Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Major popups/firewall turned off/swww.exe


  • This topic is locked This topic is locked
52 replies to this topic

#1 xXSenile

xXSenile

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 16 April 2009 - 04:25 PM

Hi,

I have been getting major popups and my firewall keeps turning off. On top of that, I keep getting a program called swww.exe popping up that has failed to run "application error" and it takes like 5 clicks to cancel it. I have attached my hijack this log

Please help!
xxsenile

Attached Files



BC AdBot (Login to Remove)

 


#2 xXSenile

xXSenile
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 25 April 2009 - 05:55 AM

It has been quite a number of days and I am worried about the viruses on my computer. I see that my Hijack this log has been dled 4 times but I haven't gotten a reply. Any help would be very appreciated!!!

I also found out that when I go to google and search something, and then click on a link it goes to a popup site instead of the address I want to go to !!!!

#3 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 28 April 2009 - 01:52 AM

Hello, my name is fenzodahl512 and welcome to Bleeping Computer.. Please do the following....



Please download The Comedian.exe to your desktop
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
If you see "random" name, just leave it.. If you see "GMER", please rename GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#4 xXSenile

xXSenile
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 28 April 2009 - 03:07 PM

Hi,

First of all I would like to thank you a lot for helping since I know you guys are doing it out of your good will. Here are the logs for all 4 things you requested. I will post them all in separate posts like you asked

Malaware bytes log:

Malwarebytes' Anti-Malware 1.36
Database version: 2055
Windows 5.1.2600 Service Pack 3

28/04/2009 3:51:13 PM
mbam-log-2009-04-28 (15-51-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 219374
Time elapsed: 28 minute(s), 21 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Failed to unload process.

Memory Modules Infected:
C:\WINDOWS\temp\msb.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Arthur Lau\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Arthur Lau\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Arthur Lau\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

#5 xXSenile

xXSenile
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 28 April 2009 - 03:08 PM

RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Arthur Lau at 2009-04-28 15:55:46
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 120 GB (81%) free of 148 GB
Total RAM: 1012 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:53 PM, on 28/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Arthur Lau\Desktop\RSIT.exe
C:\Program Files\trend micro\Arthur Lau.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...08&m=aoa150
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\31514490.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\mw7so3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\mw7so3.exe (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\vozanije.dll c:\windows\system32\vejorafa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

--
End of file - 6503 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]
{517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - Contribute Toolbar - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe [2007-09-18 171464]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE [2008-06-04 114688]

C:\Documents and Settings\Arthur Lau\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\vozanije.dll c:\windows\system32\vejorafa.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-03 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-03-18 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-02-15 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\fuzedanu.dll
C:\WINDOWS\system32\vozanije.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe"="C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\AVG\AVG8\avgrsx.exe"="C:\Program Files\AVG\AVG8\avgrsx.exe:*:Enabled:avgrsx"
"C:\WINDOWS\system32\spoolsv.exe"="C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv"
"C:\Program Files\AVG\AVG8\avgwdsvc.exe"="C:\Program Files\AVG\AVG8\avgwdsvc.exe:*:Enabled:avgwdsvc"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE"="C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE:*:Enabled:E_FATIAEA"
"C:\Program Files\AVG\AVG8\avgscanx.exe"="C:\Program Files\AVG\AVG8\avgscanx.exe:*:Enabled:avgscanx"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8897e66-e7cf-11dd-922b-002269843e38}]
shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6df8bb6-9ba2-11dd-9195-002269843e38}]
shell\AutoRun\command - D:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dac2cfb3-9b79-11dd-9191-002269843e38}]
shell\AutoRun\command - D:\LaunchU3.exe -a


======List of files/folders created in the last 3 months======

2009-04-28 15:26:27 ----A---- C:\WINDOWS\system32\loader100.exe
2009-04-28 15:00:45 ----D---- C:\Program Files\ERUNT
2009-04-28 01:51:44 ----A---- C:\WINDOWS\system32\loader49.exe
2009-04-16 17:36:20 ----A---- C:\WINDOWS\system32\SelfDel.bat
2009-04-16 17:16:53 ----D---- C:\Program Files\Trend Micro
2009-04-16 17:02:22 ----A---- C:\etfdre.txt
2009-04-15 03:05:37 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-15 03:05:30 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-15 03:02:40 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-15 03:02:26 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-15 03:01:02 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-15 03:00:50 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-14 21:37:38 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-03-23 00:43:03 ----D---- C:\Documents and Settings\Arthur Lau\Application Data\vlc
2009-03-23 00:41:51 ----D---- C:\Program Files\VideoLAN
2009-03-11 03:02:12 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 03:02:00 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-02-28 01:16:59 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-13 11:35:15 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-12 00:24:56 ----D---- C:\Documents and Settings\Arthur Lau\Application Data\Help
2009-02-11 23:41:20 ----A---- C:\WINDOWS\system32\LMRTREND.dll
2009-02-11 23:41:19 ----A---- C:\WINDOWS\system32\dxtmsft3.dll
2009-02-11 23:41:16 ----A---- C:\WINDOWS\system32\unam4ie.exe
2009-02-11 23:41:12 ----A---- C:\WINDOWS\system32\vidx16.dll
2009-02-11 23:41:12 ----A---- C:\WINDOWS\system32\qcut.dll
2009-02-11 23:41:11 ----A---- C:\WINDOWS\system32\w95inf32.dll
2009-02-11 23:41:10 ----A---- C:\WINDOWS\system32\w95inf16.dll
2009-02-11 23:40:40 ----A---- C:\WINDOWS\err.txt

