagers - A New Home\Uninstall.exe"
-->"C:\Program Files\HP Games\Virtual Villagers - Chapter 2 - The Lost Children\Uninstall.exe"
-->"C:\Program Files\HP Games\Zuma Deluxe\Uninstall.exe"
2007 Microsoft Office system-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROHYBRIDR /dll OSETUP.DLL
32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}
Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Photoshop v3.0-->C:\Windows\uninst.exe -fC:\Win32App\Photoshp\DeIsL1.isu
Adobe Reader 8.1.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe Shockwave Player-->MsiExec.exe /X{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}
AIM 6-->C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support-->MsiExec.exe /I{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Bullzip PDF Printer 6.0.0.766-->"C:\Program Files\Bullzip\PDF Printer\unins000.exe"
Business Contact Manager for Outlook 2007 SP2-->"C:\Program Files\Microsoft Small Business\Business Contact Manager\SetupBootstrap\Setup.exe" /remove {B32C4059-6E7A-41EF-AD20-56DF1872B923}
Business Contact Manager for Outlook 2007 SP2-->MsiExec.exe /X{B32C4059-6E7A-41EF-AD20-56DF1872B923}
Cisco Network Assistant-->C:\Program Files\Cisco Systems\Cisco Network Assistant\utilities\uninstall\uninstall.exe
CoffeeCup HTML Editor 2008-->C:\PROGRA~1\COFFEE~1\UNWISE.EXE C:\PROGRA~1\COFFEE~1\INSTALL.LOG
CyberLink YouCam-->"C:\Program Files\InstallShield Installation Information\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\setup.exe" /z-uninstall
DHTML Editing Component-->MsiExec.exe /I{2EA870FA-585F-4187-903D-CB9FFD21E2E0}
DVD Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
ESET NOD32 Antivirus-->MsiExec.exe /I{57ECFB4D-FE11-491A-9AA0-0AF7C3ABC51D}
ESU for Microsoft Vista-->MsiExec.exe /I{865DB1C9-D5E4-408B-B37D-9927E605BD2D}
e-tax 2009-->MsiExec.exe /X{0A8C7880-F199-4807-ABD4-6E695B71A3D7}
FileZilla Client 3.2.6.1-->C:\Program Files\FileZilla FTP Client\uninstall.exe
gBurner-->"C:\Program Files\gBurner\uninstall.exe"
GOM Player-->"C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
GPL Ghostscript Lite 8.63-->"C:\Program Files\GSLITE\unins000.exe"
Hauppauge MCE XP/Vista Software Encoder (2.0.25149)-->C:\PROGRA~1\WinTV\UNSftMCE.EXE C:\PROGRA~1\WinTV\softMCE.LOG
Hewlett-Packard Active Check for Health Check-->MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Hewlett-Packard Asset Agent for Health Check-->MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP Active Support Library-->C:\Program Files\InstallShield Installation Information\{5DAA9C36-8F8B-462F-8CCA-E205BC3751F5}\setup.exe -runfromtemp -l0x0409
HP Customer Experience Enhancements-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD0E2B92-3814-46F0-893B-4612EA010C7E}\setup.exe" -l0x9 -removeonly
HP Doc Viewer-->MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}
HP Easy Setup - Frontend-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9885A11E-60E4-417C-B58B-8B31B21C0B8A}\setup.exe" -l0x9 -removeonly
HP Help and Support-->MsiExec.exe /X{31216452-5540-4C96-B754-94890A63D5AB}
HP Integrated Module with Bluetooth wireless technology 6.0.1.5500-->MsiExec.exe /X{03D1988F-469F-4843-8E6E-E5FE9D17889D}
HP Photosmart Essential 2.5-->C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Quick Launch Buttons 6.30 E1-->C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe -runfromtemp -l0x0009 uninst
HP QuickPlay 3.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP QuickTouch 1.00 C4-->MsiExec.exe /I{7DC4A410-9986-4329-9E5D-687B2C42CA39}
HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}
HP User Guides 0087-->MsiExec.exe /I{4D49757C-367A-4333-BDB3-68966162B14E}
HP Wireless Assistant-->MsiExec.exe /I{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}
HPNetworkAssistant-->MsiExec.exe /I{228C6B46-64E2-404E-898A-EF0830603EF4}
Intel® Matrix Storage Manager-->C:\Windows\system32\imsmudlg.exe -uninstall
iTunes-->MsiExec.exe /I{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}
Java DB 10.4.1.3-->MsiExec.exe /X{998D6972-F58E-479D-9248-8F179E55AE38}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Development Kit 6 Update 13-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160130}
Joyland Casino-->"C:\Casino\Joyland Casino\_SetupCasino.exe" /uninstall
LabelPrint-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\setup.exe" -uninstall
LaCie Network Assistant 1.2.0.15-->"C:\Program Files\LaCie\Network Assistant\unins000.exe"
MediaRing Talk-->"C:\Program Files\MediaRing\MediaRing Talk\Uninstall.exe" "C:\Program Files\MediaRing\MediaRing Talk\install.log"
MegaPipe Win32 DLL-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{90630642-2AC2-41C8-B354-DB3E072B0BB2}\Setup.exe"
Microsoft .NET Framework 1.1 Hotfix (KB929729)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office 2007 Primary Interop Assemblies-->MsiExec.exe /X{50120000-1105-0000-0000-0000000FF1CE}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Hybrid 2007-->MsiExec.exe /X{91120000-0031-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components-->MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office Ultimate 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ULTIMATER /dll OSETUP.DLL
Microsoft Office Ultimate 2007-->MsiExec.exe /X{91120000-002E-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs-->MsiExec.exe /X{90120000-00B2-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005-->"C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{56B4002F-671C-49F4-984C-C760FE3806B5}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual J# .NET Redistributable Package 1.1-->MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Motorola SM56 Data Fax Modem-->rundll32.exe sm56co6a.dll,SM56UnInstaller
Mozilla Firefox (3.5.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSCU for Microsoft Vista-->MsiExec.exe /I{F7F3B252-E772-48AA-93EB-7964BC326067}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
muvee autoProducer 6.1-->C:\Program Files\InstallShield Installation Information\{250E9609-E830-43EB-B379-DAB7546A2422}\muveesetup.exe -removeonly -runfromtemp
My HP Games-->"C:\Program Files\HP Games\Uninstall.exe"
MySQL Server 5.1-->MsiExec.exe /I{3BEE670A-C209-4350-A47F-3B8CCB3419ED}
MySQL Workbench 5.0 OSS-->MsiExec.exe /I{78897DE2-640B-45D0-AA03-AC2DB9D95A7A}
Notepad++-->C:\Program Files\Notepad++\uninstall.exe
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
OGA Notifier 1.7.0105.35.0-->MsiExec.exe /I{B148AB4B-C8FA-474B-B981-F2943C5B5BCD}
PopCap Browser Plugin-->C:\Program Files\PopCap Games\PopCap Browser Plugin\Uninstall.exe
Power2Go-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDirector-->"C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\setup.exe" /z-uninstall
PremiumSoft Navicat 8.1 for MySQL-->"C:\Program Files\PremiumSoft\Navicat 8.1 MySQL\unins000.exe"
QuickPlay SlingPlayer 0.4.4-->"C:\Program Files\HP\QuickPlay\unins000.exe"
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
R-Studio 4.2-->G:\Undelete\Uninstall.exe
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB969679)-->msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {C66E4A6C-6E07-4C63-8CCD-2493B5087C73}
Security Update for 2007 Microsoft Office System (KB969679)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {C66E4A6C-6E07-4C63-8CCD-2493B5087C73}
Security Update for Microsoft Office Excel 2007 (KB969682)-->msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {C03803BD-745A-46F8-8557-817DED578780}
Security Update for Microsoft Office Excel 2007 (KB969682)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {C03803BD-745A-46F8-8557-817DED578780}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050}
Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050}
Simpli-File Find, Replace and Insert-->MsiExec.exe /I{F6CE7795-71FD-42BB-A7C3-6018CE678790}
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
SystemSecurity2009-->C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Security\Total Security 2009.lnk
TeraCopy 2.01-->"C:\Program Files\TeraCopy\unins000.exe"
The Ur-Quan Masters 0.6.2-->C:\Program Files\The Ur-Quan Masters\uninst.exe
Thingamablog 1.1b6-->C:\Program Files\Thingamablog\uninst.exe
Turbo Lister 2-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office Outlook 2007 (KB969907)-->msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {74F98B24-AFBD-4800-9BD6-87D349B5C462}
Update for Microsoft Office Outlook 2007 (KB969907)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {74F98B24-AFBD-4800-9BD6-87D349B5C462}
Update for Outlook 2007 Junk Email Filter (kb973514)-->msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {03B11C77-336F-43B4-9B43-79890BA84504}
Update for Outlook 2007 Junk Email Filter (kb973514)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {03B11C77-336F-43B4-9B43-79890BA84504}
Vegas Pro 9.0-->MsiExec.exe /X{DC785DB7-D389-48C3-B146-96FE99BF4E2B}
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VLC media player 1.0.0-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Vuze-->C:\Program Files\Vuze\uninstall.exe
WampServer 2.0-->"c:\Program Files\wamp\unins000.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xvid 1.2.1 final uninstall-->"C:\Program Files\Xvid\unins000.exe"

======Security center information======

AV: ESET NOD32 Antivirus 3.0
AS: ESET NOD32 Antivirus 3.0
AS: Windows Defender

======System event log======

Computer Name: Chris-PC
Event Code: 1002
Message: The IP address lease 10.1.1.4 for the Network Card with network address 001F3B757509 has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
Record Number: 55614
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090920095437.000000-000
Event Type: Error
User:

Computer Name: Chris-PC
Event Code: 1003
Message:
Record Number: 55616
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090920102440.000000-000
Event Type: Warning
User:

Computer Name: Chris-PC
Event Code: 1002
Message: The IP address lease 10.1.1.4 for the Network Card with network address 001F3B757509 has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).
Record Number: 55617
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090920102440.000000-000
Event Type: Error
User:

Computer Name: Chris-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {F17FB44A-627B-44A5-ADEC-C82F86218FC6}
User: Chris-PC\Chris
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found: shellopencmd:HKLM\Software\Classes\exefile\shell\open\command\\
Alert Type: Unclassified software
Detection Type:
Record Number: 55619
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20090920104405.000000-000
Event Type: Warning
User:

Computer Name: Chris-PC
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {6333A261-E64B-4ECF-BE04-F0242F087147}
User: Chris-PC\Chris
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found: shellopencmd:HKLM\Software\Classes\comfile\shell\open\command\\
Alert Type: Unclassified software
Detection Type:
Record Number: 55620
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20090920104407.000000-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: Chris-PC
Event Code: 1010
Message: The Collect Procedure for the "EmdCache" service in DLL "C:\Windows\system32\emdmgmt.dll" generated an exception or returned an invalid status. The performance data returned by the counter DLL will not be returned in the Perf Data Block. The first four bytes (DWORD) of the Data section contains the exception code or status code.
Record Number: 6906
Source Name: Microsoft-Windows-Perflib
Time Written: 20090919224907.000000-000
Event Type: Error
User:

Computer Name: Chris-PC
Event Code: 1000
Message: Faulting application RootRepeal.exe, version 1.3.5.0, time stamp 0x4a842d4f, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc0000005, fault offset 0x00062086, process id 0x16f8, application start time 0x01ca397c6a33dff0.
Record Number: 6907
Source Name: Application Error
Time Written: 20090919225703.000000-000
Event Type: Error
User:

Computer Name: Chris-PC
Event Code: 12290
Message: Volume Shadow Copy Service warning: ASR writer Error 0x80070565. hr = 0x00000000.

Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: ASR Writer
Writer Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
Writer Name: ASR Writer
Writer Instance ID: {47fba268-fed1-4a4c-ba6f-383c9e6284b8}
Record Number: 6911
Source Name: VSS
Time Written: 20090920015927.000000-000
Event Type: Warning
User:

Computer Name: Chris-PC
Event Code: 8193
Message: Failed to create restore point on volume (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Descripton = Scheduled Checkpoint; Hr = 0x81000109).
Record Number: 6912
Source Name: System Restore
Time Written: 20090920015939.000000-000
Event Type: Error
User:

Computer Name: Chris-PC
Event Code: 8210
Message: The scheduled restore point could not be created. Additional information: (0x81000109).
Record Number: 6913
Source Name: System Restore
Time Written: 20090920015939.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Chris-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: CHRIS-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x26c
Process Name: C:\WINDOWS\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 13262
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090920045802.376294-000
Event Type: Audit Success
User:

Computer Name: Chris-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 13263
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090920045802.376294-000
Event Type: Audit Success
User:

Computer Name: Chris-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: CHRIS-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x26c
Process Name: C:\WINDOWS\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 13264
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090920083702.262994-000
Event Type: Audit Success
User:

Computer Name: Chris-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: CHRIS-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x26c
Process Name: C:\WINDOWS\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 13265
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090920083702.262994-000
Event Type: Audit Success
User:

Computer Name: Chris-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 13266
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090920083702.262994-000
Event Type: Audit Success
User:

======Environment variables======

"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"JAVA_HOME"=C:\Program Files\Java\jdk1.6.0_13
"NUMBER_OF_PROCESSORS"=2
"OnlineServices"=Online Services
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\CyberLink\Power2Go\;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PCBRAND"=Pavilion
"PLATFORM"=MCD
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=1706
"QTJAVA"=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"USERPART"=E:
"windir"=%SystemRoot%

-----------------EOF-----------------


log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by Chris at 2009-09-20 20:45:37
Microsoft® Windows Vista™ Home Premium
System drive C: has 55 GB (37%) free of 149 GB
Total RAM: 3070 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:46 PM, on 20/09/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Chris\Desktop\RSIT.exe
C:\Program Files\trend micro\Chris.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [12713174] C:\ProgramData\12713174\12713174.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-27-0.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: wampapache - Apache Software Foundation - c:\Program Files\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\Program Files\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe

--
End of file - 10291 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-06-22 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2007-09-20 86016]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2007-09-20 8497696]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2007-09-20 81920]
"SynTPStart"=C:\Program Files\Synaptics\SynTP\SynTPStart.exe [2007-09-15 102400]
"SMSERIAL"=C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [2007-01-17 634880]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-03-09 4390912]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2008-04-15 178712]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2007-10-01 181544]
"QlbCtrl"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2007-09-20 202032]
"OnScreenDisplay"=C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [2007-09-05 554320]
"UCam_Menu"=C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [2007-08-17 218408]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2007-11-27 1006264]
"hpqSRMon"=C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [2008-06-02 80896]
"HP Health Check Scheduler"=c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [2008-06-16 75008]
"hpWirelessAssistant"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [2007-09-14 480560]
"WAWifiMessage"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [2007-01-09 311296]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-06-22 148888]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2007-12-21 1443072]
"12713174"=C:\ProgramData\12713174\12713174 [2009-09-19 56]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2007-08-23 455968]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-11-02 201728]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-09-20 20:45:38 ----D---- C:\Program Files\trend micro
2009-09-20 20:45:37 ----D---- C:\rsit
2009-09-19 19:18:42 ----D---- C:\Users\Chris\AppData\Roaming\Publish Providers
2009-09-19 19:16:23 ----D---- C:\Users\Chris\AppData\Roaming\Sony
2009-09-19 19:13:09 ----D---- C:\ProgramData\12713174
2009-09-19 19:04:08 ----D---- C:\ProgramData\Sony
2009-09-19 19:03:59 ----D---- C:\Program Files\Sony
2009-09-10 03:05:46 ----A---- C:\Windows\system32\jscript.dll
2009-09-10 03:04:35 ----A---- C:\Windows\system32\MRINFO.EXE
2009-09-10 03:04:32 ----A---- C:\Windows\system32\netevent.dll
2009-09-10 03:04:31 ----A---- C:\Windows\system32\netiougc.exe
2009-09-10 03:04:30 ----A---- C:\Windows\system32\NETSTAT.EXE
2009-09-10 03:04:30 ----A---- C:\Windows\system32\finger.exe
2009-09-10 03:04:29 ----A---- C:\Windows\system32\ROUTE.EXE
2009-09-10 03:04:29 ----A---- C:\Windows\system32\HOSTNAME.EXE
2009-09-10 03:04:29 ----A---- C:\Windows\system32\ARP.EXE
2009-09-10 03:04:18 ----A---- C:\Windows\system32\netiohlp.dll
2009-09-10 03:04:17 ----A---- C:\Windows\system32\tcpipcfg.dll
2009-09-10 03:04:16 ----A---- C:\Windows\system32\TCPSVCS.EXE
2009-09-10 03:03:52 ----A---- C:\Windows\system32\L2SecHC.dll
2009-09-10 03:03:51 ----A---- C:\Windows\system32\wlanhlp.dll
2009-09-10 03:03:51 ----A---- C:\Windows\system32\wlanapi.dll
2009-09-10 03:03:50 ----A---- C:\Windows\system32\wlansvc.dll
2009-09-10 03:03:50 ----A---- C:\Windows\system32\wlansec.dll
2009-09-10 03:03:50 ----A---- C:\Windows\system32\wlanmsm.dll
2009-09-10 03:03:37 ----A---- C:\Windows\system32\mfps.dll
2009-09-10 03:03:37 ----A---- C:\Windows\system32\mfpmp.exe
2009-09-10 03:03:37 ----A---- C:\Windows\system32\mferror.dll
2009-09-10 03:03:37 ----A---- C:\Windows\system32\mf.dll
2009-09-10 03:03:36 ----A---- C:\Windows\system32\WMVCORE.DLL
2009-09-10 03:03:36 ----A---- C:\Windows\system32\rrinstaller.exe
2009-09-08 06:04:32 ----A---- C:\Users\Chris\AppData\Roaming\onload.exe
2009-08-27 03:01:53 ----A---- C:\Windows\system32\tzres.dll

======List of files/folders modified in the last 1 months======

2009-09-20 20:45:46 ----D---- C:\Windows\Prefetch
2009-09-20 20:45:43 ----D---- C:\Windows\Temp
2009-09-20 20:45:38 ----RD---- C:\Program Files
2009-09-20 20:29:06 ----D---- C:\Windows\System32
2009-09-20 08:56:25 ----D---- C:\Windows\system32\drivers
2009-09-20 08:49:45 ----D---- C:\Program Files\Mozilla Firefox
2009-09-20 08:29:07 ----D---- C:\Windows\inf
2009-09-20 08:29:07 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-09-19 21:29:41 ----D---- C:\Users\Chris\AppData\Roaming\vlc
2009-09-19 20:51:06 ----D---- C:\Windows\Minidump
2009-09-19 20:50:53 ----D---- C:\WINDOWS
2009-09-19 19:50:02 ----D---- C:\Users\Chris\AppData\Roaming\Azureus
2009-09-19 19:13:09 ----HD---- C:\ProgramData
2009-09-19 19:04:54 ----SHD---- C:\Windows\Installer
2009-09-19 19:04:53 ----RSD---- C:\Windows\assembly
2009-09-19 19:03:11 ----D---- C:\Windows\winsxs
2009-09-19 19:00:51 ----D---- C:\Temporary
2009-09-19 11:25:41 ----SHD---- C:\System Volume Information
2009-09-19 09:19:24 ----D---- C:\Users\Chris\AppData\Roaming\muvee Technologies
2009-09-19 09:00:55 ----AD---- C:\ProgramData\TEMP
2009-09-10 03:28:59 ----D---- C:\Windows\rescache
2009-09-10 03:12:50 ----D---- C:\Program Files\Microsoft Silverlight
2009-09-10 03:11:29 ----D---- C:\Windows\system32\migration
2009-09-10 03:11:29 ----D---- C:\Windows\system32\en-US
2009-09-10 03:11:28 ----D---- C:\Windows\system32\wbem
2009-09-10 03:05:49 ----D---- C:\Windows\system32\catroot
2009-09-10 03:05:21 ----D---- C:\Windows\system32\catroot2
2009-09-10 03:01:50 ----D---- C:\ProgramData\Microsoft Help
2009-09-10 03:00:47 ----D---- C:\Windows\ehome
2009-08-29 07:38:20 ----A---- C:\Windows\system32\mrt.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:\Windows\system32\DRIVERS\easdrv.sys [2007-12-21 30216]
R1 epfwtdir;epfwtdir; C:\Windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
R2 eamon;EAMON; C:\Windows\system32\DRIVERS\eamon.sys [2007-12-21 39944]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-25 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-24 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-03-22 37376]
R3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-01 19456]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2006-11-02 92160]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-01 29184]
R3 btwaudio;Bluetooth Audio Device Service; C:\Windows\system32\drivers\btwaudio.sys [2007-09-18 80424]
R3 btwavdt;Bluetooth AVDT; C:\Windows\system32\drivers\btwavdt.sys [2007-09-18 80936]
R3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2007-09-18 16168]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HpqKbFiltr;HpqKbFilter Driver; C:\Windows\system32\DRIVERS\HpqKbFiltr.sys [2007-06-19 16768]
R3 HpqRemHid;HP Remote Control HID Device; C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-12 7168]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-03-12 1747936]
R3 NETw4v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-06-29 2222080]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-09-20 7626400]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2006-11-02 49664]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-09-18 98816]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2007-11-27 82432]
R3 smserial;smserial; C:\Windows\system32\DRIVERS\smserial.sys [2007-01-17 983936]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-09-15 191408]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2007-11-27 132864]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2006-11-02 11264]
S3 61883;61883 Unit Device; C:\Windows\system32\DRIVERS\61883.sys [2006-11-02 45696]
S3 Avc;AVC Device; C:\Windows\system32\DRIVERS\avc.sys [2006-11-02 40448]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-04-01 220160]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 E100B;Intel® PRO Adapter Driver; C:\Windows\system32\DRIVERS\e100b325.sys [2006-11-02 163328]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-10-19 1380864]
S3 kgroqpod;kgroqpod; \??\C:\Users\Chris\AppData\Local\Temp\kgroqpod.sys []
S3 MSDV;Microsoft DV Camera and VCR; C:\Windows\system32\DRIVERS\msdv.sys [2006-11-02 52608]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 1781760]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\Windows\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\Windows\system32\DRIVERS\SymIM.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-05-29 39424]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2006-11-02 71552]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2006-11-02 35328]
S3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2006-11-02 654336]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2006-11-02 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-05-29 144712]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service; C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2006-11-02 22016]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2008-06-16 94208]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2006-05-03 135168]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2008-04-15 354840]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-08-23 79136]
R2 MySQL;MySQL; C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld --defaults-file=C:\Program Files\MySQL\MySQL Server 5.1\my.ini MySQL []
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2006-11-02 22016]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2006-11-02 22016]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS); C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [2007-10-01 271760]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-01-09 272024]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]
S2 QPSched;QuickPlay Task Scheduler (QTS); C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [2007-10-01 112016]
S3 Com4Qlb;Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [2007-03-06 110592]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2007-12-21 19200]
S3 GameConsoleService;GameConsoleService; C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2009-07-10 250616]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-27 145184]
S3 wampapache;wampapache; c:\Program Files\wamp\bin\apache\apache2.2.11\bin\httpd.exe [2008-12-10 24636]
S3 wampmysqld;wampmysqld; c:\Program Files\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe [2009-03-16 6562432]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]

-----------------EOF-----------------

#4 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 20 September 2009 - 06:57 AM

Hi,

Please do the following:

Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, delete it; this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2


During the download, rename Combofix to Combo-Fix as follows:

Posted Image


Posted Image
--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.
    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#5 TMGTEch

TMGTEch

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 20 September 2009 - 07:44 AM

Hi,

I've done that for you.
I really thank you for the prompt help you've given me.

ComboFix 09-09-18.02 - Chris 20/09/2009 23:20.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.61.1033.18.3070.2289 [GMT 10:00]
Running from: c:\users\Chris\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2166811788-1144272141-2508712779-500
c:\$recycle.bin\S-1-5-21-2718988515-5919250-3610890547-500
c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Security
c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Security\Total Security 2009.lnk
c:\users\Chris\Desktop\Total Security 2009.lnk
c:\windows\Installer\3672c.msi
c:\windows\system32\KBL.LOG

.
((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 13:27 . 2009-09-20 13:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-20 11:05 . 2009-09-20 11:05 10628032 ----a-w- c:\users\Chris\AppData\Roaming\Azureus\tmp\AZU2973060587981415285.tmp\Vuze_4.2.0.8b_win32.exe
2009-09-20 10:45 . 2009-09-20 10:45 -------- d-----w- c:\program files\trend micro
2009-09-20 10:45 . 2009-09-20 10:45 -------- d-----w- C:\rsit
2009-09-19 09:18 . 2009-09-19 09:18 -------- d-----w- c:\users\Chris\AppData\Roaming\Publish Providers
2009-09-19 09:16 . 2009-09-19 09:18 -------- d-----w- c:\users\Chris\AppData\Roaming\Sony
2009-09-19 09:16 . 2009-09-19 09:16 -------- d-----w- c:\users\Chris\AppData\Local\Sony
2009-09-19 09:13 . 2009-09-19 13:42 -------- d-----w- c:\programdata\12713174
2009-09-19 09:04 . 2009-09-19 09:04 -------- d-----w- c:\programdata\Sony
2009-09-19 09:03 . 2009-09-19 09:04 -------- d-----w- c:\program files\Sony
2009-09-09 17:03 . 2009-07-11 19:26 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-09 17:03 . 2009-07-11 19:24 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-09-09 17:03 . 2009-07-11 19:24 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-09-09 17:03 . 2009-07-11 19:24 502784 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-09 17:03 . 2009-07-11 19:24 299520 ----a-w- c:\windows\system32\wlansec.dll
2009-09-09 17:03 . 2009-07-11 19:24 289280 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-09 17:03 . 2009-06-10 12:07 98816 ----a-w- c:\windows\system32\mfps.dll
2009-09-09 17:03 . 2009-06-10 12:07 2855424 ----a-w- c:\windows\system32\mf.dll
2009-09-09 17:03 . 2009-06-10 10:15 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-09-09 17:03 . 2009-06-10 08:50 2048 ----a-w- c:\windows\system32\mferror.dll
2009-09-09 17:03 . 2009-06-10 10:14 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2009-09-07 20:04 . 2009-09-07 20:04 16384 ----a-w- c:\users\Chris\AppData\Roaming\onload.exe
2009-08-26 17:01 . 2009-06-22 08:44 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 11:08 . 2009-04-05 11:12 -------- d-----w- c:\users\Chris\AppData\Roaming\Azureus
2009-09-19 11:29 . 2009-07-24 11:20 -------- d-----w- c:\users\Chris\AppData\Roaming\vlc
2009-09-19 10:13 . 2008-05-04 21:55 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-18 23:19 . 2009-08-09 13:10 -------- d-----w- c:\users\Chris\AppData\Roaming\muvee Technologies
2009-09-09 17:12 . 2009-04-09 23:33 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 17:01 . 2007-11-27 06:25 -------- d-----w- c:\programdata\Microsoft Help
2009-08-14 17:16 . 2009-09-09 17:04 213592 ----a-w- c:\windows\system32\drivers\netio.sys
2009-08-14 16:42 . 2009-09-09 17:04 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-14 16:40 . 2009-09-09 17:04 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40 . 2009-09-09 17:04 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25 . 2009-09-09 17:04 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25 . 2009-09-09 17:04 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25 . 2009-09-09 17:04 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25 . 2009-09-09 17:04 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25 . 2009-09-09 17:04 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:25 . 2009-09-09 17:04 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25 . 2009-09-09 17:04 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:24 . 2009-09-09 17:04 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 14:23 . 2009-09-09 17:04 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-08-14 05:47 . 2009-04-01 09:50 106840 ----a-w- c:\users\Chris\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-13 23:33 . 2007-11-27 06:28 -------- d-----w- c:\program files\Microsoft Works
2009-08-09 08:55 . 2009-08-09 08:55 -------- d-----w- c:\program files\Thingamablog
2009-08-06 10:21 . 2009-08-06 06:33 -------- d-----w- c:\users\Chris\AppData\Roaming\FileZilla
2009-08-06 06:32 . 2009-08-06 06:32 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-03 23:46 . 2009-08-03 23:46 -------- d-----w- c:\program files\Simpli-File
2009-08-03 23:22 . 2009-08-03 23:06 -------- d-----w- c:\users\Chris\AppData\Roaming\Notepad++
2009-08-03 23:06 . 2009-08-03 23:06 -------- d-----w- c:\program files\Notepad++
2009-07-30 10:54 . 2009-07-30 10:54 -------- d-----w- c:\programdata\PopCap
2009-07-30 10:54 . 2009-07-30 10:54 -------- d-----w- c:\program files\PopCap Games
2009-07-29 06:19 . 2009-04-05 11:10 -------- d-----w- c:\program files\Vuze
2009-07-22 11:55 . 2009-04-01 12:56 27335 ----a-w- c:\users\Chris\AppData\Roaming\nvModes.dat
2009-07-21 21:52 . 2009-08-13 23:28 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-08-13 23:28 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-08-13 23:28 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-08-13 23:28 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-18 03:44 . 2009-07-18 03:44 1915520 ----a-w- c:\users\Chris\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-07-17 14:52 . 2009-08-13 03:45 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:02 . 2009-08-13 03:44 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 13:01 . 2009-08-13 03:44 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 13:00 . 2009-08-13 03:44 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 11:11 . 2009-08-13 03:44 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-11 02:47 . 2009-07-11 02:47 680 ----a-w- c:\users\Chris\AppData\Local\d3d9caps.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-11-27 1006264]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-15 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-20 1443072]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-09 4390912]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-12 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-6 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2C5DD49D-C376-4D47-A6D8-6B2E13A7B512}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E45194C7-E8A2-4083-8AB4-1A2580E63B73}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{A68B2990-03D2-4461-A936-549261147E15}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{BB6326D2-1D66-494F-846C-792601C9A091}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{88409201-C582-4389-BABA-D8AC69507A29}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{0EA7E0C7-6FA5-4EBA-9AEF-3C43BABF0C9C}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{6E906CD7-CD72-4E5A-9DE9-1A88C9B792FF}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{62D0DD4A-1D17-4859-B2C2-11CE60DFF266}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{1B87281C-0640-40E1-9E1B-D8B41838E793}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{ACBF12E3-251C-438F-830C-E32493DE4999}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{E0F77B85-379C-4A88-808B-F589A6B56E2C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F4B7394F-B345-45A3-A6CE-CB872F831F2C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1BFC7D87-BB09-4B60-A116-6D78A836BC06}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{57478527-DFA4-4BED-AF5E-4F9BD876E47E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{9E3A3A1F-26F5-4B55-9D31-B966BA967DBF}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{2D1E5545-596A-4EF4-9BEB-D03134FE7734}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{25DAF9DD-0EE5-428E-952D-3CED320D7648}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{14675DEB-8126-4874-9D5D-C70C16E25495}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{CAC78766-EB59-4C41-8D53-B8AF01E8DB70}c:\\program files\\hipserv desktop applications\\hipservagent\\hipservagent.exe"= UDP:c:\program files\hipserv desktop applications\hipservagent\hipservagent.exe:HipServAgent Application
"UDP Query User{F67CAE7E-FBD6-45E2-B125-28BF0CDFB9E0}c:\\program files\\hipserv desktop applications\\hipservagent\\hipservagent.exe"= TCP:c:\program files\hipserv desktop applications\hipservagent\hipservagent.exe:HipServAgent Application
"{34294864-B748-4189-A425-5D3275F200A8}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour Service
"{B2AE7F35-867E-4BDF-B7B5-C992C83DBF7F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour Service
"TCP Query User{0EE7F644-CC4A-4F44-81F7-7EB2BEC75414}c:\\program files\\lacie\\network assistant\\lacie network assistant.exe"= UDP:c:\program files\lacie\network assistant\lacie network assistant.exe:LaCie Network Assistant Application
"UDP Query User{E9D89A5B-7902-4F31-9351-429BA5BB2306}c:\\program files\\lacie\\network assistant\\lacie network assistant.exe"= TCP:c:\program files\lacie\network assistant\lacie network assistant.exe:LaCie Network Assistant Application
"TCP Query User{46EE52EE-D1AC-488F-8A89-93B1896D8196}c:\\program files\\hipserv desktop applications\\hipservagent\\hipservagent.exe"= UDP:c:\program files\hipserv desktop applications\hipservagent\hipservagent.exe:HipServAgent Application
"UDP Query User{1183FD62-FFF7-43A9-8A87-357454D77C7D}c:\\program files\\hipserv desktop applications\\hipservagent\\hipservagent.exe"= TCP:c:\program files\hipserv desktop applications\hipservagent\hipservagent.exe:HipServAgent Application
"TCP Query User{25EF6788-1298-4B45-8A62-9EBBC6190E9B}c:\\program files\\java\\jdk1.6.0_13\\bin\\java.exe"= UDP:c:\program files\java\jdk1.6.0_13\bin\java.exe:Java™ Platform SE binary
"UDP Query User{A5DE5642-5888-4F39-85A5-71E6CB930B43}c:\\program files\\java\\jdk1.6.0_13\\bin\\java.exe"= TCP:c:\program files\java\jdk1.6.0_13\bin\java.exe:Java™ Platform SE binary
"TCP Query User{E4B20451-5E76-4251-88A5-101BBF035463}c:\\program files\\java\\jdk1.6.0_13\\bin\\java.exe"= UDP:c:\program files\java\jdk1.6.0_13\bin\java.exe:Java™ Platform SE binary
"UDP Query User{A8D7D398-25F0-4EB3-B96D-85E9838D93EC}c:\\program files\\java\\jdk1.6.0_13\\bin\\java.exe"= TCP:c:\program files\java\jdk1.6.0_13\bin\java.exe:Java™ Platform SE binary
"TCP Query User{82B9C054-E1FD-48F4-A3DF-55B426C99BC7}c:\\program files\\wamp\\bin\\apache\\apache2.2.11\\bin\\httpd.exe"= UDP:c:\program files\wamp\bin\apache\apache2.2.11\bin\httpd.exe:Apache HTTP Server
"UDP Query User{712DA212-827E-424F-9195-3440333B3FE2}c:\\program files\\wamp\\bin\\apache\\apache2.2.11\\bin\\httpd.exe"= TCP:c:\program files\wamp\bin\apache\apache2.2.11\bin\httpd.exe:Apache HTTP Server
"{E9DA8FB4-D42F-4EEF-87B4-DB1B31034FD9}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{93A7FDB5-1CE7-43D3-B9FD-0B82185954D8}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [21/12/2007 8:21 AM 33800]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 5:50 PM 30312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21/12/2007 8:21 AM 468224]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 10:31 PM 29263712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\5ahopree.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-12713174 - c:\programdata\12713174\12713174.exe
AddRemove-Joyland Casino - c:\casino\Joyland Casino\_SetupCasino.exe
AddRemove-R-Studio 4.2NSIS - g:\undelete\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 23:28
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-09-20 23:30
ComboFix-quarantined-files.txt 2009-09-20 13:30

Pre-Run: 58,636,197,888 bytes free
Post-Run: 60,627,603,456 bytes free

218 --- E O F --- 2009-09-19 22:30

Attached Files

  • Attached File  log.txt   18.68KB   261 downloads


#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 20 September 2009 - 07:57 AM

Hi,

Please do the following:


Please download Sysprot Antirootkit from >>>HERE<<<

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select ALL ITEMS
  • Look near the bottom left, and Check Hidden Objects Only
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
  • Open the text file and copy/paste the log here.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#7 TMGTEch

TMGTEch

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 20 September 2009 - 03:33 PM

Sorry about not getting it done last night, but here it is.

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************
No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\gasfkysasuppyg.sys
Service Name: gasfkytnafmiwp
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 8F600000
Module End: 8F6CE000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx At Address: 82539DCA Jump To: 88B23A9A Module Name: _unknown_
Hooked Function: ZwSaveKey At Address: 82539CC3 Jump To: 88B1E942 Module Name: _unknown_
Hooked Function: ZwFlushWriteBuffer At Address: 825E849F Jump To: 8985F894 Module Name: _unknown_
Hooked Function: ZwFlushInstructionCache At Address: 825E849F Jump To: 8985F894 Module Name: _unknown_
Hooked Function: ZwEnumerateKey At Address: 82537F06 Jump To: 88AEB70C Module Name: _unknown_
Hooked Function: IofCompleteRequest At Address: 82427FA4 Jump To: 88B22CCB Module Name: _unknown_
Hooked Function: IofCallDriver At Address: 82427F37 Jump To: 88B1B8A2 Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: CHRIS-PC:49376 Remote Address: LOCALHOST:30606 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:49374 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49372 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49370 Remote Address: LOCALHOST:30606 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:49368 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49366 Remote Address: LOCALHOST:30606 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:49363 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49362 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49360 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49358 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49356 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49354 Remote Address: LOCALHOST:30606 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:49352 Remote Address: LOCALHOST:30606 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:49348 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49347 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49346 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49344 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49342 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\WINDOWS\System32\svchost.exe State: ESTABLISHED
Local Address: CHRIS-PC:49340 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\WINDOWS\System32\svchost.exe State: ESTABLISHED
Local Address: CHRIS-PC:49338 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\WINDOWS\System32\svchost.exe State: ESTABLISHED
Local Address: CHRIS-PC:49336 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\WINDOWS\System32\svchost.exe State: ESTABLISHED
Local Address: CHRIS-PC:49330 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49323 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49310 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49308 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49290 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49233 Remote Address: LOCALHOST:27015 Type: TCP Process: C:\Program Files\iTunes\iTunesHelper.exe State: ESTABLISHED
Local Address: CHRIS-PC:49223 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49221 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49191 Remote Address: LOCALHOST:30606 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49167 Remote Address: LOCALHOST:49166 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49166 Remote Address: LOCALHOST:49167 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49163 Remote Address: LOCALHOST:49162 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:49162 Remote Address: LOCALHOST:49163 Type: TCP Process: C:\Program Files\Mozilla Firefox\firefox.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49374 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49372 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49368 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49363 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49362 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49360 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49358 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49356 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49348 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49347 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49346 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49344 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49342 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49340 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49338 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49336 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49334 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49330 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49328 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49323 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49310 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49308 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49290 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49276 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49269 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49266 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49264 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49260 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49257 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49256 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49254 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49252 Type: TCP Process: [System Idle Process] State: TIME_WAIT
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49223 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49221 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED
Local Address: CHRIS-PC:30606 Remote Address: LOCALHOST:49191 Type: TCP Process: C:\Program 
Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:30606 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: LISTENING Local Address: CHRIS-PC:27015 Remote Address: LOCALHOST:49233 Type: TCP Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe State: ESTABLISHED Local Address: CHRIS-PC:27015 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe State: LISTENING Local Address: CHRIS-PC:5354 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\Program Files\Bonjour\mDNSResponder.exe State: LISTENING Local Address: CHRIS-PC:49375 Remote Address: IMG.TRADEPUB.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49373 Remote Address: IMG.TRADEPUB.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49369 Remote Address: CRL.MICROSOFT.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49365 Remote Address: MAJORGEEKS.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49364 Remote Address: MAJORGEEKS.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49361 Remote Address: AH.PRICEGRABBER.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49359 Remote Address: MAJORGEEKS.US.INTELLITXT.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49357 Remote Address: CTS.TRADEPUB.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local 
Address: CHRIS-PC:49351 Remote Address: MAJORGEEKS.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49350 Remote Address: MAJORGEEKS.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49349 Remote Address: MAJORGEEKS.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49345 Remote Address: MAJORGEEKS.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49343 Remote Address: UPDATE.MICROSOFT.COM:HTTPS Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49341 Remote Address: UPDATE.MICROSOFT.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49339 Remote Address: MAPS.GOOGLE.COM.AU:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49337 Remote Address: CRL.MICROSOFT.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49331 Remote Address: MAJORGEEKS.MIRROR.INTERNODE.ON.NET:FTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49325 Remote Address: MAPS.GOOGLE.COM.AU:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49311 Remote Address: BIN.CLEARSPRING.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49309 Remote Address: S7.ADDTHIS.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49291 Remote Address: M1.AU.2MDN.NET:HTTP Type: TCP Process: 
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49224 Remote Address: GROUPS.GOOGLE.COM.AU:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49222 Remote Address: WWW.MICROSOFTTRANSLATOR.COM:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:49192 Remote Address: GOOGLEADS.G.DOUBLECLICK.NET:HTTP Type: TCP Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe State: ESTABLISHED Local Address: CHRIS-PC:NETBIOS-SSN Remote Address: 0.0.0.0:0 Type: TCP Process: System State: LISTENING Local Address: CHRIS-PC:49157 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\System32\services.exe State: LISTENING Local Address: CHRIS-PC:49156 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\System32\lsass.exe State: LISTENING Local Address: CHRIS-PC:49155 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\System32\svchost.exe State: LISTENING Local Address: CHRIS-PC:49154 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\System32\svchost.exe State: LISTENING Local Address: CHRIS-PC:49153 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\System32\svchost.exe State: LISTENING Local Address: CHRIS-PC:49152 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\System32\wininit.exe State: LISTENING Local Address: CHRIS-PC:3306 Remote Address: 0.0.0.0:0 Type: TCP Process: C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe State: LISTENING Local Address: CHRIS-PC:EPMAP Remote Address: 0.0.0.0:0 Type: TCP Process: C:\WINDOWS\System32\svchost.exe State: LISTENING Local Address: CHRIS-PC:56928 Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\svchost.exe State: NA Local Address: CHRIS-PC:53840 Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\svchost.exe State: NA Local Address: CHRIS-PC:SSDP Remote Address: NA Type: UDP Process: 
C:\WINDOWS\System32\svchost.exe State: NA Local Address: CHRIS-PC:56927 Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\svchost.exe State: NA Local Address: CHRIS-PC:5353 Remote Address: NA Type: UDP Process: C:\Program Files\Bonjour\mDNSResponder.exe State: NA Local Address: CHRIS-PC:SSDP Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\svchost.exe State: NA Local Address: CHRIS-PC:138 Remote Address: NA Type: UDP Process: System State: NA Local Address: CHRIS-PC:NETBIOS-NS Remote Address: NA Type: UDP Process: System State: NA Local Address: CHRIS-PC:59798 Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\svchost.exe State: NA Local Address: CHRIS-PC:59796 Remote Address: NA Type: UDP Process: C:\Program Files\Bonjour\mDNSResponder.exe State: NA Local Address: CHRIS-PC:55297 Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\spoolsv.exe State: NA Local Address: CHRIS-PC:52168 Remote Address: NA Type: UDP Process: C:\Program Files\Bonjour\mDNSResponder.exe State: NA Local Address: CHRIS-PC:LLMNR Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\svchost.exe State: NA Local Address: CHRIS-PC:IPSEC-MSFT Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\svchost.exe State: NA Local Address: CHRIS-PC:UPNP-DISCOVERY Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\svchost.exe State: NA Local Address: CHRIS-PC:UPNP-DISCOVERY Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\svchost.exe State: NA Local Address: CHRIS-PC:MS-SQL-M Remote Address: NA Type: UDP Process: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe State: NA Local Address: CHRIS-PC:500 Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\svchost.exe State: NA Local Address: CHRIS-PC:123 Remote Address: NA Type: UDP Process: C:\WINDOWS\System32\svchost.exe State: NA ******************************************************************************** ********** 
******************************************************************************** ********** Hidden files/folders: Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Status: Access denied Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl Status: Access denied Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl Status: Access denied Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl Status: Access denied Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl Status: Access denied

#8 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 20 September 2009 - 03:55 PM

Hi,

Please do the following:

Note...you must disable ESET Nod 32


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
C:\windows\system32\drivers\gasfkysasuppyg.sys

Folder::
c:\programdata\12713174

Driver::
gasfkytnafmiwp

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, naming it "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#9 TMGTEch

TMGTEch

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 20 September 2009 - 06:02 PM

ComboFix 09-09-18.02 - Chris 21/09/2009 9:17.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.61.1033.18.3070.2287 [GMT 10:00]
Running from: c:\users\Chris\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Chris\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *disabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\12713174
c:\programdata\12713174\12713174
c:\programdata\12713174\pc12713174ins

.
((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 23:25 . 2009-09-20 23:25 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-20 23:25 . 2009-09-20 23:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-20 13:13 . 2009-09-20 13:43 -------- d-----w- C:\Combo-Fix
2009-09-20 11:05 . 2009-09-20 11:05 10628032 ----a-w- c:\users\Chris\AppData\Roaming\Azureus\tmp\AZU2973060587981415285.tmp\Vuze_4.2.0.8b_win32.exe
2009-09-20 10:45 . 2009-09-20 10:45 -------- d-----w- c:\program files\trend micro
2009-09-20 10:45 . 2009-09-20 10:45 -------- d-----w- C:\rsit
2009-09-19 09:18 . 2009-09-19 09:18 -------- d-----w- c:\users\Chris\AppData\Roaming\Publish Providers
2009-09-19 09:16 . 2009-09-19 09:18 -------- d-----w- c:\users\Chris\AppData\Roaming\Sony
2009-09-19 09:16 . 2009-09-19 09:16 -------- d-----w- c:\users\Chris\AppData\Local\Sony
2009-09-19 09:04 . 2009-09-19 09:04 -------- d-----w- c:\programdata\Sony
2009-09-19 09:03 . 2009-09-19 09:04 -------- d-----w- c:\program files\Sony
2009-09-09 17:03 . 2009-07-11 19:26 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-09 17:03 . 2009-07-11 19:24 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-09-09 17:03 . 2009-07-11 19:24 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-09-09 17:03 . 2009-07-11 19:24 502784 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-09 17:03 . 2009-07-11 19:24 299520 ----a-w- c:\windows\system32\wlansec.dll
2009-09-09 17:03 . 2009-07-11 19:24 289280 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-09 17:03 . 2009-06-10 12:07 98816 ----a-w- c:\windows\system32\mfps.dll
2009-09-09 17:03 . 2009-06-10 12:07 2855424 ----a-w- c:\windows\system32\mf.dll
2009-09-09 17:03 . 2009-06-10 10:15 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-09-09 17:03 . 2009-06-10 08:50 2048 ----a-w- c:\windows\system32\mferror.dll
2009-09-09 17:03 . 2009-06-10 10:14 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2009-09-07 20:04 . 2009-09-07 20:04 16384 ----a-w- c:\users\Chris\AppData\Roaming\onload.exe
2009-08-26 17:01 . 2009-06-22 08:44 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 22:54 . 2009-07-24 11:20 -------- d-----w- c:\users\Chris\AppData\Roaming\vlc
2009-09-20 11:08 . 2009-04-05 11:12 -------- d-----w- c:\users\Chris\AppData\Roaming\Azureus
2009-09-19 10:13 . 2008-05-04 21:55 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-18 23:19 . 2009-08-09 13:10 -------- d-----w- c:\users\Chris\AppData\Roaming\muvee Technologies
2009-09-09 17:12 . 2009-04-09 23:33 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 17:01 . 2007-11-27 06:25 -------- d-----w- c:\programdata\Microsoft Help
2009-08-14 17:16 . 2009-09-09 17:04 213592 ----a-w- c:\windows\system32\drivers\netio.sys
2009-08-14 16:42 . 2009-09-09 17:04 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-14 16:40 . 2009-09-09 17:04 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40 . 2009-09-09 17:04 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25 . 2009-09-09 17:04 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25 . 2009-09-09 17:04 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25 . 2009-09-09 17:04 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25 . 2009-09-09 17:04 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25 . 2009-09-09 17:04 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:25 . 2009-09-09 17:04 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25 . 2009-09-09 17:04 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:24 . 2009-09-09 17:04 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 14:23 . 2009-09-09 17:04 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-08-14 05:47 . 2009-04-01 09:50 106840 ----a-w- c:\users\Chris\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-13 23:33 . 2007-11-27 06:28 -------- d-----w- c:\program files\Microsoft Works
2009-08-09 08:55 . 2009-08-09 08:55 -------- d-----w- c:\program files\Thingamablog
2009-08-06 10:21 . 2009-08-06 06:33 -------- d-----w- c:\users\Chris\AppData\Roaming\FileZilla
2009-08-06 06:32 . 2009-08-06 06:32 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-03 23:46 . 2009-08-03 23:46 -------- d-----w- c:\program files\Simpli-File
2009-08-03 23:22 . 2009-08-03 23:06 -------- d-----w- c:\users\Chris\AppData\Roaming\Notepad++
2009-08-03 23:06 . 2009-08-03 23:06 -------- d-----w- c:\program files\Notepad++
2009-07-30 10:54 . 2009-07-30 10:54 -------- d-----w- c:\programdata\PopCap
2009-07-30 10:54 . 2009-07-30 10:54 -------- d-----w- c:\program files\PopCap Games
2009-07-29 06:19 . 2009-04-05 11:10 -------- d-----w- c:\program files\Vuze
2009-07-22 11:55 . 2009-04-01 12:56 27335 ----a-w- c:\users\Chris\AppData\Roaming\nvModes.dat
2009-07-21 21:52 . 2009-08-13 23:28 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-08-13 23:28 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-08-13 23:28 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-08-13 23:28 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-18 03:44 . 2009-07-18 03:44 1915520 ----a-w- c:\users\Chris\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-07-17 14:52 . 2009-08-13 03:45 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:02 . 2009-08-13 03:44 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 13:01 . 2009-08-13 03:44 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 13:00 . 2009-08-13 03:44 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 11:11 . 2009-08-13 03:44 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-11 02:47 . 2009-07-11 02:47 680 ----a-w- c:\users\Chris\AppData\Local\d3d9caps.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-09-20_13.28.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-27 04:47 . 2009-09-20 21:26 41844 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-09-20 23:17 64402 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-04-01 09:39 . 2009-09-20 23:14 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-04-01 09:39 . 2009-09-20 13:16 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-04-01 09:39 . 2009-09-20 13:16 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-01 09:39 . 2009-09-20 23:14 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-01 09:39 . 2009-09-20 13:16 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-01 09:39 . 2009-09-20 23:14 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2009-09-20 23:05 86016 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2009-09-19 09:54 86016 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2009-09-19 09:54 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2009-09-20 23:05 51200 c:\windows\inf\infpub.dat
+ 2009-04-01 09:46 . 2009-09-20 23:17 5280 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2718988515-5919250-3610890547-1003_UserData.bin
- 2009-09-20 13:16 . 2009-09-20 13:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-09-20 23:10 . 2009-09-20 23:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-20 13:16 . 2009-09-20 13:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-20 23:10 . 2009-09-20 23:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-20 21:27 . 2009-09-20 21:27 159032 c:\windows\winsxs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4148_none_51ca66a2bbe76806\ATL90.dll
- 2006-11-02 10:33 . 2009-09-20 13:25 681282 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-09-20 23:22 681282 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-20 13:25 130582 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-09-20 23:22 130582 c:\windows\System32\perfc009.dat
+ 2009-08-14 13:18 . 2009-09-20 23:14 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-08-14 13:18 . 2009-09-20 13:16 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-09-20 21:27 . 2009-09-20 21:27 195584 c:\windows\Installer\70e38.msi
- 2006-11-02 10:22 . 2009-09-19 09:03 6291456 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 10:22 . 2009-09-20 23:09 6291456 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-05-02 17:01 . 2009-09-20 21:27 67606437 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-11-27 1006264]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-15 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-20 1443072]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-09 4390912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*WerKernelReporting"="c:\windows\SYSTEM32\WerFault.exe" [2006-11-02 216064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-12 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-6 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2C5DD49D-C376-4D47-A6D8-6B2E13A7B512}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E45194C7-E8A2-4083-8AB4-1A2580E63B73}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{A68B2990-03D2-4461-A936-549261147E15}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{BB6326D2-1D66-494F-846C-792601C9A091}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{88409201-C582-4389-BABA-D8AC69507A29}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{0EA7E0C7-6FA5-4EBA-9AEF-3C43BABF0C9C}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{6E906CD7-CD72-4E5A-9DE9-1A88C9B792FF}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{62D0DD4A-1D17-4859-B2C2-11CE60DFF266}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{1B87281C-0640-40E1-9E1B-D8B41838E793}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{ACBF12E3-251C-438F-830C-E32493DE4999}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{E0F77B85-379C-4A88-808B-F589A6B56E2C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F4B7394F-B345-45A3-A6CE-CB872F831F2C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1BFC7D87-BB09-4B60-A116-6D78A836BC06}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{57478527-DFA4-4BED-AF5E-4F9BD876E47E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{9E3A3A1F-26F5-4B55-9D31-B966BA967DBF}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{2D1E5545-596A-4EF4-9BEB-D03134FE7734}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{25DAF9DD-0EE5-428E-952D-3CED320D7648}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{14675DEB-8126-4874-9D5D-C70C16E25495}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{CAC78766-EB59-4C41-8D53-B8AF01E8DB70}c:\\program files\\hipserv desktop applications\\hipservagent\\hipservagent.exe"= UDP:c:\program files\hipserv desktop applications\hipservagent\hipservagent.exe:HipServAgent Application
"UDP Query User{F67CAE7E-FBD6-45E2-B125-28BF0CDFB9E0}c:\\program files\\hipserv desktop applications\\hipservagent\\hipservagent.exe"= TCP:c:\program files\hipserv desktop applications\hipservagent\hipservagent.exe:HipServAgent Application
"{34294864-B748-4189-A425-5D3275F200A8}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour Service
"{B2AE7F35-867E-4BDF-B7B5-C992C83DBF7F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour Service
"TCP Query User{0EE7F644-CC4A-4F44-81F7-7EB2BEC75414}c:\\program files\\lacie\\network assistant\\lacie network assistant.exe"= UDP:c:\program files\lacie\network assistant\lacie network assistant.exe:LaCie Network Assistant Application
"UDP Query User{E9D89A5B-7902-4F31-9351-429BA5BB2306}c:\\program files\\lacie\\network assistant\\lacie network assistant.exe"= TCP:c:\program files\lacie\network assistant\lacie network assistant.exe:LaCie Network Assistant Application
"TCP Query User{46EE52EE-D1AC-488F-8A89-93B1896D8196}c:\\program files\\hipserv desktop applications\\hipservagent\\hipservagent.exe"= UDP:c:\program files\hipserv desktop applications\hipservagent\hipservagent.exe:HipServAgent Application
"UDP Query User{1183FD62-FFF7-43A9-8A87-357454D77C7D}c:\\program files\\hipserv desktop applications\\hipservagent\\hipservagent.exe"= TCP:c:\program files\hipserv desktop applications\hipservagent\hipservagent.exe:HipServAgent Application
"TCP Query User{25EF6788-1298-4B45-8A62-9EBBC6190E9B}c:\\program files\\java\\jdk1.6.0_13\\bin\\java.exe"= UDP:c:\program files\java\jdk1.6.0_13\bin\java.exe:Java™ Platform SE binary
"UDP Query User{A5DE5642-5888-4F39-85A5-71E6CB930B43}c:\\program files\\java\\jdk1.6.0_13\\bin\\java.exe"= TCP:c:\program files\java\jdk1.6.0_13\bin\java.exe:Java™ Platform SE binary
"TCP Query User{E4B20451-5E76-4251-88A5-101BBF035463}c:\\program files\\java\\jdk1.6.0_13\\bin\\java.exe"= UDP:c:\program files\java\jdk1.6.0_13\bin\java.exe:Java™ Platform SE binary
"UDP Query User{A8D7D398-25F0-4EB3-B96D-85E9838D93EC}c:\\program files\\java\\jdk1.6.0_13\\bin\\java.exe"= TCP:c:\program files\java\jdk1.6.0_13\bin\java.exe:Java™ Platform SE binary
"TCP Query User{82B9C054-E1FD-48F4-A3DF-55B426C99BC7}c:\\program files\\wamp\\bin\\apache\\apache2.2.11\\bin\\httpd.exe"= UDP:c:\program files\wamp\bin\apache\apache2.2.11\bin\httpd.exe:Apache HTTP Server
"UDP Query User{712DA212-827E-424F-9195-3440333B3FE2}c:\\program files\\wamp\\bin\\apache\\apache2.2.11\\bin\\httpd.exe"= TCP:c:\program files\wamp\bin\apache\apache2.2.11\bin\httpd.exe:Apache HTTP Server
"{E9DA8FB4-D42F-4EEF-87B4-DB1B31034FD9}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{93A7FDB5-1CE7-43D3-B9FD-0B82185954D8}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [21/12/2007 8:21 AM 33800]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 5:50 PM 30312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21/12/2007 8:21 AM 468224]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 10:31 PM 29263712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\5ahopree.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 09:25
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-09-20 9:27
ComboFix-quarantined-files.txt 2009-09-20 23:27
ComboFix2.txt 2009-09-20 13:30

Pre-Run: 60,850,589,696 bytes free
Post-Run: 60,879,839,232 bytes free

246 --- E O F --- 2009-09-20 21:27

#10 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 20 September 2009 - 06:08 PM

Hi,

Please do the following:

Please run the three ARK scanners again; I want to see if the rootkit is gone:

I'll give you all the download links and instructions again.

Make sure all other programs are closed and your AV is disabled while they are running:

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


NEXT

  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

NEXT

Please download Sysprot Antirootkit from >>>HERE<<<

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select ALL ITEMS
  • Look near the bottom left, and Check Hidden Objects Only
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
  • Open the text file and copy/paste the log here.


NEXT

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT

**Vista users - right click on the IE icon and run as administrator

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#11 TMGTEch

TMGTEch

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 21 September 2009 - 07:03 AM

OK, something different happened. Just to let you know, this is a laptop device so I took it to work with me, so I could continue to work on it. I ran the Gmer.exe file, and the SysProt software. I still was unable to run the Repeal software. I ran Malwarebytes AntiMalware and it came up with some fixes (2 if I can remember correctly.) I then set up and installed Kaspersky and after 4 and 1/2 hours of running the scan and hitting about 85% done, I had to leave work to head home. Between leaving work and hitting the train station (about 5/6 minutes) the laptop powered off and is now rebooting itself when I power it on. It's coming up with an error msg "Verification of KnownDLL failed. System Process terminated unexpectedly with status of 0xc000012f. System will shut down" (It took me about 30 minutes to get that error msg as I'd get a word/2 then the machine would reboot.) I now have the drive in an external enclosure and am pulling the data off. I tried to roll back to a system restore point but the system could not find one. I'm working on an old laptop now to post this but it's running very slowly... (It is about 5 years old and a Pentium M but that's beside the point.) I have also tried the Automatic Startup repair and it couldn't find an issue with the system that it could repair. This system is running very slowly when the hard drive is attached to it. I can't access the Malware Antimalware log file as I can't open the machine. I'm just downloading Kaspersky onto this laptop and will make it scan the drives at the same time.

Attached Files


Edited by TMGTEch, 21 September 2009 - 07:13 AM.


#12 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 21 September 2009 - 07:14 AM

There is still a rootkit on that machine. Are you able to locate the GMER log? What happened with RootRepeal? Are you able to tap into Safe Mode? Did you try "Last Known Good Configuration"?

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#13 TMGTEch

TMGTEch

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 21 September 2009 - 07:17 AM

Root Repeal threw up an error as follows:

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP0
Exception Code: 0xc0000005
Exception Address: 0x00422bf2
Attempt to read from address: 0x00000004

I can't get to "Last Good config" nor can I get into Safe Mode. I can get into certain Windows recovery functions but they haven't proven very useful yet.

#14 TMGTEch

TMGTEch

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 21 September 2009 - 07:18 AM

Here's the Gmer.txt file.

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-20 08:51:00
Windows 6.0.6000
Running: gmer.exe; Driver: C:\Users\Chris\AppData\Local\Temp\kgroqpod.sys


---- System - GMER 1.0.15 ----

Code 8993E830 ZwEnumerateKey
Code 8991DC68 ZwFlushInstructionCache
Code 8993590E ZwSaveKey
Code 8980ABD6 ZwSaveKeyEx
Code 8993DAC5 IofCallDriver
Code 899A993E IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp epfwtdir.sys

Device \Driver\BTHUSB \Device\00000074 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000076 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gasfkytsbaelxt.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [832] 0x10000000
Library \\?\globalroot\systemroot\system32\gasfkytsbaelxt.dll (*** hidden *** ) @ c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3520] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186010739
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp@imagepath \systemroot\system32\drivers\gasfkysasuppyg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\main@aid 10081
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkysasuppyg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\modules@gasfkycmd.dll \systemroot\system32\gasfkybqcxnghc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\modules@gasfkylog.dat \systemroot\system32\gasfkyuhmuijvm.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\modules@gasfkywsp.dll \systemroot\system32\gasfkymgogfkfb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\modules@gasfky.dat \systemroot\system32\gasfkyeoilrewr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\modules@gasfkywsp8.dll \systemroot\system32\gasfkytsbaelxt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186010739 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp@imagepath \systemroot\system32\drivers\gasfkysasuppyg.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\main@aid 10081
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkysasuppyg.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\modules@gasfkycmd.dll \systemroot\system32\gasfkybqcxnghc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\modules@gasfkylog.dat \systemroot\system32\gasfkyuhmuijvm.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\modules@gasfkywsp.dll \systemroot\system32\gasfkymgogfkfb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\modules@gasfky.dat \systemroot\system32\gasfkyeoilrewr.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\modules@gasfkywsp8.dll \systemroot\system32\gasfkytsbaelxt.dll

---- EOF - GMER 1.0.15 ----
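The GMER log above is the kind of output a responder has to triage by hand: a DLL flagged "*** hidden ***" inside Explorer.EXE and sqlbrowser.exe, and a service key whose `modules` values map an alias back to that same DLL and to a driver. The Python below is an added triage example, not a tool from the thread or from GMER; it parses GMER-style "Processes" and "Registry" lines and reports every service whose `modules` map points at a library the scanner marked hidden, together with the processes hosting it. The sample log is constructed from the format of the entries posted above (file and service names are the ones in this log; the ntdll.dll line is an added, unflagged control).

```python
"""Correlate hidden libraries in a GMER log with the service that maps them.

Added example for triaging a GMER rootkit-scan log; not part of the
thread or of GMER itself.  Works on the 'Processes' and 'Registry'
sections only; other sections are parsed but ignored.
"""
import re
from collections import defaultdict

# Constructed sample, abbreviated from the log format posted in the thread.
SAMPLE_LOG = r"""
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gasfkytsbaelxt.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [832] 0x10000000
Library \\?\globalroot\systemroot\system32\gasfkytsbaelxt.dll (*** hidden *** ) @ c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3520] 0x10000000
Library C:\Windows\system32\ntdll.dll @ C:\Windows\Explorer.EXE [832] 0x77000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp@imagepath \systemroot\system32\drivers\gasfkysasuppyg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\modules@gasfkywsp8.dll \systemroot\system32\gasfkytsbaelxt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkytnafmiwp\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkysasuppyg.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkytnafmiwp\modules@gasfkywsp8.dll \systemroot\system32\gasfkytsbaelxt.dll

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
# "Library <path> (*** hidden *** ) @ <host exe> [<pid>] <base>"
HIDDEN_LIB_RE = re.compile(r"^Library (\S+) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\]")
# "Reg HKLM\SYSTEM\<controlset>\Services\<svc>[\<subkeys>]@<value name> [<data>]"
REG_VALUE_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\@ ]+)"
    r"(?P<sub>(?:\\[^\\@ ]+)*)@(?P<name>\S+)(?: (?P<val>.+))?$"
)


def basename(path):
    """Lower-cased final path component, so '\\?\globalroot\systemroot\...'
    and '\systemroot\...' spellings of the same file compare equal."""
    return path.lower().rsplit("\\", 1)[-1]


def parse_sections(text):
    """Split a GMER log into {section name: [non-empty lines]}."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip():
            sections[current].append(line)
    return dict(sections)


def hidden_libraries(process_lines):
    """Return {dll basename: {host process basenames}} for hidden libraries."""
    hits = defaultdict(set)
    for line in process_lines:
        m = HIDDEN_LIB_RE.match(line)
        if m:
            hits[basename(m.group(1))].add(basename(m.group(2)))
    return dict(hits)


def service_modules(registry_lines):
    """Return {(controlset, service): {alias: target basename}} built from
    the values under each service's 'modules' subkey."""
    mods = defaultdict(dict)
    for line in registry_lines:
        m = REG_VALUE_RE.match(line)
        if m and m.group("sub") == r"\modules" and m.group("val"):
            mods[(m.group("cs"), m.group("svc"))][m.group("name")] = basename(m.group("val"))
    return dict(mods)


def correlate(sections):
    """List every service module entry whose target is a hidden library,
    with the processes that library was found injected into."""
    hidden = hidden_libraries(sections.get("Processes", []))
    findings = []
    for (cs, svc), modules in service_modules(sections.get("Registry", [])).items():
        for alias, target in modules.items():
            if target in hidden:
                findings.append({"controlset": cs, "service": svc, "alias": alias,
                                 "dll": target, "hosts": sorted(hidden[target])})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_sections(SAMPLE_LOG)):
        print(f"{f['controlset']}: service {f['service']} maps {f['alias']} -> "
              f"{f['dll']}, hidden in {', '.join(f['hosts'])}")
```

Run against the constructed sample it reports the same mapping for CurrentControlSet and ControlSet003, which is the signal a responder wants before touching anything: the service key, the driver it loads, the user-mode DLL it injects, and the hosts that DLL lives in all line up, so the entries are one object and not an assortment of false positives. The driver alias (gasfkyrk.sys) is not reported because no process line marks it hidden; it is still visible through the service's imagepath value.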

#15 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 21 September 2009 - 08:06 AM

ComboFix will have installed the recovery console when it ran. We can use that to restore the Erunt backups that were made.

Please do the following:

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console (you will need to be very fast as you only have a couple of seconds to do this)
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs


6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
