Multiple trojan infected can't be removed


12 replies to this topic

#1 zake

Posted 19 March 2009 - 10:35 AM

Hi guys, this is my first post, so please excuse the mistakes. Here are my problems:

1. My antivirus (Quick Heal 10.0, registered and legal, not cracked) keeps detecting a Cutwail trojan as a dll file, namely winctrl32.dll, which is in the system32 folder. Every time it instructs me to do a boot time scan, and as I do it, it detects and deletes the file. But upon reboot it's back.
Important: I tried to scan in safe mode and the dll file was detected but the action was skipped, just like in normal mode. I was again instructed to do a boot time scan.

2. Whenever I connect to the internet I am given this warning from Quick Heal email protection that SVCHOST.EXE is trying to send emails and if I do not recognise it I should click on no to stop it from doing so. This happens every other second. As I am writing this I have received 7 more warnings.

This is my HijackThis log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:59 PM, on 3/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~2\acs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\Twain_32\4100\HotKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\OnlineNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\DAEMON Tools Lite\daemon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {044706DD-F4C0-41EE-B11E-805947B11893} - C:\WINDOWS\system32\avicap3.dll (file missing)
O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - C:\Program Files\Applications\iebt.dll (file missing)
O2 - BHO: 512686 helper - {51B15F5A-E98B-4658-B9CB-9307B74773A7} - C:\WINDOWS\system32\512686\512686.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [STM] C:\WINDOWS\system32\STMReg.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\4100\HotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\QUICKH~1\cateye.exe
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\QUICKH~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [ResumeQuickupDownload] C:\PROGRA~1\QUICKH~1\QUICKH~1\acappaa.exe
O4 - HKLM\..\Run: [Quick Heal Monitor] C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe /tray /noservice
O4 - HKLM\..\RunOnce: [Startup Scan] C:\PROGRA~1\QUICKH~1\QUICKH~1\Sensor.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\algg.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DLD.EXE] C:\Program Files\Download Direct\DLD.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.onlyiesettings.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\progra~1\quickh~1\quickh~2\wl_hook.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Quick Heal Client Security Service (acssrv) - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~2\acs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Online Protection System - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Quick Heal Antivirus Plus Mail Protection - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE
O23 - Service: Quick Update Service - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9293 bytes




My system information :

Windows XP Professional, Version 2002, Service Pack 2

Intel Pentium 4 CPU 1.80GHZ
1.00 GB of RAM

I am in dire need of your help. Please help me out.
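An added triage script, not part of this thread and not part of HijackThis itself: it reads HijackThis log lines like the ones above and flags the entry types a helper looks at first (search/start page URLs pointing at an unexpected host, orphaned "(file missing)" BHOs and buttons, autoruns under the Policies\Explorer\Run key, O20 logon DLLs, and services with no publisher). The expected-host allowlist is an assumption for the example; the sample lines are copied from the log in this post.

```python
import re
from dataclasses import dataclass

# Hosts accepted as a normal search/start page. Google mirrors the "Good:" value
# MBAM restores in this thread; the other entries are an assumption for the example.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "google.com", "www.msn.com", "www.microsoft.com"}

# Legitimate installers rarely create autoruns under the group-policy Run key.
POLICY_RUN_RE = re.compile(r"\\Policies\\Explorer\\Run", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    severity: str  # "high" (fix now) or "review" (confirm the publisher first)
    reason: str
    line: str


def _host(value: str) -> str:
    m = URL_RE.match(value.strip())
    return m.group(1).lower() if m else ""


def triage_line(line: str):
    """Return a Finding for one log line, or None if no rule fires."""
    line = line.rstrip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.groups()
    if code.startswith("R"):
        # "R1 - HKCU\...,SearchURL = http://..."; an empty value is only a cleared setting
        _key, _sep, value = body.partition(" = ")
        host = _host(value)
        if host and host not in EXPECTED_SEARCH_HOSTS:
            return Finding(code, "high", f"search/start page redirected to {host}", line)
        return None
    if code in ("O2", "O9") and body.endswith("(file missing)"):
        return Finding(code, "review", "orphaned browser extension registration", line)
    if code == "O4" and POLICY_RUN_RE.search(body):
        return Finding(code, "high", "autorun under Policies\\Explorer\\Run", line)
    if code == "O20":
        # AppInit_DLLs and Winlogon Notify DLLs load into winlogon.exe or every GUI process
        return Finding(code, "review", "DLL injected at logon (AppInit_DLLs / Winlogon Notify)", line)
    if code == "O23" and "Unknown owner" in body:
        return Finding(code, "review", "service with no publisher name", line)
    return None


def triage_log(text: str) -> list:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 2, 'review': 4}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {044706DD-F4C0-41EE-B11E-805947B11893} - C:\WINDOWS\system32\avicap3.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O20 - AppInit_DLLs: c:\progra~1\quickh~1\quickh~2\wl_hook.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}: {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

The rules only shortlist entries for a human to confirm; an AppInit_DLLs hook from an antivirus product, for instance, is flagged for review but is expected.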


#2 fireman4it (Malware Response Team)

Posted 19 March 2009 - 11:01 AM

Hello zake,

Welcome to Bleeping Computer. :thumbup2:

Sorry for the delayed response. The forums have been really busy.

My name is fireman4it and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

I will be analyzing your log. I will get back to you with instructions after it is approved.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 zake

Posted 19 March 2009 - 11:04 AM

Okay. Thanks for your help. I am waiting for the instructions.

Edit ::

Anyone online ??

Edited by zake, 19 March 2009 - 11:43 AM.


#4 fireman4it (Malware Response Team)

Posted 19 March 2009 - 01:14 PM

Hello zake,

I have looked at your log.
I'm currently waiting approval from a teacher to post your fix.
Be patient, we will get you fixed up shortly. :thumbup2:


#5 fireman4it (Malware Response Team)

Posted 19 March 2009 - 04:11 PM

Hello zake,

1.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

2.
Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

3.
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

4.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.
Things to include in your next reply:
MBAM report
SDfix report - Report txt.
RSIT logs: log.txt and info.txt


#6 zake

Posted 19 March 2009 - 08:30 PM

I do not do any type of financial work from this computer. But this computer has a lot of data in it, about 80 GB. So formatting and reinstalling right now will be very tough. I am going through the steps you told me to, from number 2 and so forth. Please let me know if there is anything else I can do. Meanwhile I will post everything that happens in this time.

Edit ::

My Quick Heal 10.0 antivirus is detecting backdoor.Rbot.aamv in the RSIT.exe file.

My MBAM Report :

Malwarebytes' Anti-Malware 1.34
Database version: 1874
Windows 5.1.2600 Service Pack 2

3/20/2009 7:18:01 AM
mbam-log-2009-03-20 (07-18-01).txt

Scan type: Quick Scan
Objects scanned: 83459
Time elapsed: 13 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 22
Registry Values Infected: 9
Registry Data Items Infected: 11
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\z444.z444mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\z444.z444mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{51b15f5a-e98b-4658-b9cb-9307b74773a7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3b7aaeb1-9f3d-4491-9c06-c7165ca8d058} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{51b15f5a-e98b-4658-b9cb-9307b74773a7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b7aaeb1-9f3d-4491-9c06-c7165ca8d058} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51b15f5a-e98b-4658-b9cb-9307b74773a7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3b7aaeb1-9f3d-4491-9c06-c7165ca8d058} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winip28 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winip28 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winip28 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winvd74 (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winvd74 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winvd74 (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\start (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\512686 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\245kIy3N.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\g13aU4hY.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winip28.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winvd74.sys (Rootkit.Agent) -> Delete on reboot.

My SDFix Report :


SDFix: Version 1.240
Run by Administrator on Fri 03/20/2009 at 07:35 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\WINVD74.sys - Rootkit Pandex/Cutwail - Runtime.sys

Name :
WINVD74

Path :
System32\Drivers\Winvd74.sys

WINVD74 - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Service WINVD74 - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\WinCtrl32.dll - Deleted
C:\WINDOWS\system32\drivers\WINVD74.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 07:39:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"="C:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 14 Mar 2009 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 19 Mar 2009 24,576 A..H. --- "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil__.exe"
Thu 19 Mar 2009 661,776 A..H. --- "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil_.exe"
Thu 19 Mar 2009 0 A..H. --- "C:\System Volume Information\_restore{0D5EDA75-AE52-49A4-9F7E-62FAB77A0A67}\RP12\A0003605.exe"
Thu 19 Mar 2009 0 A..H. --- "C:\System Volume Information\_restore{0D5EDA75-AE52-49A4-9F7E-62FAB77A0A67}\RP12\A0003606.exe"

Finished!

Edited by zake, 19 March 2009 - 09:12 PM.
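An added helper, not part of this thread and not part of Malwarebytes: it parses an MBAM report in the format posted above, lists every item still marked "Delete on reboot" (the entries that only disappear once the machine is restarted, which is why a reboot and a rescan follow), and checks that each summary count matches the items actually listed under that section. The sample is a constructed excerpt of the report in this post.

```python
import re

# One item line: "<key or path> (<detection family>) -> ... -> <final action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")


def parse_report(text: str):
    """Split an MBAM log into (summary counts, per-section item lists)."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # sections are separated by blank lines
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["section"]
            sections[current] = []
            continue
        m = ITEM_RE.match(line)
        if current is not None and m:
            # data items carry "Bad: (...) Good: (...) -> action"; keep only the final action
            action = m["rest"].split(" -> ")[-1].rstrip(".")
            sections[current].append(
                {"item": m["item"], "family": m["family"], "action": action})
    return summary, sections


def pending_reboot(sections) -> list:
    """Items MBAM could not remove while Windows was running; they go on the next reboot."""
    return [(sec, it["item"]) for sec, items in sections.items()
            for it in items if it["action"] == "Delete on reboot"]


def count_mismatches(summary, sections) -> dict:
    """Sections whose summary count differs from the number of items listed."""
    return {sec: (n, len(sections.get(sec, [])))
            for sec, n in summary.items() if n != len(sections.get(sec, []))}


# Constructed sample: an excerpt of the MBAM report posted above, with matching summary lines.
SAMPLE_REPORT = r"""
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winvd74 (Rootkit.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\Winvd74.sys (Rootkit.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    summary, sections = parse_report(SAMPLE_REPORT)
    for sec, item in pending_reboot(sections):
        print(f"reboot needed: [{sec}] {item}")
    print("count mismatches:", count_mismatches(summary, sections))
```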


#7 fireman4it (Malware Response Team)

Posted 19 March 2009 - 09:37 PM

Hello zake,


Please rerun MBAM. Make sure to reboot if it says it needs to reboot, or it may fail to remove malware.
Don't worry about the backdoor in RSIT.exe.
This is a scan program we use to see deeper into your computer.
Please post an RSIT log as requested in my previous post.

Edited by fireman4it, 19 March 2009 - 09:39 PM.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 zake

  • Topic Starter
  • Members
  • 5 posts

Posted 20 March 2009 - 01:37 AM

Reran MBAM as instructed. No malware was found. Here is the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1874
Windows 5.1.2600 Service Pack 2

3/20/2009 12:06:36 PM
mbam-log-2009-03-20 (12-06-36).txt

Scan type: Quick Scan
Objects scanned: 83262
Time elapsed: 10 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

RSIT logs are as follows.

log.txt:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Administrator at 2009-03-20 12:09:08
Microsoft Windows XP Professional Service Pack 2
System drive C: has 1 GB (7%) free of 19 GB
Total RAM: 1022 MB (43% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:13 PM, on 3/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\Twain_32\4100\HotKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\DAEMON Tools Lite\daemon.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\OnlineNT.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Documents and Settings\Administrator\Desktop\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {044706DD-F4C0-41EE-B11E-805947B11893} - C:\WINDOWS\system32\avicap3.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [STM] C:\WINDOWS\system32\STMReg.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\4100\HotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\QUICKH~1\cateye.exe
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\QUICKH~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [ResumeQuickupDownload] C:\PROGRA~1\QUICKH~1\QUICKH~1\acappaa.exe
O4 - HKLM\..\Run: [Quick Heal Monitor] C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe /tray /noservice
O4 - HKLM\..\RunOnce: [Startup Scan] C:\PROGRA~1\QUICKH~1\QUICKH~1\Sensor.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DLD.EXE] C:\Program Files\Download Direct\DLD.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\progra~1\quickh~1\quickh~2\wl_hook.dll
O23 - Service: Quick Heal Client Security Service (acssrv) - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~2\acs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Online Protection System - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Quick Heal Antivirus Plus Mail Protection - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE
O23 - Service: Quick Update Service - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8186 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At49.job
C:\WINDOWS\tasks\At50.job
C:\WINDOWS\tasks\At51.job
C:\WINDOWS\tasks\At52.job
C:\WINDOWS\tasks\At53.job
C:\WINDOWS\tasks\At54.job
C:\WINDOWS\tasks\At55.job
C:\WINDOWS\tasks\At56.job
C:\WINDOWS\tasks\At57.job
C:\WINDOWS\tasks\At58.job
C:\WINDOWS\tasks\At59.job
C:\WINDOWS\tasks\At60.job
C:\WINDOWS\tasks\At61.job
C:\WINDOWS\tasks\At62.job
C:\WINDOWS\tasks\At63.job
C:\WINDOWS\tasks\At64.job
C:\WINDOWS\tasks\At65.job
C:\WINDOWS\tasks\At66.job
C:\WINDOWS\tasks\At67.job
C:\WINDOWS\tasks\At68.job
C:\WINDOWS\tasks\At69.job
C:\WINDOWS\tasks\At70.job
C:\WINDOWS\tasks\At71.job
C:\WINDOWS\tasks\At72.job
C:\WINDOWS\tasks\At73.job
C:\WINDOWS\tasks\At74.job
C:\WINDOWS\tasks\At75.job
C:\WINDOWS\tasks\At76.job
C:\WINDOWS\tasks\At77.job
C:\WINDOWS\tasks\At78.job
C:\WINDOWS\tasks\At79.job
C:\WINDOWS\tasks\At80.job
C:\WINDOWS\tasks\At81.job
C:\WINDOWS\tasks\At82.job
C:\WINDOWS\tasks\At83.job
C:\WINDOWS\tasks\At84.job
C:\WINDOWS\tasks\At85.job
C:\WINDOWS\tasks\At86.job
C:\WINDOWS\tasks\At87.job
C:\WINDOWS\tasks\At88.job
C:\WINDOWS\tasks\At89.job
C:\WINDOWS\tasks\At90.job
C:\WINDOWS\tasks\At91.job
C:\WINDOWS\tasks\At92.job
C:\WINDOWS\tasks\At93.job
C:\WINDOWS\tasks\At94.job
C:\WINDOWS\tasks\At95.job
C:\WINDOWS\tasks\At96.job
C:\WINDOWS\tasks\At97.job
C:\WINDOWS\tasks\At98.job
C:\WINDOWS\tasks\At99.job
C:\WINDOWS\tasks\At100.job
C:\WINDOWS\tasks\At101.job
C:\WINDOWS\tasks\At102.job
C:\WINDOWS\tasks\At103.job
C:\WINDOWS\tasks\At104.job
C:\WINDOWS\tasks\At105.job
C:\WINDOWS\tasks\At106.job
C:\WINDOWS\tasks\At107.job
C:\WINDOWS\tasks\At108.job
C:\WINDOWS\tasks\At109.job
C:\WINDOWS\tasks\At110.job
C:\WINDOWS\tasks\At111.job
C:\WINDOWS\tasks\At112.job
C:\WINDOWS\tasks\At113.job
C:\WINDOWS\tasks\At114.job
C:\WINDOWS\tasks\At115.job
C:\WINDOWS\tasks\At116.job
C:\WINDOWS\tasks\At117.job
C:\WINDOWS\tasks\At118.job
C:\WINDOWS\tasks\At119.job
C:\WINDOWS\tasks\At120.job
C:\WINDOWS\tasks\At121.job
C:\WINDOWS\tasks\At122.job
C:\WINDOWS\tasks\At123.job
C:\WINDOWS\tasks\At124.job
C:\WINDOWS\tasks\At125.job
C:\WINDOWS\tasks\At126.job
C:\WINDOWS\tasks\At127.job
C:\WINDOWS\tasks\At128.job
C:\WINDOWS\tasks\At129.job
C:\WINDOWS\tasks\At130.job
C:\WINDOWS\tasks\At131.job
C:\WINDOWS\tasks\At132.job
C:\WINDOWS\tasks\At133.job
C:\WINDOWS\tasks\At134.job
C:\WINDOWS\tasks\At135.job
C:\WINDOWS\tasks\At136.job
C:\WINDOWS\tasks\At137.job
C:\WINDOWS\tasks\At138.job
C:\WINDOWS\tasks\At139.job
C:\WINDOWS\tasks\At140.job
C:\WINDOWS\tasks\At141.job
C:\WINDOWS\tasks\At142.job
C:\WINDOWS\tasks\At143.job
C:\WINDOWS\tasks\At144.job
C:\WINDOWS\tasks\At145.job
C:\WINDOWS\tasks\At146.job
C:\WINDOWS\tasks\At147.job
C:\WINDOWS\tasks\At148.job
C:\WINDOWS\tasks\At149.job
C:\WINDOWS\tasks\At150.job
C:\WINDOWS\tasks\At151.job
C:\WINDOWS\tasks\At152.job
C:\WINDOWS\tasks\At153.job
C:\WINDOWS\tasks\At154.job
C:\WINDOWS\tasks\At155.job
C:\WINDOWS\tasks\At156.job
C:\WINDOWS\tasks\At157.job
C:\WINDOWS\tasks\At158.job
C:\WINDOWS\tasks\At159.job
C:\WINDOWS\tasks\At160.job
C:\WINDOWS\tasks\At161.job
C:\WINDOWS\tasks\At162.job
C:\WINDOWS\tasks\At163.job
C:\WINDOWS\tasks\At164.job
C:\WINDOWS\tasks\At165.job
C:\WINDOWS\tasks\At166.job
C:\WINDOWS\tasks\At167.job
C:\WINDOWS\tasks\At168.job
C:\WINDOWS\tasks\At169.job
C:\WINDOWS\tasks\At170.job
C:\WINDOWS\tasks\At171.job
C:\WINDOWS\tasks\At172.job
C:\WINDOWS\tasks\At173.job
C:\WINDOWS\tasks\At174.job
C:\WINDOWS\tasks\At175.job
C:\WINDOWS\tasks\At176.job
C:\WINDOWS\tasks\At177.job
C:\WINDOWS\tasks\At178.job
C:\WINDOWS\tasks\At179.job
C:\WINDOWS\tasks\At180.job
C:\WINDOWS\tasks\At181.job
C:\WINDOWS\tasks\At182.job
C:\WINDOWS\tasks\At183.job
C:\WINDOWS\tasks\At184.job
C:\WINDOWS\tasks\At185.job
C:\WINDOWS\tasks\At186.job
C:\WINDOWS\tasks\At187.job
C:\WINDOWS\tasks\At188.job
C:\WINDOWS\tasks\At189.job
C:\WINDOWS\tasks\At190.job
C:\WINDOWS\tasks\At191.job
C:\WINDOWS\tasks\At192.job
C:\WINDOWS\tasks\At193.job
C:\WINDOWS\tasks\At194.job
C:\WINDOWS\tasks\At195.job
C:\WINDOWS\tasks\At196.job
C:\WINDOWS\tasks\At197.job
C:\WINDOWS\tasks\At198.job
C:\WINDOWS\tasks\At199.job
C:\WINDOWS\tasks\At200.job
C:\WINDOWS\tasks\At201.job
C:\WINDOWS\tasks\At202.job
C:\WINDOWS\tasks\At203.job
C:\WINDOWS\tasks\At204.job
C:\WINDOWS\tasks\At205.job
C:\WINDOWS\tasks\At206.job
C:\WINDOWS\tasks\At207.job
C:\WINDOWS\tasks\At208.job
C:\WINDOWS\tasks\At209.job
C:\WINDOWS\tasks\At210.job
C:\WINDOWS\tasks\At211.job
C:\WINDOWS\tasks\At212.job
C:\WINDOWS\tasks\At213.job
C:\WINDOWS\tasks\At214.job
C:\WINDOWS\tasks\At215.job
C:\WINDOWS\tasks\At216.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - C:\Program Files\Orbitdownloader\orbitcth.dll [2008-06-10 187512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{044706DD-F4C0-41EE-B11E-805947B11893}]
C:\WINDOWS\system32\avicap3.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-23 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-03-07 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-01-23 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Program Files\Orbitdownloader\GrabPro.dll [2008-06-10 457848]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-23 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2002-10-15 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2002-10-15 114688]
"STM"=C:\WINDOWS\system32\STMReg.exe [2005-03-10 237568]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2009-01-31 249856]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-08-11 81920]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2009-01-31 155648]
"StatusClient 2.6"=C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe [2004-02-27 61440]
"TomcatStartup 2.5"=C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe [2009-01-31 188416]
"HP Software Update"=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [2004-01-07 49152]
"DSLAGENTEXE"=C:\Program Files\Huawei\MT882\dslagent.exe [2003-10-31 65536]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2008-04-02 36352]
"HotKey"=C:\WINDOWS\Twain_32\4100\HotKey.exe [2004-03-01 593920]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-10-12 413696]
"PinnacleDriverCheck"=C:\WINDOWS\system32\PSDrvCheck.exe [2009-01-31 406016]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2009-01-31 54784]
"Email Protection"=C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE [2009-03-18 267640]
"Update Scheduler"=C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE [2009-03-18 95608]
"On-Line Protection"=C:\PROGRA~1\QUICKH~1\QUICKH~1\cateye.exe [2009-03-18 206200]
"Messenger"=C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE [2009-03-18 111992]
"Startup Scan"=C:\PROGRA~1\QUICKH~1\QUICKH~1\Sensor.EXE [2009-03-18 144760]
"ResumeQuickupDownload"=C:\PROGRA~1\QUICKH~1\QUICKH~1\acappaa.exe [2009-03-18 95608]
"Quick Heal Monitor"=C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe [2008-07-31 1941504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Startup Scan"=C:\PROGRA~1\QUICKH~1\QUICKH~1\Sensor.EXE [2009-03-18 144760]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-09-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-02-02 68856]
"DLD.EXE"=C:\Program Files\Download Direct\DLD.exe []
"Aim6"= []
"DAEMON Tools Lite"=D:\DAEMON Tools Lite\daemon.exe [2008-12-29 687560]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\progra~1\quickh~1\quickh~2\wl_hook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2002-10-15 315392]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winip28.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winip28.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Orbitdownloader\orbitdm.exe"="C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"C:\Program Files\Orbitdownloader\orbitnet.exe"="C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcc7f85a-f4d9-11dd-b3dd-d7d51d8fcdc4}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn


======List of files/folders created in the last 1 months======

2009-03-20 12:09:08 ----D---- C:\rsit
2009-03-20 07:33:03 ----D---- C:\WINDOWS\ERUNT
2009-03-20 07:31:57 ----D---- C:\SDFix
2009-03-20 07:02:36 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-03-20 07:02:27 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-20 07:02:26 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-19 22:40:16 ----D---- C:\Documents and Settings\All Users\Application Data\Bluetooth
2009-03-19 19:34:57 ----D---- C:\Program Files\IVT Corporation
2009-03-18 16:56:57 ----D---- C:\Documents and Settings\All Users\Application Data\Quick Heal
2009-03-18 16:55:38 ----D---- C:\Program Files\Quick Heal
2009-03-18 16:28:58 ----D---- C:\Program Files\ESET
2009-03-18 16:05:36 ----A---- C:\WINDOWS\QH32.INI
2009-03-18 15:56:29 ----A---- C:\WINDOWS\ntbtlog.txt
2009-03-11 20:16:22 ----D---- C:\Program Files\ComputerJagat
2009-03-06 15:55:06 ----D---- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools Pro
2009-03-06 15:55:06 ----D---- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools
2009-03-06 15:54:19 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2009-03-06 15:03:57 ----D---- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools Lite
2009-03-02 22:02:03 ----D---- C:\hide
2009-02-23 21:47:59 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-02-23 19:49:08 ----SHD---- C:\FOUND.007

======List of files/folders modified in the last 1 months======

2009-03-20 10:57:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-20 07:42:46 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-20 07:24:38 ----A---- C:\AUTOEXEC.BAT
2009-03-18 23:18:34 ----A---- C:\WINDOWS\NeroDigital.ini
2009-03-15 08:47:34 ----A---- C:\WINDOWS\ulead32.ini
2009-03-14 17:48:34 ----A---- C:\WINDOWS\ODBCINST.INI
2009-03-14 17:48:34 ----A---- C:\WINDOWS\ODBC.INI
2009-02-24 10:20:46 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-10-25 91774]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-09-13 36096]
R1 PCLEPCI;PCLEPCI; \??\C:\WINDOWS\system32\drivers\pclepci.sys []
R1 SandBox;SandBox; C:\WINDOWS\system32\DRIVERS\SandBox.sys [2008-07-11 673920]
R2 catflt;catflt; C:\WINDOWS\system32\DRIVERS\catflt.sys [2009-03-18 65016]
R2 EMLSS;EMLSS; C:\WINDOWS\system32\drivers\emltdi.sys [2009-03-18 28656]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-10-25 71514]
R3 afw;Agnitum firewall driver; C:\WINDOWS\system32\DRIVERS\afw.sys [2008-06-30 30864]
R3 afwcore;afwcore; C:\WINDOWS\system32\drivers\afwcore.sys [2008-06-30 234640]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-04-25 730092]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-09-13 60800]
R3 ASAPIW2k;ASAPIW2K; C:\WINDOWS\system32\drivers\ASAPIW2k.sys [2004-03-10 11264]
R3 BlueletAudio;Bluetooth Audio Service; C:\WINDOWS\system32\DRIVERS\blueletaudio.sys [2007-05-11 34704]
R3 BlueletSCOAudio;Bluetooth SCO Audio Service; C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys [2007-03-05 27792]
R3 BT;Bluetooth PAN Network Adapter; C:\WINDOWS\system32\DRIVERS\btnetdrv.sys [2007-03-05 18320]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2002-10-25 80283]
R3 MarvinBus;Pinnacle Marvin Bus; C:\WINDOWS\system32\DRIVERS\MarvinBus.sys [2005-01-28 171008]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-09-13 61824]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-09-13 5888]
R3 SMBios;Intel ® System Management BIOS Service; C:\WINDOWS\system32\DRIVERS\SMBios.sys [2003-10-15 36484]
R3 USB_RNDIS;TI Remote NDIS USB Network Device; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-09-13 12672]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-09-13 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-09-13 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-09-13 20480]
R3 VComm;Virtual Serial port driver; C:\WINDOWS\system32\DRIVERS\VComm.sys [2007-03-05 34448]
R3 VcommMgr;Bluetooth VComm Manager Service; C:\WINDOWS\System32\Drivers\VcommMgr.sys [2007-03-05 44304]
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2004-08-03 48128]
S3 amxmyeqi;amxmyeqi; C:\WINDOWS\system32\drivers\amxmyeqi.sys []
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2004-08-03 38912]
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\WINDOWS\System32\Drivers\btcusb.sys [2007-05-09 36496]
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 Dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2004-08-03 51328]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 Sentinel;Sentinel; Sentinel.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-09-13 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 acssrv;Quick Heal Client Security Service; C:\PROGRA~1\QUICKH~1\QUICKH~2\acs.exe [2008-07-31 1224704]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 Online Protection System;Online Protection System; C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe [2009-03-18 17272]
R2 Quick Heal Antivirus Plus Mail Protection;Quick Heal Antivirus Plus Mail Protection; C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE [2009-03-18 50552]
R2 Quick Update Service;Quick Update Service; C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe [2009-03-18 58744]
R2 ScanWscS;Quick Heal Helper Service WSC; C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe [2009-03-18 134488]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-05 24652]
S2 jgpdpytjw;Monitor Time; C:\WINDOWS\system32\svchost.exe [2004-09-13 14336]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-07 137200]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2009-01-31 68096]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2009-01-31 89600]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2009-01-31 65536]

-----------------EOF-----------------


and info.txt:

info.txt logfile of random's system information tool 1.05 2009-03-20 12:09:17

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4100 USB Scanner-->C:\WINDOWS\RunUnDrv.exe C:\WINDOWS\Twain_32\4100\PmxScan.INF DefaultUnInstall.USB.NTX86
ABBYY FineReader 5.0 Sprint-->MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Illustrator 10-->"C:\Program Files\InstallShield Installation Information\{412033BC-44CF-48D9-B813-4B835101F4D3}\setup.exe"
Adobe PageMaker 6.5-->C:\WINDOWS\uninst.exe -fC:\PM65\DeIsL1.isu
Adobe Photoshop 7.0.1-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AIM 6-->C:\Program Files\AIM6\uninst.exe
ALUpdate-->"C:\Program Files\ESTsoft\ALUpdate\unins000.exe"
ALZip-->"C:\Program Files\ESTsoft\ALZip\unins000.exe"
Bluesoleil2.6.0.8 Release 070517-->MsiExec.exe /X{438BB9B4-65FE-4626-91D9-A8F57B18001D}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CorelDRAW Graphics Suite X3-->MsiExec.exe /I{63218538-4A69-497F-8455-904261B0E9E4}
Dictionary-->MsiExec.exe /I{A3BF5F70-80F2-4E19-AA75-E4622F9CB979}
EN-->MsiExec.exe /I{32A72502-BC2C-4C39-ACEA-BC3D463F0697}
FontNav-->MsiExec.exe /I{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}
Free PDF to Word Doc Converter v1.1-->"C:\Program Files\Free PDF to Word Doc Converter\unins000.exe"
GeoVid Flash Player-->"C:\Program Files\GeoVid\FlashPlayer\unins000.exe"
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0531C63A913CC9D1.exe" /uninstall
GrabPro - Toolbar-->regsvr32 /u /s "C:\Program Files\Orbitdownloader\GrabPro.dll"
HijackThis 2.0.2-->"C:\Documents and Settings\Administrator\Desktop\Desktop\HijackThis.exe" /uninstall
hp LaserJet 1160/1320 series-->MsiExec.exe /x {7F04B272-E0DD-47E7-8B55-D97483DB0EBD}
HP Software Update-->MsiExec.exe /X{90B5E602-1867-449D-86FD-FC9DEA4434BF}
Huawei MT882 USB ADSL Modem-->C:\Program Files\Huawei\MT882\uninstall.exe
Intel® Extreme Graphics Driver Software-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterVideo WinDVD 4-->"C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Macromedia Flash Player 8-->MsiExec.exe /X{A3703922-84E3-4318-B0A1-04EFAD449A04}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 6 Ultra Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Opera 9.51-->MsiExec.exe /X{179624B1-2683-45ED-965A-B72189EB5820}
Orbit Downloader-->"C:\Program Files\Orbitdownloader\unins000.exe"
Pinnacle Hollywood FX for Studio-->C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX for Studio\5.5\uninstal.log
Quick Heal AntiVirus Plus-->C:\PROGRA~1\QUICKH~1\QUICKH~1\Uninst.exe
Quick Heal Firewall Pro-->"C:\Program Files\Quick Heal\Quick Heal Firewall Pro\unins000.exe"
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
SmartSound Quicktracks Plugin-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Studio 9-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E491AB7-4589-48CA-9CBB-874CB2788391}\Setup.exe" -l0x9 UNINSTALL
Tally 9-->D:\Tally9\uninstall.exe
Total Video Converter 3.12 080330-->"C:\Program Files\Total Video Converter\unins000.exe"
Ulead Photo Express 4.0 My Custom Edition-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21BCE515-D5A3-11D4-8E33-0010B53EC668}\setup.exe"
Update Manager-->MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
VBA-->MsiExec.exe /I{C94E45B0-6AA6-4FB9-9AAE-22085F631880}
VideoLAN VLC media player 0.8.6b-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: Quick Heal 10.00 (disabled)
FW: Quick Heal Firewall Pro

System event log

Computer Name: SG-DESKTOP
Event Code: 7035
Message: The IMAPI CD-Burning COM Service service was successfully sent a start control.

Record Number: 21441
Source Name: Service Control Manager
Time Written: 20090305070909.000000+330
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: SG-DESKTOP
Event Code: 7036
Message: The Network Location Awareness (NLA) service entered the running state.

Record Number: 21440
Source Name: Service Control Manager
Time Written: 20090305070906.000000+330
Event Type: information
User:

Computer Name: SG-DESKTOP
Event Code: 7035
Message: The Network Location Awareness (NLA) service was successfully sent a start control.

Record Number: 21439
Source Name: Service Control Manager
Time Written: 20090305070906.000000+330
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: SG-DESKTOP
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 21438
Source Name: Service Control Manager
Time Written: 20090305070906.000000+330
Event Type: information
User:

Computer Name: SG-DESKTOP
Event Code: 7035
Message: The Remote Access Connection Manager service was successfully sent a start control.

Record Number: 21437
Source Name: Service Control Manager
Time Written: 20090305070904.000000+330
Event Type: information
User: SG-DESKTOP\Administrator

Application event log

Computer Name: SG-DESKTOP
Event Code: 102
Message: wuaueng.dll (1532) SUS20ClientDataStore: The database engine started a new instance (0).

Record Number: 3856
Source Name: ESENT
Time Written: 20081222172603.000000+330
Event Type: information
User:

Computer Name: SG-DESKTOP
Event Code: 100
Message: wuauclt (1532) The database engine 5.01.2600.2180 started.

Record Number: 3855
Source Name: ESENT
Time Written: 20081222172603.000000+330
Event Type: information
User:

Computer Name: SG-DESKTOP
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 3854
Source Name: SecurityCenter
Time Written: 20081222172518.000000+330
Event Type: information
User:

Computer Name: SG-DESKTOP
Event Code: 105
Message:
Record Number: 3853
Source Name: Startup Handler
Time Written: 20081222172516.000000+330
Event Type: information
User:

Computer Name: SG-DESKTOP
Event Code: 1517
Message: Windows saved user SG-DESKTOP\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 3852
Source Name: Userenv
Time Written: 20081222134941.000000+330
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ESTsoft\ALZip
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Edited by zake, 20 March 2009 - 01:42 AM.


#9 fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 20 March 2009 - 01:32 PM

Hello zake,

Thanks for the logs. We have a little more work to do yet. :)

1.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder; it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

2.
We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double-click the OTMoveIt3 icon on your desktop.
  • Paste the following code into the "Paste Instructions for Items to be Moved" area. Do not include the word "Code".
    :services
    amxmyeqi
    
    :files
    C:\WINDOWS\system32\avicap3.dll
    C:\WINDOWS\system32\drivers\amxmyeqi.sys
    C:\WINDOWS\tasks\At*.job 
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{044706DD-F4C0-41EE-B11E-805947B11893}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winip28.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winip28.sys]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcc7f85a-f4d9-11dd-b3dd-d7d51d8fcdc4}]
  • Push the large MoveIt! button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press Enter, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that file back here in your next post.

3.
Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

Then close all windows except HijackThis and click Fix Checked.

Restart

4.
Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
Things to include in your next reply:
OTMoveIt3 log
gmer.log
A new RSIT log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
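
The OTMoveIt3 script above targets a service named amxmyeqi and a driver of the same name under system32\drivers, and the RSIT logs in this thread list other entries of that shape. What follows is an added example, my own code rather than anything from BleepingComputer, RSIT or the helpers here, showing how such entries are singled out from an RSIT "List of drivers" / "List of services" section: it parses the line format RSIT uses and flags random-looking eight-character service names that double as their own display name, images loaded from a Temp directory, and entries with no file date/size (RSIT prints an empty [] when the file is absent at that path or hidden from it). The sample lines are constructed, modeled on this thread's log format; the allowlist for catchme (a rootkit-scanner driver, not malware) and the randomness heuristic are my assumptions. Treat a flag as a reason to look, not a verdict: rootkit scanners such as GMER also load a random-named driver from Temp, and a stale entry for a long-removed driver looks the same in the log as a hidden one.

```python
import re
from collections import namedtuple

# One parsed line from the RSIT "List of drivers" / "List of services" sections.
Entry = namedtuple("Entry", "state start name display path stamp size")

# Line shape used by RSIT (random/random 1.05), e.g.
#   R3 afw;Agnitum firewall driver; C:\WINDOWS\system32\DRIVERS\afw.sys [2008-06-30 30864]
#   S3 aujasnkj;aujasnkj; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys []
# R/S = running/stopped, 0-4 = start type, then name;display; path [date size].
LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);\s*(.*?)\s*\[(.*?)\]\s*$")

# Constructed sample, modeled on the RSIT log format in this thread (not a real capture).
SAMPLE_LOG = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-09-13 36096]
R3 afw;Agnitum firewall driver; C:\WINDOWS\system32\DRIVERS\afw.sys [2008-06-30 30864]
S3 a7i3miyo;a7i3miyo; C:\WINDOWS\system32\drivers\a7i3miyo.sys []
S3 aujasnkj;aujasnkj; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 Sentinel;Sentinel; Sentinel.sys []
"""

# Assumption: drivers known to belong to the scanning tools used in this kind of cleanup
# rather than to malware (catchme is a rootkit-scanner driver, not an infection).
KNOWN_TOOL_DRIVERS = {"catchme"}

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
VOWELS = set("aeiou")


def parse_line(line):
    """Parse one RSIT driver/service line; return None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, path, meta = m.groups()
    stamp = size = None
    if meta:
        parts = meta.split()
        stamp = parts[0]
        size = int(parts[1]) if len(parts) > 1 else None
    path = path.replace("\\??\\", "")  # drop the NT object-manager prefix
    return Entry(state, int(start), name, display, path, stamp, size)


def looks_random(name):
    """Heuristic for machine-generated service names (aujasnkj, a7i3miyo, amxmyeqi):
    exactly 8 alphanumerics and either a digit or a run of 3+ consonants.
    Dictionary-like names such as 'sentinel' do not trip it."""
    n = name.lower()
    if not re.fullmatch(r"[a-z0-9]{8}", n):
        return False
    if any(c.isdigit() for c in n):
        return True
    run = longest = 0
    for c in n:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 3


def suspicious(entry):
    """Return the list of reasons an entry deserves a second look (empty if none)."""
    reasons = []
    # Legitimate drivers carry a real display name; generated ones just repeat the service name.
    if looks_random(entry.name) and entry.name.lower() == entry.display.lower():
        reasons.append("random-looking name with no real display name")
    if TEMP_DIR.search(entry.path):
        reasons.append("driver image loaded from a Temp directory")
    # RSIT prints [] when it could not stat the file: stale entry, or file hidden from it.
    if entry.stamp is None:
        reasons.append("no file date/size: image absent at that path or hidden")
    return reasons


def triage(log_text):
    """Map service name -> reasons for every driver/service line that trips a heuristic."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry.name.lower() in KNOWN_TOOL_DRIVERS:
            continue
        reasons = suspicious(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, a7i3miyo and aujasnkj come out with the same profile the helper acted on for amxmyeqi (generated name, no metadata, and for aujasnkj a Temp path), while Sentinel is flagged only for its missing file, which is what a leftover entry from an uninstalled dongle driver looks like. Paste the "List of drivers" and "List of services" sections of a real RSIT log into triage() in place of SAMPLE_LOG to get the same report for your own machine.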


#10 zake

  • Topic Starter

  • Members
  • 5 posts

Posted 21 March 2009 - 02:27 AM

RSIT log ::

Logfile of random's system information tool 1.05 (written by random/random)
Run by Administrator at 2009-03-21 12:53:35
Microsoft Windows XP Professional Service Pack 2
System drive C: has 9 GB (49%) free of 19 GB
Total RAM: 1022 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:38 PM, on 3/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\Twain_32\4100\HotKey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\OnlineNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Documents and Settings\Administrator\Desktop\Administrator.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [STM] C:\WINDOWS\system32\STMReg.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\4100\HotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\QUICKH~1\cateye.exe
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\QUICKH~1\QUICKH~1\Sensor.EXE /LOADRUN
O4 - HKLM\..\Run: [ResumeQuickupDownload] C:\PROGRA~1\QUICKH~1\QUICKH~1\acappaa.exe
O4 - HKLM\..\Run: [Quick Heal Monitor] C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe /tray /noservice
O4 - HKLM\..\RunOnce: [Startup Scan] C:\PROGRA~1\QUICKH~1\QUICKH~1\Sensor.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DLD.EXE] C:\Program Files\Download Direct\DLD.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\progra~1\quickh~1\quickh~2\wl_hook.dll
O23 - Service: Quick Heal Client Security Service (acssrv) - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~2\acs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Online Protection System - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Quick Heal Antivirus Plus Mail Protection - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE
O23 - Service: Quick Update Service - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7521 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - C:\Program Files\Orbitdownloader\orbitcth.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-23 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-03-07 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-01-23 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Program Files\Orbitdownloader\GrabPro.dll []
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-23 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2002-10-15 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2002-10-15 114688]
"STM"=C:\WINDOWS\system32\STMReg.exe [2005-03-10 237568]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2009-01-31 249856]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-08-11 81920]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2009-01-31 155648]
"StatusClient 2.6"=C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe [2004-02-27 61440]
"TomcatStartup 2.5"=C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe [2009-01-31 188416]
"HP Software Update"=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [2004-01-07 49152]
"DSLAGENTEXE"=C:\Program Files\Huawei\MT882\dslagent.exe [2003-10-31 65536]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2008-04-02 36352]
"HotKey"=C:\WINDOWS\Twain_32\4100\HotKey.exe [2004-03-01 593920]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-10-12 413696]
"PinnacleDriverCheck"=C:\WINDOWS\system32\PSDrvCheck.exe [2009-01-31 406016]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2009-01-31 54784]
"Email Protection"=C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE [2009-03-18 267640]
"Update Scheduler"=C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE [2009-03-18 95608]
"On-Line Protection"=C:\PROGRA~1\QUICKH~1\QUICKH~1\cateye.exe [2009-03-18 206200]
"Messenger"=C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE [2009-03-18 111992]
"Startup Scan"=C:\PROGRA~1\QUICKH~1\QUICKH~1\Sensor.EXE [2009-03-18 144760]
"ResumeQuickupDownload"=C:\PROGRA~1\QUICKH~1\QUICKH~1\acappaa.exe [2009-03-18 95608]
"Quick Heal Monitor"=C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe [2008-07-31 1941504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Startup Scan"=C:\PROGRA~1\QUICKH~1\QUICKH~1\Sensor.EXE [2009-03-18 144760]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-09-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-02-02 68856]
"DLD.EXE"=C:\Program Files\Download Direct\DLD.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
D:\DAEMON Tools Lite\daemon.exe [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE [2009-01-31 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE [2009-01-31 737280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
C:\Program Files\Orbitdownloader\orbitdm.exe /H []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\progra~1\quickh~1\quickh~2\wl_hook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2002-10-15 315392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Orbitdownloader\orbitdm.exe"="C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"C:\Program Files\Orbitdownloader\orbitnet.exe"="C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-03-21 12:31:35 ----D---- C:\_OTMoveIt
2009-03-21 12:28:24 ----RASHD---- C:\autorun.inf
2009-03-21 12:06:34 ----SHD---- C:\FOUND.008
2009-03-20 12:09:08 ----D---- C:\rsit
2009-03-20 07:33:03 ----D---- C:\WINDOWS\ERUNT
2009-03-20 07:31:57 ----D---- C:\SDFix
2009-03-20 07:02:36 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-03-20 07:02:27 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-20 07:02:26 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-19 22:40:16 ----D---- C:\Documents and Settings\All Users\Application Data\Bluetooth
2009-03-19 19:34:57 ----D---- C:\Program Files\IVT Corporation
2009-03-18 16:56:57 ----D---- C:\Documents and Settings\All Users\Application Data\Quick Heal
2009-03-18 16:55:38 ----D---- C:\Program Files\Quick Heal
2009-03-18 16:28:58 ----D---- C:\Program Files\ESET
2009-03-18 16:05:36 ----A---- C:\WINDOWS\QH32.INI
2009-03-18 15:56:29 ----A---- C:\WINDOWS\ntbtlog.txt
2009-03-11 20:16:22 ----D---- C:\Program Files\ComputerJagat
2009-03-06 15:55:06 ----D---- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools Pro
2009-03-06 15:55:06 ----D---- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools
2009-03-06 15:54:19 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2009-03-06 15:03:57 ----D---- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools Lite
2009-03-02 22:02:03 ----D---- C:\hide
2009-02-23 21:47:59 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-02-23 19:49:08 ----SHD---- C:\FOUND.007

======List of files/folders modified in the last 1 months======

2009-03-21 12:27:10 ----A---- C:\AUTOEXEC.BAT
2009-03-21 12:04:10 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-21 11:58:20 ----SH---- C:\boot.ini
2009-03-21 11:58:20 ----A---- C:\WINDOWS\win.ini
2009-03-21 11:58:20 ----A---- C:\WINDOWS\system.ini
2009-03-20 07:42:46 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-18 23:18:34 ----A---- C:\WINDOWS\NeroDigital.ini
2009-03-15 08:47:34 ----A---- C:\WINDOWS\ulead32.ini
2009-03-14 17:48:34 ----A---- C:\WINDOWS\ODBCINST.INI
2009-03-14 17:48:34 ----A---- C:\WINDOWS\ODBC.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-10-25 91774]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-09-13 36096]
R1 PCLEPCI;PCLEPCI; \??\C:\WINDOWS\system32\drivers\pclepci.sys []
R1 SandBox;SandBox; C:\WINDOWS\system32\DRIVERS\SandBox.sys [2008-07-11 673920]
R2 catflt;catflt; C:\WINDOWS\system32\DRIVERS\catflt.sys [2009-03-18 65016]
R2 EMLSS;EMLSS; C:\WINDOWS\system32\drivers\emltdi.sys [2009-03-18 28656]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-10-25 71514]
R3 afw;Agnitum firewall driver; C:\WINDOWS\system32\DRIVERS\afw.sys [2008-06-30 30864]
R3 afwcore;afwcore; C:\WINDOWS\system32\drivers\afwcore.sys [2008-06-30 234640]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-04-25 730092]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-09-13 60800]
R3 ASAPIW2k;ASAPIW2K; C:\WINDOWS\system32\drivers\ASAPIW2k.sys [2004-03-10 11264]
R3 BlueletAudio;Bluetooth Audio Service; C:\WINDOWS\system32\DRIVERS\blueletaudio.sys [2007-05-11 34704]
R3 BlueletSCOAudio;Bluetooth SCO Audio Service; C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys [2007-03-05 27792]
R3 BT;Bluetooth PAN Network Adapter; C:\WINDOWS\system32\DRIVERS\btnetdrv.sys [2007-03-05 18320]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2002-10-25 80283]
R3 MarvinBus;Pinnacle Marvin Bus; C:\WINDOWS\system32\DRIVERS\MarvinBus.sys [2005-01-28 171008]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-09-13 61824]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-09-13 5888]
R3 SMBios;Intel ® System Management BIOS Service; C:\WINDOWS\system32\DRIVERS\SMBios.sys [2003-10-15 36484]
R3 USB_RNDIS;TI Remote NDIS USB Network Device; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-09-13 12672]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-09-13 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-09-13 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-09-13 20480]
R3 VComm;Virtual Serial port driver; C:\WINDOWS\system32\DRIVERS\VComm.sys [2007-03-05 34448]
R3 VcommMgr;Bluetooth VComm Manager Service; C:\WINDOWS\System32\Drivers\VcommMgr.sys [2007-03-05 44304]
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2004-08-03 48128]
S3 a7i3miyo;a7i3miyo; C:\WINDOWS\system32\drivers\a7i3miyo.sys []
S3 aujasnkj;aujasnkj; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys []
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2004-08-03 38912]
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\WINDOWS\System32\Drivers\btcusb.sys [2007-05-09 36496]
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 Dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2004-08-03 51328]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 Sentinel;Sentinel; Sentinel.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-09-13 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 acssrv;Quick Heal Client Security Service; C:\PROGRA~1\QUICKH~1\QUICKH~2\acs.exe [2008-07-31 1224704]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 Online Protection System;Online Protection System; C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe [2009-03-18 17272]
R2 Quick Heal Antivirus Plus Mail Protection;Quick Heal Antivirus Plus Mail Protection; C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE [2009-03-18 50552]
R2 Quick Update Service;Quick Update Service; C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe [2009-03-18 58744]
R2 ScanWscS;Quick Heal Helper Service WSC; C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe [2009-03-18 134488]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-05 24652]
S2 jgpdpytjw;Monitor Time; C:\WINDOWS\system32\svchost.exe [2004-09-13 14336]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-07 137200]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2009-01-31 68096]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2009-01-31 89600]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2009-01-31 65536]

-----------------EOF-----------------



OTMoveIT log :::

========== SERVICES/DRIVERS ==========
Service\Driver amxmyeqi not found.
Service\Driver amxmyeqi not found.
========== FILES ==========
File/Folder C:\WINDOWS\system32\avicap3.dll not found.
File/Folder C:\WINDOWS\system32\drivers\amxmyeqi.sys not found.
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At25.job moved successfully.
C:\WINDOWS\tasks\At26.job moved successfully.
C:\WINDOWS\tasks\At27.job moved successfully.
C:\WINDOWS\tasks\At28.job moved successfully.
C:\WINDOWS\tasks\At29.job moved successfully.
C:\WINDOWS\tasks\At30.job moved successfully.
C:\WINDOWS\tasks\At31.job moved successfully.
C:\WINDOWS\tasks\At32.job moved successfully.
C:\WINDOWS\tasks\At33.job moved successfully.
C:\WINDOWS\tasks\At34.job moved successfully.
C:\WINDOWS\tasks\At35.job moved successfully.
C:\WINDOWS\tasks\At36.job moved successfully.
C:\WINDOWS\tasks\At37.job moved successfully.
C:\WINDOWS\tasks\At38.job moved successfully.
C:\WINDOWS\tasks\At39.job moved successfully.
C:\WINDOWS\tasks\At40.job moved successfully.
C:\WINDOWS\tasks\At41.job moved successfully.
C:\WINDOWS\tasks\At42.job moved successfully.
C:\WINDOWS\tasks\At43.job moved successfully.
C:\WINDOWS\tasks\At44.job moved successfully.
C:\WINDOWS\tasks\At45.job moved successfully.
C:\WINDOWS\tasks\At46.job moved successfully.
C:\WINDOWS\tasks\At47.job moved successfully.
C:\WINDOWS\tasks\At48.job moved successfully.
C:\WINDOWS\tasks\At49.job moved successfully.
C:\WINDOWS\tasks\At50.job moved successfully.
C:\WINDOWS\tasks\At51.job moved successfully.
C:\WINDOWS\tasks\At52.job moved successfully.
C:\WINDOWS\tasks\At53.job moved successfully.
C:\WINDOWS\tasks\At54.job moved successfully.
C:\WINDOWS\tasks\At55.job moved successfully.
C:\WINDOWS\tasks\At56.job moved successfully.
C:\WINDOWS\tasks\At57.job moved successfully.
C:\WINDOWS\tasks\At58.job moved successfully.
C:\WINDOWS\tasks\At59.job moved successfully.
C:\WINDOWS\tasks\At60.job moved successfully.
C:\WINDOWS\tasks\At61.job moved successfully.
C:\WINDOWS\tasks\At62.job moved successfully.
C:\WINDOWS\tasks\At63.job moved successfully.
C:\WINDOWS\tasks\At64.job moved successfully.
C:\WINDOWS\tasks\At65.job moved successfully.
C:\WINDOWS\tasks\At66.job moved successfully.
C:\WINDOWS\tasks\At67.job moved successfully.
C:\WINDOWS\tasks\At68.job moved successfully.
C:\WINDOWS\tasks\At69.job moved successfully.
C:\WINDOWS\tasks\At70.job moved successfully.
C:\WINDOWS\tasks\At71.job moved successfully.
C:\WINDOWS\tasks\At72.job moved successfully.
C:\WINDOWS\tasks\At73.job moved successfully.
C:\WINDOWS\tasks\At74.job moved successfully.
C:\WINDOWS\tasks\At75.job moved successfully.
C:\WINDOWS\tasks\At76.job moved successfully.
C:\WINDOWS\tasks\At77.job moved successfully.
C:\WINDOWS\tasks\At78.job moved successfully.
C:\WINDOWS\tasks\At79.job moved successfully.
C:\WINDOWS\tasks\At80.job moved successfully.
C:\WINDOWS\tasks\At81.job moved successfully.
C:\WINDOWS\tasks\At82.job moved successfully.
C:\WINDOWS\tasks\At83.job moved successfully.
C:\WINDOWS\tasks\At84.job moved successfully.
C:\WINDOWS\tasks\At85.job moved successfully.
C:\WINDOWS\tasks\At86.job moved successfully.
C:\WINDOWS\tasks\At87.job moved successfully.
C:\WINDOWS\tasks\At88.job moved successfully.
C:\WINDOWS\tasks\At89.job moved successfully.
C:\WINDOWS\tasks\At90.job moved successfully.
C:\WINDOWS\tasks\At91.job moved successfully.
C:\WINDOWS\tasks\At92.job moved successfully.
C:\WINDOWS\tasks\At93.job moved successfully.
C:\WINDOWS\tasks\At94.job moved successfully.
C:\WINDOWS\tasks\At95.job moved successfully.
C:\WINDOWS\tasks\At96.job moved successfully.
C:\WINDOWS\tasks\At97.job moved successfully.
C:\WINDOWS\tasks\At98.job moved successfully.
C:\WINDOWS\tasks\At99.job moved successfully.
C:\WINDOWS\tasks\At100.job moved successfully.
C:\WINDOWS\tasks\At101.job moved successfully.
C:\WINDOWS\tasks\At102.job moved successfully.
C:\WINDOWS\tasks\At103.job moved successfully.
C:\WINDOWS\tasks\At104.job moved successfully.
C:\WINDOWS\tasks\At105.job moved successfully.
C:\WINDOWS\tasks\At106.job moved successfully.
C:\WINDOWS\tasks\At107.job moved successfully.
C:\WINDOWS\tasks\At108.job moved successfully.
C:\WINDOWS\tasks\At109.job moved successfully.
C:\WINDOWS\tasks\At110.job moved successfully.
C:\WINDOWS\tasks\At111.job moved successfully.
C:\WINDOWS\tasks\At112.job moved successfully.
C:\WINDOWS\tasks\At113.job moved successfully.
C:\WINDOWS\tasks\At114.job moved successfully.
C:\WINDOWS\tasks\At115.job moved successfully.
C:\WINDOWS\tasks\At116.job moved successfully.
C:\WINDOWS\tasks\At117.job moved successfully.
C:\WINDOWS\tasks\At118.job moved successfully.
C:\WINDOWS\tasks\At119.job moved successfully.
C:\WINDOWS\tasks\At120.job moved successfully.
C:\WINDOWS\tasks\At121.job moved successfully.
C:\WINDOWS\tasks\At122.job moved successfully.
C:\WINDOWS\tasks\At123.job moved successfully.
C:\WINDOWS\tasks\At124.job moved successfully.
C:\WINDOWS\tasks\At125.job moved successfully.
C:\WINDOWS\tasks\At126.job moved successfully.
C:\WINDOWS\tasks\At127.job moved successfully.
C:\WINDOWS\tasks\At128.job moved successfully.
C:\WINDOWS\tasks\At129.job moved successfully.
C:\WINDOWS\tasks\At130.job moved successfully.
C:\WINDOWS\tasks\At131.job moved successfully.
C:\WINDOWS\tasks\At132.job moved successfully.
C:\WINDOWS\tasks\At133.job moved successfully.
C:\WINDOWS\tasks\At134.job moved successfully.
C:\WINDOWS\tasks\At135.job moved successfully.
C:\WINDOWS\tasks\At136.job moved successfully.
C:\WINDOWS\tasks\At137.job moved successfully.
C:\WINDOWS\tasks\At138.job moved successfully.
C:\WINDOWS\tasks\At139.job moved successfully.
C:\WINDOWS\tasks\At140.job moved successfully.
C:\WINDOWS\tasks\At141.job moved successfully.
C:\WINDOWS\tasks\At142.job moved successfully.
C:\WINDOWS\tasks\At143.job moved successfully.
C:\WINDOWS\tasks\At144.job moved successfully.
C:\WINDOWS\tasks\At145.job moved successfully.
C:\WINDOWS\tasks\At146.job moved successfully.
C:\WINDOWS\tasks\At147.job moved successfully.
C:\WINDOWS\tasks\At148.job moved successfully.
C:\WINDOWS\tasks\At149.job moved successfully.
C:\WINDOWS\tasks\At150.job moved successfully.
C:\WINDOWS\tasks\At151.job moved successfully.
C:\WINDOWS\tasks\At152.job moved successfully.
C:\WINDOWS\tasks\At153.job moved successfully.
C:\WINDOWS\tasks\At154.job moved successfully.
C:\WINDOWS\tasks\At155.job moved successfully.
C:\WINDOWS\tasks\At156.job moved successfully.
C:\WINDOWS\tasks\At157.job moved successfully.
C:\WINDOWS\tasks\At158.job moved successfully.
C:\WINDOWS\tasks\At159.job moved successfully.
C:\WINDOWS\tasks\At160.job moved successfully.
C:\WINDOWS\tasks\At161.job moved successfully.
C:\WINDOWS\tasks\At162.job moved successfully.
C:\WINDOWS\tasks\At163.job moved successfully.
C:\WINDOWS\tasks\At164.job moved successfully.
C:\WINDOWS\tasks\At165.job moved successfully.
C:\WINDOWS\tasks\At166.job moved successfully.
C:\WINDOWS\tasks\At167.job moved successfully.
C:\WINDOWS\tasks\At168.job moved successfully.
C:\WINDOWS\tasks\At169.job moved successfully.
C:\WINDOWS\tasks\At170.job moved successfully.
C:\WINDOWS\tasks\At171.job moved successfully.
C:\WINDOWS\tasks\At172.job moved successfully.
C:\WINDOWS\tasks\At173.job moved successfully.
C:\WINDOWS\tasks\At174.job moved successfully.
C:\WINDOWS\tasks\At175.job moved successfully.
C:\WINDOWS\tasks\At176.job moved successfully.
C:\WINDOWS\tasks\At177.job moved successfully.
C:\WINDOWS\tasks\At178.job moved successfully.
C:\WINDOWS\tasks\At179.job moved successfully.
C:\WINDOWS\tasks\At180.job moved successfully.
C:\WINDOWS\tasks\At181.job moved successfully.
C:\WINDOWS\tasks\At182.job moved successfully.
C:\WINDOWS\tasks\At183.job moved successfully.
C:\WINDOWS\tasks\At184.job moved successfully.
C:\WINDOWS\tasks\At185.job moved successfully.
C:\WINDOWS\tasks\At186.job moved successfully.
C:\WINDOWS\tasks\At187.job moved successfully.
C:\WINDOWS\tasks\At188.job moved successfully.
C:\WINDOWS\tasks\At189.job moved successfully.
C:\WINDOWS\tasks\At190.job moved successfully.
C:\WINDOWS\tasks\At191.job moved successfully.
C:\WINDOWS\tasks\At192.job moved successfully.
C:\WINDOWS\tasks\At193.job moved successfully.
C:\WINDOWS\tasks\At194.job moved successfully.
C:\WINDOWS\tasks\At195.job moved successfully.
C:\WINDOWS\tasks\At196.job moved successfully.
C:\WINDOWS\tasks\At197.job moved successfully.
C:\WINDOWS\tasks\At198.job moved successfully.
C:\WINDOWS\tasks\At199.job moved successfully.
C:\WINDOWS\tasks\At200.job moved successfully.
C:\WINDOWS\tasks\At201.job moved successfully.
C:\WINDOWS\tasks\At202.job moved successfully.
C:\WINDOWS\tasks\At203.job moved successfully.
C:\WINDOWS\tasks\At204.job moved successfully.
C:\WINDOWS\tasks\At205.job moved successfully.
C:\WINDOWS\tasks\At206.job moved successfully.
C:\WINDOWS\tasks\At207.job moved successfully.
C:\WINDOWS\tasks\At208.job moved successfully.
C:\WINDOWS\tasks\At209.job moved successfully.
C:\WINDOWS\tasks\At210.job moved successfully.
C:\WINDOWS\tasks\At211.job moved successfully.
C:\WINDOWS\tasks\At212.job moved successfully.
C:\WINDOWS\tasks\At213.job moved successfully.
C:\WINDOWS\tasks\At214.job moved successfully.
C:\WINDOWS\tasks\At215.job moved successfully.
C:\WINDOWS\tasks\At216.job moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{044706DD-F4C0-41EE-B11E-805947B11893}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winip28.sys\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winip28.sys\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcc7f85a-f4d9-11dd-b3dd-d7d51d8fcdc4}\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03212009_123135



GMER log ::

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-21 12:49:49
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0xEE955B4A]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwClose [0xEE935C16]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0xEE95814E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0xEE92DDA2]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateKey [0xEE93ED92]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0xEE94D646]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0xEE94E15E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSection [0xEE92C2FE]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0xEE93E682]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateThread [0xEE94BCC6]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteFile [0xEE93CF26]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteKey [0xEE940D4E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteValueKey [0xEE9487A2]
SSDT spge.sys ZwEnumerateKey [0xF7395CA2]
SSDT spge.sys ZwEnumerateValueKey [0xF7396030]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0xEE94A666]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xEE93DD86]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xEE9340CF]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenKey [0xEE940154]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenProcess [0xEE9508B6]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xEE92CD5E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenThread [0xEE94FB36]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xEE957342]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xEE936C8D]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xEE941B82]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryValueKey [0xEE94265E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xEE954D92]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xEE94769E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwReplaceKey [0xEE944216]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xEE95A636]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xEE95AC1A]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRestoreKey [0xEE946B6A]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xEE9456CA]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xEE946112]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xEE958E36]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xEE9541B6]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xEE938BDE]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xEE9499C2]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetValueKey [0xEE9431BA]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xEE952EE6]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xEE95380E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xEE95B81A]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateProcess [0xEE95166E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xEE952386]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xEE94B23E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xEE9565E6]

INT 0x62 ? 8636BBF8
INT 0x82 ? 8636BBF8
INT 0x94 ? 85DC2BF8
INT 0xA4 ? 85DC2BF8
INT 0xB4 ? 85DC2BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 443 804E3114 12 Bytes [E6, 2E, 95, EE, 0E, 38, 95, ...] {OUT 0x2e, AL; XCHG EBP, EAX; OUT DX, AL ; PUSH CS; CMP [EBP-0x6a47e512], DL; OUT DX, AL }
? spge.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6F7462C 5 Bytes JMP 85DC21D8
.text a7i3miyo.SYS F6E1E386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a7i3miyo.SYS F6E1E3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a7i3miyo.SYS F6E1E3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a7i3miyo.SYS F6E1E3C9 1 Byte [2E]
.text a7i3miyo.SYS F6E1E3C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[204] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 009AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[204] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 009AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[204] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 009AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[204] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 009AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[204] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 009AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[336] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[336] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[336] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[336] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[336] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~2\acs.exe[520] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 005227E8 C:\PROGRA~1\QUICKH~1\QUICKH~2\acs.exe (Quick Heal Firewall Service/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[684] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[684] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[684] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[684] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[684] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[704] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[704] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[704] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[704] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[704] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe[732] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 0099B4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe[732] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 0099B4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe[732] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 0099B82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe[732] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 0099B858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe[732] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 0099B514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe[752] kernel32.dll!LoadResource 7C80A065 5 Bytes JMP 00564FD0 C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe (Quick Heal User Interface/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe[752] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 0055F10C C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe (Quick Heal User Interface/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe[752] USER32.dll!EnableWindow 77D4C4D4 5 Bytes JMP 00E9FC24 C:\PROGRA~1\QUICKH~1\QUICKH~2\op_cmn.dll (Quick Heal Common Controls Library/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe[752] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 0055F164 C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe (Quick Heal User Interface/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe[752] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 0055F138 C:\PROGRA~1\QUICKH~1\QUICKH~2\op_mon.exe (Quick Heal User Interface/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\OnlineNT.EXE[776] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 009CB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\OnlineNT.EXE[776] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 009CB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\OnlineNT.EXE[776] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 009CB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\OnlineNT.EXE[776] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 009CB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\OnlineNT.EXE[776] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 009CB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE[780] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 008EB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE[780] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 008EB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE[780] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 008EB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE[780] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 008EB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE[780] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 008EB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe[836] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 006AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe[836] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 006AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe[836] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 006AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe[836] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 006AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe[836] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 006AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[848] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[848] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[848] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[848] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[848] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe[932] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 009BB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe[932] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 009BB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe[932] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 009BB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe[932] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 009BB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe[932] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 009BB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[1028] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[1028] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[1028] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[1028] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[1028] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1124] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1124] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1124] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1124] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1124] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\services.exe[1172] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\services.exe[1172] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\services.exe[1172] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\services.exe[1172] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\services.exe[1172] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe[1484] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe[1484] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe[1484] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe[1484] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe[1484] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\explorer.exe[2080] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\explorer.exe[2080] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\explorer.exe[2080] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\explorer.exe[2080] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\explorer.exe[2080] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\igfxtray.exe[2524] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 008FB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\igfxtray.exe[2524] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 008FB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\igfxtray.exe[2524] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 008FB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\igfxtray.exe[2524] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 008FB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\igfxtray.exe[2524] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 008FB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[2684] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 008EB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[2684] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 008EB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[2684] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 008EB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[2684] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 008EB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[2684] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 008EB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2820] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2820] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2820] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2820] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2820] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3012] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3012] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3012] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3012] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Documents and Settings\Administrator\Desktop\gmer\gmer.exe[3012] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[3084] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[3084] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[3084] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[3084] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe[3084] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[3208] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[3208] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[3208] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[3208] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[3208] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Huawei\MT882\dslagent.exe[3232] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Huawei\MT882\dslagent.exe[3232] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Huawei\MT882\dslagent.exe[3232] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Huawei\MT882\dslagent.exe[3232] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Huawei\MT882\dslagent.exe[3232] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Winamp\winampa.exe[3324] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Winamp\winampa.exe[3324] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Winamp\winampa.exe[3324] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Winamp\winampa.exe[3324] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Winamp\winampa.exe[3324] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\Twain_32\4100\HotKey.exe[3352] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\Twain_32\4100\HotKey.exe[3352] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\Twain_32\4100\HotKey.exe[3352] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\Twain_32\4100\HotKey.exe[3352] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\Twain_32\4100\HotKey.exe[3352] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\QuickTime\qttask.exe[3664] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\QuickTime\qttask.exe[3664] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\QuickTime\qttask.exe[3664] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\QuickTime\qttask.exe[3664] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\QuickTime\qttask.exe[3664] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[3924] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[3924] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[3924] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[3924] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe[3924] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\SOUNDMAN.EXE[4004] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\SOUNDMAN.EXE[4004] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\SOUNDMAN.EXE[4004] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\SOUNDMAN.EXE[4004] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\WINDOWS\SOUNDMAN.EXE[4004] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE[4024] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 100AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE[4024] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 100AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE[4024] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 100AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE[4024] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 100AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE[4024] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 100AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE[4048] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 009AB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE[4048] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 009AB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE[4048] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 009AB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE[4048] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 009AB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE[4048] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 009AB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE[4068] USER32.dll!SetWindowPos 77D4C78E 5 Bytes JMP 009EB4E8 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE[4068] USER32.dll!SetForegroundWindow 77D566A7 5 Bytes JMP 009EB4BC c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE[4068] USER32.dll!ChangeDisplaySettingsExA 77D66A51 5 Bytes JMP 009EB82C c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE[4068] USER32.dll!ChangeDisplaySettingsExW 77D891B6 5 Bytes JMP 009EB858 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)
.text C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE[4068] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 009EB514 c:\progra~1\quickh~1\quickh~2\wl_hook.dll (Quick Heal Hooking Module/Quick Heal Technologies (P) Ltd.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8636E2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F73A8C4C] spge.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F73A8CA0] spge.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7378040] spge.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F737813C] spge.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73780BE] spge.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73787FC] spge.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73786D2] spge.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 85DC22D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7388048] spge.sys
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlInitUnicodeString] 0975013E
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!swprintf] 1B42E853
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeSetEvent] C4830000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoCreateSymbolicLink] B05E5F04
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoGetConfigurationInformation] E58B5B01
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] CCCCC35D
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmFreeMappingAddress] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 53EC8B55
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 08758B56
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmUnmapIoSpace] 0214BE83
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 57000000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IofCompleteRequest] 45C60674
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 1EEB010B
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IofCallDriver] 020C868B
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmAllocateMappingAddress] C0850000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 808A1074
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoConnectInterrupt] 00000804
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoDetachDevice] A03CF024
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeWaitForSingleObject] 0B45950F
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeInitializeEvent] 45C604EB
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 458A000B
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlInitAnsiString] 88C0840B
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 840F0946
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoQueueWorkItem] 000000C1
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmMapIoSpace] 14B30E8B
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 1C8286C6
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoReportDetectedDevice] 88010000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoReportResourceForDetection] 001C859E
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] A19E8800
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!NlsMbCodePageTag] C600001C
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!PoRequestPowerIrp] 001C8686
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 86C60100
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 00001CA2
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!sprintf] 70518B01
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 8D52006A
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!ObfDereferenceObject] 001C8886
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 55E85000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 8B000023
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!ZwClose] 70518B0E
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 8D52016A
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 001CA486
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 41E85000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 8B000023
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!PoCallDriver] 18C4830E
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoCreateDevice] 1C8D9E88
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 9E880000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 00001CA9
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!ZwOpenKey] 0E798366
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 74AAB000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoStartTimer] 8186C636
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeInitializeTimer] 1A00001C
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoInitializeTimer] 1C8386C6
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeInitializeDpc] C6020000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeInitializeSpinLock] 001C8E86
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoInitializeIrp] 86C60200
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!ZwCreateKey] 00001CAA
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 959E8802
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!ZwSetValueKey] 001CB19E
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeInsertQueueDpc] 96868800
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 8800001C
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoStartPacket] 001CB286
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] C61AEB00
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 001C8186
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoFreeMdl] 86C61200
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmUnlockPages] 00001C83
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 8E868801
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 8800001C
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 001CAA86
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 80968B00
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeSynchronizeExecution] 8900001C
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoStartNextPacket] 001C9C96
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeBugCheckEx] C6168B00
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 001CB986
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeSetTimer] 428A0A00
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeCancelTimer] BA86880C
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!_allmul] 8B00001C
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmProbeAndLockPages] 24A48DFA
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!_except_handler3] 00000000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!PoSetPowerState] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 8D3F0304
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlWriteRegistryValue] CB033043
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!_aulldiv] 0673C13B
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!strstr] C13B0003
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!_strupr] 8366FA72
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeQuerySystemTime] 75000E7B
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 0B7D80E3
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!KeTickCount] 307B8D00
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 00AA840F
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoDeleteDevice] 83660000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 6A000E7A
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoAllocateWorkItem] C6647400
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoAllocateIrp] 001CBB86
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoAllocateMdl] 4F8B0200
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 968D5140
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmLockPagableDataSection] 00001C90
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 2266E852
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 478B0000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!ExFreePoolWithTag] 50016A40
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoFreeIrp] 1CAC8E8D
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoFreeWorkItem] E8510000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!InitSafeBootMode] 00002254
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlCompareMemory] 6A18538B
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 868D5200
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!memmove] 00001C98
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!MmHighestUserAddress] 2242E850
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!KfAcquireSpinLock] 8A000002
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!READ_PORT_UCHAR] 83880846
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!KeGetCurrentIrql] 000001C0
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!KfRaiseIrql] 2C4EB70F
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!KfLowerIrql] 8303C183
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!HalGetInterruptVector] D103FCE1
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!HalTranslateBusAddress] 2E7E8366
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!KeStallExecutionProcessor] 8D1C7400
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!KfReleaseSpinLock] 83893204
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00000218
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!READ_PORT_USHORT] 2E4EB70F
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 021C8B89
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!WRITE_PORT_UCHAR] B70F0000
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[WMILIB.SYS!WmiSystemControl] 03D00304
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[WMILIB.SYS!WmiCompleteRequest] 0CB389F2
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F6DEF226] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F6DEF226] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F6DEF226] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F6DEF226] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F6DEF226] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F6DEF226] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F6DEF226] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F6DEF226] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [EE9496B0] \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [EE930292] \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom 8636A1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{9C2BFE0F-911E-499F-8709-10A013437DB4} 862441F8
Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\usbuhci \Device\USBPDO-0 85DC11F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 863D91F8
Device \Driver\dmio \Device\DmControl\DmConfig 863D91F8
Device \Driver\dmio \Device\DmControl\DmPnP 863D91F8
Device \Driver\dmio \Device\DmControl\DmInfo 863D91F8
Device \Driver\usbuhci \Device\USBPDO-1 85DC11F8
Device \Driver\usbuhci \Device\USBPDO-2 85DC11F8
Device \Driver\usbehci \Device\USBPDO-3 85D9E1F8
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Tcp emltdi.sys (emltdi.sys/Quick Heal Technologies (P) Ltd.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8636C1F8
Device \Driver\sptd \Device\490014820 spge.sys
Device \Driver\Cdrom \Device\CdRom0 85DCA500
Device \Driver\Ftdisk \Device\HarddiskVolume2 8636C1F8
Device \Driver\Cdrom \Device\CdRom1 85DCA500
Device \Driver\Ftdisk \Device\HarddiskVolume3 8636C1F8
Device \Driver\atapi \Device\Ide\IdePort0 8636B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8636B1F8
Device \Driver\atapi \Device\Ide\IdePort1 8636B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8636B1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 862441F8
Device \Driver\NetBT \Device\NetbiosSmb 862441F8
Device \Driver\PCI_PNP8570 \Device\0000005a spge.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{0573AB9A-B381-4E89-8A95-A5109288F2E5} 862441F8
Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\usbuhci \Device\USBFDO-0 85DC11F8
Device \Driver\usbuhci \Device\USBFDO-1 85DC11F8
Device \Driver\usbuhci \Device\USBFDO-2 85DC11F8
Device \Driver\Tcpip \Device\IPMULTICAST afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85F91500
Device \Driver\usbehci \Device\USBFDO-3 85D9E1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85F91500
Device \Driver\Ftdisk \Device\FtControl 8636C1F8
Device \Driver\a7i3miyo \Device\Scsi\a7i3miyo1 85DE1500
Device \Driver\a7i3miyo \Device\Scsi\a7i3miyo1Port2Path0Target0Lun0 85DE1500
Device \FileSystem\Fastfat \Fat 8636A1F8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 861D7500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x30 0x14 0x02 0x21 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEC 0x1A 0x8E 0xC1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5C 0x08 0x82 0x64 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x30 0x14 0x02 0x21 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEC 0x1A 0x8E 0xC1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5C 0x08 0x82 0x64 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0xAA 0x52 0xC6 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----


Awaiting further instruction.
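An added example, not part of zake's post and not GMER's own code: a small Python parser for the IAT section of a GMER log like the one above. GMER prints two shapes of IAT line, a hook it can attribute to a named driver and vendor ("[F6DEF226] ...\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)") and a bare 8-digit value when it cannot resolve the target at all (every a7i3miyo.SYS line). The script groups hooks by the driver that owns the target and lists the victims whose import tables point somewhere unattributed, which are the entries a responder reads first. The sample lines are copied from the log above; the function names and the "<unattributed>" key are my own.

```python
import re

# Constructed sample: IAT lines copied from the GMER 1.0.15 log posted above,
# plus one Device line to show that non-IAT lines are ignored.
SAMPLE_LOG = r"""
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 00AA840F
IAT \SystemRoot\System32\Drivers\a7i3miyo.SYS[HAL.dll!READ_PORT_UCHAR] 83880846
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F6DEF226] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [EE930292] \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
"""

UNATTRIBUTED = "<unattributed>"  # my own label for hooks GMER could not name

# IAT <victim path>[<module>!<symbol>] followed by either
#   "[addr] <hooking driver path> (Description/Vendor)"   (attributed), or
#   a raw 8-digit hex value                               (unattributed).
IAT_RE = re.compile(
    r"^IAT (?P<victim>[^\[\s]+)\[(?P<module>[^!\]]+)!(?P<symbol>[^\]]+)\] "
    r"(?:\[(?P<addr>[0-9A-Fa-f]{8})\] (?P<hooker>\S+) \((?P<desc>[^)]*)\)"
    r"|(?P<raw>[0-9A-Fa-f]{8}))\s*$"
)


def basename(path):
    """Last component of a Windows path (GMER prints full SystemRoot-relative paths)."""
    return path.rsplit("\\", 1)[-1]


def parse_iat_hooks(log_text):
    """Return one record per IAT line; 'hooker' and 'vendor' are None for unattributed hooks."""
    hooks = []
    for line in log_text.splitlines():
        m = IAT_RE.match(line.strip())
        if not m:
            continue  # Device, Reg and section-header lines are not handled here
        d = m.groupdict()
        # GMER prints "(Description/Vendor)"; the vendor is the part after the last slash.
        vendor = d["desc"].rsplit("/", 1)[-1].strip() if d["desc"] else None
        hooks.append({
            "victim": basename(d["victim"]),
            "import": f'{d["module"]}!{d["symbol"]}',
            "hooker": basename(d["hooker"]) if d["hooker"] else None,
            "vendor": vendor,
        })
    return hooks


def summarize_iat_hooks(log_text):
    """Group hooks by the driver that owns the hook target, so one glance shows who hooks what."""
    summary = {}
    for h in parse_iat_hooks(log_text):
        key = h["hooker"] or UNATTRIBUTED
        entry = summary.setdefault(key, {"vendor": h["vendor"], "victims": set(), "imports": set()})
        entry["victims"].add(h["victim"])
        entry["imports"].add(h["import"])
    for entry in summary.values():
        entry["victims"] = sorted(entry["victims"])
        entry["imports"] = sorted(entry["imports"])
    return summary


def unattributed_victims(log_text):
    """Drivers whose import table points somewhere GMER could not name: read these first."""
    return sorted({h["victim"] for h in parse_iat_hooks(log_text) if h["hooker"] is None})


if __name__ == "__main__":
    for hooker, entry in summarize_iat_hooks(SAMPLE_LOG).items():
        print(f"{hooker:16} vendor={entry['vendor']!s:14} "
              f"{len(entry['imports'])} import(s) hooked in {', '.join(entry['victims'])}")
    print("needs review:", unattributed_victims(SAMPLE_LOG))
```

Caveat on reading the result: an unattributed, randomly named driver is worth a look but is not by itself proof of malware. The Registry section of this same log shows sptd (the low-level driver DAEMON Tools Lite installs, and the @p0 value points at D:\DAEMON Tools Lite\), and sptd is well known for loading a randomly named companion driver and for producing exactly this kind of unresolved IAT output in GMER, so the a7i3miyo entries should be weighed against that before anything is deleted.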

#11 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 21 March 2009 - 02:26 PM

Hello zake,

Good work so far. :thumbup2: We have a little more work to do.

1.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

2.
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
3.

Whenever I connect to the internet I am given this warning from Quick Heal email protection that SVCHOST.EXE is trying to send emails and if I do not recognise it I should click on no to stop it from doing so. This happens every other second. As I am writing this I have received 7 more warnings.

Are you still getting this warning?

Things to include in your next reply:
Kaspersky report
A new RSIT log
How is your computer running? Any signs or symptoms of infection?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 22 March 2009 - 08:35 PM

Hello.

Are you still there?

If you are, please follow the instructions in my previous post. Just because your machine may be running better does not mean it is clean. I will let you know when your machine is all clean.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :thumbup2:

With Regards,
fireman4it


#13 Carolyn

    Bleepin' kitten

  • Members
  • 2,131 posts

Posted 25 March 2009 - 10:48 AM

At the User's request, this thread will now be closed.

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Member of ASAP (Alliance of Security Analysis Professionals)