======List of files/folders modified in the last 3 months======

2009-04-28 15:54:12 ----AD---- C:\WINDOWS\system32
2009-04-28 15:53:43 ----D---- C:\Program Files\Mozilla Firefox
2009-04-28 15:52:33 ----D---- C:\WINDOWS
2009-04-28 15:52:33 ----AD---- C:\WINDOWS\system32\drivers
2009-04-28 15:52:09 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-28 15:41:29 ----D---- C:\WINDOWS\temp
2009-04-28 15:02:04 ----D---- C:\WINDOWS\Prefetch
2009-04-28 15:01:36 ----D---- C:\WINDOWS\ERDNT
2009-04-28 15:00:45 ----RD---- C:\Program Files
2009-04-28 15:00:32 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-28 01:51:53 ----A---- C:\WINDOWS\system32\userinit.exe
2009-04-26 09:10:33 ----D---- C:\Documents and Settings\Arthur Lau\Application Data\EndNote
2009-04-23 20:41:12 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-23 18:41:22 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-17 16:13:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-16 20:05:42 ----D---- C:\WINDOWS\Minidump
2009-04-16 01:09:45 ----SD---- C:\Documents and Settings\Arthur Lau\Application Data\Microsoft
2009-04-15 15:56:21 ----D---- C:\WINDOWS\system32\wbem
2009-04-15 15:56:21 ----D---- C:\WINDOWS\AppPatch
2009-04-15 03:05:40 ----HD---- C:\WINDOWS\inf
2009-04-15 03:05:33 ----A---- C:\WINDOWS\imsins.BAK
2009-04-15 03:05:17 ----D---- C:\WINDOWS\system32\en-US
2009-04-15 03:05:17 ----D---- C:\Program Files\Internet Explorer
2009-04-15 03:02:47 ----AD---- C:\I386
2009-04-15 03:02:36 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-15 03:02:22 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-04-15 03:02:19 ----SHD---- C:\WINDOWS\Installer
2009-04-15 01:28:33 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-03-22 11:18:03 ----HD---- C:\$AVG8.VAULT$
2009-03-21 10:06:58 ----A---- C:\WINDOWS\system32\kernel32.dll
2009-03-18 15:48:56 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-03-18 15:48:08 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-03-06 10:22:18 ----A---- C:\WINDOWS\system32\pdh.dll
2009-03-05 21:52:59 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-03-05 21:52:56 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-03-02 20:18:25 ----A---- C:\WINDOWS\system32\wininet.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\webcheck.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\url.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\pngfilt.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\occache.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\mstime.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\msrating.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\mshtmled.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\ieencode.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\iernonce.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\ieaksie.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\ieakeng.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\icardie.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\extmgr.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\dxtrans.dll
2009-02-20 14:09:35 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2009-02-20 14:09:35 ----A---- C:\WINDOWS\system32\advpack.dll
2009-02-20 06:20:49 ----A---- C:\WINDOWS\system32\ieudinit.exe
2009-02-20 06:20:49 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-02-20 01:14:12 ----A---- C:\WINDOWS\system32\ieakui.dll
2009-02-13 14:30:50 ----D---- C:\Program Files\Starcraft
2009-02-11 23:41:20 ----D---- C:\Program Files\Windows Media Player
2009-02-11 23:41:16 ----D---- C:\WINDOWS\Help
2009-02-09 08:10:49 ----A---- C:\WINDOWS\system32\lsasrv.dll
2009-02-09 08:10:48 ----A---- C:\WINDOWS\system32\rpcss.dll
2009-02-09 08:10:48 ----A---- C:\WINDOWS\system32\ntdll.dll
2009-02-09 08:10:48 ----A---- C:\WINDOWS\system32\advapi32.dll
2009-02-06 07:11:05 ----A---- C:\WINDOWS\system32\services.exe
2009-02-06 07:06:41 ----A---- C:\WINDOWS\system32\ntoskrnl.exe
2009-02-06 06:39:08 ----A---- C:\WINDOWS\system32\sc.exe
2009-02-06 06:32:56 ----A---- C:\WINDOWS\system32\ntkrnlpa.exe
2009-02-03 15:59:07 ----A---- C:\WINDOWS\system32\secur32.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-03-18 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-03-18 27656]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-03-18 107272]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-04-14 12032]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2008-05-20 1312576]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\WINDOWS\system32\DRIVERS\DKbFltr.sys [2004-12-08 16896]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-05-20 4800000]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-06-30 108800]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC); C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2007-10-01 1769984]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2008-04-24 225024]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 int15.sys;int15.sys; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys []
S3 JMCR;JMCR; C:\WINDOWS\system32\DRIVERS\jmcr.sys [2008-07-07 96856]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 TVicPort;TVICPORT; \??\C:\WINDOWS\system32\DRIVERS\TVICPORT.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 IviRegMgr;IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [2007-01-04 112152]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe []
S2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe []
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S3 Adobe Version Cue CS3;Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [2007-03-20 153792]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-10-16 654848]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

#6 xXSenile

xXSenile
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 28 April 2009 - 03:10 PM

RSIT info:

info.txt logfile of random's system information tool 1.05 2008-12-27 12:46:14

======Uninstall list======

-->C:\Program Files\InstallShield Installation Information\{69333A04-5134-40A5-A055-9166A7AA1EC8}\setup.exe -runfromtemp -l0x0009 -removeonly
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Acer Crystal Eye webcam-->C:\Program Files\InstallShield Installation Information\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer ScreenSaver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Add or Remove Adobe Creative Suite 3 Master Collection-->C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Setup.exe
Adobe After Effects CS3 Presets-->MsiExec.exe /I{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}
Adobe After Effects CS3-->MsiExec.exe /I{EB0202F7-016A-410C-ADE4-40F848CCC661}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3-->MsiExec.exe /I{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Contribute CS3-->MsiExec.exe /I{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}
Adobe Creative Suite 3 Master Collection-->MsiExec.exe /I{8718DC03-D066-4957-94E5-50C3C5042E8E}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3-->MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}
Adobe Encore CS3 Codecs-->MsiExec.exe /I{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}
Adobe Encore CS3-->MsiExec.exe /I{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Extension Manager CS3-->MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Fireworks CS3-->MsiExec.exe /I{7DFC1012-D346-46CE-B03E-FF79125AE029}
Adobe Flash CS3-->MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player 9 Plugin-->MsiExec.exe /X{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Video Encoder-->MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}
Adobe InDesign CS3 Icon Handler-->MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files-->MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Premiere Pro CS3 Functional Content-->MsiExec.exe /I{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}
Adobe Premiere Pro CS3 Third Party Content-->MsiExec.exe /I{485ACF57-F364-440A-8496-E1E81C8FA1AA}
Adobe Premiere Pro CS3-->MsiExec.exe /I{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Setup-->MsiExec.exe /I{4458C442-7376-4CF9-AF58-E8CEA6722363}
Adobe SING CS3-->MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Soundbooth CS3 Codecs-->MsiExec.exe /I{0327FA9D-975C-448C-A086-577D57BB25B8}
Adobe Soundbooth CS3-->MsiExec.exe /I{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Version Cue CS3 Server-->MsiExec.exe /I{1D58229F-C505-45CA-8223-F35F3A34B963}
Adobe Video Profiles-->MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}
Adobe WAS CS3-->MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP DVA Panels CS3-->MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
Adobe XMP Panels CS3-->MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}
AHV content for Acrobat and Flash-->MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
Atheros for Acer Driver v7.6.0.224_Foxconn Installation Program-->C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\Setup.exe -runfromtemp -l0x0009 -removeonly
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EndNote X1-->MsiExec.exe /I{87F7773C-EC9C-461A-AA7B-4AF8EF54DF49}
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
HijackThis 2.0.2-->"C:\Documents and Settings\Arthur Lau\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
ISI ResearchSoft - Export Helper-->C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
JMicron JMB38X Flash Media Controller-->"C:\Program Files\InstallShield Installation Information\{26604C7E-A313-4D12-867F-7C6E7820BE4C}\setup.exe" delpkg
Launch Manager-->C:\WINDOWS\UnInst32.exe QtZgAcer.UNI
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB955936)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1D94099C-2BBA-440E-BD5E-093BBDF8F028}
Security Update for Microsoft Office Excel 2007 (KB955470)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6E8637D8-10D6-4568-AA06-E2706F31685E}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office Word 2007 (KB950113)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TVicPort 4.1 Free Personal Edition-->"c:\TVicPortPersonal\uninstall.exe"
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb957829)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {07A1F6B6-4F1C-418C-A605-755A121C4A16}
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: AVG Anti-Virus Free (disabled) (outdated)

