i think i've been hijacked! spybot/windows update not working


  • This topic is locked
32 replies to this topic

#1 R!CH
Posted 25 April 2009 - 08:08 PM

hi, i just tried to download sp3 for office 2003 through windows update and it failed to initiate a download. sensing a problem, i tried to run spybot, but i get a 'program has stopped working' error message immediately every time. i tried to run the spybot updater through tea timer, which is running, but i get an 'error retrieving update info file' message. next i tried reinstalling spybot from a saved installer file, but it fails to connect to their server. finally i tried to access safer-networking.org directly, but get 'address not found'. ad-aware is also unable to update its definitions. i know spybot website is up because my friends can load it when i ask them to so my thought now is that i've been hijacked by some trojan that prevents anything on my system from updating/finding a fix. below is my hjt log, please help me solve this problem! thanks...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:19 PM, on 4/25/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{095E9F26-CC19-4B9F-9741-F37143D52571}: NameServer = 85.255.112.72,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.72,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\..\{095E9F26-CC19-4B9F-9741-F37143D52571}: NameServer = 85.255.112.72,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.72,85.255.112.151
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5677 bytes

Edited by R!CH, 25 April 2009 - 08:10 PM.
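Added example, not part of this thread or of any tool mentioned in it: a small Python triage script for the O17 (NameServer) lines of a HijackThis log like the one above. Resolver addresses that the machine was never configured to use are one thing that would make update servers and security sites fail to resolve while a friend's PC loads them fine. It assumes the PC should only get its resolvers from a home router on a private address (DEFAULT_EXPECTED is an assumption; an ISP's public resolvers or a corporate DNS server would have to be added), and its sample input is constructed from the O17 lines posted here plus one benign line.

```python
import ipaddress
import re

# Constructed sample: the first four O17 lines are copied from the HijackThis
# log posted in this thread; the last line is a constructed benign entry (a home
# router on a private address) so the check has something it should NOT flag.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O17 - HKLM\System\CCS\Services\Tcpip\..\{095E9F26-CC19-4B9F-9741-F37143D52571}: NameServer = 85.255.112.72,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.72,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\..\{095E9F26-CC19-4B9F-9741-F37143D52571}: NameServer = 85.255.112.72,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.72,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEADBEEF-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Assumption: resolvers the machine is expected to use. The private ranges cover
# a home router; an ISP's public resolvers or a corporate DNS server must be
# added by whoever is doing the triage.
DEFAULT_EXPECTED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return one dict per O17 line: the registry key and its NameServer list.

    HijackThis prints the NameServer value verbatim, so several resolvers
    appear comma- or space-separated on a single line.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append({"key": m.group("key"), "servers": servers})
    return entries


def flag_nameservers(entries, expected=DEFAULT_EXPECTED):
    """Return (key, server) pairs whose resolver lies outside the expected networks.

    A NameServer value that is not an IP address at all is flagged as well;
    it is at least worth a human look.
    """
    nets = [ipaddress.ip_network(n) for n in expected]
    flagged = []
    for entry in entries:
        for server in entry["servers"]:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                flagged.append((entry["key"], server))
                continue
            if not any(ip in net for net in nets):
                flagged.append((entry["key"], server))
    return flagged


def control_sets_with(flagged):
    """Group flagged resolvers by the control set (CCS, CS1, ...) they live in.

    The same unexpected resolver in both CurrentControlSet and ControlSet001
    means the setting also survives a 'Last Known Good Configuration' boot,
    which is why fixing it in one place is not enough.
    """
    by_ip = {}
    for key, server in flagged:
        m = re.search(r"\\System\\(C\w+)\\", key)
        control_set = m.group(1) if m else "?"
        by_ip.setdefault(server, set()).add(control_set)
    return {server: sorted(cs) for server, cs in by_ip.items()}


if __name__ == "__main__":
    found = flag_nameservers(parse_o17(SAMPLE_LOG))
    for server, control_sets in control_sets_with(found).items():
        print(f"unexpected DNS server {server} set in {', '.join(control_sets)}")
```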




#2 R!CH
Posted 25 April 2009 - 08:48 PM

update: i just ran gmer and catchme, both programs found rootkit activity produced by 3 files:


catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Windows\System32\drivers\gxvxcqrdubjpklcdewxkdedjuiyiuccglaucx.sys 32768 bytes
C:\Windows\System32\gxvxccounter 8 bytes
C:\Windows\System32\gxvxcnwymfjijguoactpysmtdhusdllwvjgvu.dll 16384 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


in spite of identifying these files, i am unable to locate them in explorer. i do have folder options set on show hidden files and folders too.

Edited by R!CH, 25 April 2009 - 08:54 PM.


#3 R!CH
Posted 26 April 2009 - 12:23 AM

halp

#4 myrti
Posted 26 April 2009 - 02:22 PM

Hello R!CH and Welcome to BleepingComputer.com

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 myrti
Posted 26 April 2009 - 02:43 PM

Hi,

Please disable your anti spyware programs during the following steps.
If you are unsure on how to do this, please read this guide
Your anti spyware program is: TeaTimer from Spybot S&D

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.
Please post back the logfile from Malwarebytes, as well as the 2 logs created by RSIT: log.txt and info.txt

regards _temp_



#6 R!CH
Posted 28 April 2009 - 01:55 AM

hi _temp_,

thanks for your response! i forgot to mention that i tried installing malwarebytes and running it prior to this thread, but i encounter the same problem that i do with spybot when opening the program: "program has stopped running" close program prompt pops up immediately. i tried to reinstall it once again following your instructions, but the first 2 websites you posted are blocked in the same way "404". the 3rd link--majorgeeks.com--is where i dl'ed my first installer. i uninstalled malwarebytes and redid the installation with a 2nd dl. same results. i should also note that my windows defender definition updater is blocked as well.

the good news is i was able to run rsit.exe and here are my logs...


log.txt

__________________________________________________________

Logfile of random's system information tool 1.06 (written by random/random)
Run by R!CH at 2009-04-27 23:43:22
Microsoft® Windows Vista™ Home Premium
System drive C: has 404 GB (85%) free of 477 GB
Total RAM: 2046 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:39 PM, on 4/27/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\R!CH\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\R!CH.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{095E9F26-CC19-4B9F-9741-F37143D52571}: NameServer = 85.255.112.72,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.72,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\..\{095E9F26-CC19-4B9F-9741-F37143D52571}: NameServer = 85.255.112.72,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.72,85.255.112.151
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5737 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2573747636-4075412569-133060285-1000.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2009-02-27 61816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-14 35840]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2009-04-14 1006264]
"Kernel and Hardware Abstraction Layer"=C:\Windows\KHALMNPR.EXE [2008-12-18 76304]
"itype"=C:\Program Files\Microsoft IntelliType Pro\itype.exe [2008-06-10 1442888]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2009-03-27 13687328]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2009-03-27 92704]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-04-06 401040]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe [2007-06-14 149024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe [2007-06-14 1945688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe [2009-04-01 203928]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe [2007-06-14 1169720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Users\R!CH\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-14 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\Windows\system32\NvMcTray.dll [2009-03-27 92704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-14 148888]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
relog_ap

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Windows\trlrm\RMHSvc.exe"="C:\Windows\trlrm\RMHSvc.exe:*:Enabled:RMHSvc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Windows\trlrm\RMHSvc.exe"="C:\Windows\trlrm\RMHSvc.exe:*:Enabled:RMHSvc.exe"

======File associations======

.js - open - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\dreamweaver.exe","%1"

======List of files/folders created in the last 1 months======

2009-04-27 23:43:22 ----D---- C:\rsit
2009-04-27 23:42:07 ----D---- C:\ProgramData\Malwarebytes
2009-04-27 23:42:07 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-27 03:46:46 ----D---- C:\Windows\Minidump
2009-04-25 20:06:53 ----A---- C:\Windows\ntbtlog.txt
2009-04-25 19:24:18 ----D---- C:\Windows\system32\AGEIA
2009-04-25 19:24:18 ----D---- C:\Program Files\AGEIA Technologies
2009-04-25 19:24:09 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-04-25 19:23:06 ----D---- C:\NVIDIA
2009-04-25 18:59:34 ----A---- C:\Windows\spywall_log.txt
2009-04-25 17:08:35 ----D---- C:\Users\R!CH\AppData\Roaming\Lavasoft
2009-04-25 17:08:24 ----D---- C:\Program Files\Lavasoft
2009-04-23 05:06:22 ----D---- C:\VA_-_Fabric_41_Mixed_By_Luciano-CD-2008-SQ
2009-04-21 14:25:55 ----D---- C:\Guy_Gerber-Timing-(COR12056)-WEB-2009-320
2009-04-21 13:55:09 ----D---- C:\Tiger_Stripes-Hooked__Remixes-(LDS07)-WEB-2008-320
2009-04-21 13:54:44 ----D---- C:\Dave_Lee-Mucho_Macho_(Tiger_Stripes_Remixes)-(Zedd12106)-WEB-2009-SOULFUL
2009-04-21 13:54:43 ----D---- C:\DJ_Kharma_And_Mighty_Atom-Mammagamma-(RSR009)-WEB-2008-320
2009-04-21 13:53:38 ----D---- C:\Ida_Engberg_And_David_West-Supercluster-(PICKADOLL406)-WEB-2009-EPiCFAiL
2009-04-21 13:53:14 ----D---- C:\Losoul-Care-2009-DV8
2009-04-21 13:52:42 ----D---- C:\Oliver_Moldan_And_Norman_Zube-Requiem-(AT051)-WEB-2008-320
2009-04-20 01:42:58 ----D---- C:\RECYCLER
2009-04-17 22:53:33 ----D---- C:\Program Files\Microsoft IntelliType Pro
2009-04-17 17:04:58 ----D---- C:\Program Files\Microsoft Silverlight
2009-04-16 16:05:11 ----A---- C:\Windows\system32\es.dll
2009-04-16 15:23:25 ----D---- C:\Windows\Sun
2009-04-16 14:31:11 ----D---- C:\ProgramData\FLEXnet
2009-04-15 02:53:38 ----D---- C:\Program Files\Safari
2009-04-15 02:37:41 ----D---- C:\Program Files\Common Files\Ahead
2009-04-15 02:37:41 ----D---- C:\Program Files\Ahead
2009-04-15 02:22:51 ----D---- C:\Program Files\Nero 8.3.2.1 - Micro TS - Vista
2009-04-15 02:19:55 ----D---- C:\Users\R!CH\AppData\Roaming\Winamp
2009-04-15 02:19:55 ----D---- C:\Program Files\Winamp
2009-04-15 01:51:00 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-04-14 23:57:46 ----D---- C:\Users\R!CH\AppData\Roaming\Media Player Classic
2009-04-14 23:25:11 ----D---- C:\ProgramData\NOS
2009-04-14 23:25:11 ----D---- C:\Program Files\NOS
2009-04-14 23:06:51 ----HD---- C:\ProgramData\CanonBJ
2009-04-14 23:01:11 ----D---- C:\Program Files\efs
2009-04-14 23:00:56 ----D---- C:\Program Files\Mythicsoft
2009-04-14 22:56:54 ----D---- C:\Users\R!CH\AppData\Roaming\gtk-2.0
2009-04-14 22:55:02 ----D---- C:\Users\R!CH\AppData\Roaming\.purple
2009-04-14 22:49:50 ----D---- C:\Program Files\Pidgin
2009-04-14 22:49:46 ----D---- C:\Program Files\Common Files\GTK
2009-04-14 22:48:41 ----D---- C:\Program Files\WinPcap
2009-04-14 22:47:51 ----D---- C:\Program Files\WMR11
2009-04-14 22:30:52 ----A---- C:\Windows\system32\unrar.dll
2009-04-14 22:30:51 ----A---- C:\Windows\system32\yv12vfw.dll
2009-04-14 22:30:51 ----A---- C:\Windows\system32\xvidvfw.dll
2009-04-14 22:30:51 ----A---- C:\Windows\system32\xvidcore.dll
2009-04-14 22:30:51 ----A---- C:\Windows\system32\qt-dx331.dll
2009-04-14 22:30:51 ----A---- C:\Windows\system32\dpl100.dll
2009-04-14 22:30:51 ----A---- C:\Windows\system32\divx.dll
2009-04-14 22:30:50 ----A---- C:\Windows\system32\ff_vfw.dll.manifest
2009-04-14 22:30:50 ----A---- C:\Windows\system32\ff_vfw.dll
2009-04-14 22:30:49 ----D---- C:\Program Files\K-Lite Codec Pack
2009-04-14 22:30:49 ----A---- C:\Windows\system32\pthreadGC2.dll
2009-04-14 22:26:49 ----D---- C:\Program Files\VirtualDub
2009-04-14 22:20:57 ----D---- C:\Users\R!CH\AppData\Roaming\WinRAR
2009-04-14 22:20:49 ----D---- C:\Users\R!CH\AppData\Roaming\iPodder
2009-04-14 22:20:46 ----D---- C:\Program Files\Juice
2009-04-14 22:20:30 ----D---- C:\Program Files\WinRAR
2009-04-14 22:19:48 ----D---- C:\Program Files\Bradbury
2009-04-14 22:19:48 ----A---- C:\Windows\unlite2.exe
2009-04-14 22:19:46 ----A---- C:\Windows\system32\cfvalidator.dll
2009-04-14 22:19:46 ----A---- C:\Windows\system32\cfssvradmin.dll
2009-04-14 22:19:46 ----A---- C:\Windows\system32\CfShellFtpRds.dll
2009-04-14 22:19:46 ----A---- C:\Windows\system32\CFRegExp.dll
2009-04-14 22:19:46 ----A---- C:\Windows\system32\CFFtp.dll
2009-04-14 22:19:46 ----A---- C:\Windows\system32\CFFileProxy.dll
2009-04-14 22:19:43 ----D---- C:\Program Files\Common Files\Macromedia
2009-04-14 22:19:43 ----A---- C:\Windows\system32\xmltok.dll
2009-04-14 22:19:43 ----A---- C:\Windows\system32\xmlparse.dll
2009-04-14 22:19:43 ----A---- C:\Windows\system32\Sslsvc.dll
2009-04-14 22:19:43 ----A---- C:\Windows\system32\ftppro32.dll
2009-04-14 22:19:43 ----A---- C:\Windows\system32\cfmsg.dll
2009-04-14 22:19:37 ----D---- C:\Program Files\Macromedia
2009-04-14 22:18:18 ----D---- C:\Program Files\Common Files\InstallShield
2009-04-14 22:16:34 ----D---- C:\Users\R!CH\AppData\Roaming\Ableton
2009-04-14 22:15:54 ----D---- C:\Program Files\mp3DirectCut
2009-04-14 21:56:19 ----D---- C:\Program Files\uTorrent
2009-04-14 21:56:12 ----D---- C:\Users\R!CH\AppData\Roaming\uTorrent
2009-04-14 21:55:00 ----D---- C:\Program Files\Amazon
2009-04-14 21:54:17 ----D---- C:\Program Files\AVIcodec
2009-04-14 21:52:28 ----D---- C:\Users\R!CH\AppData\Roaming\DivX
2009-04-14 21:45:44 ----D---- C:\Users\R!CH\AppData\Roaming\Apple Computer
2009-04-14 21:45:11 ----DC---- C:\Windows\system32\DRVSTORE
2009-04-14 21:45:11 ----A---- C:\Windows\system32\GEARAspi.dll
2009-04-14 21:44:56 ----D---- C:\Program Files\iPod
2009-04-14 21:44:55 ----D---- C:\ProgramData\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-14 21:44:54 ----D---- C:\Program Files\iTunes
2009-04-14 21:43:57 ----D---- C:\ProgramData\Apple Computer
2009-04-14 21:43:41 ----D---- C:\Program Files\Apple Software Update
2009-04-14 21:43:11 ----D---- C:\Program Files\Common Files\Apple
2009-04-14 21:43:10 ----D---- C:\ProgramData\Apple
2009-04-14 21:36:18 ----A---- C:\Windows\system32\WNASPI32.DLL
2009-04-14 21:36:15 ----D---- C:\Program Files\Alt MP3 Bitrate Converter
2009-04-14 21:35:17 ----D---- C:\Program Files\Common Files\PX Storage Engine
2009-04-14 21:35:06 ----D---- C:\Program Files\DivX
2009-04-14 21:35:06 ----D---- C:\Program Files\Common Files\DivX Shared
2009-04-14 21:24:37 ----D---- C:\ProgramData\ALM
2009-04-14 21:12:16 ----D---- C:\Program Files\QuickTime
2009-04-14 20:38:17 ----D---- C:\ProgramData\Adobe
2009-04-14 20:34:52 ----D---- C:\Program Files\Bonjour
2009-04-14 20:32:16 ----D---- C:\Program Files\Adobe
2009-04-14 20:30:43 ----D---- C:\Program Files\Common Files\Macrovision Shared
2009-04-14 20:28:42 ----D---- C:\Program Files\Common Files\Adobe
2009-04-14 20:26:17 ----D---- C:\Program Files\Alcohol Soft
2009-04-14 19:53:52 ----D---- C:\Program Files\Trend Micro
2009-04-14 19:41:31 ----D---- C:\Program Files\Seagate
2009-04-14 19:41:31 ----D---- C:\Program Files\Common Files\Seagate
2009-04-14 19:39:56 ----A---- C:\latency.exe
2009-04-14 19:39:56 ----A---- C:\cpuz-readme.txt
2009-04-14 19:39:56 ----A---- C:\cpuz.ini
2009-04-14 19:39:56 ----A---- C:\cpuz.exe
2009-04-14 19:39:45 ----A---- C:\Core Temp.exe
2009-04-14 19:34:40 ----D---- C:\Users\R!CH\AppData\Roaming\SmartFTP
2009-04-14 19:33:22 ----D---- C:\Program Files\SmartFTP Client
2009-04-14 19:31:47 ----D---- C:\Users\R!CH\AppData\Roaming\Opera
2009-04-14 19:31:26 ----D---- C:\Program Files\Opera
2009-04-14 19:23:37 ----D---- C:\Users\R!CH\AppData\Roaming\Logitech
2009-04-14 19:23:28 ----D---- C:\ProgramData\LogiShrd
2009-04-14 19:21:59 ----A---- C:\Windows\system32\BtCoreIf.dll
2009-04-14 19:21:56 ----A---- C:\Windows\system32\KemXML.dll
2009-04-14 19:21:56 ----A---- C:\Windows\system32\KemWnd.dll
2009-04-14 19:21:56 ----A---- C:\Windows\system32\KemUtil.dll
2009-04-14 19:21:56 ----A---- C:\Windows\system32\kemutb.dll
2009-04-14 19:21:44 ----D---- C:\ProgramData\Logitech
2009-04-14 19:21:43 ----HD---- C:\Program Files\InstallShield Installation Information
2009-04-14 19:21:40 ----D---- C:\Program Files\Common Files\Logishrd
2009-04-14 19:21:37 ----D---- C:\Program Files\Logitech
2009-04-14 19:17:24 ----D---- C:\Users\R!CH\AppData\Roaming\Macromedia
2009-04-14 19:17:24 ----D---- C:\Users\R!CH\AppData\Roaming\Adobe
2009-04-14 19:16:24 ----A---- C:\Windows\system32\javaws.exe
2009-04-14 19:16:24 ----A---- C:\Windows\system32\javaw.exe
2009-04-14 19:16:24 ----A---- C:\Windows\system32\java.exe
2009-04-14 19:16:24 ----A---- C:\Windows\system32\deploytk.dll
2009-04-14 19:16:06 ----D---- C:\Program Files\Java
2009-04-14 19:14:32 ----D---- C:\Windows\system32\Macromed
2009-04-14 19:07:36 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-04-14 19:07:36 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-04-14 18:50:41 ----D---- C:\Users\R!CH\AppData\Roaming\Mozilla
2009-04-14 18:50:34 ----D---- C:\Program Files\Mozilla Firefox
2009-04-14 18:45:21 ----A---- C:\Windows\ODBC.INI
2009-04-14 18:45:11 ----A---- C:\Windows\system32\mdimon.dll
2009-04-14 18:44:40 ----D---- C:\Program Files\Microsoft ActiveSync
2009-04-14 18:44:37 ----D---- C:\Program Files\Common Files\DESIGNER
2009-04-14 18:44:25 ----D---- C:\Windows\PCHEALTH
2009-04-14 18:44:25 ----D---- C:\Program Files\Microsoft.NET
2009-04-14 18:44:25 ----D---- C:\Program Files\Microsoft Office
2009-04-14 18:41:27 ----RHD---- C:\MSOCache
2009-04-14 18:25:19 ----A---- C:\Windows\system32\msshsq.dll
2009-04-14 18:21:54 ----D---- C:\ProgramData\NVIDIA
2009-04-14 17:09:04 ----A---- C:\Windows\system32\nvuninst.exe
2009-04-14 17:09:04 ----A---- C:\Windows\system32\nvcpluir.dll
2009-04-14 17:09:04 ----A---- C:\Windows\system32\nvcplui.exe
2009-04-14 17:07:59 ----A---- C:\Windows\system32\winipsec.dll
2009-04-14 17:07:59 ----A---- C:\Windows\system32\FwRemoteSvr.dll
2009-04-14 17:07:58 ----A---- C:\Windows\system32\polstore.dll
2009-04-14 17:07:58 ----A---- C:\Windows\system32\IPSECSVC.DLL
2009-04-14 17:07:03 ----A---- C:\Windows\system32\riched32.dll
2009-04-14 17:07:03 ----A---- C:\Windows\system32\riched20.dll
2009-04-14 17:07:01 ----A---- C:\Windows\system32\rasser.dll
2009-04-14 17:07:01 ----A---- C:\Windows\system32\rasmxs.dll
2009-04-14 17:07:01 ----A---- C:\Windows\system32\rasdiag.dll
2009-04-14 17:07:01 ----A---- C:\Windows\system32\rascfg.dll
2009-04-14 17:07:01 ----A---- C:\Windows\system32\netcfgx.dll
2009-04-14 17:07:01 ----A---- C:\Windows\system32\msftedit.dll
2009-04-14 17:07:00 ----A---- C:\Windows\system32\ipnathlp.dll
2009-04-14 17:07:00 ----A---- C:\Windows\system32\icsunattend.exe
2009-04-14 17:06:59 ----A---- C:\Windows\system32\wshqos.dll
2009-04-14 17:06:59 ----A---- C:\Windows\system32\traffic.dll
2009-04-14 17:06:59 ----A---- C:\Windows\system32\pacerprf.dll
2009-04-14 17:06:59 ----A---- C:\Windows\system32\localspl.dll
2009-04-14 17:06:59 ----A---- C:\Windows\system32\dps.dll
2009-04-14 17:06:59 ----A---- C:\Windows\system32\cdd.dll
2009-04-14 17:06:05 ----A---- C:\Windows\system32\PortableDeviceTypes.dll
2009-04-14 17:06:05 ----A---- C:\Windows\system32\PortableDeviceClassExtension.dll
2009-04-14 17:06:05 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2009-04-14 17:05:10 ----A---- C:\Windows\system32\msoert2.dll
2009-04-14 17:05:10 ----A---- C:\Windows\system32\msoeacct.dll
2009-04-14 17:05:10 ----A---- C:\Windows\system32\ACCTRES.dll
2009-04-14 17:04:11 ----A---- C:\Windows\system32\wtsapi32.dll
2009-04-14 17:04:09 ----A---- C:\Windows\system32\wlansvc.dll
2009-04-14 17:04:09 ----A---- C:\Windows\system32\wlanmsm.dll
2009-04-14 17:04:09 ----A---- C:\Windows\system32\wlanhlp.dll
2009-04-14 17:04:09 ----A---- C:\Windows\system32\wlanapi.dll
2009-04-14 17:04:09 ----A---- C:\Windows\system32\sysmain.dll
2009-04-14 17:04:08 ----A---- C:\Windows\system32\wlansec.dll
2009-04-14 17:03:16 ----A---- C:\Windows\system32\WebClnt.dll
2009-04-14 17:02:20 ----A---- C:\Windows\system32\winsrv.dll
2009-04-14 17:02:20 ----A---- C:\Windows\system32\csrsrv.dll
2009-04-14 16:58:51 ----A---- C:\Windows\system32\winhttp.dll
2009-04-14 16:57:11 ----A---- C:\Windows\system32\gdi32.dll
2009-04-14 16:54:40 ----A---- C:\Windows\system32\mcupdate_GenuineIntel.dll
2009-04-14 16:53:51 ----A---- C:\Windows\system32\xolehlp.dll
2009-04-14 16:53:51 ----A---- C:\Windows\system32\msdtcprx.dll
2009-04-14 16:52:07 ----A---- C:\Windows\system32\Apphlpdm.dll
2009-04-14 16:52:05 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2009-04-14 16:52:05 ----A---- C:\Windows\system32\gameux.dll
2009-04-14 16:51:10 ----A---- C:\Windows\system32\wmpeffects.dll
2009-04-14 16:50:19 ----A---- C:\Windows\system32\msxml3r.dll
2009-04-14 16:50:19 ----A---- C:\Windows\system32\msxml3.dll
2009-04-14 16:49:28 ----A---- C:\Windows\system32\msscp.dll
2009-04-14 16:48:36 ----A---- C:\Windows\system32\MediaMetadataHandler.dll
2009-04-14 16:47:45 ----A---- C:\Windows\system32\FirewallAPI.dll
2009-04-14 16:47:44 ----A---- C:\Windows\system32\wfapigp.dll
2009-04-14 16:47:44 ----A---- C:\Windows\system32\MPSSVC.dll
2009-04-14 16:47:44 ----A---- C:\Windows\system32\icfupgd.dll
2009-04-14 16:47:44 ----A---- C:\Windows\system32\cmifw.dll
2009-04-14 16:47:43 ----A---- C:\Windows\system32\iphlpsvc.dll
2009-04-14 16:46:53 ----A---- C:\Windows\system32\netapi32.dll
2009-04-14 16:45:54 ----A---- C:\Windows\system32\tzres.dll
2009-04-14 16:44:43 ----A---- C:\Windows\system32\mcmde.dll
2009-04-14 16:44:43 ----A---- C:\Windows\system32\EncDec.dll
2009-04-14 16:44:42 ----A---- C:\Windows\system32\psisdecd.dll
2009-04-14 16:43:47 ----A---- C:\Windows\system32\wmploc.DLL
2009-04-14 16:43:47 ----A---- C:\Windows\system32\wmp.dll
2009-04-14 16:43:46 ----A---- C:\Windows\system32\spwmp.dll
2009-04-14 16:43:46 ----A---- C:\Windows\system32\dxmasf.dll
2009-04-14 16:42:26 ----A---- C:\Windows\system32\shell32.dll
2009-04-14 16:39:03 ----A---- C:\Windows\system32\DWWIN.EXE
2009-04-14 16:38:21 ----A---- C:\Windows\explorer.exe
2009-04-14 16:36:51 ----A---- C:\Windows\system32\hcrstco.dll
2009-04-14 16:36:51 ----A---- C:\Windows\system32\hccoin.dll
2009-04-14 16:35:24 ----A---- C:\Windows\system32\netcfg.exe
2009-04-14 16:35:23 ----A---- C:\Windows\system32\tcpipcfg.dll
2009-04-14 16:35:23 ----A---- C:\Windows\system32\netiougc.exe
2009-04-14 16:34:14 ----A---- C:\Windows\system32\NlsLexicons0045.dll
2009-04-14 16:34:13 ----A---- C:\Windows\system32\NlsLexicons0047.dll
2009-04-14 16:34:13 ----A---- C:\Windows\system32\NlsLexicons0046.dll
2009-04-14 16:34:12 ----A---- C:\Windows\system32\NlsLexicons0049.dll
2009-04-14 16:34:12 ----A---- C:\Windows\system32\NlsLexicons0039.dll
2009-04-14 16:34:12 ----A---- C:\Windows\system32\NlsLexicons0021.dll
2009-04-14 16:34:12 ----A---- C:\Windows\system32\NlsLexicons0020.dll
2009-04-14 16:34:11 ----A---- C:\Windows\system32\NlsLexicons0026.dll
2009-04-14 16:34:11 ----A---- C:\Windows\system32\NlsLexicons0024.dll
2009-04-14 16:34:11 ----A---- C:\Windows\system32\NlsLexicons0022.dll
2009-04-14 16:34:10 ----A---- C:\Windows\system32\NlsLexicons0027.dll
2009-04-14 16:34:10 ----A---- C:\Windows\system32\NlsLexicons0011.dll
2009-04-14 16:34:10 ----A---- C:\Windows\system32\NlsLexicons0010.dll
2009-04-14 16:34:09 ----A---- C:\Windows\system32\NlsLexicons0018.dll
2009-04-14 16:34:09 ----A---- C:\Windows\system32\NlsLexicons0013.dll
2009-04-14 16:34:08 ----A---- C:\Windows\system32\NlsLexicons0019.dll
2009-04-14 16:34:08 ----A---- C:\Windows\system32\NlsLexicons0003.dll
2009-04-14 16:34:08 ----A---- C:\Windows\system32\NlsLexicons0002.dll
2009-04-14 16:34:08 ----A---- C:\Windows\system32\NlsLexicons0001.dll
2009-04-14 16:34:07 ----A---- C:\Windows\system32\NlsLexicons0009.dll
2009-04-14 16:34:07 ----A---- C:\Windows\system32\NlsLexicons0007.dll
2009-04-14 16:34:06 ----A---- C:\Windows\system32\NlsLexicons004e.dll
2009-04-14 16:34:06 ----A---- C:\Windows\system32\NlsLexicons004c.dll
2009-04-14 16:34:06 ----A---- C:\Windows\system32\NlsLexicons004b.dll
2009-04-14 16:34:06 ----A---- C:\Windows\system32\NlsLexicons004a.dll
2009-04-14 16:34:05 ----A---- C:\Windows\system32\NlsLexicons003e.dll
2009-04-14 16:34:05 ----A---- C:\Windows\system32\NlsLexicons002a.dll
2009-04-14 16:34:05 ----A---- C:\Windows\system32\NlsLexicons001a.dll
2009-04-14 16:34:04 ----A---- C:\Windows\system32\NlsLexicons001d.dll
2009-04-14 16:34:04 ----A---- C:\Windows\system32\NlsLexicons001b.dll
2009-04-14 16:34:03 ----A---- C:\Windows\system32\NlsLexicons000c.dll
2009-04-14 16:34:03 ----A---- C:\Windows\system32\NlsLexicons000a.dll
2009-04-14 16:34:02 ----A---- C:\Windows\system32\NlsLexicons0416.dll
2009-04-14 16:34:02 ----A---- C:\Windows\system32\NlsLexicons0414.dll
2009-04-14 16:34:02 ----A---- C:\Windows\system32\NlsLexicons000f.dll
2009-04-14 16:34:02 ----A---- C:\Windows\system32\NlsLexicons000d.dll
2009-04-14 16:34:01 ----A---- C:\Windows\system32\NlsModels0011.dll
2009-04-14 16:34:01 ----A---- C:\Windows\system32\NlsLexicons081a.dll
2009-04-14 16:34:01 ----A---- C:\Windows\system32\NlsLexicons0816.dll
2009-04-14 16:34:00 ----A---- C:\Windows\system32\NlsData0049.dll
2009-04-14 16:34:00 ----A---- C:\Windows\system32\NlsData0047.dll
2009-04-14 16:34:00 ----A---- C:\Windows\system32\NlsData0046.dll
2009-04-14 16:34:00 ----A---- C:\Windows\system32\NlsData0045.dll
2009-04-14 16:34:00 ----A---- C:\Windows\system32\NlsData0039.dll
2009-04-14 16:33:59 ----A---- C:\Windows\system32\NlsData0027.dll
2009-04-14 16:33:59 ----A---- C:\Windows\system32\NlsData0026.dll
2009-04-14 16:33:59 ----A---- C:\Windows\system32\NlsData0024.dll
2009-04-14 16:33:59 ----A---- C:\Windows\system32\NlsData0022.dll
2009-04-14 16:33:59 ----A---- C:\Windows\system32\NlsData0021.dll
2009-04-14 16:33:59 ----A---- C:\Windows\system32\NlsData0020.dll
2009-04-14 16:33:58 ----A---- C:\Windows\system32\NlsData0018.dll
2009-04-14 16:33:58 ----A---- C:\Windows\system32\NlsData0013.dll
2009-04-14 16:33:58 ----A---- C:\Windows\system32\NlsData0011.dll
2009-04-14 16:33:58 ----A---- C:\Windows\system32\NlsData0010.dll
2009-04-14 16:33:57 ----A---- C:\Windows\system32\NlsData0019.dll
2009-04-14 16:33:57 ----A---- C:\Windows\system32\NlsData0003.dll
2009-04-14 16:33:57 ----A---- C:\Windows\system32\NlsData0002.dll
2009-04-14 16:33:57 ----A---- C:\Windows\system32\NlsData0001.dll
2009-04-14 16:33:57 ----A---- C:\Windows\system32\NlsData0000.dll
2009-04-14 16:33:56 ----A---- C:\Windows\system32\NlsData0009.dll
2009-04-14 16:33:56 ----A---- C:\Windows\system32\NlsData0007.dll
2009-04-14 16:33:55 ----A---- C:\Windows\system32\NlsData004b.dll
2009-04-14 16:33:55 ----A---- C:\Windows\system32\NlsData004a.dll
2009-04-14 16:33:54 ----A---- C:\Windows\system32\NlsData004e.dll
2009-04-14 16:33:54 ----A---- C:\Windows\system32\NlsData004c.dll
2009-04-14 16:33:54 ----A---- C:\Windows\system32\NlsData003e.dll
2009-04-14 16:33:54 ----A---- C:\Windows\system32\NlsData002a.dll
2009-04-14 16:33:54 ----A---- C:\Windows\system32\NlsData001a.dll
2009-04-14 16:33:53 ----A---- C:\Windows\system32\NlsData001d.dll
2009-04-14 16:33:53 ----A---- C:\Windows\system32\NlsData001b.dll
2009-04-14 16:33:53 ----A---- C:\Windows\system32\NlsData000a.dll
2009-04-14 16:33:52 ----A---- C:\Windows\system32\NlsData0416.dll
2009-04-14 16:33:52 ----A---- C:\Windows\system32\NlsData0414.dll
2009-04-14 16:33:52 ----A---- C:\Windows\system32\NlsData000f.dll
2009-04-14 16:33:52 ----A---- C:\Windows\system32\NlsData000d.dll
2009-04-14 16:33:52 ----A---- C:\Windows\system32\NlsData000c.dll
2009-04-14 16:33:51 ----A---- C:\Windows\system32\NlsData081a.dll
2009-04-14 16:33:51 ----A---- C:\Windows\system32\NlsData0816.dll
2009-04-14 16:33:51 ----A---- C:\Windows\system32\NaturalLanguage6.dll
2009-04-14 16:33:50 ----A---- C:\Windows\system32\NlsLexicons0c1a.dll
2009-04-14 16:33:50 ----A---- C:\Windows\system32\NlsData0c1a.dll
2009-04-14 16:30:52 ----A---- C:\Windows\system32\setupapi.dll
2009-04-14 16:30:31 ----A---- C:\Windows\system32\wpd_ci.dll
2009-04-14 16:30:31 ----A---- C:\Windows\system32\srdelayed.exe
2009-04-14 16:30:31 ----A---- C:\Windows\system32\srcore.dll
2009-04-14 16:30:31 ----A---- C:\Windows\system32\srclient.dll
2009-04-14 16:30:31 ----A---- C:\Windows\system32\rstrui.exe
2009-04-14 16:30:30 ----A---- C:\Windows\system32\winresume.exe
2009-04-14 16:30:30 ----A---- C:\Windows\system32\winload.exe
2009-04-14 16:30:30 ----A---- C:\Windows\system32\kd1394.dll
2009-04-14 16:30:30 ----A---- C:\Windows\system32\ci.dll
2009-04-14 16:30:29 ----A---- C:\Windows\system32\umpnpmgr.dll
2009-04-14 16:30:29 ----A---- C:\Windows\system32\oleaut32.dll
2009-04-14 16:30:29 ----A---- C:\Windows\system32\nshhttp.dll
2009-04-14 16:30:29 ----A---- C:\Windows\system32\kbd106n.dll
2009-04-14 16:30:29 ----A---- C:\Windows\system32\drvinst.exe
2009-04-14 16:30:29 ----A---- C:\Windows\system32\dpx.dll
2009-04-14 16:30:29 ----A---- C:\Windows\system32\cfgmgr32.dll
2009-04-14 16:30:28 ----A---- C:\Windows\system32\unlodctr.exe
2009-04-14 16:30:28 ----A---- C:\Windows\system32\schedsvc.dll
2009-04-14 16:30:28 ----A---- C:\Windows\system32\prflbmsg.dll
2009-04-14 16:30:28 ----A---- C:\Windows\system32\lodctr.exe
2009-04-14 16:30:28 ----A---- C:\Windows\system32\loadperf.dll
2009-04-14 16:30:27 ----A---- C:\Windows\system32\f3ahvoas.dll
2009-04-14 16:30:27 ----A---- C:\Windows\system32\dispci.dll
2009-04-14 16:30:27 ----A---- C:\Windows\system32\batt.dll
2009-04-14 16:29:23 ----A---- C:\Windows\system32\rpcss.dll
2009-04-14 16:29:23 ----A---- C:\Windows\system32\ntkrnlpa.exe
2009-04-14 16:29:22 ----A---- C:\Windows\system32\printfilterpipelinesvc.exe
2009-04-14 16:29:22 ----A---- C:\Windows\system32\printfilterpipelineprxy.dll
2009-04-14 16:29:22 ----A---- C:\Windows\system32\ntoskrnl.exe
2009-04-14 16:29:21 ----A---- C:\Windows\system32\sdohlp.dll
2009-04-14 16:29:21 ----A---- C:\Windows\system32\iasrecst.dll
2009-04-14 16:29:21 ----A---- C:\Windows\system32\iasdatastore.dll
2009-04-14 16:29:21 ----A---- C:\Windows\system32\iasads.dll
2009-04-14 16:27:10 ----A---- C:\Windows\system32\WMASF.DLL
2009-04-14 16:27:10 ----A---- C:\Windows\system32\LAPRXY.DLL
2009-04-14 16:27:10 ----A---- C:\Windows\system32\asferror.dll
2009-04-14 16:26:28 ----A---- C:\Windows\system32\secur32.dll
2009-04-14 16:26:28 ----A---- C:\Windows\system32\lsass.exe
2009-04-14 16:26:28 ----A---- C:\Windows\system32\lsasrv.dll
2009-04-14 16:26:28 ----A---- C:\Windows\system32\kernel32.dll
2009-04-14 16:26:27 ----A---- C:\Windows\system32\apilogen.dll
2009-04-14 16:26:27 ----A---- C:\Windows\system32\amxread.dll
2009-04-14 16:25:34 ----A---- C:\Windows\system32\slwmi.dll
2009-04-14 16:25:34 ----A---- C:\Windows\system32\SLUI.exe
2009-04-14 16:25:34 ----A---- C:\Windows\system32\SLCommDlg.dll
2009-04-14 16:25:34 ----A---- C:\Windows\system32\SLC.dll
2009-04-14 16:25:34 ----A---- C:\Windows\system32\mcbuilder.exe
2009-04-14 16:25:33 ----A---- C:\Windows\system32\SLUINotify.dll
2009-04-14 16:25:33 ----A---- C:\Windows\system32\SLsvc.exe
2009-04-14 16:25:33 ----A---- C:\Windows\system32\SLLUA.exe
2009-04-14 16:25:33 ----A---- C:\Windows\system32\slcinst.dll
2009-04-14 16:24:48 ----A---- C:\Windows\system32\WindowsCodecs.dll
2009-04-14 16:24:48 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2009-04-14 16:24:47 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2009-04-14 16:23:37 ----A---- C:\Windows\system32\ntprint.exe
2009-04-14 16:23:37 ----A---- C:\Windows\system32\ntprint.dll
2009-04-14 16:23:36 ----A---- C:\Windows\system32\dhcpcsvc6.dll
2009-04-14 16:23:36 ----A---- C:\Windows\system32\dhcpcsvc.dll
2009-04-14 16:23:36 ----A---- C:\Windows\system32\dhcpcmonitor.dll
2009-04-14 16:23:36 ----A---- C:\Windows\system32\authui.dll
2009-04-14 16:23:35 ----A---- C:\Windows\system32\sendmail.dll
2009-04-14 16:23:35 ----A---- C:\Windows\system32\msvidc32.dll
2009-04-14 16:23:35 ----A---- C:\Windows\system32\msvfw32.dll
2009-04-14 16:23:35 ----A---- C:\Windows\system32\msrle32.dll
2009-04-14 16:23:35 ----A---- C:\Windows\system32\mciavi32.dll
2009-04-14 16:23:35 ----A---- C:\Windows\system32\avifil32.dll
2009-04-14 16:23:35 ----A---- C:\Windows\system32\avicap32.dll
2009-04-14 16:22:52 ----A---- C:\Windows\system32\win32spl.dll
2009-04-14 16:22:52 ----A---- C:\Windows\system32\printcom.dll
2009-04-14 16:22:16 ----A---- C:\Windows\system32\wshrm.dll
2009-04-14 16:21:40 ----A---- C:\Windows\system32\sbunattend.exe
2009-04-14 16:19:57 ----A---- C:\Windows\system32\dnsrslvr.dll
2009-04-14 16:19:57 ----A---- C:\Windows\system32\dnscacheugc.exe
2009-04-14 16:19:57 ----A---- C:\Windows\system32\dnsapi.dll
2009-04-14 16:18:52 ----A---- C:\Windows\system32\schannel.dll
2009-04-14 16:17:36 ----SHD---- C:\Windows\Installer
2009-04-14 16:16:14 ----A---- C:\Windows\system32\infocardapi.dll
2009-04-14 16:16:14 ----A---- C:\Windows\system32\icardres.dll
2009-04-14 16:16:14 ----A---- C:\Windows\system32\icardagt.exe
2009-04-14 16:16:10 ----A---- C:\Windows\system32\PresentationNative_v0300.dll
2009-04-14 16:16:10 ----A---- C:\Windows\system32\PresentationHostProxy.dll
2009-04-14 16:16:10 ----A---- C:\Windows\system32\PresentationHost.exe
2009-04-14 16:16:10 ----A---- C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-04-14 16:13:09 ----D---- C:\Windows\Panther
2009-04-14 16:07:50 ----A---- C:\Windows\system32\dfshim.dll
2009-04-14 16:07:49 ----A---- C:\Windows\system32\netfxperf.dll
2009-04-14 16:07:48 ----A---- C:\Windows\system32\mscoree.dll
2009-04-14 16:07:47 ----A---- C:\Windows\system32\mscories.dll
2009-04-14 16:07:47 ----A---- C:\Windows\system32\mscorier.dll
2009-04-14 15:58:40 ----A---- C:\Windows\system32\rrinstaller.exe
2009-04-14 15:58:40 ----A---- C:\Windows\system32\mfps.dll
2009-04-14 15:58:40 ----A---- C:\Windows\system32\mferror.dll
2009-04-14 15:58:40 ----A---- C:\Windows\system32\mf.dll
2009-04-14 15:58:39 ----A---- C:\Windows\system32\WMVCORE.DLL
2009-04-14 15:58:39 ----A---- C:\Windows\system32\WMNetMgr.dll
2009-04-14 15:58:39 ----A---- C:\Windows\system32\mfpmp.exe
2009-04-14 15:58:39 ----A---- C:\Windows\system32\logagent.exe
2009-04-14 15:58:10 ----A---- C:\Windows\system32\rpcrt4.dll
2009-04-14 15:57:46 ----A---- C:\Windows\system32\INETRES.dll
2009-04-14 15:57:46 ----A---- C:\Windows\system32\inetcomm.dll
2009-04-14 15:57:29 ----A---- C:\Windows\system32\connect.dll
2009-04-14 15:57:13 ----A---- C:\Windows\system32\wmi.dll
2009-04-14 15:57:13 ----A---- C:\Windows\system32\imagehlp.dll
2009-04-14 15:56:58 ----A---- C:\Windows\system32\quartz.dll
2009-04-14 15:56:29 ----A---- C:\Windows\system32\crypt32.dll
2009-04-14 15:56:07 ----A---- C:\Windows\system32\user32.dll
2009-04-14 15:55:54 ----A---- C:\Windows\system32\msxml6r.dll
2009-04-14 15:55:54 ----A---- C:\Windows\system32\msxml6.dll
2009-04-14 15:55:17 ----A---- C:\Windows\system32\iedkcs32.dll
2009-04-14 15:55:17 ----A---- C:\Windows\system32\ieakui.dll
2009-04-14 15:55:17 ----A---- C:\Windows\system32\ieaksie.dll
2009-04-14 15:55:17 ----A---- C:\Windows\system32\advpack.dll
2009-04-14 15:55:17 ----A---- C:\Windows\system32\admparse.dll
2009-04-14 15:55:16 ----A---- C:\Windows\system32\wininet.dll
2009-04-14 15:55:16 ----A---- C:\Windows\system32\jsproxy.dll
2009-04-14 15:55:16 ----A---- C:\Windows\system32\ieapfltr.dll
2009-04-14 15:55:16 ----A---- C:\Windows\system32\dxtrans.dll
2009-04-14 15:55:16 ----A---- C:\Windows\system32\dxtmsft.dll
2009-04-14 15:55:15 ----A---- C:\Windows\system32\msfeeds.dll
2009-04-14 15:55:14 ----A---- C:\Windows\system32\ieui.dll
2009-04-14 15:55:14 ----A---- C:\Windows\system32\ieframe.dll
2009-04-14 15:55:12 ----A---- C:\Windows\system32\mshtmler.dll
2009-04-14 15:55:12 ----A---- C:\Windows\system32\mshtmled.dll
2009-04-14 15:55:12 ----A---- C:\Windows\system32\mshtml.dll
2009-04-14 15:55:12 ----A---- C:\Windows\system32\ieencode.dll
2009-04-14 15:55:11 ----A---- C:\Windows\system32\mstime.dll
2009-04-14 15:55:10 ----A---- C:\Windows\system32\icardie.dll
2009-04-14 15:55:09 ----A---- C:\Windows\system32\urlmon.dll
2009-04-14 15:55:09 ----A---- C:\Windows\system32\occache.dll
2009-04-14 15:55:09 ----A---- C:\Windows\system32\ieUnatt.exe
2009-04-14 15:55:08 ----A---- C:\Windows\system32\pngfilt.dll
2009-04-14 15:55:08 ----A---- C:\Windows\system32\iesetup.dll
2009-04-14 15:55:08 ----A---- C:\Windows\system32\iertutil.dll
2009-04-14 15:55:08 ----A---- C:\Windows\system32\iernonce.dll
2009-04-14 15:55:08 ----A---- C:\Windows\system32\ie4uinit.exe
2009-04-14 15:53:36 ----A---- C:\Windows\system32\qmgr.dll
2009-04-14 15:26:32 ----D---- C:\Users\R!CH\AppData\Roaming\Identities
2009-04-14 15:26:19 ----SD---- C:\Users\R!CH\AppData\Roaming\Microsoft
2009-04-14 15:26:19 ----D---- C:\Users\R!CH\AppData\Roaming\Media Center Programs
2009-04-14 15:25:35 ----A---- C:\Windows\system32\wucltux.dll
2009-04-14 15:25:34 ----A---- C:\Windows\system32\wups2.dll
2009-04-14 15:25:34 ----A---- C:\Windows\system32\wuaueng.dll
2009-04-14 15:25:34 ----A---- C:\Windows\system32\wuauclt.exe
2009-04-14 15:25:01 ----A---- C:\Windows\system32\wups.dll
2009-04-14 15:25:01 ----A---- C:\Windows\system32\wudriver.dll
2009-04-14 15:25:01 ----A---- C:\Windows\system32\wuapi.dll
2009-04-14 15:24:25 ----A---- C:\Windows\system32\wuwebv.dll
2009-04-14 15:24:25 ----A---- C:\Windows\system32\wuapp.exe
2009-04-14 15:19:51 ----RASH---- C:\Boot.ini.saved
2009-04-14 15:16:54 ----D---- C:\Windows\SoftwareDistribution
2009-04-14 15:15:44 ----D---- C:\Windows\Debug
2009-04-14 15:14:25 ----D---- C:\Windows\Prefetch
2009-04-14 15:05:12 ----SH---- C:\Boot.BAK
2009-04-14 15:05:12 ----RAS---- C:\BOOTSECT.BAK
2009-04-14 15:05:09 ----SHD---- C:\Boot
2009-04-14 07:20:07 ----SHD---- C:\System Volume Information

======List of files/folders modified in the last 1 months======

2009-04-27 23:43:26 ----D---- C:\Windows\Temp
2009-04-27 23:42:10 ----D---- C:\Windows\system32\drivers
2009-04-27 23:42:07 ----RD---- C:\Program Files
2009-04-27 23:42:07 ----HD---- C:\ProgramData
2009-04-27 03:50:59 ----D---- C:\Windows\System32
2009-04-27 03:50:59 ----D---- C:\Windows\inf
2009-04-27 03:50:59 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-04-27 03:46:46 ----D---- C:\Windows
2009-04-25 19:24:09 ----D---- C:\Program Files\Common Files
2009-04-25 19:23:47 ----D---- C:\Windows\system32\catroot
2009-04-25 17:08:25 ----SD---- C:\ProgramData\Microsoft
2009-04-24 11:55:25 ----D---- C:\Windows\system32\catroot2
2009-04-20 10:39:07 ----D---- C:\Windows\system32\LogFiles
2009-04-17 22:56:48 ----D---- C:\Windows\system32\Tasks
2009-04-17 22:53:35 ----RSD---- C:\Windows\Fonts
2009-04-17 22:53:13 ----D---- C:\Windows\winsxs
2009-04-16 17:02:15 ----D---- C:\Windows\servicing
2009-04-16 00:01:36 ----D---- C:\Windows\system32\WDI
2009-04-14 21:44:15 ----D---- C:\Program Files\Internet Explorer
2009-04-14 19:30:20 ----D---- C:\Windows\Tasks
2009-04-14 19:23:16 ----D---- C:\Program Files\Common Files\microsoft shared
2009-04-14 18:45:07 ----RSD---- C:\Windows\assembly
2009-04-14 18:44:41 ----D---- C:\Windows\ShellNew
2009-04-14 18:41:32 ----D---- C:\Windows\system
2009-04-14 18:18:18 ----D---- C:\Windows\Microsoft.NET
2009-04-14 18:17:51 ----ASH---- C:\Program Files\desktop.ini
2009-04-14 18:17:42 ----D---- C:\Windows\rescache
2009-04-14 18:13:25 ----D---- C:\Windows\system32\en-US
2009-04-14 18:13:24 ----D---- C:\Windows\system32\ras
2009-04-14 18:13:24 ----D---- C:\Windows\system32\icsxml
2009-04-14 18:13:24 ----D---- C:\Program Files\Windows Calendar
2009-04-14 18:13:20 ----D---- C:\Windows\system32\wbem
2009-04-14 18:13:20 ----D---- C:\Program Files\Windows Mail
2009-04-14 18:13:20 ----D---- C:\Program Files\Common Files\System
2009-04-14 18:13:19 ----D---- C:\Program Files\Windows Defender
2009-04-14 18:13:18 ----D---- C:\Windows\AppPatch
2009-04-14 18:13:17 ----D---- C:\Windows\ehome
2009-04-14 18:13:17 ----D---- C:\Program Files\Windows Media Player
2009-04-14 18:13:16 ----D---- C:\Windows\system32\migration
2009-04-14 18:13:10 ----D---- C:\Windows\system32\manifeststore
2009-04-14 18:13:07 ----D---- C:\Windows\system32\SLUI
2009-04-14 18:13:02 ----D---- C:\Program Files\Windows Sidebar
2009-04-14 18:13:00 ----D---- C:\Windows\system32\XPSViewer
2009-04-14 17:09:00 ----D---- C:\Windows\Help
2009-04-14 15:28:27 ----D---- C:\Windows\Logs
2009-04-14 15:26:43 ----SHD---- C:\$Recycle.Bin
2009-04-14 15:26:08 ----RD---- C:\Users
2009-04-14 15:23:28 ----D---- C:\Windows\system32\restore
2009-04-06 07:57:26 ----A---- C:\Windows\system32\mrt.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 tifsfilter;Acronis True Image FS Filter; C:\Windows\system32\DRIVERS\tifsfilt.sys [2009-04-14 32768]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\Windows\system32\DRIVERS\LHidFilt.Sys [2008-12-18 35472]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\Windows\system32\DRIVERS\LMouFilt.Sys [2008-12-18 37392]
R3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\Windows\System32\Drivers\LUsbFilt.Sys [2008-12-18 28816]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-03-27 7738816]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2009-03-06 140800]
S3 a3xk4snn;a3xk4snn; C:\Windows\system32\drivers\a3xk4snn.sys []
S3 ASPI;Advanced SCSI Programming Interface Driver; \??\C:\Windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S3 NPF;NetGroup Packet Filter Driver; C:\Windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-03-26 36864]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2006-11-02 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [2007-06-14 411168]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-26 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-03-27 207392]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-04-14 654848]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [2009-02-19 121360]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-06 92792]

-----------------EOF-----------------

__________________________________________________________

info.txt

__________________________________________________________

info.txt logfile of random's system information tool 1.06 2009-04-27 23:43:43

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->MsiExec /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}
Acrobat.com-->MsiExec.exe /X{287ECFA4-719A-2143-A09B-D6A12DE54E40}
Ad-Aware SE Professional-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Add or Remove Adobe Creative Suite 3 Master Collection-->C:\Program Files\Common Files\Adobe\Installers\8bb24e071e5922899698c2105557bd2\Setup.exe
Adobe After Effects CS3 Presets-->MsiExec.exe /I{185D0A67-E066-44AE-926D-F6305813301C}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3-->MsiExec.exe /I{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Creative Suite 3 Master Collection-->MsiExec.exe /I{7162AC2C-733F-4127-ACAD-C5F0F27D123D}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3-->MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Extension Manager CS3-->MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Fireworks CS3-->MsiExec.exe /I{7DFC1012-D346-46CE-B03E-FF79125AE029}
Adobe Flash CS3-->MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Video Encoder-->MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}
Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe InDesign CS3 Icon Handler-->MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files-->MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Setup-->MsiExec.exe /I{9BA4F9C5-7CB4-492C-9B97-89E36AFA0AB9}
Adobe SING CS3-->MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Video Profiles-->MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}
Adobe WAS CS3-->MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP DVA Panels CS3-->MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Agent Ransack Version 1.7.3-->"C:\Program Files\Mythicsoft\Agent Ransack\unins000.exe"
AHV content for Acrobat and Flash-->MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
Alt MP3 Bitrate Converter 7.0-->"C:\Program Files\Alt MP3 Bitrate Converter\unins000.exe"
Amazon MP3 Downloader 1.0.3-->C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
Apple Mobile Device Support-->MsiExec.exe /I{AFA20D47-69C3-4030-8DF8-D37466E70F13}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVIcodec (remove only)-->"C:\Program Files\AVIcodec\uninst.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
CDDRV_Installer-->MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Effective File Search 6.1-->"C:\Program Files\efs\UnRun.exe" "C:\Program Files\efs\Uninst.exe"
GTK+ Runtime 2.14.7 rev a (remove only)-->C:\Program Files\Common Files\GTK\2.0\uninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
iTunes-->MsiExec.exe /I{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Juice 2.2-->C:\Program Files\Juice\uninst.exe
KhalInstallWrapper-->MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
K-Lite Codec Pack 4.7.5 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Logitech SetPoint-->"C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe" -runfromtemp -l0x0009 -removeonly
Macromedia HomeSite 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74307C3F-EBD4-11D4-A4D9-0010A4C3AFF0}\Setup.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.9)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero Mega Plugin Pack-->MsiExec.exe /I{EF901A4B-A25A-4962-83C6-C6691D062ED9}
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX-->MsiExec.exe /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}
Opera 9.64-->MsiExec.exe /X{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Pidgin-->C:\Program Files\Pidgin\pidgin-uninst.exe
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
Safari-->MsiExec.exe /I{AF10D7E4-D29A-45DA-8050-B116097B69B5}
Seagate DiscWizard-->MsiExec.exe /X{81A60A13-224D-4637-8203-3EAC03B121A4}
SmartFTP Client-->MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TopStyle Lite (Version 2)-->C:\Windows\unlite2.exe "C:\Program Files\Bradbury\TopStyle2"
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinPcap 4.0.2-->C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WM Recorder-->C:\Program Files\WMR11\Uninstal.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AS: Spybot - Search and Destroy (disabled)
AS: Windows Defender (outdated)

======System event log======

Computer Name: RICH-PC
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001A4D43BF39. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 20452
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090426062241.000000-000
Event Type: Warning
User:

Computer Name: RICH-PC
Event Code: 10010
Message: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.
Record Number: 20464
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20090426121448.000000-000
Event Type: Error
User:

Computer Name: RICH-PC
Event Code: 16
Message: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
Record Number: 20693
Source Name: Microsoft-Windows-WindowsUpdateClient
Time Written: 20090427093851.874799-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: RICH-PC
Event Code: 15300
Message: MTP WPD Driver has failed to start. Error 0x80070005.
Record Number: 20694
Source Name: Microsoft-Windows-WPD-MTPClassDriver
Time Written: 20090427102102.000000-000
Event Type: Error
User:

Computer Name: RICH-PC
Event Code: 10010
Message: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.
Record Number: 20939
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20090428063906.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: RICH-PC
Event Code: 8210
Message: The scheduled restore point could not be created. Additional information: (0x81000109).
Record Number: 1601
Source Name: System Restore
Time Written: 20090427112801.000000-000
Event Type: Error
User:

Computer Name: RICH-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2573747636-4075412569-133060285-1000:
Process 1012 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2573747636-4075412569-133060285-1000

Record Number: 1608
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090428063916.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: RICH-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2573747636-4075412569-133060285-1000_Classes:
Process 1012 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2573747636-4075412569-133060285-1000_CLASSES

Record Number: 1609
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090428063918.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: RICH-PC
Event Code: 1000
Message: Faulting application mbam.exe, version 1.36.0.0, time stamp 0x49da6531, faulting module mbam.exe, version 1.36.0.0, time stamp 0x49da6531, exception code 0x80000003, fault offset 0x00002e88, process id 0xf14, application start time 0x01c9c7cc86864528.
Record Number: 1630
Source Name: Application Error
Time Written: 20090428064240.000000-000
Event Type: Error
User:

Computer Name: RICH-PC
Event Code: 1000
Message: Faulting application mbam.exe, version 1.36.0.0, time stamp 0x49da6531, faulting module mbam.exe, version 1.36.0.0, time stamp 0x49da6531, exception code 0x80000003, fault offset 0x00002e88, process id 0xf28, application start time 0x01c9c7cc96313208.
Record Number: 1631
Source Name: Application Error
Time Written: 20090428064306.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: RICH-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: RICH-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 3309
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090428064058.667807-000
Event Type: Audit Success
User:

Computer Name: RICH-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 3310
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090428064058.667807-000
Event Type: Audit Success
User:

Computer Name: RICH-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: RICH-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 3311
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090428064415.171007-000
Event Type: Audit Success
User:

Computer Name: RICH-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: RICH-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 3312
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090428064415.172007-000
Event Type: Audit Success
User:

Computer Name: RICH-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 3313
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090428064415.172007-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\DivX Shared\;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0f07
"NUMBER_OF_PROCESSORS"=4
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

#7 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 28 April 2009 - 07:09 AM

Welcome back, :thumbup2:

Have you tried renaming the setup from Malwarebytes before executing it? If not, please do so and try to install Malwarebytes one last time. If this doesn't work, we'll try a different tool.

Please post back how things turned out.
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 R!CH
  • Topic Starter
  • Members
  • 22 posts

Posted 28 April 2009 - 02:59 PM

At last! OK, renaming the setup file didn't work, but renaming mbam.exe to mb.exe did! I was able to run a quick scan, which identified the DNSChanger trojan and removed it. Here's the log for reference...



Malwarebytes' Anti-Malware 1.36
Database version: 2043
Windows 6.0.6000

4/28/2009 12:40:47 PM
mbam-log-2009-04-28 (12-40-47).txt

Scan type: Quick Scan
Objects scanned: 64414
Time elapsed: 2 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.72,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{095e9f26-cc19-4b9f-9741-f37143d52571}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.72,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.72,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{095e9f26-cc19-4b9f-9741-f37143d52571}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.72,85.255.112.151 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-4-3-24-100011878-100015296-100011275-4172.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.



Now Windows Update is connecting to the server and I got my SP3, but mbam.exe and spybotsd.exe will still cause a fatal error upon opening ("program has stopped working"). I guess not a big deal unless this means there's still malware on my system. Any idea why these file names are still shorting out? Maybe a registry entry I can track down and fix? Either way, thanks again for walking me through this _temp_
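
The Malwarebytes log above shows the two places a resolver hijack of this kind lives: the Tcpip\Parameters NameServer value, rewritten in both CurrentControlSet and ControlSet001 and again on the per-interface key, and (from the RSIT log earlier in the thread) the hosts file. The following Python is an added example, not code from the thread or from any of the tools mentioned in it. It runs offline over a constructed `reg export`-style dump and a constructed hosts file: the resolver addresses and the interface GUID are copied from the log, while the `192.168.1.1` DHCP resolver, the `EXPECTED_RESOLVERS` allowlist and the `windowsupdate.example` redirect line are assumptions made for illustration.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed `reg export` style dump. NameServer data and the interface GUID
# are copied from the Malwarebytes log above; DhcpNameServer is an assumption.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="85.255.112.72,85.255.112.151"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{095e9f26-cc19-4b9f-9741-f37143d52571}]
"EnableDHCP"=dword:00000001
"NameServer"="85.255.112.72,85.255.112.151"
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"NameServer"="85.255.112.72,85.255.112.151"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]
"NameServer"=""
"""

# Constructed hosts file: the 127.0.0.1 lines mirror the RSIT listing above
# (Spybot-style immunization); the last line is an invented redirect.
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0 008i.com
203.0.113.5 windowsupdate.example
"""

# Assumed: the resolvers this machine is supposed to use (router via DHCP).
EXPECTED_RESOLVERS = ["192.168.1.1"]

_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: returns {key_path: {value_name: data}}.
    Handles REG_SZ ("...") and REG_DWORD (dword:hex) values only."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if (m := _KEY_RE.match(line)):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := _VAL_RE.match(line)):
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            elif data.startswith("dword:"):
                data = str(int(data[6:], 16))
            keys[current][name] = data
    return keys


def _is_allowed(server: str, allowed: set) -> bool:
    try:
        return ipaddress.ip_address(server) in allowed
    except ValueError:          # not an IP at all: treat as suspicious
        return False


def audit_nameservers(reg_text: str, expected: List[str]) -> List[dict]:
    """Flag Tcpip NameServer values outside `expected` in EVERY control set
    (cleaning only CurrentControlSet leaves the value to return from a stale
    set), and static NameServer entries on DHCP-enabled interfaces, which
    silently override the DhcpNameServer the router handed out."""
    allowed = {ipaddress.ip_address(ip) for ip in expected}
    findings = []
    for key, vals in parse_reg_export(reg_text).items():
        if "\\Services\\Tcpip\\Parameters" not in key:
            continue
        servers = [s for s in re.split(r"[,\s]+", vals.get("NameServer", "")) if s]
        if not servers:
            continue
        reasons = []
        bad = [s for s in servers if not _is_allowed(s, allowed)]
        if bad:
            reasons.append("unexpected resolver(s): " + ",".join(bad))
        if vals.get("EnableDHCP") == "1" and vals.get("DhcpNameServer"):
            reasons.append("static NameServer overrides DHCP " + vals["DhcpNameServer"])
        if reasons:
            findings.append({"key": key, "servers": servers, "reasons": reasons})
    return findings


def audit_hosts(hosts_text: str) -> Dict[str, List[str]]:
    """Split hosts entries into sinkholes (loopback/0.0.0.0, i.e. benign
    blocklists) and redirects to real addresses, which is how update traffic
    gets steered to a server the attacker controls."""
    out: Dict[str, List[str]] = {"sinkholed": [], "redirected": []}
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            target = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            if target.is_loopback or target.is_unspecified:
                out["sinkholed"].append(name)
            else:
                out["redirected"].append(f"{name}->{target}")
    return out


if __name__ == "__main__":
    for f in audit_nameservers(SAMPLE_REG_EXPORT, EXPECTED_RESOLVERS):
        print(f["key"], f["servers"], "; ".join(f["reasons"]))
    print(audit_hosts(SAMPLE_HOSTS))
```

On a live machine the dump comes from `reg export HKLM\SYSTEM system.reg` (run as administrator) and the hosts file from %SystemRoot%\System32\drivers\etc\hosts; the allowlist should be the resolvers your router or ISP actually assigns. Note that the hosts-file sinkholes are exactly what Spybot's immunization writes, so their presence alone is not a finding; a non-loopback target is.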

#9 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 28 April 2009 - 08:55 PM

Hello R!CH, :thumbup2:

you're welcome. :)

Malwarebytes did take out a part of the infection; however, you are still infected. The malfunction of Spybot and Malwarebytes is a sign of it.

In order to remove the remains I would like to ask you to run Combofix:

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Please insert all usb-drives before running Combofix
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#10 R!CH
  • Topic Starter
  • Members
  • 22 posts

Posted 29 April 2009 - 03:07 AM

got it, here you go:


ComboFix 09-04-28.02 - R!CH 04/29/2009 0:48.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2046.1091 [GMT -7:00]
Running from: c:\users\R!CH\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gxvxcqrdubjpklcdewxkdedjuiyiuccglaucx.sys
c:\windows\system32\gxvxcnwymfjijguoactpysmtdhusdllwvjgvu.dll
c:\windows\system32\pthreadGC2.dll
d:\recycler\S-4-3-24-100011878-100015296-100011275-4172.com
e:\recycler\S-4-3-24-100011878-100015296-100011275-4172.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 21:45 . 2009-04-26 02:56 28672 ----a-w C:\catchme.exe
2009-04-28 21:45 . 2009-04-28 06:38 781909 ----a-w C:\RSIT.exe
2009-04-28 21:45 . 2009-03-27 23:36 286208 ----a-w C:\gmer.exe
2009-04-28 19:36 . 2009-04-28 19:36 -------- d-----w c:\users\R!CH\AppData\Roaming\Malwarebytes
2009-04-28 19:35 . 2009-04-28 19:40 -------- d-----w c:\program files\Malwarebytes
2009-04-28 06:43 . 2009-04-28 06:43 -------- d-----w C:\rsit
2009-04-28 06:42 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-28 06:42 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 06:42 . 2009-04-28 06:42 -------- d-----w c:\programdata\Malwarebytes
2009-04-28 06:42 . 2009-04-28 06:42 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-28 06:42 . 2009-04-28 06:42 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 02:24 . 2009-04-26 02:24 -------- d-----w c:\windows\system32\AGEIA
2009-04-26 02:24 . 2009-04-26 02:24 -------- d-----w c:\program files\AGEIA Technologies
2009-04-26 02:24 . 2009-04-26 02:24 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-26 02:23 . 2009-04-26 02:23 -------- d-----w C:\NVIDIA
2009-04-26 01:59 . 2009-04-26 02:11 36 ---h--r c:\windows\sued.dat
2009-04-26 01:52 . 2009-04-26 01:52 -------- d-----w c:\users\R!CH\Pavark
2009-04-26 00:08 . 2009-04-26 00:08 -------- d-----w c:\users\R!CH\AppData\Roaming\Lavasoft
2009-04-26 00:08 . 2009-04-26 00:08 -------- d-----w c:\program files\Lavasoft
2009-04-23 12:06 . 2009-04-23 12:11 -------- d-----w C:\VA_-_Fabric_41_Mixed_By_Luciano-CD-2008-SQ
2009-04-21 21:25 . 2009-04-21 21:26 -------- d-----w C:\Guy_Gerber-Timing-(COR12056)-WEB-2009-320
2009-04-21 20:55 . 2009-04-21 21:05 -------- d-----w C:\Tiger_Stripes-Hooked__Remixes-(LDS07)-WEB-2008-320
2009-04-21 20:54 . 2009-04-21 21:17 -------- d-----w C:\Dave_Lee-Mucho_Macho_(Tiger_Stripes_Remixes)-(Zedd12106)-WEB-2009-SOULFUL
2009-04-21 20:54 . 2009-04-21 20:59 -------- d-----w C:\DJ_Kharma_And_Mighty_Atom-Mammagamma-(RSR009)-WEB-2008-320
2009-04-21 20:53 . 2009-04-21 20:54 -------- d-----w C:\Ida_Engberg_And_David_West-Supercluster-(PICKADOLL406)-WEB-2009-EPiCFAiL
2009-04-21 20:53 . 2009-04-21 20:56 -------- d-----w C:\Losoul-Care-2009-DV8
2009-04-21 20:52 . 2009-04-22 00:16 -------- d-----w C:\Oliver_Moldan_And_Norman_Zube-Requiem-(AT051)-WEB-2008-320
2009-04-19 21:17 . 2009-04-19 21:17 -------- d-----w c:\users\R!CH\AppData\Local\Apple
2009-04-18 05:53 . 2009-04-18 05:53 -------- d-----w c:\program files\Microsoft IntelliType Pro
2009-04-18 00:04 . 2009-04-18 00:04 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-16 23:05 . 2009-04-16 23:05 268800 ----a-w c:\windows\system32\es.dll
2009-04-16 22:23 . 2009-04-16 22:23 -------- d-----w c:\windows\Sun
2009-04-16 21:31 . 2009-04-16 21:31 -------- d-----w c:\programdata\FLEXnet
2009-04-16 21:31 . 2009-04-16 21:31 -------- d-----w c:\users\All Users\FLEXnet
2009-04-15 09:54 . 2009-04-15 09:54 98828 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-15 09:53 . 2009-04-15 09:53 -------- d-----w c:\program files\Safari
2009-04-15 09:37 . 2009-04-15 09:37 -------- d-----w c:\program files\Common Files\Ahead
2009-04-15 09:37 . 2009-04-15 09:37 -------- d-----w c:\program files\Ahead
2009-04-15 09:22 . 2009-04-15 09:23 -------- d-----w c:\program files\Nero 8.3.2.1 - Micro TS - Vista
2009-04-15 09:19 . 2009-04-15 09:39 -------- d-----w c:\users\R!CH\AppData\Roaming\Winamp
2009-04-15 09:19 . 2009-04-22 22:23 -------- d-----w c:\program files\Winamp
2009-04-15 08:51 . 2009-04-15 08:51 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-15 07:35 . 2009-04-15 07:35 -------- d-----w c:\users\R!CH\AppData\Local\Cooliris
2009-04-15 06:57 . 2009-04-15 06:57 -------- d-----w c:\users\R!CH\AppData\Roaming\Media Player Classic
2009-04-15 06:25 . 2009-04-15 08:35 -------- d-----w c:\programdata\NOS
2009-04-15 06:25 . 2009-04-15 08:35 -------- d-----w c:\users\All Users\NOS
2009-04-15 06:25 . 2009-04-15 08:35 -------- d-----w c:\program files\NOS
2009-04-15 06:06 . 2009-04-15 06:06 -------- d--h--w c:\programdata\CanonBJ
2009-04-15 06:06 . 2009-04-15 06:06 -------- d--h--w c:\users\All Users\CanonBJ
2009-04-15 06:01 . 2009-04-15 09:49 -------- d-----w c:\program files\efs
2009-04-15 06:00 . 2009-04-15 06:00 -------- d-----w c:\program files\Mythicsoft
2009-04-15 05:56 . 2009-04-15 05:56 -------- d-----w c:\users\R!CH\AppData\Roaming\gtk-2.0
2009-04-15 05:55 . 2009-04-28 06:31 -------- d-----w c:\users\R!CH\AppData\Roaming\.purple
2009-04-15 05:49 . 2009-04-15 09:47 -------- d-----w c:\program files\Pidgin
2009-04-15 05:49 . 2009-04-15 05:49 -------- d-----w c:\program files\Common Files\GTK
2009-04-15 05:48 . 2009-04-15 05:48 -------- d-----w c:\program files\WinPcap
2009-04-15 05:47 . 2009-04-15 05:48 -------- d-----w c:\program files\WMR11
2009-04-15 05:41 . 2009-04-16 21:30 -------- d-----w c:\users\R!CH\AppData\Local\Adobe
2009-04-15 05:30 . 2008-09-16 19:23 168448 ----a-w c:\windows\system32\unrar.dll
2009-04-15 05:30 . 2004-01-25 16:18 217088 ----a-w c:\windows\system32\yv12vfw.dll
2009-04-15 05:30 . 2008-12-07 18:08 795648 ----a-w c:\windows\system32\xvidcore.dll
2009-04-15 05:30 . 2008-12-07 18:08 130048 ----a-w c:\windows\system32\xvidvfw.dll
2009-04-15 05:30 . 2008-11-06 16:37 3596288 ----a-w c:\windows\system32\qt-dx331.dll
2009-04-15 05:30 . 2008-12-11 00:33 86016 ----a-w c:\windows\system32\dpl100.dll
2009-04-15 05:30 . 2008-11-06 16:33 684032 ----a-w c:\windows\system32\divx.dll
2009-04-15 05:30 . 2009-03-02 18:10 67584 ----a-w c:\windows\system32\ff_vfw.dll
2009-04-15 05:30 . 2009-04-15 05:31 -------- d-----w c:\program files\K-Lite Codec Pack
2009-04-15 05:26 . 2009-04-15 05:27 -------- d-----w c:\program files\VirtualDub
2009-04-15 05:20 . 2009-04-15 09:54 -------- d-----w c:\users\R!CH\AppData\Local\Apple Computer
2009-04-15 05:20 . 2009-04-15 05:20 -------- d-----w c:\users\R!CH\AppData\Roaming\iPodder
2009-04-15 05:20 . 2009-04-15 05:45 -------- d-----w c:\program files\Juice
2009-04-15 05:18 . 2009-04-15 05:18 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-15 05:16 . 2009-04-15 05:16 -------- d-----w c:\users\R!CH\AppData\Roaming\Ableton
2009-04-15 05:15 . 2009-04-15 05:21 -------- d-----w c:\program files\mp3DirectCut
2009-04-15 04:56 . 2009-04-15 09:28 -------- d-----w c:\program files\uTorrent
2009-04-15 04:56 . 2009-04-23 12:18 -------- d-----w c:\users\R!CH\AppData\Roaming\uTorrent
2009-04-15 04:55 . 2009-04-15 04:55 -------- d-----w c:\program files\Amazon
2009-04-15 04:54 . 2009-04-15 04:54 -------- d-----w c:\program files\AVIcodec
2009-04-15 04:52 . 2009-04-20 08:41 -------- d-----w c:\users\R!CH\AppData\Roaming\DivX
2009-04-15 04:45 . 2009-04-18 02:21 -------- d-----w c:\users\R!CH\AppData\Roaming\Apple Computer
2009-04-15 04:45 . 2008-04-17 19:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-04-15 04:45 . 2009-03-19 23:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-15 04:45 . 2009-04-15 04:45 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-15 04:44 . 2009-04-15 04:44 -------- d-----w c:\program files\iPod
2009-04-15 04:44 . 2009-04-15 04:45 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-15 04:44 . 2009-04-15 04:45 -------- d-----w c:\users\All Users\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-15 04:44 . 2009-04-15 09:28 -------- d-----w c:\program files\iTunes
2009-04-15 04:43 . 2009-04-15 04:44 -------- d-----w c:\programdata\Apple Computer
2009-04-15 04:43 . 2009-04-15 04:44 -------- d-----w c:\users\All Users\Apple Computer
2009-04-15 04:43 . 2009-04-15 04:43 -------- d-----w c:\program files\Apple Software Update
2009-04-15 04:43 . 2009-04-15 04:44 -------- d-----w c:\program files\Common Files\Apple
2009-04-15 04:43 . 2009-04-15 04:43 -------- d-----w c:\programdata\Apple
2009-04-15 04:43 . 2009-04-15 04:43 -------- d-----w c:\users\All Users\Apple
2009-04-15 04:36 . 2002-07-17 22:23 45056 ----a-w c:\windows\system32\WNASPI32.DLL
2009-04-15 04:36 . 2002-07-17 22:20 84832 ----a-w c:\windows\system32\drivers\ASPI32.SYS
2009-04-15 04:36 . 2009-04-15 04:36 -------- d-----w c:\program files\Alt MP3 Bitrate Converter
2009-04-15 04:35 . 2009-04-15 04:35 -------- d-----w c:\program files\Common Files\PX Storage Engine
2009-04-15 04:35 . 2009-04-15 04:35 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-15 04:35 . 2009-04-15 05:29 -------- d-----w c:\program files\DivX
2009-04-15 04:24 . 2009-04-15 04:24 -------- d-----w c:\programdata\ALM
2009-04-15 04:24 . 2009-04-15 04:24 -------- d-----w c:\users\All Users\ALM
2009-04-15 04:12 . 2009-04-15 04:44 -------- d-----w c:\program files\QuickTime
2009-04-15 03:38 . 2009-04-15 08:49 -------- d-----w c:\users\All Users\Adobe
2009-04-15 03:34 . 2009-04-15 04:44 -------- d-----w c:\program files\Bonjour
2009-04-15 03:30 . 2009-04-15 03:30 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-15 03:28 . 2009-04-15 08:49 -------- d-----w c:\program files\Common Files\Adobe
2009-04-15 03:26 . 2009-04-15 03:26 -------- d-----w c:\program files\Alcohol Soft
2009-04-15 02:56 . 2009-04-15 02:56 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-15 02:53 . 2009-04-15 02:53 -------- d-----w c:\program files\Trend Micro
2009-04-15 02:41 . 2009-04-15 02:41 32768 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2009-04-15 02:41 . 2009-04-15 02:41 392320 ----a-w c:\windows\system32\drivers\timntr.sys
2009-04-15 02:41 . 2009-04-15 02:41 120992 ----a-w c:\windows\system32\drivers\snapman.sys
2009-04-15 02:41 . 2009-04-15 02:41 -------- d-----w c:\program files\Common Files\Seagate
2009-04-15 02:41 . 2009-04-15 02:41 -------- d-----w c:\program files\Seagate
2009-04-15 02:39 . 2009-04-15 02:39 1071425 ----a-w C:\cpuz.exe
2009-04-15 02:39 . 2009-04-15 02:39 49152 ----a-w C:\latency.exe
2009-04-15 02:39 . 2009-04-15 02:39 183296 ----a-w C:\Core Temp.exe
2009-04-15 02:34 . 2009-04-15 02:34 -------- d-----w c:\users\R!CH\AppData\Roaming\SmartFTP
2009-04-15 02:33 . 2009-04-15 09:26 -------- d-----w c:\program files\SmartFTP Client
2009-04-15 02:31 . 2009-04-15 02:31 -------- d-----w c:\users\R!CH\AppData\Local\Opera
2009-04-15 02:31 . 2009-04-17 01:22 -------- d-----w c:\program files\Opera
2009-04-15 02:30 . 2009-04-15 02:30 -------- d-----w c:\users\R!CH\AppData\Local\Google
2009-04-15 02:30 . 2009-04-15 02:30 -------- d-----w c:\users\R!CH\AppData\Local\Apps
2009-04-15 02:30 . 2009-04-15 02:30 -------- d-----w c:\users\R!CH\AppData\Local\Deployment
2009-04-15 02:23 . 2009-04-15 02:23 -------- d-----w c:\users\R!CH\AppData\Roaming\Logitech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 07:55 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-29 07:55 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat
2009-04-29 07:55 . 2006-11-02 10:25 665600 ----a-w c:\windows\inf\drvindex.dat
2009-04-29 07:55 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-28 22:23 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2009-04-28 22:15 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Sidebar
2009-04-28 22:15 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Photo Gallery
2009-04-28 22:15 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Journal
2009-04-28 22:15 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Collaboration
2009-04-28 22:15 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Calendar
2009-04-28 22:15 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-28 22:15 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Defender
2009-04-28 22:11 . 2006-11-02 10:32 101376 ----a-w c:\windows\system32\ifxcardm.dll
2009-04-28 22:10 . 2006-11-02 10:32 79872 ----a-w c:\windows\system32\axaltocm.dll
2009-04-28 21:17 . 2009-04-14 22:26 54128 ----a-w c:\users\R!CH\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-28 21:03 . 2009-04-28 21:03 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-28 21:03 . 2009-04-28 21:03 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-04-15 05:19 . 2009-04-15 05:19 -------- d-----w c:\program files\Bradbury
2009-04-15 05:19 . 2009-04-15 05:19 -------- d-----w c:\program files\Common Files\Macromedia
2009-04-15 05:19 . 2009-04-15 05:19 -------- d-----w c:\program files\Macromedia
2009-04-15 02:22 . 2009-04-15 02:22 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-04-15 02:22 . 2009-04-15 02:22 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-04-15 02:22 . 2009-04-15 02:22 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-04-14 23:52 . 2009-04-14 23:52 2560 ----a-w c:\windows\AppPatch\AcRes.dll
2009-04-14 23:52 . 2009-04-14 23:52 537600 ----a-w c:\windows\AppPatch\AcLayers.dll
2009-04-14 23:52 . 2009-04-14 23:52 449536 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2009-04-14 23:52 . 2009-04-14 23:52 2144256 ----a-w c:\windows\AppPatch\AcGenral.dll
2009-04-14 23:52 . 2009-04-14 23:52 173056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2009-04-14 23:39 . 2009-04-14 22:26 680 ----a-w c:\users\R!CH\AppData\Local\d3d9caps.dat
2009-04-14 23:33 . 2009-04-14 23:33 1965056 ----a-w c:\windows\system32\NlsData0027.dll
2009-04-14 23:30 . 2009-04-14 23:30 613888 ----a-w c:\windows\system32\wpd_ci.dll
2009-04-14 23:26 . 2009-04-14 23:26 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-04-14 22:58 . 2009-04-14 22:58 98816 ----a-w c:\windows\system32\mfps.dll
2009-04-14 22:58 . 2009-04-14 22:58 52736 ----a-w c:\windows\system32\rrinstaller.exe
2009-04-14 22:58 . 2009-04-14 22:58 2855424 ----a-w c:\windows\system32\mf.dll
2009-04-14 22:58 . 2009-04-14 22:58 2048 ----a-w c:\windows\system32\mferror.dll
2009-04-14 22:58 . 2009-04-14 22:58 24576 ----a-w c:\windows\system32\mfpmp.exe
2009-04-14 22:58 . 2009-04-14 22:58 996352 ----a-w c:\windows\system32\WMNetMgr.dll
2009-04-14 22:58 . 2009-04-14 22:58 94720 ----a-w c:\windows\system32\logagent.exe
2009-04-14 22:58 . 2009-04-14 22:58 84992 ----a-w c:\windows\system32\drivers\srvnet.sys
2009-04-14 22:58 . 2009-04-14 22:58 58368 ----a-w c:\windows\system32\drivers\mrxsmb20.sys
2009-04-14 22:58 . 2009-04-14 22:58 130048 ----a-w c:\windows\system32\drivers\srv2.sys
2009-04-14 22:58 . 2009-04-14 22:58 101888 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2009-04-14 22:58 . 2009-04-14 22:58 788992 ----a-w c:\windows\system32\rpcrt4.dll
2009-04-14 22:55 . 2009-04-14 22:55 52736 ----a-w c:\windows\AppPatch\iebrshim.dll
2009-03-26 22:23 . 2009-03-26 22:23 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-26 22:23 . 2009-03-26 22:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-08 11:34 . 2009-04-28 21:28 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-04-28 21:29 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-04-28 21:29 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-04-28 21:28 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-04-28 21:28 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-04-28 21:28 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-04-28 21:28 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-04-28 21:28 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-04-28 21:28 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-04-28 21:29 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-04-28 21:29 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-04-28 21:29 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-04-28 21:28 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-04-28 21:29 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-04-28 21:29 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-04-28 21:28 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-04-28 21:29 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 16:06 . 2009-03-06 16:06 140800 ----a-w c:\windows\system32\drivers\Rtlh86.sys
2009-03-05 13:54 . 2009-03-05 13:54 73728 ----a-w c:\windows\system32\RtNicProp32.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\opera\program\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 92704]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-19 76304]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-14 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Windows\\trlrm\\RMHSvc.exe"= c:\windows\trlrm\RMHSvc.exe:*:Enabled:RMHSvc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7B36FC15-B584-4A92-B54C-F7AE93A898AB}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{4ED193C9-C613-4CF7-B44F-A402E85E8D79}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{06700BB3-B471-47E7-989A-B61F39C9E4A2}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9B1D193B-328B-4055-9188-7B311AAFF5AD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{377143C9-4FEF-45CC-B817-C11AA3CE7BC9}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{06E8D1BF-1B63-494E-9033-3459A01BBA93}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{88BD3D0F-8264-44A0-98AE-D3D4801FA5BA}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{2724CD1A-1780-4167-882C-CFE208AC7818}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{C4E65B94-4C27-4A02-BB6F-74267306F7A2}"= UDP:63136:63136tcp
"{1B4613E8-9C1B-4239-B440-69B1D2972B6C}"= TCP:63136:63136udp
"TCP Query User{98186753-DA39-407F-8CEB-F89285F6483C}c:\\program files\\pidgin\\pidgin.exe"= UDP:c:\program files\pidgin\pidgin.exe:Pidgin
"UDP Query User{BDF65DA6-29D5-430B-9CE1-2AE8CF47DA66}c:\\program files\\pidgin\\pidgin.exe"= TCP:c:\program files\pidgin\pidgin.exe:Pidgin
"{8449BA35-9CE9-43DE-9B37-8828DFC237CE}"= UDP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{078D9FD3-A7D5-4C04-B9DF-055C12357909}"= TCP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Windows\\trlrm\\RMHSvc.exe"= c:\windows\trlrm\RMHSvc.exe:*:Enabled:RMHSvc.exe

R0 fcjrurg;fcjrurg; [x]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]


--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2573747636-4075412569-133060285-1000.job
- c:\users\R!CH\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-15 02:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sfgate.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\R!CH\AppData\Roaming\Mozilla\Firefox\Profiles\yyof0pe0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\users\R!CH\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 00:58
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SOFTWARE\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg9c.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg9c.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.9"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg9c.ocx, 1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg9c.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg9c.ocx, 1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9c.exe,-101"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
"Enabled"=dword:00000001

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9c.exe"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_USERS\SOFTWARE\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_USERS\SYSTEM\ControlSet001\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxcryswqnaoaonqwjbilicaiybddxtspeje.sys"

[HKEY_USERS\SYSTEM\ControlSet002\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxcryswqnaoaonqwjbilicaiybddxtspeje.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(656)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'Explorer.exe'(3628)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\SmartFTP Client\SmartHook.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Windows Defender\MSASCui.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-04-29 1:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 08:04

Pre-Run: 423,174,578,176 bytes free
Post-Run: 421,873,680,384 bytes free

406 --- E O F --- 2009-04-28 21:56



#11 R!CH
  • Topic Starter
  • Members
  • 22 posts

Posted 29 April 2009 - 05:42 AM

ok an update:

first more back story... before i ran combofix i had attempted to dl and install vista's sp1, which would reach 100% completion of stage 3 of 3, then tell me it failed to update and was reverting back to its restore point. when the system restarted after reverting, i ran combofix. once it restarted sp1 tried to reinstall itself and it worked! as windows restarted, teatimer alerts began popping up. i accepted a couple, then became suspicious and denied the other half. then the next 31 vista security updates popped up in windows update and i went ahead with those updates. 5 of them succeeded, 26 of them failed. i tried to reinstall those failed 26, but all 26 failed again. i'm not sure if these failures are a result of me denying the changes in teatimer or something else. for reference, here's what i allowed and denied in teatimer....


4/28/2009 12:29:36 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "") deleted in System Startup global entry!
4/28/2009 12:35:37 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "C:\Program Files\Malwarebytes\mbamgui.exe /install /silent") added in System Startup global entry!
4/28/2009 12:43:43 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "") deleted in System Startup global entry!
4/28/2009 2:17:32 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
") added in Session manager!
4/28/2009 2:17:40 PM Allowed (based on user decision) value "ExcludeFromKnownDlls" (new data: "") added in Session manager!
4/28/2009 2:22:51 PM Allowed (based on user decision) value "BootExecute" (new data: "") deleted in Session manager!
4/28/2009 2:22:53 PM Allowed (based on user decision) value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
4/28/2009 2:42:27 PM Allowed (based on user decision) value "Local Page" (new data: "C:\Windows\System32\blank.htm") changed in Browser page!
4/28/2009 11:25:04 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
") added in Session manager!
4/28/2009 11:25:05 PM Allowed (based on user decision) value "ExcludeFromKnownDlls" (new data: "") added in Session manager!
4/28/2009 11:51:13 PM Allowed (based on user decision) value "BootExecute" (new data: "") deleted in Session manager!
4/28/2009 11:51:13 PM Allowed (based on user decision) value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
4/28/2009 11:51:23 PM Allowed (based on user decision) value "DisableCMD" (new data: "0") added in Disable Command!
4/29/2009 1:00:35 AM Allowed (based on user decision) value "Windows Defender" (new data: "") deleted in System Startup global entry!
4/29/2009 2:43:01 AM Allowed (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
4/29/2009 2:43:15 AM Denied (based on user decision) value "SearchAssistant" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm") added in Browser page!
4/29/2009 2:43:20 AM Denied (based on user decision) value "CustomizeSearch" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm") added in Browser page!
4/29/2009 2:43:49 AM Allowed (based on user decision) value "load" (new data: "") deleted in NT startup!
4/29/2009 2:43:56 AM Allowed (based on user decision) value "Shell" (new data: "Explorer.exe") changed in Winlogon!
4/29/2009 2:44:00 AM Allowed (based on user decision) value "System" (new data: "") added in Winlogon!
4/29/2009 2:44:12 AM Denied (based on user decision) value "scrnsave.exe" (new data: "") deleted in Desktop settings!
4/29/2009 2:44:15 AM Denied (based on user decision) value "DisableCMD" (new data: "") deleted in Disable Command!
4/29/2009 2:44:21 AM Denied (based on user decision) value "DisableRegistryTools" (new data: "0") added in Disable Registrytool!


if some of these denials are critical to my system running properly, then how do i fix them?

here is a list of the failed updates:

Attached file: fails.jpg (295.43KB)

#12 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 29 April 2009 - 07:29 AM

Hello R!CH,

please do not make any changes to your system unless instructed to. This might make everything more complicated. We will focus on updating your system later on.


Now open notepad and copy/paste the text in the codebox below into it:

@echo off
rem add each listed quarantined file to Files_for_submission.zip in the current folder
for %%g in (
C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadGC2.dll.vir
) do zip Files_for_submission %%g
rem remove this batch file once the archive has been built
del %0

Save this as zip.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this: [image]
Double click on zip.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop. Please upload that file here --> http://www.bleepingcomputer.com/submit-malware.php?channel=4

Once you have successfully uploaded the file please proceed with the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Service::
fcjrurg

RegLockDel::
[HKEY_USERS\SYSTEM\ControlSet001\Services\gxvxcserv.sys]
[HKEY_USERS\SYSTEM\ControlSet002\Services\gxvxcserv.sys]


Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

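Added example, not code from the thread or from ComboFix: a small Python triage script that parses a constructed excerpt modelled on the log above and flags the same entries the CFScript in this reply targets (the orphaned service fcjrurg and the locked, randomly named gxvxcserv.sys driver key), plus the EnableLUA=0 policy. The excerpt text, the name-randomness heuristic and its entropy threshold are assumptions.

```python
import math
import re
from collections import Counter

# Constructed excerpt modelled on the ComboFix log in this thread (not the
# full log); backslashes are doubled only where the log itself doubles them.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

R0 fcjrurg;fcjrurg; [x]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_USERS\SYSTEM\ControlSet001\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxcryswqnaoaonqwjbilicaiybddxtspeje.sys"
"""

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")   # R0 name;display;image
KEY_RE = re.compile(r"^\[(.+)\]$")                               # [HKEY_...]
IMAGE_RE = re.compile(r'"imagepath"=(?:expand:)?"(.+)"', re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking names score high."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def looks_random(filename: str) -> bool:
    """Assumed heuristic: a long, letters-only, high-entropy stem like the driver above."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) >= 20 and stem.isalpha() and shannon_entropy(stem) >= 3.5


def parse_services(text):
    """Driver/service lines in the Reg Loading Points section ('[x]' = image file missing)."""
    return [
        {"start": m.group(1), "name": m.group(2), "display": m.group(3), "image": m.group(4).strip()}
        for m in (SERVICE_RE.match(line.strip()) for line in text.splitlines())
        if m
    ]


def parse_locked_keys(text):
    """Blocks under the LOCKED REGISTRY KEYS header, as {key: [value lines]}."""
    keys, current, seen_header = {}, None, False
    for line in text.splitlines():
        if "LOCKED REGISTRY KEYS" in line:
            seen_header = True
            continue
        if not seen_header:
            continue
        m = KEY_RE.match(line.strip())
        if m:
            current = m.group(1)
            keys[current] = []
        elif current and line.strip():
            keys[current].append(line.strip())
    return keys


def triage(text):
    """Return (category, detail) findings a helper would act on."""
    findings = []
    if re.search(r'"EnableLUA"=\s*0\b', text):
        findings.append(("uac_disabled", "EnableLUA=0"))
    for svc in parse_services(text):
        if svc["image"] == "[x]":                      # service with no file behind it
            findings.append(("orphaned_service", svc["name"]))
    for key, values in parse_locked_keys(text).items():
        if "\\Services\\" not in key:                  # locked CLSID keys (Flash) are not services
            continue
        image = next((IMAGE_RE.match(v).group(1) for v in values if IMAGE_RE.match(v)), "")
        basename = image.replace("\\\\", "\\").rsplit("\\", 1)[-1]
        tag = "random_named_driver" if looks_random(basename) else "locked_service_key"
        findings.append((tag, key.split("\\")[-1] + " -> " + basename))
    return findings


if __name__ == "__main__":
    for cat, detail in triage(SAMPLE_LOG):
        print(f"{cat:22} {detail}")
```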


#13 R!CH
  • Topic Starter
  • Members
  • 22 posts

Posted 29 April 2009 - 02:07 PM

my apologies. i tried to run zip.bat, but i get a 'windows command processor has stopped working' error. how should i proceed?

#14 R!CH
  • Topic Starter
  • Members
  • 22 posts

Posted 29 April 2009 - 02:17 PM

i have archived the contents of 'C:\Qoobox\Quarantine\C\WINDOWS\system32\' as 'Files_for_submission.rar', do you want me to upload this file and continue with the combofix?

#15 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 29 April 2009 - 05:48 PM

Hi R!CH,

could you please zip only the following file and submit it:

C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadGC2.dll.vir


Continue with the instructions above after that.

regards _temp_





