Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Suspicious File? SVCHOST.exe?


  • This topic is locked This topic is locked
13 replies to this topic

#1 Jagoros

Jagoros

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 05 November 2008 - 08:51 PM

I was recently infected with Antiviruspro2009. I used Malwarebytes' Anti-Malware 1.30 to remove the majority of the infection, then finished up with Avast 4.8 home edition. Both programs list a suspicious file of SVCHOST.exe

Now, I know that under normal conditions, svchost is a necessary component, but I do have around 6 versions of it currently running in my tasks right now. This one does seem to be in a suspicious place, but does that mean it's bad? I dont want to erase it and suddenly not be able to use my wifi on my laptop or other devices I use.

I'd really appreciate if someone could take a look at these files and let me know if this is something I should be concerned about, or something I should put on the ignore list. It doesn't help that every time my computer starts up, AVAST tells me that it's a suspicious file and I should restart and perform a boot scan. -_-

Here's the goods. I'll post the excerpts from the malwarebytes log as the whole log was taken from when I first scanned and has a lot of other junk on it that's not still there.

Adaware runs clean with the most recent definitions list. I dont see any other suspcious tasks running. Please, I'd really appreciate any advice.

Avast:

C:\WINNT\System32\DRIVERS\SVCHOST.EXE

Rootkit: hidden process

------------------------------
Malwarebytes' Anti-Malware 1.30
Database version: 1367
Windows 5.1.2600 Service Pack 2

Memory Processes Infected:
C:\WINNT\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.


Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> No action taken.

Files Infected:
C:\WINNT\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> No action taken.
-----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:16 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Ad-Aware2k8\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\drivers\svchost.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\lxcecoms.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {4E660F19-E91E-41e1-88EF-D1DFAB118F67} - C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll
O9 - Extra 'Tools' menuitem: Mouse Gestures... - {4E660F19-E91E-41e1-88EF-D1DFAB118F67} - C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware2k8\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINNT\System32\lxcecoms.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Owner\Desktop\New Text Document.html

--
End of file - 10551 bytes

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:39 AM

Posted 06 November 2008 - 04:28 PM

Hi.

I'm Extremeboy (or EB for short) and I will be helping you with your log.

I will need some time to look over your computer's log(s). You may want to keep the link to this topic in your favorites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, to track your topic. The topics you are tracking can be found here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
Download and Run RSIT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both
    log.txt (<<will be maximized)
    info.txt (<<will be minimized)
The RSIT logs can also be found in the folder, C:\RSIT

Important Note: For other users who are reading this topic,the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed.Please Do NOT follow the instructions provided for this topic.

Thanks :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Jagoros

Jagoros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 06 November 2008 - 07:04 PM

Thank you for your help. I downloaded the program. Here is the first log that showed up.

"log.txt"

I didn't find the second one, but I will post that shortly. If you happen to be around now, you can look this one over while I find the other log. =)

--------------------------------
Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-11-06 18:52:05
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 23 GB (30%) free of 76 GB
Total RAM: 1023 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:07 PM, on 11/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Ad-Aware2k8\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\drivers\svchost.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\lxcecoms.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\Hijack This\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\iespell.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {4E660F19-E91E-41e1-88EF-D1DFAB118F67} - C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll
O9 - Extra 'Tools' menuitem: Mouse Gestures... - {4E660F19-E91E-41e1-88EF-D1DFAB118F67} - C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware2k8\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINNT\System32\lxcecoms.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Owner\Desktop\New Text Document.html

--
End of file - 10560 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\Microsoft Works Calendar.job
C:\WINNT\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet Bar - C:\PROGRA~1\FlashGet\fgiebar.dll [2002-05-27 86016]
{DE9C389F-3316-41A7-809B-AA305ED9D922} - AIM Toolbar - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll [2007-10-10 1090912]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=NvQTwk []
"MOD"=C:\Program Files\Microangelo\muamgr.exe [2001-08-11 73728]
"Keyboard Preload Check"=C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:Keyboard Preload Check []
"Hot Key Kbd 9910 Daemon"=C:\WINNT\system32\SK9910DM.EXE [2001-01-03 66048]
"GWMDMpi"=C:\WINNT\GWMDMpi.exe [2001-11-27 40960]
"GWMDMMSG"=C:\WINNT\GWMDMMSG.exe [2001-11-27 101615]
"lxcemon.exe"=C:\Program Files\Lexmark 4300 Series\lxcemon.exe [2005-08-02 192512]
"EzPrint"=C:\Program Files\Lexmark 4300 Series\ezprint.exe [2005-07-26 94208]
"FaxCenterServer"=C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2005-07-12 299008]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-01-15 267048]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-01-10 385024]
"avast!"=C:\PROGRA~1\Avast4\ashDisp.exe [2008-07-19 78008]
"LXCECATS"=rundll32 C:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe []
"ctfmon.exe"=C:\WINNT\system32\ctfmon.exe [2004-08-03 15360]
"Aim6"= []
"SVCHOST.EXE"=C:\WINNT\system32\drivers\svchost.exe [2008-11-05 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [2006-10-23 71216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
C:\Program Files\Common Files\AOL\1145242536\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1145242536\ee\AOLSoftware.exe [2006-09-25 50736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-01-15 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe [2007-03-07 5181440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsDM]
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe [2006-07-13 651264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsLime]
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe [2005-09-08 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe [2004-05-07 99480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-01-10 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe [2006-10-12 49263]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE [2005-07-22 151552]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
C:\PROGRA~1\WINDOW~4\fastload.dll [2001-12-20 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINNT\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0
"ForceClassicControlPanel"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\America Online 9.0 SE2\waol.exe"="C:\Program Files\America Online 9.0 SE2\waol.exe:*:Enabled:America Online 9.0 SE2"
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\AIM95\aim.exe"="C:\Program Files\AIM95\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe"="C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1145242536\EE\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1145242536\EE\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Games\MapleStory\Patcher.exe"="C:\Games\MapleStory\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\Games\MapleStory\NewPatcher.exe"="C:\Games\MapleStory\NewPatcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\Games\MapleStory\MapleStory.exe"="C:\Games\MapleStory\MapleStory.exe:*:Enabled:MapleStory"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\WiFiConnector\NintendoWFCReg.exe"="C:\Program Files\WiFiConnector\NintendoWFCReg.exe:*:Enabled:Nintendo Wi-Fi USB Connector"
"C:\WINNT\system32\drivers\svchost.exe"="C:\WINNT\system32\drivers\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM95\aim.exe"="C:\Program Files\AIM95\aim.exe:*:Enabled:AOL Instant Messenger"