System event log

Computer Name: ARTHUR
Event Code: 3
Message: \Device\ACPIEC: The embedded controller (EC) hardware returned data when none was requested. This may indicate that the BIOS is incorectly trying to access the EC without syncronizing with the OS. The data is being ignored.

Record Number: 1872280
Source Name: ACPIEC
Time Written: 20081221003705.000000-300
Event Type: warning
User:

Computer Name: ARTHUR
Event Code: 3
Message: \Device\ACPIEC: The embedded controller (EC) hardware returned data when none was requested. This may indicate that the BIOS is incorectly trying to access the EC without syncronizing with the OS. The data is being ignored.

Record Number: 1872279
Source Name: ACPIEC
Time Written: 20081221003705.000000-300
Event Type: warning
User:

Computer Name: ARTHUR
Event Code: 3
Message: \Device\ACPIEC: The embedded controller (EC) hardware returned data when none was requested. This may indicate that the BIOS is incorectly trying to access the EC without syncronizing with the OS. The data is being ignored.

Record Number: 1872278
Source Name: ACPIEC
Time Written: 20081221003705.000000-300
Event Type: warning
User:

Computer Name: ARTHUR
Event Code: 3
Message: \Device\ACPIEC: The embedded controller (EC) hardware returned data when none was requested. This may indicate that the BIOS is incorectly trying to access the EC without syncronizing with the OS. The data is being ignored.

Record Number: 1872277
Source Name: ACPIEC
Time Written: 20081221003705.000000-300
Event Type: warning
User:

Computer Name: ARTHUR
Event Code: 3
Message: \Device\ACPIEC: The embedded controller (EC) hardware returned data when none was requested. This may indicate that the BIOS is incorectly trying to access the EC without syncronizing with the OS. The data is being ignored.

Record Number: 1872276
Source Name: ACPIEC
Time Written: 20081221003705.000000-300
Event Type: warning
User:

Application event log

Computer Name: ARTHUR
Event Code: 102
Message: wuaueng.dll (3692) SUS20ClientDataStore: The database engine started a new instance (0).

Record Number: 5
Source Name: ESENT
Time Written: 20081016075656.000000-240
Event Type: information
User:

Computer Name: ARTHUR
Event Code: 100
Message: wuauclt (3692) The database engine 5.01.2600.5512 started.

Record Number: 4
Source Name: ESENT
Time Written: 20081016075656.000000-240
Event Type: information
User:

Computer Name: ARTHUR
Event Code: 0
Message:
Record Number: 3
Source Name: GoogleDesktopManager-080708-050100
Time Written: 20081016075637.000000-240
Event Type: information
User:

Computer Name: ARTHUR
Event Code: 0
Message:
Record Number: 2
Source Name: GoogleDesktopManager-080708-050100
Time Written: 20081016075637.000000-240
Event Type: information
User:

Computer Name: ARTHUR
Event Code: 5000
Message:
Record Number: 1
Source Name: McLogEvent
Time Written: 20081016075629.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 28 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=1c02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


