
Infected with Chinese trojan


This topic is locked
7 replies to this topic

#1 Q.T.Quazar

  • Members
  • 9 posts
  • OFFLINE
  • Local time: 09:20 PM

Posted 22 December 2008 - 10:20 AM

Hit by a new(?) Chinese trojan this week. Was getting popups; thought it was just spyware/adware junk. But Avast didn't pick it up, and on reboot after an attempted clean my boot sequence now takes 7+ minutes. It's bad enough that I thought it was faulty memory or some such and swapped out my RAM.

Problems showing up in the windows/system32 and user/app/remote.... folders.

Ran Avast, then Anti-Malware, some others (VundoFix, ATF Cleaner, Trojan Remover, etc.).

Here to beg help from the experts. Can't run Kaspersky at the moment because of internet connectivity problems where I am in China. Anyway, here's the log:



info.txt logfile of random's system information tool 1.05 2008-12-22 23:10:33

======Uninstall list======

-->MsiExec /X{AFD5ED58-271A-4907-96C2-2745C83BB035}
Acubix PicoZip 4.02-->"C:\Program Files\PicoZip\unins000.exe"
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Assassin's Creed-->C:\Program Files\InstallShield Installation Information\{8CFA9151-6404-409A-AF22-4632D04582FD}\setup.exe -runfromtemp -l0x0009 -removeonly
Audiosurf-->MsiExec.exe /I{6D316D67-DA52-4659-9C98-F479963534D6}
Azureus Vuze-->C:\Program Files\Azureus\uninstall.exe
Baldur's Gate™ II - Throne of Bhaal ™-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8C3B479-1716-11D5-968A-0050BA84F5F7}\Setup.exe"
Beyond Divinity V1.0-->D:\PROGRA~1\LARIAN~1\BEYOND~1\UNWISE.EXE D:\PROGRA~1\LARIAN~1\BEYOND~1\INSTALL.LOG
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Combined Community Codec Pack 2008-01-24-->"C:\Program Files\Combined Community Codec Pack\unins000.exe"
ConvertHelper 2.1-->"C:\Program Files\ConvertHelper\unins000.exe"
Cottage Of Doom 1.0-->"C:\Program Files\Cottage Of Doom\unins000.exe"
dBpoweramp FLAC Codec-->"C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
dBpoweramp m4a Codec-->"C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
dBpoweramp Music Converter-->"C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
Democracy 2-->"d:\Program Files\Democracy2\unins000.exe"
Depths Of Peril-->"C:\Program Files\Depths Of Peril\ReflexiveArcade\unins000.exe"
D-Fend Reloaded 0.5.0 (deinstall)-->"C:\Program Files\D-Fend Reloaded\Uninstall.exe"
EAX4 Unified Redist-->MsiExec.exe /X{89661B04-C646-4412-B6D3-5E19F02F1F37}
Eschalon Book 1 v1.0-->"d:\Program Files\Eschalon Book I\unins000.exe"
Fallout 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\setup.exe" -l0x9 -removeonly
FastCrawl Version 1.03-->"C:\Program Files\FastCrawl\unins000.exe"
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Gigabyte Raid Configurer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\SETUP.EXE" -l0x9 -removeonly
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Gothic_Patch-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{302AC480-43D2-11D5-A818-00500435FC18}\Setup.exe" -uninst
Gothic-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBF10B37-4ED3-11D5-A818-00500435FC18}\Setup.exe"
GrabIt 1.7.2 Beta 3 (build 996)-->"C:\Program Files\GrabIt\unins000.exe"
GTK+ Runtime 2.12.1 rev b (remove only)-->C:\Program Files\Common Files\GTK\2.0\uninst.exe
Harvest Massive Encounter-->"d:\Program Files\Harvest Massive Encounter\ReflexiveArcade\unins000.exe"
HijackThis 2.0.2-->"C:\Users\QT4265~1.QUA\Desktop\VIRALF~1\HijackThis.exe" /uninstall
ILLUSION ????3-->MsiExec.exe /X{E4D02EF2-6F12-4BE9-9928-2F27DA01A915}
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
King's Bounty. The Legend (Remove Only)-->"D:\Program Files\Atari\King's Bounty. The Legend\unins000.exe"
Kudos 2-in-1-->"C:\Windows\Kudos 2-in-1\uninstall.exe" "/U:d:\Program Files\Kudos 2-in-1\Uninstall\uninstall.xml"
LeapFTP-->C:\Windows\unleap.exe C:\Program Files\LeapFTP\install.log
Magic Stones-->"d:\Program Files\Magic Stones\ReflexiveArcade\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 3.5 Language Pack - chs-->MsiExec.exe /I{43A3B6EF-14BE-372E-A29B-D3A8ADE2FE55}
Microsoft .NET Framework 3.5 Language Pack - jpn-->MsiExec.exe /I{8027B590-CD2B-3C7E-9F00-CDC0916CC915}
Microsoft .NET Framework 3.5 Language Pack - ???-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - jpn\setup.exe
Microsoft .NET Framework 3.5 ??? - ????-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - chs\setup.exe
Microsoft .NET Framework 3.5-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MobileMe Control Panel-->MsiExec.exe /I{6DA9102E-199F-43A0-A36B-6EF48081A658}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.18)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Multiwinia v1.0.5-->"d:\Program Files\Multiwinia\unins000.exe"
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
NVIDIA PhysX v8.08.18-->MsiExec.exe /X{AFD5ED58-271A-4907-96C2-2745C83BB035}
֧ȫؼ 1,1,0,3-->"C:\Windows\system32\aliedit\unins000.exe"
Oblivion - Horse Armor Pack-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABEBD00-299D-4DCA-967F-B912163AB5EA}\setup.exe" -l0x9 -removeonly
Oblivion - Knights of the Nine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14C87AA7-08E6-419F-A165-998EBE5023D7}\setup.exe" -l0x9 -removeonly
Oblivion - Mehrunes Razor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF295F5C-7B57-47AA-8889-6B3E8E214E89}\setup.exe" -l0x9 -removeonly
Oblivion - Orrery-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC425CFC-EE78-4A91-AA25-3BFA65B75364}\setup.exe" -l0x9 -removeonly
Oblivion - Spell Tomes-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D919E6-F019-4E15-BFBE-4A85EF19DA57}\setup.exe" -l0x9 -removeonly
Oblivion - Thieves Den-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FFFFFD17-B460-41EB-93F1-C48ABAD63828}\setup.exe" -l0x9 -removeonly
Oblivion - Vile Lair-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}\setup.exe" -l0x9 -removeonly
Oblivion - Wizard's Tower-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F2E3D62-8B8C-448F-8900-451325E50948}\setup.exe" -l0x9 -removeonly
Oblivion mod manager 1.1.9-->"C:\Program Files\Bethesda Softworks\Oblivion\obmm\uninstall\unins000.exe"
Oblivion-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
OpenOffice.org 2.3-->MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
Oxin's Style! 3D Sexvilla 2-->"d:\Program Files\Oxin's Style!\3D Sexvilla 2\Binaries\unins000.exe"
Pidgin-->C:\Program Files\Pidgin\pidgin-uninst.exe
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RapeLay (remove only)-->"d:\Program Files\Illusion\RapeLay\uninstall.exe"
RAR Key Demo-->C:\PROGRA~1\Passware\demos\UNWISE.EXE /U C:\PROGRA~1\Passware\demos\rarkey.log
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -removeonly
RivaTuner v2.10-->"C:\Program Files\RivaTuner v2.10\uninstall.exe"
Runesword 2.5.0-->d:\Program Files\Runesword\uninst.exe
Sacred Underworld-->"D:\Program Files\Ascaron Entertainment\Sacred Underworld\unins000.exe"
Sexy Beach 3 - Complete English Edition (remove only)-->"d:\Program Files\Illusion\SexyBeach3-CEE\uninstall.exe"
Sins of a Solar Empire-->"C:\ProgramData\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe" REMOVE=TRUE MODIFY=FALSE
Sins of a Solar Empire-->C:\ProgramData\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe
Songbird 0.6.1 (20080623)-->"C:\Program Files\Songbird\Songbird-Uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Three thrixx Games v32-->e:\thriXXX\Uninstall.exe
Tom Clancy's Splinter Cell Chaos Theory-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BABAEBE4-9FFB-4B5D-9453-64FF11517CA2}\setup.exe" -l0x9 -removeonly
Tradewinds Legends-->"C:\Program Files\Tradewinds Legends\ReflexiveArcade\unins000.exe"
Trojan Remover 6.7.5-->"C:\Program Files\Trojan Remover\unins000.exe"
Tropico-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{818FB39B-1A57-4F1B-A54D-391C33D6C596}\setup.exe" -l0x9
UFO:AI 2.2.1-->d:\Program Files\UFOAI-2.2.1\uninst.exe
Ultimate Extras sounds from Microsoft Tinker-->RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound2.inf,Uninstall
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
Unofficial Oblivion Patch v2.2.0-->"C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Oblivion Patch\unins000.exe"
Unofficial Official Mods Patch v11-->"C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Official Mods Patch\unins000.exe"
Unofficial Shivering Isles Patch v1.2.0-->"C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Shivering Isles Patch\unins000.exe"
VideoLAN VLC media player 0.8.5-->C:\Program Files\VideoLAN\VLC\uninstall.exe
vLite-->"C:\Program Files\vLite\unins000.exe"
Westward-->"C:\Program Files\Westward\ReflexiveArcade\unins000.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Sound Schemes-->RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound.inf,Uninstall
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wiz1Edit-->C:\Windows\uninst.exe -f"C:\Program Files\Software Specialties\Wiz1Edit\DeIsL1.isu" -c"C:\Program Files\Software Specialties\Wiz1Edit\_ISREG32.DLL"
Zip Motion Block Video codec (Remove Only)-->rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\Windows\INF\ZMBV.INF
??????? 2,1,1,1-->"C:\Windows\system32\aliedit\unins000.exe"

=====HijackThis Backups=====

O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\Windows\system32\msupdte.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O13 - Gopher Prefix:
O8 - Extra context menu item: ӵQQ - C:\Program Files\Tencent\QQ\AddEmotion.htm
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\Windows\system32\msupdte.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AS: Spybot - Search and Destroy (disabled)
AS: Windows Defender

System event log

Computer Name: Q13
Event Code: 7036
Message: The Secure Socket Tunneling Protocol Service service entered the running state.
Record Number: 61979
Source Name: Service Control Manager
Time Written: 20081222144258.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The Telephony service entered the running state.
Record Number: 61980
Source Name: Service Control Manager
Time Written: 20081222144258.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.
Record Number: 61981
Source Name: Service Control Manager
Time Written: 20081222144259.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The Windows Modules Installer service entered the stopped state.
Record Number: 61982
Source Name: Service Control Manager
Time Written: 20081222145257.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
Record Number: 61983
Source Name: Service Control Manager
Time Written: 20081222145433.000000-000
Event Type: Information
User:

Application event log

Computer Name: Q13
Event Code: 1
Message: The Windows Security Center Service has started.
Record Number: 10380
Source Name: SecurityCenter
Time Written: 20081222143739.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 1003
Message: The Windows Search Service started.

Record Number: 10381
Source Name: Microsoft-Windows-Search
Time Written: 20081222143745.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 1
Message: Certificate Services Client has been started successfully.
Record Number: 10382
Source Name: Microsoft-Windows-CertificateServicesClient
Time Written: 20081222143824.326921-000
Event Type: Information
User: Q13\Q.T.Quazar

Computer Name: Q13
Event Code: 0
Message:
Record Number: 10383
Source Name: iPod Service
Time Written: 20081222143829.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 1
Message: Certificate Services Client has been started successfully.
Record Number: 10384
Source Name: Microsoft-Windows-CertificateServicesClient
Time Written: 20081222143831.315721-000
Event Type: Information
User: NT AUTHORITY\SYSTEM

Security event log

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24491
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081222151031.991121-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24492
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081222151032.024121-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24493
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081222151032.057121-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24494
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081222151032.092121-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24495
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081222151032.124121-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------


Logfile of random's system information tool 1.05 (written by random/random)
Run by Q.T.Quazar at 2008-12-22 23:10:28
Microsoft Windows Vista Ultimate Service Pack 1
System drive C: has 31 GB (10%) free of 305 GB
Total RAM: 2046 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:32 PM, on 12/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\PicoZip\PicoZipTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\RivaTuner v2.10\RivaTuner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Users\Q.T.Quazar\Desktop\RSIT.exe
C:\Users\QT4265~1.QUA\Desktop\VIRALF~1\Q.T.Quazar.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.10\RivaTunerWrapper.exe" /T
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O15 - Trusted Zone: http://*.alipay.com
O15 - Trusted Zone: http://*.alisoft.com
O15 - Trusted Zone: http://*.taobao.com
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/2121/aliedit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/newperbank/...afeControls.cab
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 5072 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [2008-10-07 652784]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"JMB36X IDE Setup"=C:\Windows\RaidTool\xInsIDE.exe [2007-03-20 36864]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-07-16 6253088]
"RivaTuner"=C:\Program Files\RivaTuner v2.10\RivaTunerWrapper.exe [2008-09-01 24576]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-08-23 13535776]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-08-23 92704]
"TrojanScanner"=C:\Program Files\Trojan Remover\Trjscan.exe [2008-12-10 1230728]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PicoZip"=C:\Program Files\PicoZip\PicoZipTray.exe [2006-06-09 581632]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-07-24 490952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EB2B32]
C:\Windows\system32\FC8CCE\EB2B32.EXE [2008-12-15 1514544]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Q.T.Quazar^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^.lnk]
C:\Windows\System32\FC8CCE\EB2B32.EXE [2008-12-15 1514544]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051a41af-d3cc-11dc-9cdf-806e6f6e6963}]
shell\AutoRun\command - wscript.exe u.vbe
shell\explore\command - wscript.exe u.vbe
shell\find\command - wscript.exe u.vbe
shell\open\command - wscript.exe u.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cab5981-0fc5-11dd-a69e-001a4d5c79b5}]
shell\1\command - I:\Notepad.exe
shell\2\command - I:\Notepad.exe
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\Notepad.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27a968e6-1b7a-11dd-b570-001a4d5c79b5}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
shell\Open\command - Boot.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3682c7bf-d3c3-11dc-82bc-806e6f6e6963}]
shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60fe608c-d3bc-11dc-8016-001a4d5c79b5}]
shell\explore\command - .\RECYCLER\auto.exe
shell\open\command - .\RECYCLER\auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c61aa747-d3bb-11dc-ab88-806e6f6e6963}]
shell\AutoRun\command - D:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce6a2416-783c-11dd-a26d-806e6f6e6963}]
shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc4ee72e-a50f-11dd-8a78-001a4d5c79b5}]
shell\AutoRun\command - H:\FalloutLauncher.exe


======File associations======

.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2008-12-22 23:10:28 ----D---- C:\rsit
2008-12-22 18:54:32 ----D---- C:\VundoFix Backups
2008-12-22 18:45:15 ----D---- C:\Deckard
2008-12-22 15:27:44 ----A---- C:\Windows\system32\ztvunrar36.dll
2008-12-22 15:27:44 ----A---- C:\Windows\system32\ztvunace26.dll
2008-12-22 15:27:44 ----A---- C:\Windows\system32\UNRAR3.dll
2008-12-22 15:27:44 ----A---- C:\Windows\system32\unacev2.dll
2008-12-22 15:27:42 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\Simply Super Software
2008-12-22 15:27:42 ----D---- C:\ProgramData\Simply Super Software
2008-12-22 15:27:42 ----D---- C:\Program Files\Trojan Remover
2008-12-22 13:48:45 ----D---- C:\Windows\pss
2008-12-22 01:55:09 ----D---- C:\Program Files\Bonjour(101)
2008-12-22 01:54:30 ----D---- C:\Program Files\iPod(138)
2008-12-22 01:54:29 ----D---- C:\Program Files\iTunes(139)
2008-12-22 01:53:26 ----D---- C:\Program Files\QuickTime(155)
2008-12-17 08:10:06 ----D---- C:\Program Files\ConvertHelper
2008-12-15 11:29:03 ----HD---- C:\Windows\system32\FC8CCE
2008-12-15 11:29:03 ----HD---- C:\Windows\system32\E67F8F
2008-12-15 11:29:03 ----HD---- C:\Windows\system32\4B3FFA
2008-11-29 11:05:09 ----D---- C:\Windows\Minidump
2008-11-27 22:23:10 ----A---- C:\Windows\system32\XAudio2_1.dll
2008-11-27 22:23:10 ----A---- C:\Windows\system32\XAPOFX1_0.dll
2008-11-27 22:23:10 ----A---- C:\Windows\system32\xactengine3_1.dll
2008-11-27 22:23:10 ----A---- C:\Windows\system32\X3DAudio1_4.dll
2008-11-27 22:23:10 ----A---- C:\Windows\system32\D3DX9_38.dll
2008-11-27 22:23:10 ----A---- C:\Windows\system32\d3dx10_38.dll
2008-11-27 22:23:10 ----A---- C:\Windows\system32\D3DCompiler_38.dll
2008-11-27 22:21:15 ----D---- C:\Windows\system32\xlive

======List of files/folders modified in the last 1 months======

2008-12-22 23:10:32 ----D---- C:\Windows\Prefetch
2008-12-22 22:42:53 ----D---- C:\Program Files\Mozilla Firefox
2008-12-22 22:32:26 ----D---- C:\Windows
2008-12-22 22:26:48 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-12-22 22:26:44 ----D---- C:\Windows\Debug
2008-12-22 21:54:04 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\OpenOffice.org2
2008-12-22 21:48:44 ----D---- C:\Windows\System32
2008-12-22 21:48:44 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\Desktopicon
2008-12-22 19:33:48 ----A---- C:\VundoFix.txt
2008-12-22 18:44:47 ----D---- C:\Windows\Temp
2008-12-22 18:15:41 ----D---- C:\Windows\system32\drivers
2008-12-22 18:11:30 ----AD---- C:\ProgramData\TEMP
2008-12-22 15:27:42 ----RD---- C:\Program Files
2008-12-22 15:27:42 ----HD---- C:\ProgramData
2008-12-22 14:55:43 ----SHD---- C:\System Volume Information
2008-12-22 13:16:59 ----D---- C:\ProgramData\Google Updater
2008-12-22 12:57:27 ----D---- C:\Windows\system32\wbem
2008-12-22 12:56:15 ----D---- C:\Windows\system32\config
2008-12-22 12:56:04 ----SHD---- C:\Windows\Installer
2008-12-22 12:56:04 ----D---- C:\Windows\Tasks
2008-12-22 12:56:04 ----D---- C:\Windows\system32\spool
2008-12-22 12:56:04 ----D---- C:\Windows\system32\restore
2008-12-22 12:56:04 ----D---- C:\Windows\system32\Msdtc
2008-12-22 12:56:04 ----D---- C:\Windows\system32\catroot2
2008-12-22 12:56:03 ----D---- C:\Windows\inf
2008-12-22 12:56:03 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\Azureus
2008-12-22 12:56:03 ----D---- C:\ProgramData\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 12:56:03 ----D---- C:\Program Files\QuickTime
2008-12-22 12:55:59 ----D---- C:\Program Files\iTunes
2008-12-22 12:55:56 ----D---- C:\Program Files\iPod
2008-12-22 12:55:56 ----D---- C:\Program Files\Common Files\Apple
2008-12-22 12:55:56 ----D---- C:\Program Files\Bonjour
2008-12-22 12:55:54 ----D---- C:\Windows\registration
2008-12-19 00:53:01 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\.purple
2008-12-17 15:31:59 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-12-17 15:04:35 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\gtk-2.0
2008-12-16 11:10:38 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-27 22:23:30 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-27 22:23:11 ----D---- C:\Program Files\Bethesda Softworks
2008-11-27 22:22:58 ----RSD---- C:\Windows\assembly
2008-11-27 22:22:30 ----D---- C:\Windows\Logs
2008-11-26 23:39:05 ----D---- C:\Program Files\Mozilla Thunderbird

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-19 350720]
R1 SCDEmu;SCDEmu; C:\Windows\system32\drivers\SCDEmu.sys [2008-07-07 56108]
R3 Alidevice;Alidevice; C:\Windows\system32\drivers\Alidevice.sys [2008-07-14 6656]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-07-16 2156312]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-08-23 7475488]
R3 RivaTuner32;RivaTuner32; \??\C:\Program Files\RivaTuner v2.10\RivaTuner32.sys [2008-09-01 9088]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-08-06 124928]
S3 azxk840h;azxk840h; C:\Windows\system32\drivers\azxk840h.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 gdrv;gdrv; \??\C:\Windows\gdrv.sys [2008-02-05 16376]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-07-10 32000]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-07 168432]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-08-23 118784]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-19 523776]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-19 917504]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

-----------------EOF-----------------



thanks,
QTQuazar


#2 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:20 AM

Posted 27 December 2008 - 03:36 AM

Hi,

Welcome to BleepingComputer HijackThis Logs and Malware Removal, QTQuazar. :thumbsup:
My name is sundavis, and I will be helping you to deal with your Malware problems today.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, then please do the following.
The log you presented is a few days old. It may not show what is there now. In the meantime, please refrain from making any changes to your computer, and please do the following:


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

In your next reply, please post back:


1. RSIT log.txt and info.txt (before running RSIT, please delete the folder C:\rsit). Thanks.

#3 Q.T.Quazar

Q.T.Quazar
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:20 PM

Posted 27 December 2008 - 10:20 AM

No need for apology, you're doing me the favor.

Here are the fresh logs:



Logfile of random's system information tool 1.05 (written by random/random)
Run by Q.T.Quazar at 2008-12-27 23:14:54
Microsoft Windows Vista Ultimate Service Pack 1
System drive C: has 32 GB (10%) free of 305 GB
Total RAM: 2046 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:02 PM, on 12/27/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\PicoZip\PicoZipTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\RivaTuner v2.10\RivaTuner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Windows\explorer.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Q.T.Quazar\Desktop\RSIT.exe
C:\Users\QT4265~1.QUA\Desktop\VIRALF~1\Q.T.Quazar.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.10\RivaTunerWrapper.exe" /T
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O15 - Trusted Zone: http://*.alipay.com
O15 - Trusted Zone: http://*.alisoft.com
O15 - Trusted Zone: http://*.taobao.com
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/2121/aliedit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/newperbank/...afeControls.cab
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 5225 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [2008-10-07 652784]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"JMB36X IDE Setup"=C:\Windows\RaidTool\xInsIDE.exe [2007-03-20 36864]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-07-16 6253088]
"RivaTuner"=C:\Program Files\RivaTuner v2.10\RivaTunerWrapper.exe [2008-09-01 24576]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-08-23 13535776]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-08-23 92704]
"TrojanScanner"=C:\Program Files\Trojan Remover\Trjscan.exe [2008-12-10 1230728]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PicoZip"=C:\Program Files\PicoZip\PicoZipTray.exe [2006-06-09 581632]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-07-24 490952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EB2B32]
C:\Windows\system32\FC8CCE\EB2B32.EXE [2008-12-15 1514544]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Q.T.Quazar^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^.lnk]
C:\Windows\System32\FC8CCE\EB2B32.EXE [2008-12-15 1514544]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051a41af-d3cc-11dc-9cdf-806e6f6e6963}]
shell\AutoRun\command - wscript.exe u.vbe
shell\explore\command - wscript.exe u.vbe
shell\find\command - wscript.exe u.vbe
shell\open\command - wscript.exe u.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27a968e6-1b7a-11dd-b570-001a4d5c79b5}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
shell\Open\command - Boot.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3682c7bf-d3c3-11dc-82bc-806e6f6e6963}]
shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60fe608c-d3bc-11dc-8016-001a4d5c79b5}]
shell\explore\command - .\RECYCLER\auto.exe
shell\open\command - .\RECYCLER\auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c61aa747-d3bb-11dc-ab88-806e6f6e6963}]
shell\AutoRun\command - D:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce6a2416-783c-11dd-a26d-806e6f6e6963}]
shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc4ee72e-a50f-11dd-8a78-001a4d5c79b5}]
shell\AutoRun\command - H:\FalloutLauncher.exe


======File associations======

.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2008-12-27 23:14:54 ----D---- C:\rsit
2008-12-22 18:54:32 ----D---- C:\VundoFix Backups
2008-12-22 18:45:15 ----D---- C:\Deckard
2008-12-22 15:27:44 ----A---- C:\Windows\system32\ztvunrar36.dll
2008-12-22 15:27:44 ----A---- C:\Windows\system32\ztvunace26.dll
2008-12-22 15:27:44 ----A---- C:\Windows\system32\UNRAR3.dll
2008-12-22 15:27:44 ----A---- C:\Windows\system32\unacev2.dll
2008-12-22 15:27:42 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\Simply Super Software
2008-12-22 15:27:42 ----D---- C:\ProgramData\Simply Super Software
2008-12-22 15:27:42 ----D---- C:\Program Files\Trojan Remover
2008-12-22 13:48:45 ----D---- C:\Windows\pss
2008-12-22 01:55:09 ----D---- C:\Program Files\Bonjour(101)
2008-12-22 01:54:30 ----D---- C:\Program Files\iPod(138)
2008-12-22 01:54:29 ----D---- C:\Program Files\iTunes(139)
2008-12-22 01:53:26 ----D---- C:\Program Files\QuickTime(155)
2008-12-17 08:10:06 ----D---- C:\Program Files\ConvertHelper
2008-12-15 11:29:03 ----HD---- C:\Windows\system32\FC8CCE
2008-12-15 11:29:03 ----HD---- C:\Windows\system32\E67F8F
2008-12-15 11:29:03 ----HD---- C:\Windows\system32\4B3FFA
2008-11-29 11:05:09 ----D---- C:\Windows\Minidump

======List of files/folders modified in the last 1 months======

2008-12-27 22:39:54 ----D---- C:\Windows\Prefetch
2008-12-27 18:17:15 ----D---- C:\ProgramData\Google Updater
2008-12-27 14:12:52 ----D---- C:\Program Files\Mozilla Firefox
2008-12-27 02:08:15 ----SHD---- C:\System Volume Information
2008-12-27 01:35:23 ----D---- C:\Windows\Temp
2008-12-24 11:46:20 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\OpenOffice.org2
2008-12-24 11:45:33 ----D---- C:\Windows\System32
2008-12-24 11:45:33 ----D---- C:\Windows\inf
2008-12-24 11:45:33 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-12-22 22:32:26 ----D---- C:\Windows
2008-12-22 22:26:48 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-12-22 22:26:44 ----D---- C:\Windows\Debug
2008-12-22 21:48:44 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\Desktopicon
2008-12-22 19:33:48 ----A---- C:\VundoFix.txt
2008-12-22 18:15:41 ----D---- C:\Windows\system32\drivers
2008-12-22 18:11:30 ----AD---- C:\ProgramData\TEMP
2008-12-22 15:27:42 ----RD---- C:\Program Files
2008-12-22 15:27:42 ----HD---- C:\ProgramData
2008-12-22 12:57:27 ----D---- C:\Windows\system32\wbem
2008-12-22 12:56:15 ----D---- C:\Windows\system32\config
2008-12-22 12:56:04 ----SHD---- C:\Windows\Installer
2008-12-22 12:56:04 ----D---- C:\Windows\Tasks
2008-12-22 12:56:04 ----D---- C:\Windows\system32\spool
2008-12-22 12:56:04 ----D---- C:\Windows\system32\restore
2008-12-22 12:56:04 ----D---- C:\Windows\system32\Msdtc
2008-12-22 12:56:04 ----D---- C:\Windows\system32\catroot2
2008-12-22 12:56:03 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\Azureus
2008-12-22 12:56:03 ----D---- C:\ProgramData\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 12:56:03 ----D---- C:\Program Files\QuickTime
2008-12-22 12:55:59 ----D---- C:\Program Files\iTunes
2008-12-22 12:55:56 ----D---- C:\Program Files\iPod
2008-12-22 12:55:56 ----D---- C:\Program Files\Common Files\Apple
2008-12-22 12:55:56 ----D---- C:\Program Files\Bonjour
2008-12-22 12:55:54 ----D---- C:\Windows\registration
2008-12-19 00:53:01 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\.purple
2008-12-17 15:04:35 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\gtk-2.0
2008-12-16 11:10:38 ----D---- C:\Program Files\Spybot - Search & Destroy

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-19 350720]
R1 SCDEmu;SCDEmu; C:\Windows\system32\drivers\SCDEmu.sys [2008-07-07 56108]
R3 Alidevice;Alidevice; C:\Windows\system32\drivers\Alidevice.sys [2008-07-14 6656]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-07-16 2156312]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-08-23 7475488]
R3 RivaTuner32;RivaTuner32; \??\C:\Program Files\RivaTuner v2.10\RivaTuner32.sys [2008-09-01 9088]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-08-06 124928]
S3 azxk840h;azxk840h; C:\Windows\system32\drivers\azxk840h.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 gdrv;gdrv; \??\C:\Windows\gdrv.sys [2008-02-05 16376]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-07-10 32000]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-07 168432]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-08-23 118784]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-19 523776]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-19 917504]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.05 2008-12-27 23:15:05

======Uninstall list======

-->MsiExec /X{AFD5ED58-271A-4907-96C2-2745C83BB035}
Acubix PicoZip 4.02-->"C:\Program Files\PicoZip\unins000.exe"
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Assassin's Creed-->C:\Program Files\InstallShield Installation Information\{8CFA9151-6404-409A-AF22-4632D04582FD}\setup.exe -runfromtemp -l0x0009 -removeonly
Audiosurf-->MsiExec.exe /I{6D316D67-DA52-4659-9C98-F479963534D6}
Azureus Vuze-->C:\Program Files\Azureus\uninstall.exe
Baldur's Gate™ II - Throne of Bhaal ™-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8C3B479-1716-11D5-968A-0050BA84F5F7}\Setup.exe"
Beyond Divinity V1.0-->D:\PROGRA~1\LARIAN~1\BEYOND~1\UNWISE.EXE D:\PROGRA~1\LARIAN~1\BEYOND~1\INSTALL.LOG
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Combined Community Codec Pack 2008-01-24-->"C:\Program Files\Combined Community Codec Pack\unins000.exe"
ConvertHelper 2.1-->"C:\Program Files\ConvertHelper\unins000.exe"
Cottage Of Doom 1.0-->"C:\Program Files\Cottage Of Doom\unins000.exe"
dBpoweramp FLAC Codec-->"C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
dBpoweramp m4a Codec-->"C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
dBpoweramp Music Converter-->"C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
Democracy 2-->"d:\Program Files\Democracy2\unins000.exe"
Depths Of Peril-->"C:\Program Files\Depths Of Peril\ReflexiveArcade\unins000.exe"
D-Fend Reloaded 0.5.0 (deinstall)-->"C:\Program Files\D-Fend Reloaded\Uninstall.exe"
EAX4 Unified Redist-->MsiExec.exe /X{89661B04-C646-4412-B6D3-5E19F02F1F37}
Eschalon Book 1 v1.0-->"d:\Program Files\Eschalon Book I\unins000.exe"
Fallout 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\setup.exe" -l0x9 -removeonly
FastCrawl Version 1.03-->"C:\Program Files\FastCrawl\unins000.exe"
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Gigabyte Raid Configurer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\SETUP.EXE" -l0x9 -removeonly
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Gothic_Patch-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{302AC480-43D2-11D5-A818-00500435FC18}\Setup.exe" -uninst
Gothic-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBF10B37-4ED3-11D5-A818-00500435FC18}\Setup.exe"
GrabIt 1.7.2 Beta 3 (build 996)-->"C:\Program Files\GrabIt\unins000.exe"
GTK+ Runtime 2.12.1 rev b (remove only)-->C:\Program Files\Common Files\GTK\2.0\uninst.exe
Harvest Massive Encounter-->"d:\Program Files\Harvest Massive Encounter\ReflexiveArcade\unins000.exe"
HijackThis 2.0.2-->"C:\Users\QT4265~1.QUA\Desktop\VIRALF~1\HijackThis.exe" /uninstall
ILLUSION ????3-->MsiExec.exe /X{E4D02EF2-6F12-4BE9-9928-2F27DA01A915}
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
King's Bounty. The Legend (Remove Only)-->"D:\Program Files\Atari\King's Bounty. The Legend\unins000.exe"
Kudos 2-in-1-->"C:\Windows\Kudos 2-in-1\uninstall.exe" "/U:d:\Program Files\Kudos 2-in-1\Uninstall\uninstall.xml"
LeapFTP-->C:\Windows\unleap.exe C:\Program Files\LeapFTP\install.log
Magic Stones-->"d:\Program Files\Magic Stones\ReflexiveArcade\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 3.5 Language Pack - chs-->MsiExec.exe /I{43A3B6EF-14BE-372E-A29B-D3A8ADE2FE55}
Microsoft .NET Framework 3.5 Language Pack - jpn-->MsiExec.exe /I{8027B590-CD2B-3C7E-9F00-CDC0916CC915}
Microsoft .NET Framework 3.5 Language Pack - ???-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - jpn\setup.exe
Microsoft .NET Framework 3.5 ??? - ????-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - chs\setup.exe
Microsoft .NET Framework 3.5-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MobileMe Control Panel-->MsiExec.exe /I{6DA9102E-199F-43A0-A36B-6EF48081A658}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.18)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Multiwinia v1.0.5-->"d:\Program Files\Multiwinia\unins000.exe"
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
NVIDIA PhysX v8.08.18-->MsiExec.exe /X{AFD5ED58-271A-4907-96C2-2745C83BB035}
֧ȫؼ 1,1,0,3-->"C:\Windows\system32\aliedit\unins000.exe"
Oblivion - Horse Armor Pack-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABEBD00-299D-4DCA-967F-B912163AB5EA}\setup.exe" -l0x9 -removeonly
Oblivion - Knights of the Nine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14C87AA7-08E6-419F-A165-998EBE5023D7}\setup.exe" -l0x9 -removeonly
Oblivion - Mehrunes Razor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF295F5C-7B57-47AA-8889-6B3E8E214E89}\setup.exe" -l0x9 -removeonly
Oblivion - Orrery-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC425CFC-EE78-4A91-AA25-3BFA65B75364}\setup.exe" -l0x9 -removeonly
Oblivion - Spell Tomes-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D919E6-F019-4E15-BFBE-4A85EF19DA57}\setup.exe" -l0x9 -removeonly
Oblivion - Thieves Den-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FFFFFD17-B460-41EB-93F1-C48ABAD63828}\setup.exe" -l0x9 -removeonly
Oblivion - Vile Lair-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}\setup.exe" -l0x9 -removeonly
Oblivion - Wizard's Tower-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F2E3D62-8B8C-448F-8900-451325E50948}\setup.exe" -l0x9 -removeonly
Oblivion mod manager 1.1.9-->"C:\Program Files\Bethesda Softworks\Oblivion\obmm\uninstall\unins000.exe"
Oblivion-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
OpenOffice.org 2.3-->MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
Oxin's Style! 3D Sexvilla 2-->"d:\Program Files\Oxin's Style!\3D Sexvilla 2\Binaries\unins000.exe"
Pidgin-->C:\Program Files\Pidgin\pidgin-uninst.exe
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RapeLay (remove only)-->"d:\Program Files\Illusion\RapeLay\uninstall.exe"
RAR Key Demo-->C:\PROGRA~1\Passware\demos\UNWISE.EXE /U C:\PROGRA~1\Passware\demos\rarkey.log
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -removeonly
RivaTuner v2.10-->"C:\Program Files\RivaTuner v2.10\uninstall.exe"
Runesword 2.5.0-->d:\Program Files\Runesword\uninst.exe
Sacred Underworld-->"D:\Program Files\Ascaron Entertainment\Sacred Underworld\unins000.exe"
Sexy Beach 3 - Complete English Edition (remove only)-->"d:\Program Files\Illusion\SexyBeach3-CEE\uninstall.exe"
Sins of a Solar Empire-->"C:\ProgramData\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe" REMOVE=TRUE MODIFY=FALSE
Sins of a Solar Empire-->C:\ProgramData\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe
Songbird 0.6.1 (20080623)-->"C:\Program Files\Songbird\Songbird-Uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Three thrixx Games v32-->e:\thriXXX\Uninstall.exe
Tom Clancy's Splinter Cell Chaos Theory-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BABAEBE4-9FFB-4B5D-9453-64FF11517CA2}\setup.exe" -l0x9 -removeonly
Tradewinds Legends-->"C:\Program Files\Tradewinds Legends\ReflexiveArcade\unins000.exe"
Trojan Remover 6.7.5-->"C:\Program Files\Trojan Remover\unins000.exe"
Tropico-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{818FB39B-1A57-4F1B-A54D-391C33D6C596}\setup.exe" -l0x9
UFO:AI 2.2.1-->d:\Program Files\UFOAI-2.2.1\uninst.exe
Ultimate Extras sounds from Microsoft Tinker-->RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound2.inf,Uninstall
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
Unofficial Oblivion Patch v2.2.0-->"C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Oblivion Patch\unins000.exe"
Unofficial Official Mods Patch v11-->"C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Official Mods Patch\unins000.exe"
Unofficial Shivering Isles Patch v1.2.0-->"C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Shivering Isles Patch\unins000.exe"
VideoLAN VLC media player 0.8.5-->C:\Program Files\VideoLAN\VLC\uninstall.exe
vLite-->"C:\Program Files\vLite\unins000.exe"
Westward-->"C:\Program Files\Westward\ReflexiveArcade\unins000.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Sound Schemes-->RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound.inf,Uninstall
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wiz1Edit-->C:\Windows\uninst.exe -f"C:\Program Files\Software Specialties\Wiz1Edit\DeIsL1.isu" -c"C:\Program Files\Software Specialties\Wiz1Edit\_ISREG32.DLL"
Zip Motion Block Video codec (Remove Only)-->rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\Windows\INF\ZMBV.INF
??????? 2,1,1,1-->"C:\Windows\system32\aliedit\unins000.exe"

=====HijackThis Backups=====

O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\Windows\system32\msupdte.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O13 - Gopher Prefix:
O8 - Extra context menu item: ӵQQ - C:\Program Files\Tencent\QQ\AddEmotion.htm
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\Windows\system32\msupdte.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AS: Spybot - Search and Destroy (disabled)
AS: Windows Defender

System event log

Computer Name: Q13
Event Code: 7036
Message: The Windows Modules Installer service entered the stopped state.
Record Number: 62090
Source Name: Service Control Manager
Time Written: 20081227044237.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
Record Number: 62091
Source Name: Service Control Manager
Time Written: 20081227044857.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
Record Number: 62092
Source Name: Service Control Manager
Time Written: 20081227092343.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
Record Number: 62093
Source Name: Service Control Manager
Time Written: 20081227094013.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The Protected Storage service entered the running state.
Record Number: 62094
Source Name: Service Control Manager
Time Written: 20081227143954.000000-000
Event Type: Information
User:

Application event log

Computer Name: Q13
Event Code: 1000
Message: Faulting application Fallout3.exe, version 1.0.0.12, time stamp 0x48d194b3, faulting module Fallout3.exe, version 1.0.0.12, time stamp 0x48d194b3, exception code 0xc0000005, fault offset 0x002d2ee6, process id 0xdf4, application start time 0x01c9677480853f2b.
Record Number: 10435
Source Name: Application Error
Time Written: 20081226191546.000000-000
Event Type: Error
User:

Computer Name: Q13
Event Code: 9010
Message: A request to disable the Desktop Window Manager was made by process (Fallout3)
Record Number: 10436
Source Name: Desktop Window Manager
Time Written: 20081227041121.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 9013
Message: The Desktop Window Manager was unable to start because composition was disabled by a running application
Record Number: 10437
Source Name: Desktop Window Manager
Time Written: 20081227041121.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 9010
Message: A request to disable the Desktop Window Manager was made by process (Fallout3)
Record Number: 10438
Source Name: Desktop Window Manager
Time Written: 20081227043400.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 9013
Message: The Desktop Window Manager was unable to start because composition was disabled by a running application
Record Number: 10439
Source Name: Desktop Window Manager
Time Written: 20081227043400.000000-000
Event Type: Information
User:

Security event log

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24560
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081227151501.884932-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24561
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081227151501.914935-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24562
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081227151501.964940-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24563
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081227151502.010944-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24564
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081227151502.040947-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------

#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:20 AM

Posted 28 December 2008 - 11:27 PM

Hi QTQuazar,



I notice there are signs of one P2P (Person to Person) File Sharing Program on your computer. Even if you are using a "safe" P2P program, it is only the program that is safe.
You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
You are well advised to remove it via Control Panel > Add/Remove Programs.

Azureus


I also notice you do not have any antivirus program installed on your system. It's somewhat suicidal in this digital world nowadays.
Please get ONE antivirus and install it. Restart the computer for changes to take effect.

avast! 4 Home Edition
AntiVir Free Edition

Remember to get one antivirus installed on your system, update your virus definitions, and start scanning your computer. After that, please do the following:

Step 1

  • Please download Flash_Disinfector and save it to your desktop.
  • Right click on Flash_Disinfector.exe and select Run As Administrator to run it. If you receive a prompt, please allow it.
  • You will be prompted to plug in your flash drive. Plug it in. Don't skip this step.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Step 2
  • Download Deckard's Association File Tool daft.exe and save it to your desktop.
  • Right click on it and click Run As Administrator.
  • Click on the Scan button.
  • If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a checkmark (tick) in the boxes in question.
  • Click the Fix button.
  • Reboot and Scan again to check if the associations are OK.
Step 3


Please right-click on HijackThis, click Run as Administrator, and click "Do a system scan only."
If you did not personally place the entries below in the Trusted Zone, then place checks next to the following entries (if present):

O15 - Trusted Zone: http://*.alipay.com
O15 - Trusted Zone: http://*.alisoft.com
O15 - Trusted Zone: http://*.taobao.com

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Then, Reboot.

Use Windows Explorer to find and delete this file (if found):

C:\Windows\system32\drivers\azxk840h.sys

After that, please go to those folders below and check if you recognize the contents of those folders.

C:\Windows\system32\FC8CCE
C:\Windows\system32\E67F8F
C:\Windows\system32\4B3FFA

Please specify that info in your next reply.


Step 4


I notice you have installed Malwarebytes' Anti-Malware on your system. Please follow the instructions and rerun it.

  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
You can refer to this tutorial

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




In your next reply, please post back:


1. RSIT log.txt and info.txt.
2. MBAM log.

Tell me how your pc is running now.
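
Step 1 above targets the flash drive because autorun worms leave a per-volume shell handler under MountPoints2 in the registry, which RSIT prints in its registry dump. As an added example that is not from this thread or from any of the tools named in it, the Python below parses a constructed dump in that layout and flags handlers that look like a worm: overrides of the open/explore/find verbs, script-host or rundll32 launchers, and targets that resolve relative to the mounted volume. The GUIDs, commands and function names are made up for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the layout RSIT uses for its "Registry dump" section.
# GUIDs and commands are made up for illustration, not copied from the thread.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaa0001-0000-0000-0000-000000000001}]
shell\AutoRun\command - wscript.exe u.vbe
shell\explore\command - wscript.exe u.vbe
shell\open\command - wscript.exe u.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaa0002-0000-0000-0000-000000000002}]
shell\explore\command - .\RECYCLER\auto.exe
shell\open\command - .\RECYCLER\auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaa0003-0000-0000-0000-000000000003}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaa0004-0000-0000-0000-000000000004}]
shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"=C:\Program Files\Example\tray.exe [2008-01-01 12345]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VERB_RE = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+?)$", re.IGNORECASE)
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Loaders a CD/DVD autorun entry essentially never calls directly; USB worms use
# them to run a script or DLL that lives on the volume itself.
LAUNCHERS = ("wscript", "cscript", "rundll32", "cmd", "mshta")


@dataclass
class Finding:
    volume_guid: str
    verb: str
    command: str
    reasons: List[str] = field(default_factory=list)


def parse_mountpoints(dump: str) -> List[Tuple[str, str, str]]:
    """Return (volume GUID, shell verb, command) for every verb under MountPoints2."""
    entries = []
    current_guid = None
    for raw in dump.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group("key")
            # Only MountPoints2 subkeys name a volume; any other key ends the block.
            current_guid = path.rsplit("\\", 1)[-1] if "mountpoints2" in path.lower() else None
            continue
        verb = VERB_RE.match(line)
        if current_guid and verb:
            entries.append((current_guid, verb.group("verb"), verb.group("cmd")))
    return entries


def assess(verb: str, command: str) -> List[str]:
    """Reasons (possibly none) a per-volume shell handler looks like an autorun worm."""
    reasons = []
    first = command.split()[0]
    exe = first.rsplit("\\", 1)[-1].lower()
    if verb.lower() in ("open", "explore", "find"):
        # A CD's autorun.inf normally sets only AutoRun; overriding open/explore
        # makes double-clicking the drive in Explorer run the handler instead.
        reasons.append("overrides Explorer verb '%s'" % verb)
    if any(exe == h or exe == h + ".exe" for h in LAUNCHERS):
        reasons.append("launches via %s" % exe)
    if not ABS_PATH_RE.match(first) or "recycler" in command.lower():
        # A non-absolute target resolves against the mounted volume (or PATH),
        # so the payload travels with the stick; RECYCLER is a classic hiding place.
        reasons.append("target is not an absolute path")
    return reasons


def triage(dump: str) -> Dict[str, List[Finding]]:
    """Group suspicious handlers by volume GUID so each offending volume can be cleaned."""
    by_volume: Dict[str, List[Finding]] = {}
    for guid, verb, cmd in parse_mountpoints(dump):
        reasons = assess(verb, cmd)
        if reasons:
            by_volume.setdefault(guid, []).append(Finding(guid, verb, cmd, reasons))
    return by_volume


if __name__ == "__main__":
    for guid, findings in triage(SAMPLE_DUMP).items():
        print(guid)
        for f in findings:
            print("  %-8s %-50s %s" % (f.verb, f.command, "; ".join(f.reasons)))
```

The plain `D:\setup.exe` AutoRun entry is left alone, which is the behaviour you want for an ordinary install disc; the three other volumes are reported with the reasons attached.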

#5 Q.T.Quazar

Q.T.Quazar
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:20 PM

Posted 29 December 2008 - 11:20 AM

Sorry, should have noted in the first post that I'm a former tech and not a PEBKAC candidate; also should have given a more detailed case history. Aware of the dangers of Azureus--in this case, it wasn't P2P that was the infection vector--it was my gf's flash disk.

On that note, do you have a recommendation for a good automatic flash disk scanner?

Beyond that, I did have an AV on the system--had AVAST 4.0 installed. Since its resident scanner failed to detect the trojan's entry AND failed to find it afterwards, well, it fails--bye-bye. Purged it before posting here so it wouldn't interfere with other things tried. Was running AVG happily for many years, but the 7.5 version simply refuses to work on my system--it installs, and then won't run when I call it, or somesuch? Completely confused about it.

So maybe I will look towards Kaspersky or Antivir. Again, personal recommendation?
[edited note: I did some more research after posting and it looks like I'm not the only one that AVG has fallen out of favor with. Back when I was a tech, it was THE comprehensive free solution. I'm out of date. Also noted that several techs have given extremely low virus detection ratings to Avast. Apparently Kaspersky does have the best engine out there. I use my gf's flash disk as a testing ground and Antivir dug up 10 hits while AVAST glided right over it. So I guess it's Antivir for now.]

After hunting around for a bit before dialing up bleepingcomputer, I loaded on Trojan Remover 6.7.5 by Simply Super Software. It caught the bugs right away and lopped off the heads, if seeming to leave the bodies sitting in my system32. FC8CCE is a definite hit, with a linked call in the msconfig startup to user/apps/roaming... to a process named !!!!!. I ran EB2B32 for fun and, sure enough, it recreated itself. (er... ran Trojan Remover again, disabled relevant startup items, renamed eb2b32.exe)

The other two, C:\Windows\system32\E67F8F and C:\Windows\system32\4B3FFA, look familiar; think they were also showing up in startup items post-infection but they may have been caught by AVAST. Unsure. When first infected, I mowed this system with spybot, avast, amalware, and then fastscan/trojan remover.


The HijackThis calls are to a Chinese payment service; Taobao is the equivalent of eBay here and Alipay/soft the equivalent of PayPal. Roughly.

All in all, I still don't understand what was causing the delayed startup but it seems to be OK over the last few days...

Can I wipe the offending dirs from my system32 or are the roots deeper?


Looking forward to your reply.


Here come the logs:

MBAM log

Malwarebytes' Anti-Malware 1.24
Database version: 1043
Windows 6.0.6001 Service Pack 1

12:11:08 AM 12/30/2008
mbam-log-12-30-2008 (00-11-08).txt

Scan type: Quick Scan
Objects scanned: 37455
Time elapsed: 2 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of random's system information tool 1.05 (written by random/random)
Run by Q.T.Quazar at 2008-12-30 00:12:13
Microsoft Windows Vista™ Ultimate Service Pack 1
System drive C: has 43 GB (14%) free of 305 GB
Total RAM: 2046 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:17 AM, on 12/30/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\PicoZip\PicoZipTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\RivaTuner v2.10\RivaTuner.exe
C:\Windows\System32\msconfig.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Q.T.Quazar\Desktop\RSIT.exe
C:\Users\Q.T.Quazar\Desktop\viral fight\Q.T.Quazar.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.10\RivaTunerWrapper.exe" /T
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O15 - Trusted Zone: http://*.alipay.com
O15 - Trusted Zone: http://*.alisoft.com
O15 - Trusted Zone: http://*.taobao.com
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/2121/aliedit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/newperbank/...afeControls.cab
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 5095 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [2008-10-07 652784]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"JMB36X IDE Setup"=C:\Windows\RaidTool\xInsIDE.exe [2007-03-20 36864]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-07-16 6253088]
"RivaTuner"=C:\Program Files\RivaTuner v2.10\RivaTunerWrapper.exe [2008-09-01 24576]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-08-23 13535776]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-08-23 92704]
"TrojanScanner"=C:\Program Files\Trojan Remover\Trjscan.exe [2008-12-10 1230728]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PicoZip"=C:\Program Files\PicoZip\PicoZipTray.exe [2006-06-09 581632]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-07-24 490952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EB2B32]
C:\Windows\system32\FC8CCE\EB2B32.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Q.T.Quazar^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^.lnk]
C:\Windows\System32\FC8CCE\EB2B32.EXE []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051a41af-d3cc-11dc-9cdf-806e6f6e6963}]
shell\AutoRun\command - wscript.exe u.vbe
shell\explore\command - wscript.exe u.vbe
shell\find\command - wscript.exe u.vbe
shell\open\command - wscript.exe u.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27a968e6-1b7a-11dd-b570-001a4d5c79b5}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
shell\Open\command - Boot.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3682c7bf-d3c3-11dc-82bc-806e6f6e6963}]
shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60fe608c-d3bc-11dc-8016-001a4d5c79b5}]
shell\explore\command - .\RECYCLER\auto.exe
shell\open\command - .\RECYCLER\auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c61aa747-d3bb-11dc-ab88-806e6f6e6963}]
shell\AutoRun\command - D:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce6a2416-783c-11dd-a26d-806e6f6e6963}]
shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc4ee72e-a50f-11dd-8a78-001a4d5c79b5}]
shell\AutoRun\command - H:\FalloutLauncher.exe


======List of files/folders created in the last 1 months======

2008-12-29 23:13:40 ----RASHD---- C:\autorun.inf
2008-12-29 12:30:24 ----D---- C:\Program Files\Kudos 2 Demo
2008-12-27 23:14:54 ----D---- C:\rsit
2008-12-22 18:54:32 ----D---- C:\VundoFix Backups
2008-12-22 18:45:15 ----D---- C:\Deckard
2008-12-22 15:27:44 ----A---- C:\Windows\system32\ztvunrar36.dll
2008-12-22 15:27:44 ----A---- C:\Windows\system32\ztvunace26.dll
2008-12-22 15:27:44 ----A---- C:\Windows\system32\UNRAR3.dll
2008-12-22 15:27:44 ----A---- C:\Windows\system32\unacev2.dll
2008-12-22 15:27:42 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\Simply Super Software
2008-12-22 15:27:42 ----D---- C:\ProgramData\Simply Super Software
2008-12-22 15:27:42 ----D---- C:\Program Files\Trojan Remover
2008-12-22 13:48:45 ----D---- C:\Windows\pss
2008-12-22 01:55:09 ----D---- C:\Program Files\Bonjour(101)
2008-12-22 01:54:30 ----D---- C:\Program Files\iPod(138)
2008-12-22 01:54:29 ----D---- C:\Program Files\iTunes(139)
2008-12-22 01:53:26 ----D---- C:\Program Files\QuickTime(155)
2008-12-17 08:10:06 ----D---- C:\Program Files\ConvertHelper
2008-12-15 11:29:03 ----HD---- C:\Windows\system32\FC8CCE
2008-12-15 11:29:03 ----HD---- C:\Windows\system32\E67F8F
2008-12-15 11:29:03 ----HD---- C:\Windows\system32\4B3FFA

======List of files/folders modified in the last 1 months======

2008-12-29 23:58:03 ----AD---- C:\ProgramData\TEMP
2008-12-29 23:51:44 ----D---- C:\Program Files\Mozilla Firefox
2008-12-29 23:16:12 ----D---- C:\Windows\System32
2008-12-29 23:16:12 ----D---- C:\Windows\inf
2008-12-29 23:16:12 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-12-29 23:13:33 ----D---- C:\Windows\Prefetch
2008-12-29 23:10:21 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\Azureus
2008-12-29 22:59:16 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\.purple
2008-12-29 20:17:27 ----D---- C:\ProgramData\Google Updater
2008-12-29 16:50:50 ----SHD---- C:\System Volume Information
2008-12-29 12:30:24 ----RD---- C:\Program Files
2008-12-29 11:07:47 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\OpenOffice.org2
2008-12-29 01:33:39 ----D---- C:\Windows\Temp
2008-12-28 05:54:54 ----D---- C:\Windows\system32\catroot2
2008-12-22 22:32:26 ----D---- C:\Windows
2008-12-22 22:26:48 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-12-22 22:26:44 ----D---- C:\Windows\Minidump
2008-12-22 22:26:44 ----D---- C:\Windows\Debug
2008-12-22 21:48:44 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\Desktopicon
2008-12-22 19:33:48 ----A---- C:\VundoFix.txt
2008-12-22 18:15:41 ----D---- C:\Windows\system32\drivers
2008-12-22 15:27:42 ----HD---- C:\ProgramData
2008-12-22 12:57:27 ----D---- C:\Windows\system32\wbem
2008-12-22 12:56:15 ----D---- C:\Windows\system32\config
2008-12-22 12:56:04 ----SHD---- C:\Windows\Installer
2008-12-22 12:56:04 ----D---- C:\Windows\Tasks
2008-12-22 12:56:04 ----D---- C:\Windows\system32\spool
2008-12-22 12:56:04 ----D---- C:\Windows\system32\restore
2008-12-22 12:56:04 ----D---- C:\Windows\system32\Msdtc
2008-12-22 12:56:03 ----D---- C:\ProgramData\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 12:56:03 ----D---- C:\Program Files\QuickTime
2008-12-22 12:55:59 ----D---- C:\Program Files\iTunes
2008-12-22 12:55:56 ----D---- C:\Program Files\iPod
2008-12-22 12:55:56 ----D---- C:\Program Files\Common Files\Apple
2008-12-22 12:55:56 ----D---- C:\Program Files\Bonjour
2008-12-22 12:55:54 ----D---- C:\Windows\registration
2008-12-17 15:04:35 ----D---- C:\Users\Q.T.Quazar\AppData\Roaming\gtk-2.0
2008-12-16 11:10:38 ----D---- C:\Program Files\Spybot - Search & Destroy

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-19 350720]
R1 SCDEmu;SCDEmu; C:\Windows\system32\drivers\SCDEmu.sys [2008-07-07 56108]
R3 Alidevice;Alidevice; C:\Windows\system32\drivers\Alidevice.sys [2008-07-14 6656]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-07-16 2156312]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-08-23 7475488]
R3 RivaTuner32;RivaTuner32; \??\C:\Program Files\RivaTuner v2.10\RivaTuner32.sys [2008-09-01 9088]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-08-06 124928]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 auk8l7pd;auk8l7pd; C:\Windows\system32\drivers\auk8l7pd.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 gdrv;gdrv; \??\C:\Windows\gdrv.sys [2008-02-05 16376]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-07-10 32000]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-07 168432]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-08-23 118784]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-19 523776]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-19 917504]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.05 2008-12-27 23:15:05

======Uninstall list======

-->MsiExec /X{AFD5ED58-271A-4907-96C2-2745C83BB035}
Acubix PicoZip 4.02-->"C:\Program Files\PicoZip\unins000.exe"
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Assassin's Creed-->C:\Program Files\InstallShield Installation Information\{8CFA9151-6404-409A-AF22-4632D04582FD}\setup.exe -runfromtemp -l0x0009 -removeonly
Audiosurf-->MsiExec.exe /I{6D316D67-DA52-4659-9C98-F479963534D6}
Azureus Vuze-->C:\Program Files\Azureus\uninstall.exe
Baldur's Gate™ II - Throne of Bhaal ™-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8C3B479-1716-11D5-968A-0050BA84F5F7}\Setup.exe"
Beyond Divinity V1.0-->D:\PROGRA~1\LARIAN~1\BEYOND~1\UNWISE.EXE D:\PROGRA~1\LARIAN~1\BEYOND~1\INSTALL.LOG
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Combined Community Codec Pack 2008-01-24-->"C:\Program Files\Combined Community Codec Pack\unins000.exe"
ConvertHelper 2.1-->"C:\Program Files\ConvertHelper\unins000.exe"
Cottage Of Doom 1.0-->"C:\Program Files\Cottage Of Doom\unins000.exe"
dBpoweramp FLAC Codec-->"C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
dBpoweramp m4a Codec-->"C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
dBpoweramp Music Converter-->"C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
Democracy 2-->"d:\Program Files\Democracy2\unins000.exe"
Depths Of Peril-->"C:\Program Files\Depths Of Peril\ReflexiveArcade\unins000.exe"
D-Fend Reloaded 0.5.0 (deinstall)-->"C:\Program Files\D-Fend Reloaded\Uninstall.exe"
EAX4 Unified Redist-->MsiExec.exe /X{89661B04-C646-4412-B6D3-5E19F02F1F37}
Eschalon Book 1 v1.0-->"d:\Program Files\Eschalon Book I\unins000.exe"
Fallout 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\setup.exe" -l0x9 -removeonly
FastCrawl Version 1.03-->"C:\Program Files\FastCrawl\unins000.exe"
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Gigabyte Raid Configurer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\SETUP.EXE" -l0x9 -removeonly
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Gothic_Patch-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{302AC480-43D2-11D5-A818-00500435FC18}\Setup.exe" -uninst
Gothic-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBF10B37-4ED3-11D5-A818-00500435FC18}\Setup.exe"
GrabIt 1.7.2 Beta 3 (build 996)-->"C:\Program Files\GrabIt\unins000.exe"
GTK+ Runtime 2.12.1 rev b (remove only)-->C:\Program Files\Common Files\GTK\2.0\uninst.exe
Harvest Massive Encounter-->"d:\Program Files\Harvest Massive Encounter\ReflexiveArcade\unins000.exe"
HijackThis 2.0.2-->"C:\Users\QT4265~1.QUA\Desktop\VIRALF~1\HijackThis.exe" /uninstall
ILLUSION ????3-->MsiExec.exe /X{E4D02EF2-6F12-4BE9-9928-2F27DA01A915}
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
King's Bounty. The Legend (Remove Only)-->"D:\Program Files\Atari\King's Bounty. The Legend\unins000.exe"
Kudos 2-in-1-->"C:\Windows\Kudos 2-in-1\uninstall.exe" "/U:d:\Program Files\Kudos 2-in-1\Uninstall\uninstall.xml"
LeapFTP-->C:\Windows\unleap.exe C:\Program Files\LeapFTP\install.log
Magic Stones-->"d:\Program Files\Magic Stones\ReflexiveArcade\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 3.5 Language Pack - chs-->MsiExec.exe /I{43A3B6EF-14BE-372E-A29B-D3A8ADE2FE55}
Microsoft .NET Framework 3.5 Language Pack - jpn-->MsiExec.exe /I{8027B590-CD2B-3C7E-9F00-CDC0916CC915}
Microsoft .NET Framework 3.5 Language Pack - ???-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - jpn\setup.exe
Microsoft .NET Framework 3.5 ??? - ????-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - chs\setup.exe
Microsoft .NET Framework 3.5-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MobileMe Control Panel-->MsiExec.exe /I{6DA9102E-199F-43A0-A36B-6EF48081A658}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.18)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Multiwinia v1.0.5-->"d:\Program Files\Multiwinia\unins000.exe"
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
NVIDIA PhysX v8.08.18-->MsiExec.exe /X{AFD5ED58-271A-4907-96C2-2745C83BB035}
֧ȫؼ 1,1,0,3-->"C:\Windows\system32\aliedit\unins000.exe"
Oblivion - Horse Armor Pack-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABEBD00-299D-4DCA-967F-B912163AB5EA}\setup.exe" -l0x9 -removeonly
Oblivion - Knights of the Nine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14C87AA7-08E6-419F-A165-998EBE5023D7}\setup.exe" -l0x9 -removeonly
Oblivion - Mehrunes Razor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF295F5C-7B57-47AA-8889-6B3E8E214E89}\setup.exe" -l0x9 -removeonly
Oblivion - Orrery-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC425CFC-EE78-4A91-AA25-3BFA65B75364}\setup.exe" -l0x9 -removeonly
Oblivion - Spell Tomes-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D919E6-F019-4E15-BFBE-4A85EF19DA57}\setup.exe" -l0x9 -removeonly
Oblivion - Thieves Den-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FFFFFD17-B460-41EB-93F1-C48ABAD63828}\setup.exe" -l0x9 -removeonly
Oblivion - Vile Lair-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}\setup.exe" -l0x9 -removeonly
Oblivion - Wizard's Tower-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F2E3D62-8B8C-448F-8900-451325E50948}\setup.exe" -l0x9 -removeonly
Oblivion mod manager 1.1.9-->"C:\Program Files\Bethesda Softworks\Oblivion\obmm\uninstall\unins000.exe"
Oblivion-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
OpenOffice.org 2.3-->MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
Oxin's Style! 3D Sexvilla 2-->"d:\Program Files\Oxin's Style!\3D Sexvilla 2\Binaries\unins000.exe"
Pidgin-->C:\Program Files\Pidgin\pidgin-uninst.exe
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RapeLay (remove only)-->"d:\Program Files\Illusion\RapeLay\uninstall.exe"
RAR Key Demo-->C:\PROGRA~1\Passware\demos\UNWISE.EXE /U C:\PROGRA~1\Passware\demos\rarkey.log
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -removeonly
RivaTuner v2.10-->"C:\Program Files\RivaTuner v2.10\uninstall.exe"
Runesword 2.5.0-->d:\Program Files\Runesword\uninst.exe
Sacred Underworld-->"D:\Program Files\Ascaron Entertainment\Sacred Underworld\unins000.exe"
Sexy Beach 3 - Complete English Edition (remove only)-->"d:\Program Files\Illusion\SexyBeach3-CEE\uninstall.exe"
Sins of a Solar Empire-->"C:\ProgramData\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe" REMOVE=TRUE MODIFY=FALSE
Sins of a Solar Empire-->C:\ProgramData\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe
Songbird 0.6.1 (20080623)-->"C:\Program Files\Songbird\Songbird-Uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Three thrixx Games v32-->e:\thriXXX\Uninstall.exe
Tom Clancy's Splinter Cell Chaos Theory-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BABAEBE4-9FFB-4B5D-9453-64FF11517CA2}\setup.exe" -l0x9 -removeonly
Tradewinds Legends-->"C:\Program Files\Tradewinds Legends\ReflexiveArcade\unins000.exe"
Trojan Remover 6.7.5-->"C:\Program Files\Trojan Remover\unins000.exe"
Tropico-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{818FB39B-1A57-4F1B-A54D-391C33D6C596}\setup.exe" -l0x9
UFO:AI 2.2.1-->d:\Program Files\UFOAI-2.2.1\uninst.exe
Ultimate Extras sounds from Microsoft Tinker™-->RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound2.inf,Uninstall
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
Unofficial Oblivion Patch v2.2.0-->"C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Oblivion Patch\unins000.exe"
Unofficial Official Mods Patch v11-->"C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Official Mods Patch\unins000.exe"
Unofficial Shivering Isles Patch v1.2.0-->"C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Shivering Isles Patch\unins000.exe"
VideoLAN VLC media player 0.8.5-->C:\Program Files\VideoLAN\VLC\uninstall.exe
vLite-->"C:\Program Files\vLite\unins000.exe"
Westward-->"C:\Program Files\Westward\ReflexiveArcade\unins000.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Sound Schemes-->RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound.inf,Uninstall
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wiz1Edit-->C:\Windows\uninst.exe -f"C:\Program Files\Software Specialties\Wiz1Edit\DeIsL1.isu" -c"C:\Program Files\Software Specialties\Wiz1Edit\_ISREG32.DLL"
Zip Motion Block Video codec (Remove Only)-->rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\Windows\INF\ZMBV.INF
??????? 2,1,1,1-->"C:\Windows\system32\aliedit\unins000.exe"

=====HijackThis Backups=====

O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\Windows\system32\msupdte.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O13 - Gopher Prefix:
O8 - Extra context menu item: ӵQQ - C:\Program Files\Tencent\QQ\AddEmotion.htm
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\Windows\system32\msupdte.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AS: Spybot - Search and Destroy (disabled)
AS: Windows Defender

System event log

Computer Name: Q13
Event Code: 7036
Message: The Windows Modules Installer service entered the stopped state.
Record Number: 62090
Source Name: Service Control Manager
Time Written: 20081227044237.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
Record Number: 62091
Source Name: Service Control Manager
Time Written: 20081227044857.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
Record Number: 62092
Source Name: Service Control Manager
Time Written: 20081227092343.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
Record Number: 62093
Source Name: Service Control Manager
Time Written: 20081227094013.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 7036
Message: The Protected Storage service entered the running state.
Record Number: 62094
Source Name: Service Control Manager
Time Written: 20081227143954.000000-000
Event Type: Information
User:

Application event log

Computer Name: Q13
Event Code: 1000
Message: Faulting application Fallout3.exe, version 1.0.0.12, time stamp 0x48d194b3, faulting module Fallout3.exe, version 1.0.0.12, time stamp 0x48d194b3, exception code 0xc0000005, fault offset 0x002d2ee6, process id 0xdf4, application start time 0x01c9677480853f2b.
Record Number: 10435
Source Name: Application Error
Time Written: 20081226191546.000000-000
Event Type: Error
User:

Computer Name: Q13
Event Code: 9010
Message: A request to disable the Desktop Window Manager was made by process (Fallout3)
Record Number: 10436
Source Name: Desktop Window Manager
Time Written: 20081227041121.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 9013
Message: The Desktop Window Manager was unable to start because composition was disabled by a running application
Record Number: 10437
Source Name: Desktop Window Manager
Time Written: 20081227041121.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 9010
Message: A request to disable the Desktop Window Manager was made by process (Fallout3)
Record Number: 10438
Source Name: Desktop Window Manager
Time Written: 20081227043400.000000-000
Event Type: Information
User:

Computer Name: Q13
Event Code: 9013
Message: The Desktop Window Manager was unable to start because composition was disabled by a running application
Record Number: 10439
Source Name: Desktop Window Manager
Time Written: 20081227043400.000000-000
Event Type: Information
User:

Security event log

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24560
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081227151501.884932-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24561
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081227151501.914935-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24562
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081227151501.964940-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24563
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081227151502.010944-000
Event Type: Audit Failure
User:

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24564
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081227151502.040947-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------

Edited by Q.T.Quazar, 29 December 2008 - 12:03 PM.


#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:20 AM

Posted 29 December 2008 - 04:32 PM

Hi QTQuazar,


You should install one antivirus program on your system. Otherwise our fix would be to no avail. You are well advised to install a new one.

Avira AntiVir is good. For more info, please download the AV-Comparatives Announces Annual 2008 Awards report for your reference. Or you may try AVG Anti-Virus Free Edition 8.0 from Here.


Step1

Download the Fix.bat from the attached file to your desktop.
Right click the Fix.bat and click Run As Administrator
A window will open and close. That is normal.



Step2

Download OTMoveIt3.exe by OldTimer and save it to your desktop.
  • Right click on OTMoveIt3.exe and click Run As Administrator to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
  • Note: Do not type it out, to minimize the risk of typing errors
    :Processes 
    explorer.exe
    
    :Files
    C:\Windows\system32\FC8CCE
    C:\Windows\system32\E67F8F
    C:\Windows\system32\4B3FFA
    
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EB2B32]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Q.T.Quazar^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^.lnk]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051a41af-d3cc-11dc-9cdf-806e6f6e6963}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27a968e6-1b7a-11dd-b570-001a4d5c79b5}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60fe608c-d3bc-11dc-8016-001a4d5c79b5}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c61aa747-d3bb-11dc-ab88-806e6f6e6963}]
    
    :Commands
    [EmptyTemp]
    [start explorer]
    [Reboot]
  • Click on MoveIt!
  • When done, click on Exit
  • Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
  • A log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.
Step3


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6-11 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name and the following update.
    • Java 6 Update 3-->MsiExec.exe
      Java 6 Update 5-->MsiExec.exe
      Java 6 Update 7-->MsiExec.exe
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Step4

<Vista users: please right-click your browser and select "Run As Administrator">

Please do an online scan with Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When updating the database has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  • Please post the contents in your next reply.
You can refer to this animation

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



In your next reply, please post back:

1. OTMoveIt log
2. Kas scan log
3. RSIT log

Tell me how your pc is running now.

Attached Files

  • Attached File: Fix.bat (582 bytes, 10 downloads)

Edited by sundavis, 29 December 2008 - 04:34 PM.
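The RSIT log posted above carries the indicators the fix script in this reply targets: mountpoints2 drive handlers that run .\RECYCLER\auto.exe, hidden six-hex-character folders dropped into system32, a registered driver whose binary RSIT could not stat, and repeated Code Integrity 5038 events on tcpip.sys. The script below is an added example for this thread, not part of the original posts, of RSIT or of OTMoveIt: it parses RSIT-style lines and flags those patterns so a responder can triage a log of this kind before writing a fix. The sample input is constructed from lines in the log above plus benign lines added for contrast, and the heuristics are the editor's own assumptions about what deserves a second look, not anything RSIT itself implements.

```python
"""Triage an RSIT (random's system information tool) info.txt for the kinds of
indicators targeted in this thread. Added example; heuristics are assumptions."""
import re

# Constructed sample: lines copied from the log posted above, interleaved
# with benign lines added for contrast.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3682c7bf-d3c3-11dc-82bc-806e6f6e6963}]
shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60fe608c-d3bc-11dc-8016-001a4d5c79b5}]
shell\explore\command - .\RECYCLER\auto.exe
shell\open\command - .\RECYCLER\auto.exe

2008-12-29 23:13:40 ----RASHD---- C:\autorun.inf
2008-12-22 15:27:42 ----D---- C:\Program Files\Trojan Remover
2008-12-15 11:29:03 ----HD---- C:\Windows\system32\FC8CCE
2008-12-15 11:29:03 ----HD---- C:\Windows\system32\E67F8F

R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-19 350720]
S3 auk8l7pd;auk8l7pd; C:\Windows\system32\drivers\auk8l7pd.sys []

Computer Name: Q13
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 24560

Computer Name: Q13
Event Code: 4624
Message: An account was successfully logged on.
Record Number: 24570
"""

MOUNTPOINT_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
SHELL_CMD = re.compile(r"^shell\\(\w+)\\command - (.+)$", re.I)
FS_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ----([A-Z]*)---- (.+)$")
DRIVER = re.compile(r"^[RS]\d (\S+?);.*?; (.+?\.sys) \[(.*)\]$", re.I)
EVENT_FIELD = re.compile(r"^(Computer Name|Event Code|File Name): ?(.*)$")
HEX_NAME = re.compile(r"^[0-9A-F]{6}$", re.I)


def _flush_event(event, findings):
    # Event 5038 is Code Integrity rejecting an image hash; on a core driver
    # such as tcpip.sys that means "modified on disk" until proven otherwise.
    if event.get("Event Code") == "5038":
        findings.append(("code-integrity", event.get("File Name", "<no file name>")))
    event.clear()


def triage_rsit(text):
    """Return a list of (category, detail) findings in log order."""
    findings, current_key, event = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current_key = None
            continue
        m = MOUNTPOINT_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SHELL_CMD.match(line)
        if m and current_key:
            verb, cmd = m.groups()
            # A drive handler that runs a relative path or anything under
            # RECYCLER is the classic removable-media worm pattern.
            if cmd.startswith(".\\") or "RECYCLER" in cmd.upper():
                findings.append(("mountpoint", f"{current_key} {verb} -> {cmd}"))
            continue
        m = FS_ENTRY.match(line)
        if m:
            attrs, path = m.groups()
            parent, _, name = path.rpartition("\\")
            # Hidden six-hex-character folders created directly in system32
            # match the three folders the fix script removes.
            if "H" in attrs and parent.lower().endswith("system32") and HEX_NAME.match(name):
                findings.append(("hidden-hex-dir", path))
            # autorun.inf in a drive root, marked RASH, is how the same
            # infection spreads to every disk it can write.
            elif name.lower() == "autorun.inf" and len(parent) <= 2:
                findings.append(("root-autorun-inf", f"{path} attrs={attrs}"))
            continue
        m = DRIVER.match(line)
        if m:
            svc, path, meta = m.groups()
            # Empty [] means RSIT could not stat the file: a registered
            # driver whose binary is missing or hidden from the tool.
            if not meta:
                findings.append(("driver-no-file", f"{svc} {path}"))
            continue
        m = EVENT_FIELD.match(line)
        if m:
            field, value = m.groups()
            if field == "Computer Name":  # a new event block starts here
                _flush_event(event, findings)
            event[field] = value.strip()
    _flush_event(event, findings)
    return findings


if __name__ == "__main__":
    for category, detail in triage_rsit(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```

Run it against a full info.txt (pass the file contents to triage_rsit) to get a short list to review before drafting an OTMoveIt script; a hit is a prompt for a closer look, not a verdict, since a legitimately installed driver can also appear without metadata if the tool lacks access to it.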


#7 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:20 AM

Posted 02 January 2009 - 12:16 AM

Hi QTQuazar,

Are you still with us? :thumbsup:

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:20 AM

Posted 04 January 2009 - 02:17 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