======File associations======

.js - open - "C:\Program Files\Dreamweaver 4\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-11-06 18:51:35 ----D---- C:\rsit
2008-11-05 04:09:59 ----A---- C:\WINNT\system32\aswBoot.exe
2008-11-05 04:09:56 ----D---- C:\Program Files\Avast4
2008-11-05 02:41:27 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-11-05 02:41:21 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-05 02:41:21 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-05 02:16:20 ----A---- C:\Program Files\Common Files\zojibyta.com
2008-11-05 02:16:20 ----A---- C:\Documents and Settings\Owner\Application Data\avifi.bat
2008-11-03 12:12:06 ----D---- C:\Documents and Settings\All Users\Application Data\acccore
2008-11-03 12:10:54 ----D---- C:\Program Files\AIM6
2008-10-13 23:17:36 ----DC---- C:\WINNT\$NtUninstallKB952954$
2008-10-13 23:17:29 ----DC---- C:\WINNT\$NtUninstallKB946648$
2008-10-13 23:17:22 ----DC---- C:\WINNT\$NtUninstallKB950974$
2008-10-13 23:17:13 ----DC---- C:\WINNT\$NtUninstallKB951748$
2008-10-13 23:17:06 ----DC---- C:\WINNT\$NtUninstallKB938464$
2008-10-13 22:02:51 ----D---- C:\WINNT\Prefetch
2008-10-13 21:59:43 ----DC---- C:\WINNT\$NtUninstallKB952287$(2)
2008-10-13 21:58:55 ----DC---- C:\WINNT\$NtUninstallKB951698$(2)
2008-10-13 21:58:06 ----DC---- C:\WINNT\$NtUninstallKB951376-v2$(2)
2008-10-13 21:57:16 ----DC---- C:\WINNT\$NtUninstallKB951376$(2)
2008-10-13 21:56:26 ----DC---- C:\WINNT\$NtUninstallKB951066$(2)
2008-10-13 21:55:26 ----DC---- C:\WINNT\$NtUninstallKB950762$(2)
2008-10-13 21:49:01 ----D---- C:\WINNT\system32\scripting
2008-10-13 21:49:00 ----D---- C:\WINNT\l2schemas
2008-10-13 21:44:44 ----D---- C:\WINNT\network diagnostic
2008-10-13 21:28:00 ----DC---- C:\WINNT\$NtUninstallKB953839$
2008-10-13 21:27:52 ----DC---- C:\WINNT\$NtUninstallKB951072-v2$
2008-10-13 21:27:41 ----DC---- C:\WINNT\$NtUninstallKB952287$
2008-10-13 21:27:00 ----DC---- C:\WINNT\$NtUninstallKB951066$
2008-10-13 11:48:29 ----A---- C:\WINNT\005551_.tmp

======List of files/folders modified in the last 1 months======

2008-11-06 18:52:06 ----D---- C:\Program Files\Hijack This
2008-11-06 18:35:13 ----D---- C:\WINNT\Temp
2008-11-06 18:32:58 ----A---- C:\WINNT\ModemLog_GTW V.92 Voice Modem.txt
2008-11-06 18:32:51 ----D---- C:\Program Files\Lx_cats
2008-11-05 23:56:42 ----A---- C:\WINNT\SchedLgU.Txt
2008-11-05 10:05:25 ----D---- C:\WINNT\system32\config
2008-11-05 04:10:23 ----D---- C:\WINNT\system32\drivers
2008-11-05 04:10:19 ----AD---- C:\WINNT\system32
2008-11-05 04:09:56 ----AD---- C:\Program Files
2008-11-05 03:12:19 ----D---- C:\WINNT\system32\CatRoot2
2008-11-05 03:12:18 ----RSHD---- C:\WINNT\system32\dllcache
2008-11-05 03:12:18 ----AD---- C:\WINNT
2008-11-05 02:16:20 ----D---- C:\Program Files\Common Files
2008-11-03 12:23:50 ----SD---- C:\WINNT\Downloaded Program Files
2008-11-03 12:18:41 ----D---- C:\Program Files\Ad-Aware2k8
2008-11-03 12:12:07 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-11-03 12:04:50 ----D---- C:\Documents and Settings\Owner\Application Data\Aim
2008-11-03 11:58:52 ----D---- C:\WINNT\system32\oobe
2008-11-03 11:58:51 ----RD---- C:\WINNT\Web
2008-11-03 11:58:50 ----D---- C:\WINNT\Installed System Icons
2008-11-03 11:58:48 ----D---- C:\WINNT\Help
2008-11-03 11:58:47 ----D---- C:\WINNT\cache277
2008-11-03 11:57:49 ----D---- C:\WINNT\Themes
2008-11-03 11:57:41 ----HDC---- C:\WINNT\$NtServicePackUninstall$
2008-11-02 08:18:52 ----A---- C:\WINNT\system32\PerfStringBackup.INI
2008-10-31 20:42:24 ----D---- C:\Program Files\Paint Shop Pro 6
2008-10-31 11:38:18 ----D---- C:\WINNT\system32\CatRoot
2008-10-27 13:10:07 ----A---- C:\WINNT\winamp.ini
2008-10-27 12:59:10 ----D---- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-10-14 01:12:20 ----RSD---- C:\WINNT\Fonts
2008-10-14 01:12:20 ----D---- C:\WINNT\system32\wbem
2008-10-14 01:12:20 ----D---- C:\WINNT\AppPatch
2008-10-14 01:10:48 ----D---- C:\WINNT\Registration
2008-10-14 01:10:20 ----HD---- C:\WINNT\inf
2008-10-14 01:10:15 ----D---- C:\Program Files\Internet Explorer
2008-10-14 01:09:52 ----D---- C:\WINNT\EHome
2008-10-14 01:08:34 ----D---- C:\WINNT\system32\usmt
2008-10-14 01:08:34 ----D---- C:\WINNT\system
2008-10-14 01:08:33 ----D---- C:\WINNT\system32\Setup
2008-10-14 01:08:29 ----D---- C:\Program Files\Common Files\System
2008-10-14 01:08:28 ----D---- C:\Program Files\Outlook Express
2008-10-14 01:08:27 ----D---- C:\WINNT\system32\Com
2008-10-14 01:08:27 ----D---- C:\Program Files\Windows NT
2008-10-14 01:08:27 ----D---- C:\Program Files\Windows Media Player
2008-10-14 01:08:26 ----D---- C:\Program Files\NetMeeting
2008-10-14 01:08:25 ----D---- C:\WINNT\srchasst
2008-10-14 01:08:25 ----D---- C:\WINNT\msagent
2008-10-14 01:08:25 ----D---- C:\WINNT\ime
2008-10-14 01:08:23 ----D---- C:\WINNT\system32\npp
2008-10-14 01:08:22 ----D---- C:\WINNT\system32\Restore
2008-10-14 01:08:21 ----D---- C:\Program Files\Movie Maker
2008-10-14 01:06:40 ----D---- C:\WINNT\system32\bits
2008-10-14 01:06:40 ----D---- C:\WINNT\peernet
2008-10-14 01:06:30 ----D---- C:\Program Files\Messenger
2008-10-14 00:59:29 ----D---- C:\WINNT\security
2008-10-14 00:57:34 ----D---- C:\Documents and Settings\Owner\Application Data\MSN6
2008-10-14 00:23:37 ----D---- C:\WINNT\WinSxS
2008-10-13 23:17:33 ----A---- C:\WINNT\imsins.BAK
2008-10-13 23:17:29 ----HD---- C:\WINNT\$hf_mig$
2008-10-13 22:03:59 ----A---- C:\WINNT\OEWABLog.txt
2008-10-13 22:03:51 ----A---- C:\WINNT\win.ini
2008-10-13 22:03:17 ----A---- C:\WINNT\setuplog.txt
2008-10-13 21:49:02 ----D---- C:\WINNT\system32\en-US
2008-10-13 21:49:00 ----SHD---- C:\WINNT\Installer
2008-10-13 21:42:46 ----D---- C:\WINNT\system32\ReinstallBackups
2008-10-13 11:26:25 ----D---- C:\WINNT\Debug