GMER log:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-28 16:05:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 86889870 ZwEnumerateKey
Code 869551B0 ZwFlushInstructionCache
Code 867EC1AE IofCallDriver
Code 868A627E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 867EC1B3
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 868A6283
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 86889874
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 869551B4
? fktdamg.sys The system cannot find the file specified. !
? C:\WINDOWS\System32\drivers\e11d0992.sys The system cannot find the file specified. !
? C:\WINDOWS\System32\drivers\c34db57a.sys The system cannot find the file specified. !
? C:\WINDOWS\System32\drivers\1c6cea2.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\svchost.exe[2808] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[2816] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[2824] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[2832] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 1E9401C7
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] ECE90045
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560002F0
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [00451E94] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 02F0DEE8
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] F45DE856
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590002
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 5D10C483
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 02F959E8
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 0343D7E8
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] ADE8F075
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830002EF
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] A006C70C
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E800451E
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001D70
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 89E8C68B
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C2000344
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 1EA006C7
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] F5E80045
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000022
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 40E95ECE
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 830002F0
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 72102479
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 10418B04
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 10418DC3
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] F18B56C3
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFFCDE8
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 07740108
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] F3A9E856
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 8B590002
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] AC01C700
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E900451E
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFFFAE
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] C7F18B56
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 451EAC06
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] FFA0E800
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 44F6FFFF
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 74010824
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 7CE85607
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 590002F3
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] C25EC68B
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 046A0004
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 449C60B8
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 432EE800
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F18B0003
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8BF07589
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 0002EF77
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 570CC783
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] C70C4E8D
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 451EA006
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 1CC2E800
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C68B0000
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 0343DBE8
IAT C:\WINDOWS\System32\svchost.exe[2808] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0004C200
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 1E9401C7
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] ECE90045
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560002F0
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [00451E94] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 02F0DEE8
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] F45DE856
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590002
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 5D10C483
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 02F959E8
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 0343D7E8
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] ADE8F075
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830002EF
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] A006C70C
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E800451E
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001D70
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 89E8C68B
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C2000344
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 1EA006C7
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] F5E80045
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000022
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 40E95ECE
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 830002F0
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 72102479
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 10418B04
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 10418DC3
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] F18B56C3
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFFCDE8
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 07740108
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] F3A9E856
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 8B590002
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] AC01C700
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E900451E
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFFFAE
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] C7F18B56
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 451EAC06
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] FFA0E800
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 44F6FFFF
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 74010824
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 7CE85607
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 590002F3
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] C25EC68B
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 046A0004
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 449C60B8
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 432EE800
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F18B0003
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8BF07589
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 0002EF77
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 570CC783
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] C70C4E8D
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 451EA006
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 1CC2E800
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C68B0000
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 0343DBE8
IAT C:\WINDOWS\System32\svchost.exe[2816] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0004C200
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 1E9401C7
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] ECE90045
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560002F0
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [00451E94] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 02F0DEE8
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] F45DE856
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590002
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 5D10C483
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 02F959E8
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 0343D7E8
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] ADE8F075
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830002EF
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] A006C70C
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E800451E
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001D70
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 89E8C68B
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C2000344
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 1EA006C7
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] F5E80045
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000022
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 40E95ECE
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 830002F0
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 72102479
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 10418B04
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 10418DC3
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] F18B56C3
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFFCDE8
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 07740108
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] F3A9E856
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 8B590002
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] AC01C700
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E900451E
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFFFAE
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] C7F18B56
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 451EAC06
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] FFA0E800
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 44F6FFFF
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 74010824
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 7CE85607
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 590002F3
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] C25EC68B
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 046A0004
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 449C60B8
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 432EE800
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F18B0003
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8BF07589
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 0002EF77
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 570CC783
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] C70C4E8D
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 451EA006
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 1CC2E800
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C68B0000
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 0343DBE8
IAT C:\WINDOWS\System32\svchost.exe[2824] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0004C200
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 1E9401C7
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] ECE90045
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560002F0
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [00451E94] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 02F0DEE8
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] F45DE856
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590002
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 5D10C483
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 02F959E8
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 0343D7E8
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] ADE8F075
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830002EF
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] A006C70C
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E800451E
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001D70
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 89E8C68B
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C2000344
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 1EA006C7
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] F5E80045
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000022
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 40E95ECE
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 830002F0
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 72102479
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 10418B04
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 10418DC3
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] F18B56C3
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFFCDE8
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 07740108
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] F3A9E856
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 8B590002
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] AC01C700
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E900451E
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFFFAE
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] C7F18B56
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 451EAC06
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] FFA0E800
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 44F6FFFF
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 74010824
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 7CE85607
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 590002F3
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] C25EC68B
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 046A0004
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 449C60B8
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 432EE800
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F18B0003
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8BF07589
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 0002EF77
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 570CC783
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] C70C4E8D
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 451EA006
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 1CC2E800
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C68B0000
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 0343DBE8
IAT C:\WINDOWS\System32\svchost.exe[2832] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0004C200

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 1c6cea2.sys
Device \Driver\NDIS \Device\Ndis [86AFB984] NDIS.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip 1c6cea2.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp 1c6cea2.sys

Device \Driver\AvgTdiX \Device\AvgTdi 1c6cea2.sys

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp 1c6cea2.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp 1c6cea2.sys

Device \FileSystem\Fastfat \Fat A8CE8D20
Device \FileSystem\Fastfat \Fat A8D00631

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#7 xXSenile

xXSenile
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 28 April 2009 - 03:13 PM

I accidentally posted the GMER and RSIT log files in the same reply, but they are both there.

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 29 April 2009 - 12:45 AM

IMPORTANT!! Please disable these programs (if present) before proceed with our fixes.. . Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

1. SpySweeper
2. Spyware Doctor
3. Windows Defender
4. Trojan Hunter
5. WinPatrol
6. Spybot S&D
7. Lavasoft Ad-Aware




Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\31514490.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\mw7so3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\mw7so3.exe (User 'Default user')
O20 - AppInit_DLLs: C:\WINDOWS\system32\vozanije.dll c:\windows\system32\vejorafa.dll


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    
    :files
    C:\WINDOWS\TEMP\31514490.exe
    C:\WINDOWS\TEMP\mw7so3.exe
    C:\WINDOWS\system32\vozanije.dll
    c:\windows\system32\vejorafa.dll
    C:\WINDOWS\system32\fuzedanu.dll
    C:\WINDOWS\system32\vozanije.dll
    C:\WINDOWS\system32\loader100.exe
    C:\WINDOWS\system32\loader49.exe
    C:\WINDOWS\system32\SelfDel.bat
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Run RSIT again... Post these logs in your next reply..

1. OTMoveIt3
2. RSIT log.txt

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 xXSenile

xXSenile
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 29 April 2009 - 02:43 AM

Here are the two logs:

OT:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== FILES ==========
C:\WINDOWS\TEMP\31514490.exe moved successfully.
C:\WINDOWS\TEMP\mw7so3.exe moved successfully.
File/Folder C:\WINDOWS\system32\vozanije.dll not found.
File/Folder c:\windows\system32\vejorafa.dll not found.
LoadLibrary failed for C:\WINDOWS\system32\fuzedanu.dll
C:\WINDOWS\system32\fuzedanu.dll NOT unregistered.
C:\WINDOWS\system32\fuzedanu.dll moved successfully.
File/Folder C:\WINDOWS\system32\vozanije.dll not found.
C:\WINDOWS\system32\loader100.exe moved successfully.
C:\WINDOWS\system32\loader49.exe moved successfully.
C:\WINDOWS\system32\SelfDel.bat moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ARTHUR~1\LOCALS~1\Temp\etilqs_slWd1zglfrNnQzwy4AFt scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Arthur Lau\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\msb.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\nsrbgxod.bak scheduled to be deleted on reboot.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Arthur Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Arthur Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Arthur Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Arthur Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Arthur Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04292009_033315

Files moved on Reboot...
File C:\DOCUME~1\ARTHUR~1\LOCALS~1\Temp\etilqs_slWd1zglfrNnQzwy4AFt not found!
DllUnregisterServer procedure not found in C:\WINDOWS\temp\msb.dll
C:\WINDOWS\temp\msb.dll NOT unregistered.
C:\WINDOWS\temp\msb.dll moved successfully.
C:\WINDOWS\temp\nsrbgxod.bak moved successfully.
C:\Documents and Settings\Arthur Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Arthur Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Arthur Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Arthur Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Arthur Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\urlclassifier3.sqlite moved successfully.


Here is the RST log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Arthur Lau at 2009-04-29 03:40:12
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 122 GB (82%) free of 148 GB
Total RAM: 1012 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:17 AM, on 29/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Arthur Lau\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Arthur Lau.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...08&m=aoa150
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\ARTHUR~1\protect.dll,_IWMPEvents@16
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

--
End of file - 6550 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]
{517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - Contribute Toolbar - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"=C:\WINDOWS\system32\autochk.dll [2009-04-29 24064]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"autochk"=C:\DOCUME~1\ARTHUR~1\protect.dll [2009-04-28 24064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe [2007-09-18 171464]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE [2008-06-04 114688]

C:\Documents and Settings\Arthur Lau\Start Menu\Programs\Startup
ChkDisk.dll
ChkDisk.lnk - C:\WINDOWS\system32\rundll32.exe
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-03 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-03-18 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-02-15 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe"="C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\AVG\AVG8\avgrsx.exe"="C:\Program Files\AVG\AVG8\avgrsx.exe:*:Enabled:avgrsx"
"C:\WINDOWS\system32\spoolsv.exe"="C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv"
"C:\Program Files\AVG\AVG8\avgwdsvc.exe"="C:\Program Files\AVG\AVG8\avgwdsvc.exe:*:Enabled:avgwdsvc"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE"="C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE:*:Enabled:E_FATIAEA"
"C:\Program Files\AVG\AVG8\avgscanx.exe"="C:\Program Files\AVG\AVG8\avgscanx.exe:*:Enabled:avgscanx"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8897e66-e7cf-11dd-922b-002269843e38}]
shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6df8bb6-9ba2-11dd-9195-002269843e38}]
shell\AutoRun\command - D:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dac2cfb3-9b79-11dd-9191-002269843e38}]
shell\AutoRun\command - D:\LaunchU3.exe -a


======List of files/folders created in the last 3 months======

2009-04-29 03:33:15 ----D---- C:\_OTMoveIt
2009-04-28 16:08:26 ----ASH---- C:\WINDOWS\system32\autochk.dll
2009-04-28 16:08:24 ----A---- C:\WINDOWS\system32\lmppcsetup.exe
2009-04-28 15:00:45 ----D---- C:\Program Files\ERUNT
2009-04-16 17:16:53 ----D---- C:\Program Files\Trend Micro
2009-04-16 17:02:22 ----A---- C:\etfdre.txt
2009-04-15 03:05:37 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-15 03:05:30 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-15 03:02:40 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-15 03:02:26 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-15 03:01:02 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-15 03:00:50 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-14 21:37:38 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-03-23 00:43:03 ----D---- C:\Documents and Settings\Arthur Lau\Application Data\vlc
2009-03-23 00:41:51 ----D---- C:\Program Files\VideoLAN
2009-03-11 03:02:12 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 03:02:00 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-02-28 01:16:59 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-13 11:35:15 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-12 00:24:56 ----D---- C:\Documents and Settings\Arthur Lau\Application Data\Help
2009-02-11 23:41:20 ----A---- C:\WINDOWS\system32\LMRTREND.dll
2009-02-11 23:41:19 ----A---- C:\WINDOWS\system32\dxtmsft3.dll
2009-02-11 23:41:16 ----A---- C:\WINDOWS\system32\unam4ie.exe
2009-02-11 23:41:12 ----A---- C:\WINDOWS\system32\vidx16.dll
2009-02-11 23:41:12 ----A---- C:\WINDOWS\system32\qcut.dll
2009-02-11 23:41:11 ----A---- C:\WINDOWS\system32\w95inf32.dll
2009-02-11 23:41:10 ----A---- C:\WINDOWS\system32\w95inf16.dll
2009-02-11 23:40:40 ----A---- C:\WINDOWS\err.txt