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINNT\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINNT\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINNT\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 Cdr4_xp;Cdr4_xp; C:\WINNT\system32\drivers\Cdr4_xp.sys [2001-10-11 55216]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2001-10-11 22713]
R1 cdudf_xp;cdudf_xp; C:\WINNT\system32\drivers\cdudf_xp.sys [2001-09-24 233344]
R1 DcCam;Kodak Camera Proxy; C:\WINNT\System32\DRIVERS\DcCam.sys [2005-06-16 37150]
R1 intelppm;Intel Processor Driver; C:\WINNT\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 pwd_2K;pwd_2K; C:\WINNT\system32\drivers\pwd_2K.sys [2001-09-24 78486]
R1 Sk9920nt;PS/2 Keyboard Filter Driver for NT 4.0; C:\WINNT\System32\DRIVERS\Sk9920nt.sys [2000-09-12 6208]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINNT\system32\drivers\UdfReadr_xp.sys [2001-09-24 205824]
R2 ASCTRM;ASCTRM; C:\WINNT\system32\drivers\ASCTRM.sys [2002-11-07 8552]
R2 aswFsBlk;aswFsBlk; C:\WINNT\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINNT\system32\drivers\aswMon2.sys [2008-07-19 94416]
R2 DCFS2K;Kodak DCFS2K Driver; C:\WINNT\system32\drivers\dcfs2k.sys [2005-03-31 38673]
R2 MxlW2k;MxlW2k; C:\WINNT\system32\drivers\MxlW2k.sys [2002-04-12 28100]
R2 npkcrypt;npkcrypt; \??\C:\Games\MapleStory\npkcrypt.sys []
R2 PfModNT;PfModNT; \??\C:\WINNT\System32\PfModNT.sys []
R3 aswRdr;aswRdr; C:\WINNT\system32\drivers\aswRdr.sys [2008-07-19 23152]
R3 ctljystk;Creative SBLive! Gameport; C:\WINNT\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
R3 E100B;Intel® PRO Adapter Driver; C:\WINNT\System32\DRIVERS\e100b325.sys [2001-08-09 119808]
R3 emu10k;Creative SB Live! (WDM); C:\WINNT\system32\drivers\emu10k1m.sys [2001-08-17 283904]
R3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINNT\system32\drivers\ctlfacem.sys [2001-08-17 6912]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINNT\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 GTWModem;GTW V.92 Voice Modem; C:\WINNT\System32\DRIVERS\GWMDM.sys [2001-11-27 1143360]
R3 HidUsb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mmc_2K;mmc_2K; C:\WINNT\system32\drivers\mmc_2K.sys [2001-09-24 19158]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINNT\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 nv4;nv4; C:\WINNT\System32\DRIVERS\nv4_mini.sys [2001-08-31 829305]
R3 QCDonner;Logitech QuickCam Express; C:\WINNT\System32\DRIVERS\OVCD.sys [2001-08-17 28032]
R3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINNT\system32\drivers\sfmanm.sys [2001-08-17 36480]
R3 Sk99202k;PS/2 Keyboard Filter Driver for Win2000; C:\WINNT\System32\DRIVERS\Sk99202k.sys [2000-09-11 7552]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINNT\System32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB Root Hub (usbport); C:\WINNT\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbohci.sys [2004-08-03 17024]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbscan;USB Scanner Driver; C:\WINNT\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 wanatw;WAN Miniport (ATW); C:\WINNT\System32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S1 Exportit;Exportit; C:\WINNT\System32\DRIVERS\exportit.sys [2005-03-31 152081]
S1 kbdhid;Keyboard HID Driver; C:\WINNT\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINNT\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 Arp1394;1394 ARP Client Protocol; C:\WINNT\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
S3 BCMModem;BCM V.90 56K Modem; C:\WINNT\System32\DRIVERS\BCMDM.sys [2001-08-17 871388]
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\System32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 DcFpoint;DcFpoint; C:\WINNT\System32\DRIVERS\DcFpoint.sys [2005-03-31 61564]
S3 DcLps;Legacy Polling Service; C:\WINNT\System32\DRIVERS\DcLps.sys [2005-03-31 8022]
S3 DcPTP;dcptp; C:\WINNT\System32\DRIVERS\DcPTP.sys [2005-03-31 70262]
S3 dvd_2K;dvd_2K; C:\WINNT\system32\drivers\dvd_2K.sys [2001-09-24 17958]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINNT\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 iscFlash;iscFlash; \??\C:\WINNT\SYSTEM32\DRIVERS\iscflash.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\System32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINNT\System32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 NIC1394;1394 Net Driver; C:\WINNT\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
S3 npkcusb;npkcusb; \??\C:\Games\MapleStory\npkcusb.sys []
S3 PCDRDRV;Pcdr Helper Driver; \??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 PcdrNt;PcdrNt; C:\WINNT\System32\drivers\PcdrNt.sys [2001-12-04 44192]
S3 RT25USBAP;Nintendo Wi-Fi USB Connector Service; C:\WINNT\System32\DRIVERS\rt25usbap.sys [2006-04-10 162816]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\System32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 SMALUSB;Digital Camera Driver; C:\WINNT\System32\DRIVERS\smalidt.sys [2002-05-31 9216]
S3 streamip;BDA IPSink; C:\WINNT\System32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINNT\System32\Drivers\usbaapl.sys [2007-10-31 30464]
S3 WpdUsb;WpdUsb; C:\WINNT\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\System32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINNT\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 XIRLINK;Gateway PC Camera; C:\WINNT\System32\DRIVERS\ucdnt.sys [2001-08-01 805808]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Ad-Aware2k8\aawservice.exe [2008-07-21 611664]
R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-10-31 110592]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Avast4\ashServ.exe [2008-07-19 147640]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINNT\System32\CTsvcCDA.exe [1999-12-13 44032]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINNT\System32\nvsvc32.exe [2001-08-31 57344]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WANMiniportService;WAN Miniport (ATW) Service; C:\WINNT\wanmpsvc.exe [2003-08-27 65536]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINNT\system32\svchost.exe [2004-08-03 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Avast4\ashMaiSv.exe [2008-07-19 250040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Avast4\ashWebSv.exe [2008-07-23 348344]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-01-15 504104]
R3 lxce_device;lxce_device; C:\WINNT\System32\lxcecoms.exe [2005-07-06 471040]
S2 npkcmsvc;npkcmsvc; C:\Nexon\Mabinogi\npkcmsvc.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 KodakCCS;Kodak Camera Connection Software; C:\WINNT\system32\drivers\KodakCCS.exe [2005-03-30 411920]
S3 PictureTaker;PictureTaker; c:\fixit\pt\PCTKRNT.SYS []
S3 usprserv;User Privilege Service; C:\WINNT\System32\svchost.exe [2004-08-03 14336]