======List of files/folders modified in the last 3 months======

2009-04-29 03:38:15 ----D---- C:\Program Files\Mozilla Firefox
2009-04-29 03:37:27 ----D---- C:\WINDOWS\temp
2009-04-29 03:37:27 ----AD---- C:\WINDOWS\system32
2009-04-29 03:34:55 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-28 16:50:37 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-28 16:17:27 ----D---- C:\WINDOWS\Prefetch
2009-04-28 15:58:49 ----D---- C:\rsit
2009-04-28 15:57:26 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-28 15:52:33 ----D---- C:\WINDOWS
2009-04-28 15:52:33 ----AD---- C:\WINDOWS\system32\drivers
2009-04-28 15:01:36 ----D---- C:\WINDOWS\ERDNT
2009-04-28 15:00:45 ----RD---- C:\Program Files
2009-04-28 01:51:53 ----A---- C:\WINDOWS\system32\userinit.exe
2009-04-26 09:10:33 ----D---- C:\Documents and Settings\Arthur Lau\Application Data\EndNote
2009-04-23 18:41:22 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-17 16:13:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-16 20:05:42 ----D---- C:\WINDOWS\Minidump
2009-04-16 01:09:45 ----SD---- C:\Documents and Settings\Arthur Lau\Application Data\Microsoft
2009-04-15 15:56:21 ----D---- C:\WINDOWS\system32\wbem
2009-04-15 15:56:21 ----D---- C:\WINDOWS\AppPatch
2009-04-15 03:05:40 ----HD---- C:\WINDOWS\inf
2009-04-15 03:05:33 ----A---- C:\WINDOWS\imsins.BAK
2009-04-15 03:05:17 ----D---- C:\WINDOWS\system32\en-US
2009-04-15 03:05:17 ----D---- C:\Program Files\Internet Explorer
2009-04-15 03:02:47 ----AD---- C:\I386
2009-04-15 03:02:36 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-15 03:02:22 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-04-15 03:02:19 ----SHD---- C:\WINDOWS\Installer
2009-04-15 01:28:33 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-03-22 11:18:03 ----HD---- C:\$AVG8.VAULT$
2009-03-21 10:06:58 ----A---- C:\WINDOWS\system32\kernel32.dll
2009-03-18 15:48:56 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-03-18 15:48:08 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-03-06 10:22:18 ----A---- C:\WINDOWS\system32\pdh.dll
2009-03-05 21:52:59 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-03-05 21:52:56 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-03-02 20:18:25 ----A---- C:\WINDOWS\system32\wininet.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\webcheck.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\url.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\pngfilt.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\occache.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\mstime.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\msrating.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\mshtmled.dll
2009-02-20 14:09:38 ----A---- C:\WINDOWS\system32\ieencode.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-02-20 14:09:37 ----A---- C:\WINDOWS\system32\iernonce.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\ieaksie.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\ieakeng.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\icardie.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\extmgr.dll
2009-02-20 14:09:36 ----A---- C:\WINDOWS\system32\dxtrans.dll
2009-02-20 14:09:35 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2009-02-20 14:09:35 ----A---- C:\WINDOWS\system32\advpack.dll
2009-02-20 06:20:49 ----A---- C:\WINDOWS\system32\ieudinit.exe
2009-02-20 06:20:49 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-02-20 01:14:12 ----A---- C:\WINDOWS\system32\ieakui.dll
2009-02-13 14:30:50 ----D---- C:\Program Files\Starcraft
2009-02-11 23:41:20 ----D---- C:\Program Files\Windows Media Player
2009-02-11 23:41:16 ----D---- C:\WINDOWS\Help
2009-02-09 08:10:49 ----A---- C:\WINDOWS\system32\lsasrv.dll
2009-02-09 08:10:48 ----A---- C:\WINDOWS\system32\rpcss.dll
2009-02-09 08:10:48 ----A---- C:\WINDOWS\system32\ntdll.dll
2009-02-09 08:10:48 ----A---- C:\WINDOWS\system32\advapi32.dll
2009-02-06 07:11:05 ----A---- C:\WINDOWS\system32\services.exe
2009-02-06 07:06:41 ----A---- C:\WINDOWS\system32\ntoskrnl.exe
2009-02-06 06:39:08 ----A---- C:\WINDOWS\system32\sc.exe
2009-02-06 06:32:56 ----A---- C:\WINDOWS\system32\ntkrnlpa.exe
2009-02-03 15:59:07 ----A---- C:\WINDOWS\system32\secur32.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-03-18 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-03-18 27656]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-03-18 107272]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-04-14 12032]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2008-05-20 1312576]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\WINDOWS\system32\DRIVERS\DKbFltr.sys [2004-12-08 16896]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-05-20 4800000]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-06-30 108800]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC); C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2007-10-01 1769984]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2008-04-24 225024]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 int15.sys;int15.sys; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys []
S3 JMCR;JMCR; C:\WINDOWS\system32\DRIVERS\jmcr.sys [2008-07-07 96856]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 TVicPort;TVICPORT; \??\C:\WINDOWS\system32\DRIVERS\TVICPORT.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 IviRegMgr;IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [2007-01-04 112152]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe []
S2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe []
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S3 Adobe Version Cue CS3;Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [2007-03-20 153792]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-10-16 654848]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 29 April 2009 - 03:08 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 xXSenile

xXSenile
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 29 April 2009 - 05:35 AM

ComboFix 09-04-28.02 - Arthur Lau 29/04/2009 6:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.632 [GMT -4:00]
Running from: c:\documents and settings\Arthur Lau\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Arthur Lau\protect.dll
c:\documents and settings\Arthur Lau\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Arthur Lau\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\e11d0992.sys
c:\windows\system32\uniq.tll

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\init32.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_e11d0992


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 10:06 . 2009-04-29 10:06 27648 ----a-w c:\windows\system32\lmppcsetup.exe
2009-04-29 07:33 . 2009-04-29 07:33 -------- d-----w C:\_OTMoveIt
2009-04-28 19:00 . 2009-04-28 19:00 -------- d-----w c:\program files\ERUNT
2009-04-17 20:13 . 2009-04-29 10:27 89448 ----a-w c:\windows\system32\drivers\1c6cea2.sys
2009-04-16 21:21 . 2009-04-29 10:27 109010 ----a-w c:\windows\system32\drivers\c34db57a.sys
2009-04-16 21:16 . 2009-04-28 19:58 -------- d-----w c:\program files\Trend Micro
2009-04-15 01:37 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 07:44 . 2008-10-16 11:59 93200 ----a-w c:\documents and settings\Arthur Lau\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-23 22:41 . 2008-11-29 04:31 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 20:28 . 2008-04-15 03:00 213120 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-06 19:32 . 2008-11-29 04:31 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-11-29 04:31 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-23 04:41 . 2009-03-23 04:41 -------- d-----w c:\program files\VideoLAN
2009-03-18 19:48 . 2008-10-15 21:11 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-18 19:48 . 2008-10-15 21:11 325128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-18 19:48 . 2008-10-15 21:11 107272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-06 14:22 . 2008-04-15 03:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2007-08-14 01:54 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-04-15 03:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-12 03:41 . 2009-02-12 03:41 4608 ----a-w c:\windows\system32\w95inf32.dll
2009-02-12 03:41 . 2009-02-12 03:41 2272 ----a-w c:\windows\system32\w95inf16.dll
2009-02-09 12:10 . 2008-04-15 03:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-04-15 03:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2008-04-15 03:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-04-15 03:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-04-15 03:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2008-04-15 03:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-04-15 03:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2008-04-15 03:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-04-15 03:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2008-04-15 03:00 56832 ----a-w c:\windows\system32\secur32.dll
.