-----------------EOF-----------------

There is one line that has me concerned. I dont know if I understand this correctly, but the dates that follow the line in the registry dump, is that the date the file was installed? If it is, then that SVC host thing might indeed be a problem, because of this line:

"SVCHOST.EXE"=C:\WINNT\system32\drivers\svchost.exe [2008-11-05 35328]

I was infected with that antivirus thing on the 5th at like 2 in the morning. So, if this was installed on the 5th, there is a good chance that it's not what it says it is. Well. I'll leave that up to you. Just figured I'd mention it.



Second log to file once found.

#4 Jagoros

Jagoros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 06 November 2008 - 07:13 PM

Here is the second log.

Info.txt

------------------------


info.txt logfile of random's system information tool 1.04 2008-11-06 18:51:49

======Uninstall list======

-->"C:\Program Files\mcafee.com\antivirus\uninst.exe" /PopUpMsgBox="N" /CheckMutx="N" /S
-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu"
-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Midi.isu"
-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Restore.isu"
-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SBLiveXP.isu"
-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SoundFont.isu"
-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Wstudio.isu"
-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Gateway PC Camera\Uninst.isu"
-->C:\WINNT\IsUninst.exe -fC:\WINNT\orun32.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Ad-aware 5.83-->C:\PROGRA~1\LAVASO~1\UNWISE.EXE C:\PROGRA~1\LAVASO~1\INSTALL.LOG
Ad-aware 6 Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0-->C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Flash Player ActiveX-->C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A70000000000}
AIM 6-->C:\Program Files\AIM6\uninst.exe
AIM Toolbar 5.0-->"C:\Program Files\AOL\AIM Toolbar 5.0\uninstall.exe"
American McGee's Alice™-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77B5AD60-8F14-11D4-9BC9-0050041A1090}\Setup.exe"
Antivirus Pro 2009-->C:\Program Files\AntivirusPro2009\Uninstall.exe
AOL Coach Version 1.0(Build:20040229.1 en)-->C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Coach Version 2.0(Build:20041026.5 en)-->C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL Communicator (remove only)-->"C:\Program Files\AOL Communicator\uninstall.exe"
AOL Deskbar-->"C:\Program Files\AOL Deskbar\UNWISE.EXE" /u "C:\Program Files\AOL Deskbar\INSTALL.LOG"
AOL Uninstaller (Choose which Products to Remove)-->C:\Program Files\Common Files\AOL\uninstaller.exe
AOL You've Got Pictures Screensaver-->C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
Apple Mobile Device Support-->MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Art-Monet Screensaver-->C:\PROGRA~1\ALWAYS~1\ART-MO~1\UNINSTAL.EXE /U C:\PROGRA~1\ALWAYS~1\ART-MO~1\INSTALL.LOG
Atoll-->"c:\Games\Atoll\Uninstall-Atoll.EXE"
avast! Antivirus-->C:\Program Files\Avast4\aswRunDll.exe "C:\Program Files\Avast4\Setup\setiface.dll",RunSetup
Baldur's Gate™ II - Throne of Bhaal ™-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8C3B479-1716-11D5-968A-0050BA84F5F7}\Setup.exe"
BannedStory 3.0-->msiexec /qb /x {62C81505-65E8-BBFF-5A9B-23958770F694}
BannedStory-->MsiExec.exe /I{62C81505-65E8-BBFF-5A9B-23958770F694}
Bejeweled 1.5-->C:\Games\Bejeweled\UnGins.exe "C:\Games\Bejeweled\install.log"
BitTornado 0.3.7-->C:\Program Files\BitTornado\uninst.exe
Blomman's NHL2002 Editor-->C:\Games\NHL 2002\Editor\uninstal.exe
CardRd81-->MsiExec.exe /I{54C8FE84-89C4-40E8-976C-439EB0729BD6}
CCScore-->MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Cool Edit 2000-->C:\Program Files\Cool2000\ce2Kunin.exe
CR2-->MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
Creative PlayCenter-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Creative\PlayCenter\Player.isu"
Creative Recorder-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Creative\Recorder\Recorder.isu"
Diablo II-->C:\WINNT\DIIUnin.exe C:\WINNT\DIIUnin.dat
DivX Codec-->C:\WINNT\unvise32.exe C:\Program Files\DivX\DivX Bundle.log
DivX Player 2.1-->C:\Program Files\DivX\DivX Player 2.1\uninstall.bat
DVD Player-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
EA.COM -->C:\PROGRA~1\EACOM\Update\UNWISE.EXE C:\PROGRA~1\EACOM\Update\INSTALL.LOG
EA.com Matchup-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F173C40-563E-11D4-89C5-0010ADDAAC33}\setup.exe" -l0x0 Uninstall
EA.com Update-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB97F52-512B-43EF-AAEC-4825C17B32ED}\setup.exe" -l0x0 Uninstall
Easy CD Creator 5 Basic-->MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
ESPN BottomLine-->"C:\Program Files\ESPN BottomLine\setup.exe" -u
ESSBrwr-->MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK-->MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore-->MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT-->MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSEMAIL-->MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
ESSgui-->MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp-->MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini-->MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD-->MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock-->MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC-->MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTOOLS-->MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
ESSTUTOR-->MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
ESSvpaht-->MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot-->MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
FlashGet(JetCar)-->C:\PROGRA~1\FlashGet\UNWISE.EXE C:\PROGRA~1\FlashGet\INSTALL.LOG
Garden Composer-->C:\WINNT\uninst.exe -f"C:\Program Files\Garden Composer\DeIsL1.isu"
GTW V.92 Voice Modem-->C:\WINNT\GWMDMU.exe verbose
Happyland Adventures - Xmas Edition v1.3-->c:\games\happy\unins000.exe
Happyland Adventures - Xmas Edition-->c:\games\Happyland Adventures\Uninstal.exe
HelpSpot-->MsiExec.exe /I{8DE73C0C-34EA-4888-86DB-EEDB9B69DB94}
HijackThis 2.0.2-->"C:\Program Files\Hijack This\HijackThis.exe" /uninstall
HLPIndex-->MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPPDOCK-->MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
HLPSFO-->MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINNT\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINNT\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINNT\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINNT\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINNT\$NtUninstallKB926239$\spuninst\spuninst.exe"
ieSpell-->"C:\Documents and Settings\Owner\Start Menu\Programs\Internet Explorer Plug-Ins\ieSpell\uninst.exe"
Intel® PRO Ethernet Adapter and Software-->Prounstl.exe
iPod for Windows 2006-03-23-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
iTunes-->MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Kali II-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Kali\Uninst.isu" -c"C:\Program Files\Kali\UnInst.DLL
Kodak EasyShare software-->C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140011_16cc8c\Setup.exe /APR-REMOVE
KSU-->MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Kyodai-->F:\Kyodai\unins000.exe
Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lemmis-->C:\Games\Lemmis\uninstal.exe
Lexmark 4300 Series-->C:\WINNT\System32\spool\DRIVERS\W32X86\3\lxceUNST.EXE -NOLICENSE
Lexmark Fax Solutions-->C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe
LimeWire 4.16.6-->"C:\Program Files\LimeWire\uninstall.exe"
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Dreamweaver 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\Setup.exe" mmUninstall
Macromedia Extension Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall
Macromedia Flash 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C93C363-414E-11D4-9756-00C04F8EEB39}\Setup.exe" UNINSTALL
Macromedia Generator 2-->C:\WINNT\IsUninst.exe -f"c:\program files\flash 5\Generator\Generator 2\Uninst.isu" -c"c:\program files\flash 5\Generator\Generator 2\bin\uninstall.dll"
Macromedia Shockwave Player-->C:\WINNT\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~2\Install.log
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapleStory-->MsiExec.exe /I{48C8B29D-BCDE-4D5B-BDA5-A3EC87623C68}
Microangelo 5.5-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Microangelo\m5uninst.isu"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINNT\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669-->C:\WINNT\muninst.exe C:\WINNT\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2002-->MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINNT\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2002 System Pack-->MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
Microsoft Money 2002-->MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
Microsoft National Language Support Downlevel APIs-->"C:\WINNT\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Picture It! Photo 2002-->MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06}
Microsoft Streets and Trips 2002-->MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINNT\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Word 2002-->MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe d:\
Microsoft Works 6.0-->MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Microsoft XML Parser and SDK-->MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Monet's Water Lilies Demo Screen Saver-->sstunst2.exe Monet's Water Lilies Demo
Monopoly-->C:\WINNT\IsUninst.exe -fc:\Games\Monopoly\Uninst.isu
Morrowind-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Games\Morrowind\MWUninstall\Setup.exe" -l0x9
Mouse Gestures for Internet Explorer-->C:\Program Files\Internet Explorer\Plugins\Drowse\Uninstall.exe
Mozilla Firefox (2.0.0.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MS Access 97 SP2-->C:\Program Files\Microsoft Office\setup\setup.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MUSICMATCH Jukebox-->C:\WINNT\IsUninst.exe -f"C:\Program Files\MusicMatch\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\unmatch.dll
MySpaceIM-->C:\Program Files\MySpace\IM\Uninstall.exe
MySpaceIM-->MsiExec.exe /I{FE242C4A-4AF0-4E9F-ABFF-92CA3CEE8761}
Myst Masterpiece Edition-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7D1CE80E-3EAE-441E-BE97-625F9ABD07D9}\setup.exe"
Network Play System (Patching)-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
NHL 2002-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FDF3A1E0-186A-11D5-0089-C400C04FAE70}\setup.exe" -l0x9 Uninstall
Nimo Codecs Pack v5.0 (Remove Only)-->"C:\Program Files\NimoCodec Pack\uninstall.exe"
Nintendo Wi-Fi USB Connector Registration Tool-->C:\Program Files\WiFiConnector\SoftAPUninst.exe
Notifier-->MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINNT\System32\nvinstnt.dll,NvUninstallNT4 nvgw.inf
OfotoXMI-->MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OTtBP-->MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK-->MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Paint Shop Pro 6.0 (ESD)-->C:\PROGRA~1\PAINTS~1\Unwise.exe C:\PROGRA~1\PAINTS~1\INSTALL.LOG
PC-Doctor for Windows-->C:\WINNT\UNWISE32.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
Personal Color Viewer 2.0-->MsiExec.exe /I{B3E3EAEC-A20E-48EE-B161-A43B552D5465}
Philips Device Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{36A9D3F8-3FCF-4FBA-A8AD-3C1CE56C8AF4}\setup.exe" -l0x9 -removeonly
Philips Device Plug-in-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57F06897-6735-4B97-9DF3-DE8BC27879D4}\setup.exe" -l0x9 -removeonly
PhoneTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\setup.exe" -l0x9 ControlPanel
Poppit To Go-->C:\Games\POPPIT~1\UNWISE.EXE C:\Games\POPPIT~1\INSTALL.LOG
Porrasturvat - Stair Dismount (remove only)-->"C:\Games\Stair Dismount\uninst.exe"
Powertoys For Windows XP-->MsiExec.exe /I{6C31E111-96BB-4ADC-9C81-E6D3EEDDD8D3}
PS/2 Millennium Keyboard-->skuninst.exe SK_PS2MillenniumKeyboard
Pure Networks Port Magic-->C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe -Uninstall -ShowUI
QuickCam-->MsiExec.exe /I{43A9F944-0398-425E-9E22-201F65FE0CCA}
QuickTime-->MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
Rainlendar (remove only)-->"C:\Program Files\Rainlendar\uninst.exe"
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
RollerCoaster Tycoon 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}\Setup.exe" -l0x9
RollerCoaster Tycoon-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EE9EB18-62AD-4F68-AD11-2DF358CBDCA2}\Setup.exe" -l0x9
RTP 1.32 Add-On for RM2k-->C:\WINNT\UnGins.exe "C:\Program Files\ASCII\RPG2000\RTP\install.log"
RTP for RM2K (Png, Wav, Midi, Fonts)-->C:\WINNT\UnGins.exe "C:\Program Files\ASCII\RPG2000\RTP\install.log"
Safrosoft RoX 1.12-->C:\Games\RoX\unins000.exe
SCRABBLE-->C:\Games\YAHOOS~1\UNWISE.EXE /U C:\Games\YAHOOS~1\INSTALL.LOG
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINNT\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINNT\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINNT\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINNT\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINNT\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINNT\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINNT\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINNT\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINNT\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINNT\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINNT\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINNT\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINNT\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINNT\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINNT\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINNT\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINNT\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINNT\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINNT\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINNT\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINNT\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINNT\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINNT\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINNT\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINNT\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINNT\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINNT\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINNT\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINNT\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINNT\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINNT\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINNT\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINNT\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINNT\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINNT\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINNT\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINNT\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINNT\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINNT\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINNT\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINNT\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINNT\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINNT\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINNT\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINNT\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINNT\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINNT\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINNT\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINNT\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINNT\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINNT\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINNT\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINNT\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINNT\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINNT\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINNT\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINNT\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINNT\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINNT\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINNT\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINNT\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINNT\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINNT\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINNT\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINNT\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINNT\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINNT\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090)-->"C:\WINNT\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINNT\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINNT\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINNT\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINNT\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINNT\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINNT\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931768)-->"C:\WINNT\$NtUninstallKB931768$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINNT\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINNT\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933566)-->"C:\WINNT\$NtUninstallKB933566$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINNT\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINNT\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINNT\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINNT\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINNT\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINNT\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINNT\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINNT\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINNT\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINNT\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINNT\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINNT\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINNT\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINNT\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINNT\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINNT\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINNT\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINNT\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINNT\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINNT\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINNT\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINNT\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINNT\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINNT\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINNT\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINNT\$NtUninstallKB951698$\spuninst\spuninst.exe"
Sega Smash Pack II-->C:\WINNT\IsUninst.exe -f"c:\games\sega smash pack\smash pack 2\Uninst.isu"
Sega Smash Pack-->C:\WINNT\IsUninst.exe -f"C:\Games\Sega Smash Pack\Smash Pack 1\Uninst.isu"
SFR-->MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA-->MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Shockwave-->C:\WINNT\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\System32\Macromed\SHOCKW~1\Install.log
SimCity 3000 Unlimited-->C:\WINNT\IsUninst.exe -f"c:\games\sim city 3000\DeIsL1.isu" -c"c:\games\sim city 3000\_UnInstall.dll"
Simutronics Game Entry (32bit)-->C:\PROGRA~1\SIMU\SGE\UNWISE.EXE C:\PROGRA~1\SIMU\SGE\INSTALL.LOG
SKIN0001-->MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SkinStudio Free-->C:\PROGRA~1\SKINST~1\UNWISE.EXE C:\PROGRA~1\SKINST~1\INSTALL.LOG
SKINXSDK-->MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
SmartDraw_Catalog-->C:\Program Files\SmartDraw5\UNINSTAL.EXE C:\PROGRA~1\SMARTD~1\UNINSTALL\SmartDraw_Catalog.log
Sothink SWF Catcher for Internet Explorer-->"C:\WINNT\unins000.exe"
Sound Blaster Live! Value-->C:\Program Files\Creative\SBLive\PROGRAM\CTUNINST.EXE
Starcraft-->C:\WINNT\scunin.exe C:\WINNT\scunin.dat
StormFront-->C:\Games\Simu\STORMF~1\UNWISE.EXE C:\Games\Simu\STORMF~1\INSTALL.LOG
TES Construction Set-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Games\Morrowind\CSUninstall\Setup.exe" -l0x9
The Sims Livin' Large-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2727FBEF-3155-11D4-8F73-0050DA0F6297}\setup.exe"
Truck Dismount (remove only)-->"C:\Games\Truck Dismount\uninst.exe"
Update for Windows XP (KB894391)-->"C:\WINNT\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINNT\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINNT\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINNT\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINNT\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINNT\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINNT\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINNT\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINNT\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINNT\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINNT\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINNT\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINNT\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"C:\WINNT\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINNT\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINNT\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINNT\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINNT\$NtUninstallKB942763$\spuninst\spuninst.exe"
USB Dual Vibration Joystick-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59354E6C-B36F-49EF-9419-D904B86C9C57}\setup.exe" -l0x9
Viewpoint Manager (Remove Only)-->C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VPRINTOL-->MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Warcraft II BNE-->C:\WINNT\W2BNEUnin.exe C:\WINNT\W2BNEUnin.dat
Web Camera Control-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84834762-4259-4213-8EE3-91481F05BC19}\Setup.exe"
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
WindowBlinds-->C:\PROGRA~1\WINDOW~4\UNWISE.EXE C:\PROGRA~1\WINDOW~4\INSTALL.LOG
Windows Installer 3.1 (KB893803)-->"C:\WINNT\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINNT\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINNT\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Hotfix - KB873339-->C:\WINNT\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINNT\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINNT\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB885884-->C:\WINNT\$NtUninstallKB885884$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINNT\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINNT\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINNT\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINNT\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINNT\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINNT\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Service Pack 2-->C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
WinMX-->C:\Program Files\WinMX\uninstall.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WIRELESS-->MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

=====HijackThis Backups=====

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2007.4.4.cab
O20 - AppInit_DLLs: karna.dat

Hosts File Missing

#5 Jagoros

Jagoros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 06 November 2008 - 07:18 PM

Okay so I ran through these logs and I noticed another file

zojibyta.com

I went into the folder and checked the creation date, and sure enough, it was the 5th at 2 in the morning. So I'm pretty sure that file is also bad. I didn't do anything to it, didn't click it or run it or try to delete it (as per your request), just bringing it to your attention.

Thank you again for your help.

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:39 AM

Posted 06 November 2008 - 07:41 PM

Hi again.

Okay so I ran through these logs and I noticed another file

zojibyta.com

I went into the folder and checked the creation date, and sure enough, it was the 5th at 2 in the morning. So I'm pretty sure that file is also bad. I didn't do anything to it, didn't click it or run it or try to delete it (as per your request), just bringing it to your attention.

Okay. Thanks for informing me. I'll take a look at the log and get back to you. Probably not today because my coaches need to check my work as I am still in training. Check back tomorrow, and try to refrain from changing anything from your machine.

Thanks :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:39 AM

Posted 08 November 2008 - 09:28 AM

Hi again. Sorry for the delay. Sometimes we overlook things.

Posted ImageBackdoor Threat
Unfortunatly One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Peer-to-Peer and View Point Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case BitTornado 0.3.7 and LimeWire 4.16.6). These programs allow to share files between users as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Viewpoint Manager and Viewpoint Media Player is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Additional instructions on remocing program can be found here.


Please follow the instructions below to continue to disinfect.

Download and Run SDFix

You can find complete instructions on running SDFix in the link below:
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

SDfix is for Windows 2000 and Windows XP only,
  • Download SDfix setup onto your desktop.
  • Run the installer. Leave the install location at your system root.
  • After the install, boot into Safe Mode(refer below)
  • Click your Start Menu. Click Run. Type in c:\sdfix\runthis.bat. Hit OK.
  • The prompt window will open. Type Y and hit Enter.
  • Wait for the scan to finish.
  • You will be prompted to restart. Press anykey to do so. Allow Sdfix to boot the computer into normal boot.
  • At reboot, the prompt window will pop-up, along with a log (C:\rapport.txt) shortly after. Copy the contents of the log back in your next reply.
Boot into Safe Mode

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to booting into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot like usually, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important!:Please do not select the Show all checkbox during the scan..

Post back with:
-SDfix log (rapport.txt)
-GMER log
-Fresh RSIT Log


Thanks :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 Jagoros

Jagoros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 08 November 2008 - 07:29 PM

... But, I don't understand. Can you please tell me which files you think are that backdoor trojan? I've reformatted my computer once before due to some bad advice from a computer rep, I dont want to make the same mistake twice. (no offense intended) It's just I've had this computer for close to 10 years, and with a little work, the stats on it are still on par with systems currently available. I dont just want to throw away that much work on a hunch or possible trojan, I want to know what's going on here a bit more.


I'm just gonna ask a few questions here okay? I'd appreciate it if you could answer them.

So far, the only suspect file is that svchost in the wrong place, is that the culprit? Or is it that zojibyta.com thing? Why didn't the avast pick that up as a virus then? How bad is this infection? I mean, am I that blind that I didn't notice things in the log? Is it one file, is it 15? I understand the nature of a backdoor trojan, so I know that question can be hard to answer with certainty, but I mean, as of now, how many files is it? Is it possible that there is a mistake, that some sort of file that you guys have in there might be something I did to my computer on purpose like a modification or something and you're just not aware of?

Finally, on a personal note, if I do whatever it is to clean this computer, how likely is it that this will be gone with a high certainty ( I understand the note there about it never being 100%...)? If I run all these scans you're asking me to run, do I delete anything automatically, or do I have to wait for you to respond again? If I chose to delete everything, can I save any files? How likely is an infection like this going to 'attach' itself to files like mp3s, .doc, .txt, .gif, .jpg, or video files? What about pictures I put on from things like my digital camera? Are they at risk of whatever this is, attaching itself to it and transfering to a new clean system?

I know that's a lot of questions to throw at you all at once, I'm sorry. I bet you must pull your hair out sometimes with the problems you guys must deal with. I'm just trying to understand what's going on here a bit more and trying to salvage what I can. Thank you again, as always, for your help.

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:39 AM

Posted 08 November 2008 - 08:15 PM

Hi Jagoros.

No Problem. I like that you ask questions, this lets me know that you are attentive and listening and reading the instructions. Good Job :thumbsup:

Can you please tell me which files you think are that backdoor trojan?

Yes. You are correct the backdoor is the file C:\WINNT\system32\drivers\svchost.exe. As you probably know the legitimate file should be in the C:\WINNT\system32\svchost.exe.

Well this infection you have is a rootkit according to AVAST!. You can read more about rootkits here. Usually rootkits can hide other malware, so it is difficult to remove.
That is why I told you to run GMER. GMER is one of the best rootkit scanners out there. SDfix deals specifically on that C:\WINNT\system32\drivers\svchost.exe file. Sometimes infection like these ones are very difficult to remove manually and most of the times it wouldn't get removed completely.

I dont just want to throw away that much work on a hunch or possible trojan, I want to know what's going on here a bit more.

That's okay, I know how it feels :).

So far, the only suspect file is that svchost in the wrong place, is that the culprit? Or is it that zojibyta.com thing?

As, I have explained above yes it is partially with the svchost.exe file, but it is also a rootkit, so that is very dangerous as it may be hiding other malware as well. The file zojibyta.com I am not exactly sure though. It is very likely it is bad. It may be vundo. However, that is not as serious as the rootkit infection, so I left that out for now and deal with it soon after finishing hunting down the rootkit(s).

Is it one file, is it 15?

This is very hard to determine especially when there is rootkit activity involved here. Just by looking at the log, I would say it is only those 2 files, however I need to check if anything else is there.

Is it possible that there is a mistake, that some sort of file that you guys have in there might be something I did to my computer on purpose like a modification or something and you're just not aware of?

I'm not quite understanding this question. What do you mean by some sort of file that you guys have in there? In where? What sort of files? Are you refereeing to the tools or something? Please clarify and be a bit more specfic on what you said, and sorry for misunderstanding if I have said something wrong.

Finally, on a personal note, if I do whatever it is to clean this computer, how likely is it that this will be gone with a high certainty ( I understand the note there about it never being 100%...)?

Good question. Well, as I said already. We can clean this machine, however after an infection like this, do you trust your computer anymore? It already has been compromised by someone, even if it is cleaned do you trust it? That is your own belief. If you trust it still then feel free to continue to use it, however most people will think that there computer isn't trustworthy enough so a format will make them feel more comfortable. The certainty of this infection is fairly high, I can almost guarantee that it can be removed, as I have dealt with this infection before as well.

If I run all these scans you're asking me to run, do I delete anything automatically, or do I have to wait for you to respond again?