------- Sigcheck -------

[-] 2009-04-16 20:28 213120 F822B76094D2F27EE01A4399A64EF934 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-16 20:28 213120 F822B76094D2F27EE01A4399A64EF934 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2008-4-14 33280]

c:\documents and settings\Arthur Lau\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"= "c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll" [2007-08-24 2212224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2009-02-20 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 19:56 352256 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-18 19:48 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_FATIAEA.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 avg8emc;AVG Free8 E-mail Scanner; [x]
R2 avg8wd;AVG Free8 WatchDog; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-18 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-18 107272]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8897e66-e7cf-11dd-922b-002269843e38}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6df8bb6-9ba2-11dd-9195-002269843e38}]
\Shell\AutoRun\command - D:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dac2cfb3-9b79-11dd-9191-002269843e38}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-autochk - c:\windows\system32\autochk.dll
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
SharedTaskScheduler-{8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\system32\browseui.dll
ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
SSODL-PostBootReminder-{7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1008&m=aoa150
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
IE: {{92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\MICROS~2\Office12\REFIEBAR.DLL
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} -
Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - c:\progra~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
Handler: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - c:\progra~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
Handler: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - c:\progra~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
Handler: sysimage - {76E67A63-06E9-11D2-A840-006008059382} -
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
Name-Space Handler: mk\* - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
FF - ProfilePath - c:\documents and settings\Arthur Lau\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 06:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxitqrpoep.sys 83456 bytes executable
c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxbdrtctqprj.tmp 132096 bytes executable
c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxcxssetxyex.tmp 106496 bytes executable
c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxxtaxuxhnki.tmp 343040 bytes executable
c:\windows\system32\ovfsthxjjowpgtd.dll 18432 bytes executable
c:\windows\system32\ovfsthxppgtkqdw.dll 18432 bytes executable
c:\windows\system32\ovfsthxvuomsnkc.dll 60928 bytes executable
c:\windows\system32\ovfsthxwkuarhvq.dat 43 bytes
c:\windows\system32\ovfsthxyaoyuogn.dat 214031 bytes

scan completed successfully
hidden files: 9

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\rapavogo.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-29 6:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 10:32
ComboFix2.txt 2008-12-27 19:37

Pre-Run: 127,414,874,112 bytes free
Post-Run: 127,424,126,976 bytes free

221 --- E O F --- 2009-04-15 07:05


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:16 AM, on 29/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...08&m=aoa150
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

--
End of file - 6046 bytes

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 29 April 2009 - 07:14 AM

Next instruction is in your pm.. Then post the log here

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 xXSenile

xXSenile
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 29 April 2009 - 01:27 PM

Here is the new combofix log:

ComboFix 09-04-29.01 - Arthur Lau 29/04/2009 14:18.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.490 [GMT -4:00]
Running from: c:\documents and settings\Arthur Lau\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Arthur Lau\protect.dll
c:\documents and settings\Arthur Lau\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Arthur Lau\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 10:06 . 2009-04-29 10:42 27648 ----a-w c:\windows\system32\lmppcsetup.exe
2009-04-29 07:33 . 2009-04-29 07:33 -------- d-----w C:\_OTMoveIt
2009-04-28 19:00 . 2009-04-28 19:00 -------- d-----w c:\program files\ERUNT
2009-04-17 20:13 . 2009-04-29 18:20 89448 ----a-w c:\windows\system32\drivers\1c6cea2.sys
2009-04-16 21:21 . 2009-04-29 18:20 109010 ----a-w c:\windows\system32\drivers\c34db57a.sys
2009-04-16 21:16 . 2009-04-28 19:58 -------- d-----w c:\program files\Trend Micro
2009-04-15 01:37 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 10:40 . 2008-10-15 21:11 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-29 10:40 . 2008-10-15 21:11 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-29 10:40 . 2008-10-15 21:11 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-29 07:44 . 2008-10-16 11:59 93200 ----a-w c:\documents and settings\Arthur Lau\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-23 22:41 . 2008-11-29 04:31 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 20:28 . 2008-04-15 03:00 213120 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-06 19:32 . 2008-11-29 04:31 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-11-29 04:31 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-23 04:41 . 2009-03-23 04:41 -------- d-----w c:\program files\VideoLAN
2009-03-06 14:22 . 2008-04-15 03:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2007-08-14 01:54 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-04-15 03:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-12 03:41 . 2009-02-12 03:41 4608 ----a-w c:\windows\system32\w95inf32.dll
2009-02-12 03:41 . 2009-02-12 03:41 2272 ----a-w c:\windows\system32\w95inf16.dll
2009-02-09 12:10 . 2008-04-15 03:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-04-15 03:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2008-04-15 03:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-04-15 03:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-04-15 03:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2008-04-15 03:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-04-15 03:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2008-04-15 03:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-04-15 03:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2008-04-15 03:00 56832 ----a-w c:\windows\system32\secur32.dll
.

------- Sigcheck -------

[-] 2009-04-16 20:28 213120 F822B76094D2F27EE01A4399A64EF934 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-16 20:28 213120 F822B76094D2F27EE01A4399A64EF934 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-29_10.27.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-15 19:59 . 2009-04-29 07:40 64262 c:\windows\system32\perfc009.dat
+ 2008-08-15 19:59 . 2009-04-29 10:31 64262 c:\windows\system32\perfc009.dat
+ 2008-08-15 19:59 . 2009-04-29 10:31 405878 c:\windows\system32\perfh009.dat
- 2008-08-15 19:59 . 2009-04-29 07:40 405878 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-29 1932568]
"autochk"="c:\windows\system32\autochk.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\windows\system32\config\SYSTEM~1\protect.dll" [BU]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2008-4-14 33280]

c:\documents and settings\Arthur Lau\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 19:56 352256 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-29 10:40 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_FATIAEA.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-29 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-29 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-29 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-29 298264]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8897e66-e7cf-11dd-922b-002269843e38}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6df8bb6-9ba2-11dd-9195-002269843e38}]
\Shell\AutoRun\command - D:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dac2cfb3-9b79-11dd-9191-002269843e38}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1008&m=aoa150
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Arthur Lau\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 14:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxitqrpoep.sys 83456 bytes executable
c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxbdrtctqprj.tmp 132096 bytes executable
c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxcxssetxyex.tmp 106496 bytes executable
c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxxtaxuxhnki.tmp 343040 bytes executable
c:\windows\system32\ovfsthxjjowpgtd.dll 18432 bytes executable
c:\windows\system32\ovfsthxppgtkqdw.dll 18432 bytes executable
c:\windows\system32\ovfsthxvuomsnkc.dll 60928 bytes executable
c:\windows\system32\ovfsthxwkuarhvq.dat 43 bytes
c:\windows\system32\ovfsthxyaoyuogn.dat 214438 bytes

scan completed successfully
hidden files: 9

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\rapavogo.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-04-29 14:22
ComboFix-quarantined-files.txt 2009-04-29 18:22
ComboFix2.txt 2009-04-29 10:32
ComboFix3.txt 2008-12-27 19:37