If I'm helping you, then why should you do all the work/thinking? I will tell you the steps what to do and you Will follow it to clean this machine. You therefore, will just need to wait for the instructions. I would not like you to alter anything because this will change the instructions and also it may not full fill what I need to do with a specific infection.

How likely is an infection like this going to 'attach' itself to files like mp3s, .doc, .txt, .gif, .jpg, or video files? What about pictures I put on from things like my digital camera? Are they at risk of whatever this is, attaching itself to it and transfering to a new clean system?

I don't think there are any type of infection that infects your work data's, therefore you can backup all important data(.doc .txt .xml etc..) Also you can backup any songs you like such as .mp3 and pictures. I would avoid backing up any executable (.exe or .bat) because usually those may be infected. Backing up important data is fine. Take note that with a backdoor, your computer is compromised, so therefore there might be system information stolen.

What about pictures I put on from things like my digital camera? Are they at risk of whatever this is, attaching itself to it and transfering to a new clean system?

Again, same as above. You can backup your pictures that you want to keep and transfer it to the new machine at anytime.

I know that's a lot of questions to throw at you all at once, I'm sorry. I bet you must pull your hair out sometimes with the problems you guys must deal with. I'm just trying to understand what's going on here a bit more and trying to salvage what I can. Thank you again, as always, for your help.

No need to be sorry. I like when people ask questions that means there thinking and listening. I usually don't pull my hair off, unless there is some kind of infection that is almost impossible to clear up and it just keeps coming back and gets annoying. I understand you want to understand a bit of what is going on, so that is why I gave you a nice long paragraph that you can read and digist slowly (It's actually not that long). ;)

Hope that answers your questions and give you a better understanding of what's going on here :)

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 Jagoros

Jagoros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 08 November 2008 - 08:58 PM

Hey, thanks a lot for answering all my questions. I just purchased an external harddrive online, I'll pick it up tomorrow from the store. Tomorrow, after I back up some files, I'll install those programs you asked me to install and send you those logs ASAP. If don't post them by tomorrow I'll DEFINATELY post them on monday. Then hopefully we can get the ball rolling on cleaning this machine. Your confidence is comforting and thank you for all your help so far.

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:39 AM

Posted 08 November 2008 - 09:28 PM

Hi.

I just purchased an external harddrive online, I'll pick it up tomorrow from the store.

Good Idea. This will make sure you have everything safe inside your External Hard-drive, incase something goes wrong and if one of your important files got deleted it's not like the end of the world.

I'll install those programs you asked me to install and send you those logs ASAP.

Okay. No problem, I'll see you once you post back the logs and let's get this machine disinfected.

Your confidence is comforting and thank you for all your help so far.

My pleasure to help.

Also a suggestion would be to disable your internet connection when you are not using it. If you want to check back if I replied that's fine. We will probably get a response at least once a day. Limiting the amount of usage with internet will help too. :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 Jagoros

Jagoros
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 10 November 2008 - 12:58 AM

Well after some careful thought (and trust me, you have plenty of time to think while you're spending a few hours backing up all your files) I've decided that I NEED this computer to be 100% safe, and so I've decided to reformat. Hopefully, I'm not repeating the same mistake I made last time, but I realized I did a lot more prep than I thought, throughout these past years. I have many, if not all, or my program installation exe's saved in zipped folders, and the external hard drive I bought is literally around 3 times the size of my actual one.

I even have my Windows XP SP2 disk so I can install that right away and have a firewall before I even connect to the internet. Or at least, I think that would work. You can jump right into sp2 correct? Or do I have to install sp1 first?

I just have a few more gaming files to back up and I should be good to go. The only thing I'm worried about are any drivers I may have updated. I dont even know where to go to update those things anymore. I guess the only thing to do is just try and see what works and what doesn't work. Nothing a few more hours of slaving over a computer can't fix right?

Is there anything you think I might want to check and double check before I pull the trigger here? I'm not going to reinstall until at least tomorrow afternoon. I want to sleep on it and double check the computer for any files I might have missed. I'll check this topic sometime tomorrow before I reformat, so if you'd like to chime in here that'd be great.

I've probably said it a million times all ready, but thank you for all of your help up to now. Your staff does a very nice thing helping all these people here and I'm sure I speak for them all when I say it is greatly appreciated.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:39 AM

Posted 10 November 2008 - 08:55 AM

Hi Jagoros.

That is fine. Yes, if you wish to make is 100% clean a format is always a good choice :)

You can jump right into sp2 correct? Or do I have to install sp1 first?

Yup, that's correct, if you have the Windows XP disk then it is fine you can jump and install sp2.

The only thing I'm worried about are any drivers I may have updated. I dont even know where to go to update those things anymore.

hummmm... Are you talking about those video drivers, sound drivers etc...? If so, then you can go to the website and download the correct drivers, if you do not have the CD anymore.

I'll just give you an example. For me, this is a laptop which is TOSHIBA. Therefore I would go to the toshiba website.
Which I found located here: http://support.toshiba.ca/support/download/ln_byModel.asp

Then I would select the Product: Family: Model: and Part Number:
Those can be found under your laptop, if you are using a laptop. If you are using a desktop, it can be found on the side.

I would avoid backing up the drivers though, I don't think that is what you mean though? Can you explain on that.

Is there anything you think I might want to check and double check before I pull the trigger here?

Sure. make sure all your important data are in your external hard-drive. Double,triple, quadruple check.

Make sure there are NO, any executables files.

Nothing a few more hours of slaving over a computer can't fix right?

Don't worry I went through a format before due to some hardware problems. Anyways, it took about 4 days for it to complete. Not that the format took 4 days. But, it took 3 days backing up and checking and the last day to do the final reinstall and format.

The format shouldn't take too long. Approximately 1-2 hours max.

Other than that, I don't no anything else that I can say. However, after the format, I do have some prevention speech I would like you to take a look at below:


Congratulations! You now appear clean! :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls

Please also have a look at the following links, giving some advice and suggestions for preventing future infections:I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Some Other Recommendations are:
Below are some recommendations of programs to lower your chances of (re)infection. (This does not mean you have to install it.)Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :thumbsup:

Hope that helps, and good luck on the format :)

Thanks :)

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 harrythook

harrythook


  • Members
  • 4,151 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:01:39 AM

Posted 14 November 2008 - 05:01 AM

As this issue seems to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
For all others, if you have a similar issue please start a new topic.

Thanks for asking in BleepingComputer.com

Veni Vidi Vici
THE FIGHT AGAINST MALWARE


Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users