Pre-Run: 127,255,957,504 bytes free
Post-Run: 127,377,260,544 bytes free

181 --- E O F --- 2009-04-15 07:05

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 29 April 2009 - 02:46 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/index.php?showtopic=219945&view=findpost&p=1243791

KillAll::

Driver::
1c6cea2
c34db57a
ovfsthxitqrpoep

Collect::
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\drivers\1c6cea2.sys
c:\windows\system32\drivers\c34db57a.sys
c:\windows\system32\drivers\ovfsthxitqrpoep.sys
c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxbdrtctqprj.tmp
c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxcxssetxyex.tmp
c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxxtaxuxhnki.tmp
c:\windows\system32\ovfsthxjjowpgtd.dll
c:\windows\system32\ovfsthxppgtkqdw.dll
c:\windows\system32\ovfsthxvuomsnkc.dll
c:\windows\system32\ovfsthxwkuarhvq.dat
c:\windows\system32\ovfsthxyaoyuogn.dat
c:\windows\system32\rapavogo.dll

File::
c:\windows\system32\autochk.dll
c:\windows\system32\config\SYSTEM~1\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.lnk

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autochk"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.
Note::
If Combofix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 xXSenile

xXSenile
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 29 April 2009 - 04:11 PM

Here is the CF log file:

ComboFix 09-04-29.01 - Arthur Lau 29/04/2009 16:58.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.453 [GMT -4:00]
Running from: c:\documents and settings\Arthur Lau\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Arthur Lau\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\autochk.dll
c:\windows\system32\config\SYSTEM~1\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.lnk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxbdrtctqprj.tmp
c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxcxssetxyex.tmp
c:\docume~1\ARTHUR~1\LOCALS~1\Temp\ovfsthxxtaxuxhnki.tmp
c:\documents and settings\Arthur Lau\protect.dll
c:\documents and settings\Arthur Lau\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Arthur Lau\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\autochk.dll
c:\windows\system32\config\SYSTEM~1\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\drivers\1c6cea2.sys
c:\windows\system32\drivers\c34db57a.sys
c:\windows\system32\drivers\ovfsthxitqrpoep.sys
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\ovfsthxjjowpgtd.dll
c:\windows\system32\ovfsthxppgtkqdw.dll
c:\windows\system32\ovfsthxvuomsnkc.dll
c:\windows\system32\ovfsthxwkuarhvq.dat
c:\windows\system32\ovfsthxyaoyuogn.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_1c6cea2
-------\Service_c34db57a
-------\Service_ovfsthxsaufigvf


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 07:33 . 2009-04-29 07:33 -------- d-----w C:\_OTMoveIt
2009-04-28 19:00 . 2009-04-28 19:00 -------- d-----w c:\program files\ERUNT
2009-04-17 20:13 . 2009-04-29 21:03 89448 ----a-w c:\windows\system32\drivers\1c6cea2.sys
2009-04-16 21:16 . 2009-04-28 19:58 -------- d-----w c:\program files\Trend Micro
2009-04-15 01:37 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 10:40 . 2008-10-15 21:11 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-29 10:40 . 2008-10-15 21:11 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-29 10:40 . 2008-10-15 21:11 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-29 07:44 . 2008-10-16 11:59 93200 ----a-w c:\documents and settings\Arthur Lau\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-23 22:41 . 2008-11-29 04:31 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 20:28 . 2008-04-15 03:00 213120 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-06 19:32 . 2008-11-29 04:31 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-11-29 04:31 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-23 04:41 . 2009-03-23 04:41 -------- d-----w c:\program files\VideoLAN
2009-03-06 14:22 . 2008-04-15 03:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2007-08-14 01:54 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-04-15 03:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-12 03:41 . 2009-02-12 03:41 4608 ----a-w c:\windows\system32\w95inf32.dll
2009-02-12 03:41 . 2009-02-12 03:41 2272 ----a-w c:\windows\system32\w95inf16.dll
2009-02-09 12:10 . 2008-04-15 03:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-04-15 03:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2008-04-15 03:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-04-15 03:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-04-15 03:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2008-04-15 03:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-04-15 03:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2008-04-15 03:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-04-15 03:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2008-04-15 03:00 56832 ----a-w c:\windows\system32\secur32.dll
.

------- Sigcheck -------

[-] 2009-04-16 20:28 213120 F822B76094D2F27EE01A4399A64EF934 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-16 20:28 213120 F822B76094D2F27EE01A4399A64EF934 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-29_10.27.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-15 19:59 . 2009-04-29 07:40 64262 c:\windows\system32\perfc009.dat
+ 2008-08-15 19:59 . 2009-04-29 10:31 64262 c:\windows\system32\perfc009.dat
+ 2008-08-15 19:59 . 2009-04-29 10:31 405878 c:\windows\system32\perfh009.dat
- 2008-08-15 19:59 . 2009-04-29 07:40 405878 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-29 1932568]

c:\documents and settings\Arthur Lau\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 19:56 352256 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-29 10:40 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_FATIAEA.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-29 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-29 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-29 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-29 298264]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8897e66-e7cf-11dd-922b-002269843e38}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6df8bb6-9ba2-11dd-9195-002269843e38}]
\Shell\AutoRun\command - D:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dac2cfb3-9b79-11dd-9191-002269843e38}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1008&m=aoa150
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Arthur Lau\Application Data\Mozilla\Firefox\Profiles\4nqmraaw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 17:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-29 17:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 21:07
ComboFix2.txt 2009-04-29 18:22
ComboFix3.txt 2009-04-29 10:32
ComboFix4.txt 2008-12-27 19:37

Pre-Run: 127,314,317,312 bytes free
Post-Run: 127,313,862,656 bytes free

194 --- E O F --- 2009-04-15 07:05


Here is the new hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:00 PM, on 29/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...08&m=aoa150
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

--
End of file - 6356 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users