
Possible infection (Trojan).


  • This topic is locked
34 replies to this topic

#1 Surpriser

Surpriser

  • Members
  • 38 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 08 May 2009 - 12:58 AM

At first, NOD32 did not want to start after a reboot. After I ran it again, it worked well.
A few seconds after that there was a message: generic host process for win32 services has encountered a problem ... sometimes it referred to nod32.exe, yesterday to svchost.exe ... sometimes to SpybotSD.exe (only when I want to run it) ...

The computer is working fine, speed is normal, no other signs of infection.

I tried this:
- Malwarebyte's scan
- NOD32 scan
- F-Secure online scan
- S&D scan
- Emsisoft A-Squared Anti-Malware 4.0
- Dr.Web CureIt!
- SUPERAntiSpyware
- ATF Cleaner

Malwarebytes found "sysguard.exe" and deleted it.
SUPERAntiSpyware found Trojan.Agent/Gen-AlerterALG.
A few days later NOD32 found a threat in c:\windows\system32\drivers\etc\hosts - win32/qhost trojan - quarantined!

I also did:
Upgrade to SP3
Upgrade to IE8
Recheck all updates
Cleaned up the registry with Registry Mechanic
Reinstalled NOD32 (upgraded from version 3 to version 4)

NOD32 is now starting normally every time, but the message (generic host ...) occasionally repeats, so I'm still suspecting malware or some other infection.

Any help would be appreciated!

Thanks

HJT log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by user at 7:40:13,40 on pet 08.05.2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1250.386.1033.18.3327.2717 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\USBDLM\USBDLM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
svchost
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Network Registry Agent] c:\windows\system32\hpnra.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [CnwiDeviceAgent] c:\program files\canon\imageprografstatusmonitor\cnwida.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [RegistryMechanic]
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagep~1.lnk - c:\program files\canon\imageprografstatusmonitor\cnwism.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207202229937
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B19FDE22-5907-4315-B558-1D537E86C3E1} - hxxp://www.flipviewer.com/exe/fv421.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {08F5FE48-260B-4893-97F9-585DC7EB0E94} = 212.18.32.10,212.18.32.12
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\40pr4v21.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-4-9 94360]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-4-9 731840]
R2 USBDLM;USBDLM;c:\program files\usbdlm\USBDLM.exe [2008-5-5 156672]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2008-4-1 38656]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [2008-10-22 16384]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2008-4-10 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2008-4-10 17700]
S2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\system32\wpv051239875029.exe run --> c:\windows\system32\wpv051239875029.exe run [?]
S3 G;G;d:\tempor~1\g.exe --> d:\tempor~1\G.exe [?]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2008-4-11 11520]

=============== Created Last 30 ================

2009-05-07 09:16 <DIR> --dsh--- c:\documents and settings\user\IECompatCache
2009-05-05 11:51 2,938,364 a------- c:\windows\UPREVIEW.TMP
2009-05-05 00:55 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-04 15:25 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-04 15:25 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-05-04 15:25 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-04 15:25 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-04 15:25 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-04 15:25 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-04 15:25 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-04 15:25 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-04 14:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-04 14:28 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-04 14:28 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-05-04 13:52 <DIR> --d----- c:\documents and settings\user\DoctorWeb
2009-05-04 12:00 26 a------- c:\windows\Zone.Identifier
2009-05-04 11:18 <DIR> --d----- c:\windows\ServicePackFiles
2009-05-04 11:18 294,912 -c------ c:\windows\system32\dllcache\dlimport.exe
2009-05-04 11:16 19,569 a------- c:\windows\003029_.tmp
2009-05-04 10:43 <DIR> --dsh--- c:\documents and settings\user\PrivacIE
2009-05-04 10:42 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-05-04 10:37 <DIR> --d----- c:\windows\ie8updates
2009-05-04 10:36 <DIR> -cd-h--- c:\windows\ie8
2009-05-04 10:07 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-18 14:08 4,508 a------- c:\windows\system32\PerfStringBackup.TMP
2009-04-18 14:08 25,600 a------- c:\windows\system32\drivers\hidbth.sys
2009-04-18 14:07 101,120 a------- c:\windows\system32\drivers\bthpan.sys
2009-04-18 14:07 59,136 a------- c:\windows\system32\drivers\rfcomm.sys
2009-04-18 14:07 151,552 a------- c:\windows\system32\irftp.exe
2009-04-18 14:07 28,160 a------- c:\windows\system32\irmon.dll
2009-04-18 14:07 17,024 a------- c:\windows\system32\drivers\bthenum.sys
2009-04-18 14:07 8,192 a------- c:\windows\system32\wshirda.dll
2009-04-18 14:07 18,944 a------- c:\windows\system32\drivers\bthusb.sys
2009-04-18 14:06 21,504 a------- c:\windows\system32\hidserv.dll
2009-04-18 14:06 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-04-18 14:06 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-04-17 14:04 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-04-17 14:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-17 14:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 14:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-17 14:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-17 12:37 <DIR> --d----- c:\program files\Trend Micro
2009-04-17 11:56 <DIR> --d----- c:\windows\pss
2009-04-16 14:21 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-16 14:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-16 12:40 13,646 a------- c:\windows\system32\wpa.dbl
2009-04-16 12:34 161,792 a------- c:\windows\SWREG.exe
2009-04-16 12:34 98,816 a------- c:\windows\sed.exe
2009-04-16 12:27 32 a--s---- c:\windows\system32\4174773894.dat
2009-04-09 15:21 94,360 a------- c:\windows\system32\drivers\epfwtdir.sys
2009-04-09 15:18 107,256 a------- c:\windows\system32\drivers\ehdrv.sys
2009-04-09 15:10 113,960 a------- c:\windows\system32\drivers\eamon.sys

==================== Find3M ====================

2009-05-04 11:21 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 16:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 14:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 14:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 14:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 14:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 13:13 1,846,784 a------- c:\windows\system32\win32k.sys
2006-06-24 00:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 7:40:32,90 ===============



#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:54 AM

Posted 23 May 2009 - 10:08 AM

Hello, Surpriser.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks

Also, you may want to consider tracking this topic by either adding it to your favourites or clicking the Options button at the top of this thread.

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
In your next reply, please include the following:
  • RSIT Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 Surpriser

Surpriser
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 25 May 2009 - 12:46 AM

Hello!

Thanks for your time!

The Logs:
info.txt logfile of random's system information tool 1.06 2009-05-25 07:44:24

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 8.0 Professional Edition-->MsiExec.exe /I{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}
ACDSee 32-->C:\PROGRA~1\ACDSee32\UNWISE.EXE C:\PROGRA~1\ACDSee32\INSTALL.LOG
Adobe Acrobat 7.0 Professional - Hungarian, Slovenian-->msiexec /I {AC76BA86-1033-4700-7760-100000000002}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Attansic Ethernet Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F698102-5739-441E-96F0-74F4EA540F06}\setup.exe" -l0x9 -removeonly
Attansic L1 Gigabit Ethernet Driver-->rundll32.exe C:\WINDOWS\system32\Attansic\L1\atcInst.dll,AtcUninst C:\WINDOWS\system32\Attansic\L1 x86 1969 1048 L1
Canon S9000-->C:\WINDOWS\system32\CNMCP3i.exe "-PRINTERNAMECanon S9000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon S9000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon S9000 Installer\Inst2\cnmi0409.dll"
CDDRV_Installer-->MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Corel Applications-->C:\WINDOWS\Corel\Uninst32.exe
Corel Graphics Suite 11-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{07A540AB-D785-11D5-8E89-0090275862A0}
CorelDRAW Graphics Suite X4 - Capture-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF012}
CorelDRAW Graphics Suite X4 - Content-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF016}
CorelDRAW Graphics Suite X4 - Draw-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF013}
CorelDRAW Graphics Suite X4 - Filters-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF017}
CorelDRAW Graphics Suite X4 - FontNav-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF019}
CorelDRAW Graphics SUite X4 - ICA-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF010}
CorelDRAW Graphics Suite X4 - IPM-->MsiExec.exe /I{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}
CorelDRAW Graphics Suite X4 - Lang BR-->MsiExec.exe /I{1A9DAB4D-46CD-4CBF-A9FC-28D8AA8D2FCF}
CorelDRAW Graphics Suite X4 - Lang DE-->MsiExec.exe /I{AEFBAC58-2DDD-4CEF-BDFD-52A5A5F432ED}
CorelDRAW Graphics Suite X4 - Lang EN-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF100}
CorelDRAW Graphics Suite X4 - Lang ES-->MsiExec.exe /I{D2827848-7D2A-4547-9AD1-C965FB3E6344}
CorelDRAW Graphics Suite X4 - Lang FR-->MsiExec.exe /I{9D306690-3173-42CD-94C6-9EF9318AF24B}
CorelDRAW Graphics Suite X4 - Lang IT-->MsiExec.exe /I{D0160DD3-6F62-4F1E-B999-6C68D3AE7390}
CorelDRAW Graphics Suite X4 - Lang NL-->MsiExec.exe /I{A6C27FFF-75EF-4B5B-A64E-F9E128994908}
CorelDRAW Graphics Suite X4 - PP-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF014}
CorelDRAW Graphics Suite X4 - VBA-->MsiExec.exe /I{BF439B41-0252-48DE-8B8B-0430CB26A181}
CorelDRAW Graphics Suite X4-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF000}
CorelDRAW® Graphics Suite X4 - Windows Shell Extension-->c:\Program Files\Common Files\Corel\Shared\Shell Extension\Uninst.exe
CorelDRAW® Graphics Suite X4 - Windows Shell Extension-->MsiExec.exe /X{CE2DA11A-917F-4CF5-AB55-755EC115DD10}
CorelDRAW® Graphics Suite X4-->C:\Program Files\Corel\CorelDRAW Graphics Suite X4\Setup\SetupARP.exe /arp
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
ffdshow [rev 1900] [2008-03-15]-->"C:\Program Files\ffdshow\unins000.exe"
FreeUndelete-->C:\Program Files\FreeUndelete\GLF687.exe /handle:fru
GalleryImages-->MsiExec.exe /I{3C3AB164-964F-419D-A688-810E728B9D7D}
GIF Construction Set Professional 3-->C:\WINDOWS\ALCHUNIN.EXE C:\Program Files\Alchemy Mindworks\GIF Construction Set Professional 3\INSTALLD.TXT
Google SketchUp 7-->MsiExec.exe /I{E5D52570-5EF1-4576-A434-6CCD92268F0F}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
hp LaserJet 5100 Uninstaller-->C:\Program Files\Hewlett-Packard\LJ5100\Uninstall\setup.exe ciuninst.ini
imagePROGRAF Device Setup Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3BDF1F4-0312-4307-811B-DE5E452A7AE6}\setup.exe" -l0x9
imagePROGRAF Status Monitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66392B7C-C522-450D-97B7-B3E41E170C3B}\setup.exe" -l0x9
iPF5000 Printer Driver Extra Kit-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5B8EE8B-C8C1-475D-8C46-B16B2FEAC4CB}\setup.exe" -l0x9
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
KhalInstallWrapper-->MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
KODAK i1200 - Smart touch-->MsiExec.exe /I{E5E9E8C1-2BD6-4270-893B-1EDB5E276FA4}
KODAK i1210/i1220 Scanner-->C:\WINDOWS\twain_32\Kodak\KDS_I1~1\install\UNWISE.EXE C:\WINDOWS\twain_32\Kodak\KDS_I1~1\install\INSTALL.LOG
Kodak s1220 Photo Scanning System-->C:\PROGRA~1\Kodak\DOCUME~1\S1220P~1\UNWISE.EXE C:\PROGRA~1\Kodak\DOCUME~1\S1220P~1\INSTALL.LOG
Logitech MouseWare 9.79.1 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 -l0009 UNINSTALL
Logitech Registration-->MsiExec.exe /I{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}
Logitech SetPoint-->C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Macromedia Dreamweaver MX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 Video Encoder-->MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash 8-->MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010424-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
Nero 7 Premium-->MsiExec.exe /I{38E0C491-5230-4373-B62E-F1A6E94B1060}
OpenOffice.org 2.4-->MsiExec.exe /I{2CD2C0DB-81C3-416B-9FA6-589B9235359B}
QuarkXPress 6.52-->MsiExec.exe /I{FF0B0792-F6E7-4627-B820-EA50617E223B}
QuarkXPress 7.31-->MsiExec.exe /I{A38048C6-89D1-44EC-BC95-E95DD4A19B5E}
QuarkXPress Passport 5.01-->MsiExec.exe /I{A7BF5297-3E74-11D5-B00F-00104B398D77}
QuarkXPress-->MsiExec.exe /I{706EA4A8-97B5-4C29-A0F3-0B38C666F0C4}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x24 -removeonly
Registry Mechanic 6.0-->"C:\Program Files\Registry Mechanic\unins000.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Windows Internet Explorer 8 (KB968220)-->"C:\WINDOWS\ie8updates\KB968220-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
WIBU-KEY Setup (WIBU-KEY Remove)-->C:\Program Files\WIBUKEY\Setup\Setup32.exe /R:{00060000-0000-1004-8002-0000C06B5161}
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Xara3D6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3783869-5D14-4838-A042-910DF816D070}\setup.exe" -l0x9

=====HijackThis Backups=====

O23 - Service: Adobe LM Service AdobeAlerter (AdobeAlerter) - Unknown owner - C:\WINDOWS\system32\wpv051239875029.exe (file missing) [2009-04-17]
O23 - Service: Windows Management Instrumentation Driver Extensions WmiIDriverT (WmiIDriverT) - Unknown owner - C:\WINDOWS\system32\adsnwd.exe [2009-04-17]
O23 - Service: Windows Management Instrumentation Driver Extensions WmiIDriverT (WmiIDriverT) - Unknown owner - C:\WINDOWS\system32\adsnwd.exe [2009-04-17]
O23 - Service: Adobe LM Service AdobeAlerter (AdobeAlerter) - Unknown owner - C:\WINDOWS\system32\wpv051239875029.exe (file missing) [2009-04-17]

Hosts File Missing
======Security center information======

AV: ESET NOD32 Antivirus 4.0

======System event log======

Computer Name: user
Event Code: 2021
Message: The server was unable to allocate a work item 1 times in the last 60 seconds.

Record Number: 13163
Source Name: Srv
Time Written: 20090323082739.000000+060
Event Type: warning
User:

Computer Name: user
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 13160
Source Name: Tcpip
Time Written: 20090323080457.000000+060
Event Type: warning
User:

Computer Name: user
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 13129
Source Name: Tcpip
Time Written: 20090320080223.000000+060
Event Type: warning
User:

Computer Name: user
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 13100
Source Name: Tcpip
Time Written: 20090319082901.000000+060
Event Type: warning
User:

Computer Name: user
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 13099
Source Name: Tcpip
Time Written: 20090319081517.000000+060
Event Type: warning
User:

=====Application event log=====

Computer Name: user
Event Code: 1000
Message: Faulting application winword.exe, version 9.0.0.2823, faulting module winword.exe, version 9.0.0.2823, fault address 0x00232fbf.

Record Number: 1108
Source Name: Application Error
Time Written: 20080909151627.000000+120
Event Type: error
User:

Computer Name: user
Event Code: 1517
Message: Windows saved user user\user registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1105
Source Name: Userenv
Time Written: 20080908162509.000000+120
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: user
Event Code: 12001
Message:
Record Number: 1096
Source Name: usnjsvc
Time Written: 20080905140313.000000+120
Event Type:
User:

Computer Name: user
Event Code: 1517
Message: Windows saved user user\user registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1093
Source Name: Userenv
Time Written: 20080904141612.000000+120
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: user
Event Code: 1517
Message: Windows saved user user\user registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1086
Source Name: Userenv
Time Written: 20080902161128.000000+120
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=4
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Adobe\AGL
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 7, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=1707
"TEMP"=D:\temporary
"TMP"=D:\temporary
"windir"=%SystemRoot%

-----------------EOF-----------------


Logfile of random's system information tool 1.06 (written by random/random)
Run by user at 2009-05-25 07:44:21
Microsoft Windows XP Professional Service Pack 3
System drive C: has 284 GB (93%) free of 305 GB
Total RAM: 3327 MB (81% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:22, on 25.5.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\USBDLM\USBDLM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CnwiDeviceAgent] C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: imagePROGRAF Status Monitor.lnk = C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwism.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207202229937
O16 - DPF: {B19FDE22-5907-4315-B558-1D537E86C3E1} - http://www.flipviewer.com/exe/fv421.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08F5FE48-260B-4893-97F9-585DC7EB0E94}: NameServer = 212.18.32.10,212.18.32.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{08F5FE48-260B-4893-97F9-585DC7EB0E94}: NameServer = 212.18.32.10,212.18.32.12
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe LM Service AdobeAlerter (AdobeAlerter) - Unknown owner - C:\WINDOWS\system32\wpv051239875029.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: G - Unknown owner - d:\TEMPOR~1\G.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: USBDLM - Uwe Sieber - www.uwe-sieber.de - c:\Program Files\USBDLM\USBDLM.exe

--
End of file - 8947 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1450960922-682003330-1003.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-03-21 16126464]
"HP Network Registry Agent"=C:\WINDOWS\system32\hpnra.exe [2000-10-26 49152]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"Logitech Utility"=C:\WINDOWS\Logi_MwX.Exe [2003-12-17 19968]
"CnwiDeviceAgent"=C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe [2007-08-21 71504]
"Kernel and Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"Bluetooth Connection Assistant"=LBTWIZ.EXE -silent []
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"RegistryMechanic"= []
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-04-09 2029640]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Google Update"=C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-12 133104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
imagePROGRAF Status Monitor.lnk - C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwism.exe
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Documents and Settings\user\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-02-26 126976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll [2008-05-02 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\m2\mirc.exe"="C:\Program Files\m2\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\totalcmd\TOTALCMD.EXE"="C:\Program Files\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\Program Files\Quark\QuarkXPress 6.1\QuarkXPress Passport.exe"="C:\Program Files\Quark\QuarkXPress 6.1\QuarkXPress Passport.exe:*:Enabled:QuarkXPress Passport 6.5r0"
"C:\Program Files\Canon\imagePROGRAF Device Setup Utility\cnwids.exe"="C:\Program Files\Canon\imagePROGRAF Device Setup Utility\cnwids.exe:*:Enabled:imagePROGRAF Device Setup Utility"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwism.exe"="C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwism.exe:*:Enabled:imagePROGRAF Status Monitor"
"C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe"="C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe:*:Enabled:imagePROGRAF Device Agent"
"C:\Program Files\Quark\QuarkXPress 7.3\QuarkXPress Passport.exe"="C:\Program Files\Quark\QuarkXPress 7.3\QuarkXPress Passport.exe:*:Enabled:QuarkXPress 7.31r0"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17fd34f1-8df5-11dd-8188-001e8c54721b}]
shell\AutoRun\command - H:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ef1c21b-10fb-11dd-811b-001e8c54721b}]
shell\AutoRun\command - I:\fooool.exe
shell\explore\command - I:\fooool.exe
shell\open\command - I:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ef1c21c-10fb-11dd-811b-001e8c54721b}]
shell\AutoRun\command - I:\fooool.exe
shell\explore\command - I:\fooool.exe
shell\open\command - I:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70a957a2-baba-11dd-81b0-001e8c54721b}]
shell\AutoRun\command - I:\Autorun.exe /run
shell\Shell00\command - I:\Autorun.exe /run
shell\Shell01\command - I:\Autorun.exe /action
shell\Shell02\command - I:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9244438f-15cf-11dd-8120-001e8c54721b}]
shell\AutoRun\command - fooool.exe
shell\explore\command - fooool.exe
shell\open\command - fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab75c6c8-1bfd-11dd-8123-001e8c54721b}]
shell\AutoRun\command - I:\fooool.exe
shell\explore\command - I:\fooool.exe
shell\open\command - I:\fooool.exe


======File associations======

.js - open - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2009-05-25 07:44:21 ----D---- C:\rsit
2009-05-19 11:33:43 ----A---- C:\WINDOWS\UPREVIEW.TMP
2009-05-05 03:00:34 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-05-04 15:28:08 ----HDC---- C:\WINDOWS\$NtUninstallKB961503$
2009-05-04 15:28:03 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-05-04 15:25:42 ----D---- C:\WINDOWS\system32\XPSViewer
2009-05-04 15:25:39 ----D---- C:\Program Files\MSBuild
2009-05-04 15:25:32 ----D---- C:\Program Files\Reference Assemblies
2009-05-04 15:25:12 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-05-04 15:25:12 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-05-04 15:25:12 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-05-04 15:22:41 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-05-04 15:22:32 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-05-04 14:28:49 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-04 14:28:34 ----D---- C:\Program Files\SUPERAntiSpyware
2009-05-04 14:28:34 ----D---- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2009-05-04 11:53:36 ----D---- C:\WINDOWS\Prefetch
2009-05-04 11:36:58 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-05-04 11:36:29 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-05-04 11:36:02 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-05-04 11:35:33 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-05-04 11:35:06 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-05-04 11:34:38 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-05-04 11:34:10 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-05-04 11:33:41 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-05-04 11:33:13 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-05-04 11:32:45 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-05-04 11:32:18 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-05-04 11:31:51 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-05-04 11:31:23 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-05-04 11:30:51 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-05-04 11:30:18 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-05-04 11:29:51 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-05-04 11:29:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-05-04 11:28:55 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-05-04 11:28:28 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-05-04 11:27:58 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-05-04 11:27:29 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-05-04 11:27:03 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-05-04 11:26:35 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-05-04 11:26:09 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-05-04 11:25:41 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-05-04 11:25:14 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-05-04 11:24:46 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-05-04 11:24:15 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-05-04 11:23:49 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-05-04 11:23:16 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-05-04 11:20:33 ----N---- C:\WINDOWS\system32\smtpapi.dll
2009-05-04 11:20:33 ----N---- C:\WINDOWS\system32\rwnh.dll
2009-05-04 11:20:33 ----N---- C:\WINDOWS\system32\comsdupd.exe
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\credssp.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\azroles.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\aaclient.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\ieencode.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eapsvc.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eapqec.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eappprxy.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eapphost.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eappgnui.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eappcfg.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eapolqec.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3ui.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3svc.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3msm.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3api.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dimsroam.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\kmsvc.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\kbdpash.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\onex.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\nv4_disp.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\napstat.exe
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\napmontr.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\napipsec.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mssha.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mmcperf.exe
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mmcex.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\tspkg.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\tsgqec.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\slserv.exe
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\slrundll.exe
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\slgen.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\slextspk.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\slcoinst.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\setupn.exe
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\s3gnb.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\rasqec.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\qutil.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\qcliprov.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\qagentrt.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\qagent.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2009-05-04 11:20:26 ----N---- C:\WINDOWS\system32\wmphoto.dll
2009-05-04 11:20:26 ----N---- C:\WINDOWS\system32\wlanapi.dll
2009-05-04 11:20:26 ----N---- C:\WINDOWS\slrundll.exe
2009-05-04 11:20:24 ----D---- C:\WINDOWS\system32\scripting
2009-05-04 11:20:20 ----D---- C:\WINDOWS\system32\en
2009-05-04 11:20:20 ----D---- C:\WINDOWS\system32\bits
2009-05-04 11:20:20 ----D---- C:\WINDOWS\l2schemas
2009-05-04 11:18:42 ----D---- C:\WINDOWS\ServicePackFiles
2009-05-04 11:17:14 ----D---- C:\WINDOWS\network diagnostic
2009-05-04 11:16:04 ----A---- C:\WINDOWS\003029_.tmp
2009-05-04 11:14:18 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-05-04 10:53:52 ----A---- C:\WINDOWS\system32\STKIT432.DLL
2009-05-04 10:53:48 ----D---- C:\Program Files\Registry Mechanic
2009-05-04 10:37:56 ----D---- C:\WINDOWS\ie8updates
2009-05-04 10:37:15 ----D---- C:\WINDOWS\WBEM
2009-05-04 10:36:32 ----HDC---- C:\WINDOWS\ie8
2009-05-04 10:36:32 ----D---- C:\WINDOWS\system32\en-US
2009-05-04 10:08:36 ----HDC---- C:\WINDOWS\$NtUninstallKB932823-v3$

======List of files/folders modified in the last 1 months======

2009-05-25 07:41:33 ----A---- C:\WINDOWS\wincmd.ini
2009-05-22 14:51:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-22 14:44:54 ----A---- C:\WINDOWS\wcx_ftp.ini
2009-05-22 14:09:25 ----D---- C:\Program Files\Mozilla Firefox
2009-05-21 08:27:38 ----RD---- C:\Program Files
2009-05-21 08:10:27 ----D---- C:\WINDOWS\system32
2009-05-19 15:04:01 ----D---- C:\WINDOWS\system32\drivers
2009-05-19 11:33:43 ----D---- C:\WINDOWS
2009-05-19 11:32:56 ----A---- C:\WINDOWS\magic32.ini
2009-05-19 08:10:38 ----D---- C:\WINDOWS\system32\wbem
2009-05-15 13:39:44 ----D---- C:\Planet9
2009-05-12 20:16:30 ----SHD---- C:\WINDOWS\Installer
2009-05-12 09:28:12 ----SD---- C:\WINDOWS\Tasks
2009-05-12 09:15:25 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-07 09:36:53 ----A---- C:\WINDOWS\amebis.ini
2009-05-07 09:28:45 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-05-07 09:16:29 ----A---- C:\WINDOWS\system32\MRT.exe
2009-05-05 09:46:39 ----HD---- C:\WINDOWS\inf
2009-05-05 07:28:39 ----D---- C:\Downloads
2009-05-05 03:00:53 ----A---- C:\WINDOWS\imsins.BAK
2009-05-05 03:00:49 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-05 03:00:41 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-04 17:53:38 ----D---- C:\Program Files\Common Files
2009-05-04 17:01:13 ----D---- C:\WINDOWS\Microsoft.NET
2009-05-04 17:01:10 ----RSD---- C:\WINDOWS\assembly
2009-05-04 15:28:04 ----D---- C:\WINDOWS\WinSxS
2009-05-04 15:27:29 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
2009-05-04 15:25:36 ----RSD---- C:\WINDOWS\Fonts
2009-05-04 15:25:23 ----D---- C:\WINDOWS\system32\spool
2009-05-04 15:24:04 ----D---- C:\Program Files\Internet Explorer
2009-05-04 15:11:24 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-04 14:43:14 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-04 12:34:57 ----D---- C:\WINDOWS\temp
2009-05-04 11:56:58 ----D---- C:\Program Files\utils
2009-05-04 11:55:22 ----A---- C:\WINDOWS\OEWABLog.txt
2009-05-04 11:54:09 ----A---- C:\WINDOWS\setuplog.txt
2009-05-04 11:53:08 ----D---- C:\WINDOWS\AppPatch
2009-05-04 11:53:07 ----D---- C:\WINDOWS\system32\Setup
2009-05-04 11:24:30 ----D---- C:\Program Files\Messenger
2009-05-04 11:22:58 ----D---- C:\WINDOWS\security
2009-05-04 11:20:44 ----D---- C:\Program Files\Windows Media Player
2009-05-04 11:20:32 ----D---- C:\WINDOWS\system32\inetsrv
2009-05-04 11:20:32 ----D---- C:\WINDOWS\ime
2009-05-04 11:20:32 ----D---- C:\WINDOWS\Help
2009-05-04 11:20:26 ----D---- C:\WINDOWS\system32\usmt
2009-05-04 11:20:20 ----D---- C:\WINDOWS\PeerNet
2009-05-04 11:20:20 ----D---- C:\Program Files\Movie Maker
2009-05-04 11:18:31 ----D---- C:\WINDOWS\system32\Restore
2009-05-04 11:18:31 ----D---- C:\WINDOWS\system32\npp
2009-05-04 11:18:31 ----D---- C:\WINDOWS\mui
2009-05-04 11:18:30 ----D---- C:\WINDOWS\msagent
2009-05-04 11:18:29 ----D---- C:\WINDOWS\srchasst
2009-05-04 11:18:29 ----D---- C:\Program Files\NetMeeting
2009-05-04 11:18:28 ----D---- C:\WINDOWS\system32\Com
2009-05-04 11:18:26 ----D---- C:\Program Files\Windows NT
2009-05-04 11:18:26 ----D---- C:\Program Files\Outlook Express
2009-05-04 11:18:25 ----D---- C:\Program Files\Common Files\System
2009-05-04 11:18:12 ----D---- C:\WINDOWS\system32\oobe
2009-05-04 11:18:10 ----D---- C:\WINDOWS\system
2009-05-04 11:14:18 ----D---- C:\WINDOWS\ehome
2009-05-04 10:37:17 ----D---- C:\WINDOWS\system32\config
2009-05-04 10:37:10 ----D---- C:\WINDOWS\Media

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-04-09 94360]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-02-28 12032]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-04-09 113960]
R2 WIBUKEY;WIBU-KEY Kernel Driver; C:\WINDOWS\SYSTEM32\DRIVERS\WibuKey.sys [2006-11-22 72704]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller; C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 38656]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-02-26 2863616]
R3 AtiHdmiService;ATI Function Driver for HDMI Service; C:\WINDOWS\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-03-26 4395008]
R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2008-02-29 20240]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2008-02-29 35344]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2008-02-29 36880]
R3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\WINDOWS\System32\Drivers\LUsbFilt.Sys [2008-02-29 28944]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
R3 Wibukey2;Wibukey2; C:\WINDOWS\system32\drivers\wibukey2.sys [2006-11-09 16384]
S1 AEC671X;AEC671X; C:\WINDOWS\System32\drivers\AEC671X.SYS [2008-04-11 12128]
S1 DMX3191;DMX3191; C:\WINDOWS\System32\drivers\DMX3191.SYS [2008-04-11 17700]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
S3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-14 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-14 101120]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-14 18944]
S3 catchme;catchme; \??\d:\TEMPOR~1\catchme.sys []
S3 HidBth;Microsoft Bluetooth HID Miniport; C:\WINDOWS\system32\DRIVERS\hidbth.sys [2008-04-14 25600]
S3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-12-17 25505]
S3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-12-17 70801]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-14 59136]
S3 scsiscan;SCSI Scanner Driver; C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2008-04-14 11520]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-02-26 520192]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-04-09 731840]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 USBDLM;USBDLM; c:\Program Files\USBDLM\USBDLM.exe [2008-04-20 156672]
S2 AdobeAlerter;Adobe LM Service AdobeAlerter; C:\WINDOWS\system32\wpv051239875029.exe run []
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-02-25 593920]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-04-03 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-04-09 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 G;G; d:\TEMPOR~1\G.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

#4 aommaster (Malware Response Team)

Posted 26 May 2009 - 05:41 AM

Hi!

Thanks for posting your log.

Logs take a while to process due to intensive research that must be done. Please give me some time to look over your logs and I will post back soon.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 aommaster (Malware Response Team)

Posted 27 May 2009 - 05:19 AM

Hello, Surpriser.
P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Messenger Plus! Warning!

Messenger Plus comes bundled with Adware, which is what may have caused part of your infection. If you really need it, you may install it again after the cleaning process - but do make sure you deselect any bundled adware that you are faced with during the install process.

Go to Start > Control Panel > Add or Remove Programs. From within Add or Remove Programs uninstall the following if they exist: Messenger Plus!




Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

I:\fooool.exe
H:\setup.exe
I:\Autorun.exe


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

NEXT:

Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
NEXT:

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • Jotti Log(s)
  • ComboFix.txt
  • Fresh HijackThis Log

Edited by aommaster, 27 May 2009 - 05:19 AM.


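The HostsXpert step above restores the stock hosts file by hand. The script below is an added example for this thread (not HostsXpert's code, and not the forum's): it parses a hosts file the way an analyst would when deciding whether the file has been tampered with, flagging any hostname mapped to a non-loopback address (a silent redirect) and any update or security-vendor domain mapped to loopback (a block), and it recreates a minimal file when none exists. The `DEFAULT_HOSTS` content, the `SENSITIVE_DOMAINS` list and the `SAMPLE_HOSTS` input are constructed for the example and are not from the page.

```python
"""Audit a Windows hosts file, or recreate it when it is missing.

Added example for this thread; it is not HostsXpert's code and does not
reproduce what that tool writes. Assumptions (not from the page): the
default content below and the list of sensitive domains are illustrative.
"""
import ipaddress
import os
import tempfile

# Assumption: a minimal stock mapping, comments omitted.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Illustrative domains whose redirection or loopback-blocking in a hosts
# file is worth a second look (constructed list, extend for your estate).
SENSITIVE_DOMAINS = ("microsoft.com", "windowsupdate.com", "eset.com",
                     "malwarebytes.org")

# Constructed sample, not the poster's file.
SAMPLE_HOSTS = """# sample hosts file
127.0.0.1       localhost
127.0.0.1       update.microsoft.com   # update site blocked
127.0.0.1       www.eset.com
192.0.2.10      www.example.com        # silently redirected
"""


def parse_hosts(text):
    """Return [(lineno, address, [hostnames])] for each mapping line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2:
            entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_sensitive(host):
    return any(host == d or host.endswith("." + d) for d in SENSITIVE_DOMAINS)


def audit_hosts(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for lineno, addr_text, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append(f"line {lineno}: unparseable address {addr_text!r}")
            continue
        for host in hosts:
            if addr.is_loopback:
                if host == "localhost":
                    continue                     # the stock mapping
                if is_sensitive(host):
                    findings.append(f"line {lineno}: {host} blocked via {addr}")
            else:
                findings.append(f"line {lineno}: {host} redirected to {addr}")
    return findings


def restore_if_missing(path):
    """Recreate the file only when it is absent.
    Returns True when a file was written, False when one already existed."""
    if os.path.exists(path):
        return False
    with open(path, "w") as fh:
        fh.write(DEFAULT_HOSTS)
    return True


def restore_demo():
    """Exercise restore_if_missing in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hosts")
        first = restore_if_missing(path)
        second = restore_if_missing(path)
        with open(path) as fh:
            findings = audit_hosts(fh.read())
    return first, second, findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print(restore_demo())
```

A loopback entry for a domain outside the sensitive list is deliberately not reported, since ad-blocking hosts lists legitimately add thousands of those; only redirects away from loopback and blocks of update or vendor domains are worth a reply in a thread like this one. On a real machine point the functions at %SystemRoot%\system32\drivers\etc\hosts and run them from an elevated prompt.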

#6 Surpriser (Topic Starter)

Posted 28 May 2009 - 12:50 AM

Hello! That was quick! ;)

Yes, I'm using P2P once in a while - but have downloaded .avi files only.

The files you recommended for sending to Jotti are no longer there. I don't even have a drive named H: and I don't recall activating a virtual drive.
I tried to search all over the disks and had no luck finding them.

I also downloaded HostsXpert. When I ran it this message appears: HOSTS file does not exists, press OK to create HOSTS file, cancel to QUIT.

What shall I do next?

Thank you very much!

Edited by Surpriser, 28 May 2009 - 12:51 AM.


#7 aommaster (Malware Response Team)

Posted 28 May 2009 - 05:01 AM

Hello

Glad to be of help.

Yes, please re-create your hosts file, as your logs indicate that it is missing. Once done, please continue with the running of combofix, and we'll work from there :)

Edited by aommaster, 28 May 2009 - 05:02 AM.



#8 Surpriser (Topic Starter)

Posted 28 May 2009 - 05:30 AM

The Combofix log:

ComboFix 09-05-26.05 - user 28.05.2009 12:26.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.386.1033.18.3327.2761 [GMT 2:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-28 10:27 . 2008-04-14 03:42 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe
2009-05-28 10:27 . 2008-04-14 03:42 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-07 07:16 . 2009-05-07 07:16 -------- d-sh--w c:\documents and settings\user\IECompatCache
2009-05-04 13:25 . 2009-05-04 13:25 -------- d-----w c:\windows\system32\XPSViewer
2009-05-04 13:25 . 2009-05-04 13:25 -------- d-----w c:\program files\MSBuild
2009-05-04 13:25 . 2009-05-04 13:25 -------- d-----w c:\program files\Reference Assemblies
2009-05-04 13:25 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-04 13:25 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-04 13:25 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-05-04 13:25 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-05-04 13:25 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-05-04 13:25 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-05-04 13:25 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-04 12:29 . 2009-05-04 15:51 117760 ----a-w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-04 12:28 . 2009-05-04 12:28 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-04 12:28 . 2009-05-04 15:53 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-04 12:28 . 2009-05-04 12:28 -------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-05-04 11:52 . 2009-05-04 11:52 -------- d-----w c:\documents and settings\user\DoctorWeb
2009-05-04 09:53 . 2009-05-04 09:53 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-04 09:18 . 2009-05-04 09:18 -------- d-----w c:\windows\ServicePackFiles
2009-05-04 09:18 . 2008-04-14 03:42 294912 -c----w c:\windows\system32\dllcache\dlimport.exe
2009-05-04 08:43 . 2009-05-04 08:43 -------- d-sh--w c:\documents and settings\user\PrivacIE
2009-05-04 08:42 . 2009-05-04 08:42 -------- d-sh--w c:\documents and settings\user\IETldCache
2009-05-04 08:37 . 2009-05-04 08:37 -------- d-----w c:\windows\ie8updates
2009-05-04 08:36 . 2009-05-04 08:36 -------- dc-h--w c:\windows\ie8
2009-05-04 08:07 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-28 10:06 . 2009-05-28 10:06 2938364 ----a-w c:\windows\UPREVIEW.TMP
2009-05-05 05:22 . 2008-04-03 07:51 224416 ----a-w c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-04 13:27 . 2009-04-18 12:08 4508 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-05-04 09:56 . 2008-04-10 09:23 -------- d-----w c:\program files\utils
2009-05-04 09:21 . 2008-03-31 22:26 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-20 12:18 . 2008-04-03 07:58 -------- d-----w c:\program files\Google
2009-04-20 12:18 . 2008-03-31 22:34 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-19 16:34 . 2009-04-19 16:34 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-18 14:43 . 2008-04-03 09:51 -------- d---a-w c:\program files\m2
2009-04-18 12:06 . 2009-04-18 12:06 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-04-17 12:37 . 2008-04-03 07:53 -------- d-----w c:\program files\ACDSee32
2009-04-17 12:04 . 2009-04-17 12:04 -------- d-----w c:\documents and settings\user\Application Data\Malwarebytes
2009-04-03 12:25 . 2008-06-09 09:54 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-03-30 08:20 . 2008-09-01 05:56 -------- d-----w c:\program files\totalcmd
2009-03-30 05:31 . 2009-03-30 05:31 57344 ----a-w c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-1145949c-n\Decora-SSE.dll
2009-03-30 05:31 . 2009-03-30 05:31 24064 ----a-w c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-5c3c0dae-n\Decora-D3D.dll
2009-03-30 05:31 . 2009-03-30 05:31 315392 ----a-w c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-457630ce-n\jogl.dll
2009-03-30 05:31 . 2009-03-30 05:31 20480 ----a-w c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-457630ce-n\jogl_awt.dll
2009-03-30 05:31 . 2009-03-30 05:31 114688 ----a-w c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-457630ce-n\jogl_cg.dll
2009-03-30 05:31 . 2009-03-30 05:31 20480 ----a-w c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-1f488ab4-n\gluegen-rt.dll
2009-03-30 05:31 . 2009-03-30 05:31 499712 ----a-w c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f829b53-n\msvcp71.dll
2009-03-30 05:31 . 2009-03-30 05:31 499712 ----a-w c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f829b53-n\jmc.dll
2009-03-30 05:31 . 2009-03-30 05:31 348160 ----a-w c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2f829b53-n\msvcr71.dll
2009-03-30 05:31 . 2008-04-10 09:55 -------- d-----w c:\program files\Java
2009-03-30 05:30 . 2009-03-30 05:30 152576 ----a-w c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-23 14:03 . 2008-05-22 12:22 1 ----a-w c:\documents and settings\user\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-03-09 03:19 . 2008-12-10 07:21 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 02:34 . 2006-02-28 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 02:34 . 2006-02-28 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 02:33 . 2006-02-28 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 02:33 . 2006-02-28 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 02:32 . 2006-02-28 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 02:32 . 2006-02-28 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 02:31 . 2006-02-28 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 02:31 . 2006-02-28 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 02:31 . 2006-02-28 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 02:22 . 2006-02-28 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Network Registry Agent"="c:\windows\system32\hpnra.exe" [2000-10-26 49152]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"CnwiDeviceAgent"="c:\program files\Canon\imagePROGRAFStatusMonitor\cnwida.exe" [2007-08-21 71504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\user\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
imagePROGRAF Status Monitor.lnk - c:\program files\Canon\imagePROGRAFStatusMonitor\cnwism.exe [2008-4-11 354128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-1 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Quark\\QuarkXPress 6.1\\QuarkXPress Passport.exe"=
"c:\\Program Files\\Canon\\imagePROGRAF Device Setup Utility\\cnwids.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Canon\\imagePROGRAFStatusMonitor\\cnwism.exe"=
"c:\\Program Files\\Canon\\imagePROGRAFStatusMonitor\\cnwida.exe"=
"c:\\Program Files\\Quark\\QuarkXPress 7.3\\QuarkXPress Passport.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24274:TCP"= 24274:TCP:BitComet 24274 TCP
"24274:UDP"= 24274:UDP:BitComet 24274 UDP
"7792:TCP"= 7792:TCP:BitComet 7792 TCP
"7792:UDP"= 7792:UDP:BitComet 7792 UDP

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9.4.2009 15:18 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9.4.2009 15:21 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9.4.2009 15:19 731840]
R2 USBDLM;USBDLM;c:\program files\USBDLM\USBDLM.exe [5.5.2008 8:14 156672]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [1.4.2008 0:34 38656]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [20.7.2007 18:40 84992]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [11.4.2008 11:33 11520]
R3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [22.10.2008 14:23 16384]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [10.4.2008 11:23 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [10.4.2008 11:23 17700]
S2 AdobeAlerter;Adobe LM Service AdobeAlerter;c:\windows\system32\wpv051239875029.exe run --> c:\windows\system32\wpv051239875029.exe run [?]
S3 G;G;d:\tempor~1\G.exe --> d:\tempor~1\G.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1450960922-682003330-1003.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-12 07:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Bluetooth Connection Assistant - LBTWIZ.EXE
HKLM-Run-RegistryMechanic - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
TCP: {08F5FE48-260B-4893-97F9-585DC7EB0E94} = 212.18.32.10,212.18.32.12
DPF: {B19FDE22-5907-4315-B558-1D537E86C3E1} - hxxp://www.flipviewer.com/exe/fv421.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\40pr4v21.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\user\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 12:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(14732)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-05-28 12:29
ComboFix-quarantined-files.txt 2009-05-28 10:28

Pre-Run: 297.521.455.104 bytes free
Post-Run: 297.557.291.008 bytes free

200 --- E O F --- 2009-05-12 18:16

#9 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:54 AM

Posted 28 May 2009 - 03:47 PM

Hello, Surpriser.
First, let's deal with your 'missing' drives. Do you have any external hard drives, flash drives, or any other form of removable storage devices? If so, let me know, as they could be infected too.

NEXT:

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Go to Microsoft's website => http://support.microsoft.com/kb/310994
  • Select the download that's appropriate for your Operating System
  • Download the file & save it as it's originally named
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click No. We don't want to run a Combofix scan just yet
NEXT:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

d:\tempor~1\G.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Please note that for the above file, the likely folder is "Temporary Internet Files"

In your next reply, please include the following:
  • Jotti Log(s)
  • Answer to my question regarding your drives

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
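A note on why that one file is being singled out for a scan, with an added example that is not HijackThis, RSIT, ComboFix or aommaster's own code. In the HijackThis log posted later in this thread, G.exe shows up as a service ("O23 - Service: G") registered from d:\TEMPOR~1 with its binary missing, and a second service (AdobeAlerter) points at a missing system32 binary with a digit-heavy name (wpv051239875029.exe). Those are the properties a responder looks for when eyeballing the O23 section, and the script below applies them to O23 lines mechanically: an entry is reported when its binary is missing, lives under a temp folder, or has a digit-heavy file name. The heuristics, the hard/soft split (an "Unknown owner" alone is not reported, since the ATI Smart service in the same log shows a legitimate entry with no owner string), and the regexes are my assumptions for this example; the sample lines are copied from that log.

```python
"""Triage helper for HijackThis / RSIT "O23 - Service:" lines.

Added example for this thread; it is not part of HijackThis, RSIT or
ComboFix.  The heuristics (temp-folder path, digit-heavy file name,
missing binary, unknown owner) are this example's own choices and are
meant for triage, not as a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe LM Service AdobeAlerter (AdobeAlerter) - Unknown owner - C:\WINDOWS\system32\wpv051239875029.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: G - Unknown owner - d:\TEMPOR~1\G.exe (file missing)
O23 - Service: USBDLM - Uwe Sieber - www.uwe-sieber.de - c:\Program Files\USBDLM\USBDLM.exe
""".strip()

PREFIX = "O23 - Service: "
MISSING_SUFFIX = " (file missing)"
# A service binary under a temporary folder (the 8.3 short name of
# "Temporary Internet Files" included) is not how legitimate installers work.
TEMP_DIR_RE = re.compile(r"\\(tempor~1|temp|tmp|temporary internet files)\\", re.IGNORECASE)
# Names such as wpv051239875029.exe: a few letters followed by a long digit run.
DIGIT_NAME_RE = re.compile(r"^[a-z]*\d{6,}\.exe$", re.IGNORECASE)
# Flags strong enough on their own to report an entry.  "unknown owner" is only
# corroborating: the ATI Smart line above is a legitimate service with no owner string.
HARD_FLAGS = {"file missing", "temp folder path", "digit-heavy filename"}


@dataclass
class Service:
    display: str
    name: str
    owner: str
    path: str
    missing: bool
    flags: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[Service]:
    """Split one O23 line into display name, short name, owner and path.

    Format: O23 - Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]
    The owner field may itself contain " - " (see the USBDLM line), so the
    path is taken as the last " - "-separated field and the owner as the middle.
    """
    line = line.rstrip()
    if not line.startswith(PREFIX):
        return None
    body = line[len(PREFIX):]
    missing = body.endswith(MISSING_SUFFIX)
    if missing:
        body = body[: -len(MISSING_SUFFIX)]
    parts = body.split(" - ")
    if len(parts) < 3:
        return None
    display, owner, path = parts[0], " - ".join(parts[1:-1]), parts[-1]
    short = re.search(r"\(([^()]+)\)$", display)
    name = short.group(1) if short else display
    return Service(display, name, owner, path, missing)


def flag_service(svc: Service) -> Service:
    """Attach triage flags to a parsed service entry (hard flags first)."""
    filename = svc.path.rsplit("\\", 1)[-1]
    if svc.missing:
        svc.flags.append("file missing")
    if TEMP_DIR_RE.search(svc.path):
        svc.flags.append("temp folder path")
    if DIGIT_NAME_RE.match(filename):
        svc.flags.append("digit-heavy filename")
    if svc.owner.lower() == "unknown owner":
        svc.flags.append("unknown owner")
    return svc


def audit_services(log_text: str) -> List[Service]:
    """Return the O23 entries carrying at least one hard flag, in log order."""
    flagged = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is not None and HARD_FLAGS & set(flag_service(svc).flags):
            flagged.append(svc)
    return flagged


if __name__ == "__main__":
    for svc in audit_services(SAMPLE_LOG):
        print(f"{svc.name:14} {svc.path}  <- {', '.join(svc.flags)}")
```

Run against the sample it reports exactly AdobeAlerter and G; a "(file missing)" entry is an orphaned registration (either a leftover from a removal, or a dropper that was deleted while its service key survived), so it belongs on the list of things to clean up even when the binary is gone.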


#10 Surpriser

Surpriser
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 28 May 2009 - 04:00 PM

Yes, I have an external USB drive. I checked it and it's clean (contains no executables).
However, sometimes other USB drives are used but I don't have them any more.

I'm having trouble finding the recovery console for Service Pack 3. What am I missing?

#11 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:54 AM

Posted 28 May 2009 - 04:31 PM

Hi! :thumbup2:

Please download the SP2 recovery console. Also, once that is complete, I'd like to see the Jotti results too :)

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#12 Surpriser

Surpriser
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 29 May 2009 - 12:53 AM

Hello aommaster! ;)

I successfully installed the recovery console.

No sign of G.exe in temporary folder.

#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:54 AM

Posted 29 May 2009 - 03:14 AM

Hello, Surpriser.

Not a problem at all. Let's run another RSIT scan to see the current state of your machine. Also, let me know if you are experiencing any problems with your PC at the moment.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
In your next reply, please include the following:
  • log.txt
  • info.txt
  • Description of any remaining problems

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#14 Surpriser

Surpriser
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 29 May 2009 - 03:20 AM

Hello again,

I'm experiencing zero troubles. ;)
I never had, actually, except for some stolen FTP passwords - that happened twice, before this topic. See also: http://www.bleepingcomputer.com/forums/ind...p;#entry1226927

Thanks again for your (quick) help!

The logs:

Logfile of random's system information tool 1.06 (written by random/random)
Run by user at 2009-05-29 10:16:51
Microsoft Windows XP Professional Service Pack 3
System drive C: has 284 GB (93%) free of 305 GB
Total RAM: 3327 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:53, on 29.5.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\USBDLM\USBDLM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Quark\QuarkXPress 7.3\QuarkXPress Passport.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Corel\CorelDRAW Graphics Suite X4\Programs\CorelDRW.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
d:\TEMPOR~1\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
d:\TEMPOR~1\Adobelm_Cleanup.0001
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CnwiDeviceAgent] C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: imagePROGRAF Status Monitor.lnk = C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwism.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1207202229937
O16 - DPF: {B19FDE22-5907-4315-B558-1D537E86C3E1} - http://www.flipviewer.com/exe/fv421.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08F5FE48-260B-4893-97F9-585DC7EB0E94}: NameServer = 212.18.32.10,212.18.32.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{08F5FE48-260B-4893-97F9-585DC7EB0E94}: NameServer = 212.18.32.10,212.18.32.12
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe LM Service AdobeAlerter (AdobeAlerter) - Unknown owner - C:\WINDOWS\system32\wpv051239875029.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: G - Unknown owner - d:\TEMPOR~1\G.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: USBDLM - Uwe Sieber - www.uwe-sieber.de - c:\Program Files\USBDLM\USBDLM.exe

--
End of file - 9417 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1450960922-682003330-1003.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-03-21 16126464]
"HP Network Registry Agent"=C:\WINDOWS\system32\hpnra.exe [2000-10-26 49152]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"Logitech Utility"=C:\WINDOWS\Logi_MwX.Exe [2003-12-17 19968]
"CnwiDeviceAgent"=C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe [2007-08-21 71504]
"Kernel and Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-04-09 2029640]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Google Update"=C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-12 133104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
imagePROGRAF Status Monitor.lnk - C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwism.exe
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Documents and Settings\user\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-02-26 126976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll [2008-05-02 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\totalcmd\TOTALCMD.EXE"="C:\Program Files\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\Program Files\Quark\QuarkXPress 6.1\QuarkXPress Passport.exe"="C:\Program Files\Quark\QuarkXPress 6.1\QuarkXPress Passport.exe:*:Enabled:QuarkXPress Passport 6.5r0"
"C:\Program Files\Canon\imagePROGRAF Device Setup Utility\cnwids.exe"="C:\Program Files\Canon\imagePROGRAF Device Setup Utility\cnwids.exe:*:Enabled:imagePROGRAF Device Setup Utility"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwism.exe"="C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwism.exe:*:Enabled:imagePROGRAF Status Monitor"
"C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe"="C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe:*:Enabled:imagePROGRAF Device Agent"
"C:\Program Files\Quark\QuarkXPress 7.3\QuarkXPress Passport.exe"="C:\Program Files\Quark\QuarkXPress 7.3\QuarkXPress Passport.exe:*:Enabled:QuarkXPress 7.31r0"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======File associations======

.js - open - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2009-05-29 10:16:51 ----D---- C:\rsit
2009-05-29 07:48:46 ----RASHD---- C:\cmdcons
2009-05-29 07:47:51 ----SD---- C:\ComboFix
2009-05-28 12:32:53 ----SHD---- C:\RECYCLER
2009-05-28 12:29:12 ----D---- C:\WINDOWS\temp
2009-05-28 12:27:52 ----A---- C:\WINDOWS\system32\proquota.exe
2009-05-28 12:26:22 ----A---- C:\WINDOWS\PEV.exe
2009-05-28 12:06:49 ----A---- C:\WINDOWS\UPREVIEW.TMP
2009-05-05 03:00:34 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-05-04 15:28:08 ----HDC---- C:\WINDOWS\$NtUninstallKB961503$
2009-05-04 15:28:03 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-05-04 15:25:42 ----D---- C:\WINDOWS\system32\XPSViewer
2009-05-04 15:25:39 ----D---- C:\Program Files\MSBuild
2009-05-04 15:25:32 ----D---- C:\Program Files\Reference Assemblies
2009-05-04 15:25:12 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2009-05-04 15:25:12 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2009-05-04 15:25:12 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-05-04 15:22:41 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-05-04 15:22:32 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-05-04 14:28:49 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-04 14:28:34 ----D---- C:\Program Files\SUPERAntiSpyware
2009-05-04 14:28:34 ----D---- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2009-05-04 11:53:36 ----D---- C:\WINDOWS\Prefetch
2009-05-04 11:36:58 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-05-04 11:36:29 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-05-04 11:36:02 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-05-04 11:35:33 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-05-04 11:35:06 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-05-04 11:34:38 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-05-04 11:34:10 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-05-04 11:33:41 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-05-04 11:33:13 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-05-04 11:32:45 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-05-04 11:32:18 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-05-04 11:31:51 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-05-04 11:31:23 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-05-04 11:30:51 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-05-04 11:30:18 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-05-04 11:29:51 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-05-04 11:29:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-05-04 11:28:55 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-05-04 11:28:28 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-05-04 11:27:58 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-05-04 11:27:29 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-05-04 11:27:03 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-05-04 11:26:35 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-05-04 11:26:09 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-05-04 11:25:41 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-05-04 11:25:14 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-05-04 11:24:46 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-05-04 11:24:15 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-05-04 11:23:49 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-05-04 11:23:16 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-05-04 11:20:33 ----N---- C:\WINDOWS\system32\smtpapi.dll
2009-05-04 11:20:33 ----N---- C:\WINDOWS\system32\rwnh.dll
2009-05-04 11:20:33 ----N---- C:\WINDOWS\system32\comsdupd.exe
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\credssp.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\azroles.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2009-05-04 11:20:31 ----N---- C:\WINDOWS\system32\aaclient.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\ieencode.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eapsvc.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eapqec.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eappprxy.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eapphost.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eappgnui.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eappcfg.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\eapolqec.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3ui.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3svc.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3msm.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dot3api.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dimsroam.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2009-05-04 11:20:30 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\kmsvc.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\kbdpash.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2009-05-04 11:20:29 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\onex.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\nv4_disp.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\napstat.exe
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\napmontr.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\napipsec.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mssha.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mmcperf.exe
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mmcex.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2009-05-04 11:20:28 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\tspkg.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\tsgqec.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\slserv.exe
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\slrundll.exe
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\slgen.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\slextspk.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\slcoinst.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\setupn.exe
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\s3gnb.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\rasqec.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\qutil.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\qcliprov.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\qagentrt.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\qagent.dll
2009-05-04 11:20:27 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2009-05-04 11:20:26 ----N---- C:\WINDOWS\system32\wmphoto.dll
2009-05-04 11:20:26 ----N---- C:\WINDOWS\system32\wlanapi.dll
2009-05-04 11:20:26 ----N---- C:\WINDOWS\slrundll.exe
2009-05-04 11:20:24 ----D---- C:\WINDOWS\system32\scripting
2009-05-04 11:20:20 ----D---- C:\WINDOWS\system32\en
2009-05-04 11:20:20 ----D---- C:\WINDOWS\system32\bits
2009-05-04 11:20:20 ----D---- C:\WINDOWS\l2schemas
2009-05-04 11:18:42 ----D---- C:\WINDOWS\ServicePackFiles
2009-05-04 11:17:14 ----D---- C:\WINDOWS\network diagnostic
2009-05-04 11:16:04 ----A---- C:\WINDOWS\003029_.tmp
2009-05-04 11:14:18 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-05-04 10:53:52 ----A---- C:\WINDOWS\system32\STKIT432.DLL
2009-05-04 10:53:48 ----D---- C:\Program Files\Registry Mechanic
2009-05-04 10:37:56 ----D---- C:\WINDOWS\ie8updates
2009-05-04 10:37:15 ----D---- C:\WINDOWS\WBEM
2009-05-04 10:36:32 ----HDC---- C:\WINDOWS\ie8
2009-05-04 10:36:32 ----D---- C:\WINDOWS\system32\en-US
2009-05-04 10:08:36 ----HDC---- C:\WINDOWS\$NtUninstallKB932823-v3$

======List of files/folders modified in the last 1 months======

2009-05-29 08:14:10 ----A---- C:\WINDOWS\wincmd.ini
2009-05-29 07:49:47 ----D---- C:\WINDOWS
2009-05-29 07:49:42 ----D---- C:\WINDOWS\system32
2009-05-29 07:48:53 ----RASH---- C:\boot.ini
2009-05-29 07:48:14 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-28 13:42:45 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-28 12:39:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-28 12:39:05 ----D---- C:\WINDOWS\system32\drivers
2009-05-28 12:33:15 ----D---- C:\Program Files\ACDSee32
2009-05-28 12:28:29 ----SD---- C:\WINDOWS\Tasks
2009-05-28 12:28:07 ----A---- C:\WINDOWS\system.ini
2009-05-28 12:27:58 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-28 12:27:32 ----D---- C:\WINDOWS\AppPatch
2009-05-28 12:27:30 ----D---- C:\Program Files\Common Files
2009-05-28 12:00:18 ----A---- C:\WINDOWS\magic32.ini
2009-05-28 10:02:36 ----A---- C:\WINDOWS\wcx_ftp.ini
2009-05-26 13:03:24 ----D---- C:\Program Files\Mozilla Firefox
2009-05-21 08:27:38 ----RD---- C:\Program Files
2009-05-19 08:10:38 ----D---- C:\WINDOWS\system32\wbem
2009-05-15 13:39:44 ----D---- C:\Planet9
2009-05-12 20:16:30 ----SHD---- C:\WINDOWS\Installer
2009-05-07 09:36:53 ----A---- C:\WINDOWS\amebis.ini
2009-05-07 09:28:45 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-05-07 09:16:29 ----A---- C:\WINDOWS\system32\MRT.exe
2009-05-05 09:46:39 ----HD---- C:\WINDOWS\inf
2009-05-05 07:28:39 ----D---- C:\Downloads
2009-05-05 03:00:53 ----A---- C:\WINDOWS\imsins.BAK
2009-05-05 03:00:49 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-04 17:01:13 ----D---- C:\WINDOWS\Microsoft.NET
2009-05-04 17:01:10 ----RSD---- C:\WINDOWS\assembly
2009-05-04 15:28:04 ----D---- C:\WINDOWS\WinSxS
2009-05-04 15:27:29 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
2009-05-04 15:25:36 ----RSD---- C:\WINDOWS\Fonts
2009-05-04 15:25:23 ----D---- C:\WINDOWS\system32\spool
2009-05-04 15:24:04 ----D---- C:\Program Files\Internet Explorer
2009-05-04 15:11:24 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-04 14:43:14 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-04 11:56:58 ----D---- C:\Program Files\utils
2009-05-04 11:55:22 ----A---- C:\WINDOWS\OEWABLog.txt
2009-05-04 11:54:09 ----A---- C:\WINDOWS\setuplog.txt
2009-05-04 11:53:07 ----D---- C:\WINDOWS\system32\Setup
2009-05-04 11:24:30 ----D---- C:\Program Files\Messenger
2009-05-04 11:22:58 ----D---- C:\WINDOWS\security
2009-05-04 11:20:44 ----D---- C:\Program Files\Windows Media Player
2009-05-04 11:20:32 ----D---- C:\WINDOWS\system32\inetsrv
2009-05-04 11:20:32 ----D---- C:\WINDOWS\ime
2009-05-04 11:20:32 ----D---- C:\WINDOWS\Help
2009-05-04 11:20:26 ----D---- C:\WINDOWS\system32\usmt
2009-05-04 11:20:20 ----D---- C:\WINDOWS\PeerNet
2009-05-04 11:20:20 ----D---- C:\Program Files\Movie Maker
2009-05-04 11:18:31 ----D---- C:\WINDOWS\system32\Restore
2009-05-04 11:18:31 ----D---- C:\WINDOWS\system32\npp
2009-05-04 11:18:31 ----D---- C:\WINDOWS\mui
2009-05-04 11:18:30 ----D---- C:\WINDOWS\msagent
2009-05-04 11:18:29 ----D---- C:\WINDOWS\srchasst
2009-05-04 11:18:29 ----D---- C:\Program Files\NetMeeting
2009-05-04 11:18:28 ----D---- C:\WINDOWS\system32\Com
2009-05-04 11:18:26 ----D---- C:\Program Files\Windows NT
2009-05-04 11:18:26 ----D---- C:\Program Files\Outlook Express
2009-05-04 11:18:25 ----D---- C:\Program Files\Common Files\System
2009-05-04 11:18:12 ----D---- C:\WINDOWS\system32\oobe
2009-05-04 11:18:10 ----D---- C:\WINDOWS\system
2009-05-04 11:14:18 ----D---- C:\WINDOWS\ehome
2009-05-04 10:37:17 ----D---- C:\WINDOWS\system32\config
2009-05-04 10:37:10 ----D---- C:\WINDOWS\Media

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-04-09 94360]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-02-28 12032]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-04-09 113960]
R2 WIBUKEY;WIBU-KEY Kernel Driver; C:\WINDOWS\SYSTEM32\DRIVERS\WibuKey.sys [2006-11-22 72704]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller; C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 38656]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-02-26 2863616]
R3 AtiHdmiService;ATI Function Driver for HDMI Service; C:\WINDOWS\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-03-26 4395008]
R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2008-02-29 20240]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2008-02-29 35344]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2008-02-29 36880]
R3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\WINDOWS\System32\Drivers\LUsbFilt.Sys [2008-02-29 28944]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
R3 Wibukey2;Wibukey2; C:\WINDOWS\system32\drivers\wibukey2.sys [2006-11-09 16384]
S1 AEC671X;AEC671X; C:\WINDOWS\System32\drivers\AEC671X.SYS [2008-04-11 12128]
S1 DMX3191;DMX3191; C:\WINDOWS\System32\drivers\DMX3191.SYS [2008-04-11 17700]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
S3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-14 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-14 101120]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-14 18944]
S3 catchme;catchme; \??\d:\TEMPOR~1\catchme.sys []
S3 HidBth;Microsoft Bluetooth HID Miniport; C:\WINDOWS\system32\DRIVERS\hidbth.sys [2008-04-14 25600]
S3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-12-17 25505]
S3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-12-17 70801]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-14 59136]
S3 scsiscan;SCSI Scanner Driver; C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2008-04-14 11520]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-02-26 520192]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-04-09 731840]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 USBDLM;USBDLM; c:\Program Files\USBDLM\USBDLM.exe [2008-04-20 156672]
R3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-04-03 72704]
S2 AdobeAlerter;Adobe LM Service AdobeAlerter; C:\WINDOWS\system32\wpv051239875029.exe run []
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-02-25 593920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-04-09 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 G;G; d:\TEMPOR~1\G.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2009-05-29 10:16:54

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 8.0 Professional Edition-->MsiExec.exe /I{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}
ACDSee 32-->C:\PROGRA~1\ACDSee32\UNWISE.EXE C:\PROGRA~1\ACDSee32\INSTALL.LOG
Adobe Acrobat 7.0 Professional - Hungarian, Slovenian-->msiexec /I {AC76BA86-1033-4700-7760-100000000002}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Attansic Ethernet Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F698102-5739-441E-96F0-74F4EA540F06}\setup.exe" -l0x9 -removeonly
Attansic L1 Gigabit Ethernet Driver-->rundll32.exe C:\WINDOWS\system32\Attansic\L1\atcInst.dll,AtcUninst C:\WINDOWS\system32\Attansic\L1 x86 1969 1048 L1
Canon S9000-->C:\WINDOWS\system32\CNMCP3i.exe "-PRINTERNAMECanon S9000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon S9000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon S9000 Installer\Inst2\cnmi0409.dll"
CDDRV_Installer-->MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Corel Applications-->C:\WINDOWS\Corel\Uninst32.exe
Corel Graphics Suite 11-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{07A540AB-D785-11D5-8E89-0090275862A0}
CorelDRAW Graphics Suite X4 - Capture-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF012}
CorelDRAW Graphics Suite X4 - Content-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF016}
CorelDRAW Graphics Suite X4 - Draw-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF013}
CorelDRAW Graphics Suite X4 - Filters-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF017}
CorelDRAW Graphics Suite X4 - FontNav-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF019}
CorelDRAW Graphics SUite X4 - ICA-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF010}
CorelDRAW Graphics Suite X4 - IPM-->MsiExec.exe /I{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}
CorelDRAW Graphics Suite X4 - Lang BR-->MsiExec.exe /I{1A9DAB4D-46CD-4CBF-A9FC-28D8AA8D2FCF}
CorelDRAW Graphics Suite X4 - Lang DE-->MsiExec.exe /I{AEFBAC58-2DDD-4CEF-BDFD-52A5A5F432ED}
CorelDRAW Graphics Suite X4 - Lang EN-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF100}
CorelDRAW Graphics Suite X4 - Lang ES-->MsiExec.exe /I{D2827848-7D2A-4547-9AD1-C965FB3E6344}
CorelDRAW Graphics Suite X4 - Lang FR-->MsiExec.exe /I{9D306690-3173-42CD-94C6-9EF9318AF24B}
CorelDRAW Graphics Suite X4 - Lang IT-->MsiExec.exe /I{D0160DD3-6F62-4F1E-B999-6C68D3AE7390}
CorelDRAW Graphics Suite X4 - Lang NL-->MsiExec.exe /I{A6C27FFF-75EF-4B5B-A64E-F9E128994908}
CorelDRAW Graphics Suite X4 - PP-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF014}
CorelDRAW Graphics Suite X4 - VBA-->MsiExec.exe /I{BF439B41-0252-48DE-8B8B-0430CB26A181}
CorelDRAW Graphics Suite X4-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF000}
CorelDRAW® Graphics Suite X4 - Windows Shell Extension-->c:\Program Files\Common Files\Corel\Shared\Shell Extension\Uninst.exe
CorelDRAW® Graphics Suite X4 - Windows Shell Extension-->MsiExec.exe /X{CE2DA11A-917F-4CF5-AB55-755EC115DD10}
CorelDRAW® Graphics Suite X4-->C:\Program Files\Corel\CorelDRAW Graphics Suite X4\Setup\SetupARP.exe /arp
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
ffdshow [rev 1900] [2008-03-15]-->"C:\Program Files\ffdshow\unins000.exe"
FreeUndelete-->C:\Program Files\FreeUndelete\GLF687.exe /handle:fru
GalleryImages-->MsiExec.exe /I{3C3AB164-964F-419D-A688-810E728B9D7D}
GIF Construction Set Professional 3-->C:\WINDOWS\ALCHUNIN.EXE C:\Program Files\Alchemy Mindworks\GIF Construction Set Professional 3\INSTALLD.TXT
Google SketchUp 7-->MsiExec.exe /I{E5D52570-5EF1-4576-A434-6CCD92268F0F}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
hp LaserJet 5100 Uninstaller-->C:\Program Files\Hewlett-Packard\LJ5100\Uninstall\setup.exe ciuninst.ini
imagePROGRAF Device Setup Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3BDF1F4-0312-4307-811B-DE5E452A7AE6}\setup.exe" -l0x9
imagePROGRAF Status Monitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66392B7C-C522-450D-97B7-B3E41E170C3B}\setup.exe" -l0x9
iPF5000 Printer Driver Extra Kit-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5B8EE8B-C8C1-475D-8C46-B16B2FEAC4CB}\setup.exe" -l0x9
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
KhalInstallWrapper-->MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
KODAK i1200 - Smart touch-->MsiExec.exe /I{E5E9E8C1-2BD6-4270-893B-1EDB5E276FA4}
KODAK i1210/i1220 Scanner-->C:\WINDOWS\twain_32\Kodak\KDS_I1~1\install\UNWISE.EXE C:\WINDOWS\twain_32\Kodak\KDS_I1~1\install\INSTALL.LOG
Kodak s1220 Photo Scanning System-->C:\PROGRA~1\Kodak\DOCUME~1\S1220P~1\UNWISE.EXE C:\PROGRA~1\Kodak\DOCUME~1\S1220P~1\INSTALL.LOG
Logitech MouseWare 9.79.1 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 -l0009 UNINSTALL
Logitech Registration-->MsiExec.exe /I{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}
Logitech SetPoint-->C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Macromedia Dreamweaver MX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 Video Encoder-->MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash 8-->MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010424-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
Nero 7 Premium-->MsiExec.exe /I{38E0C491-5230-4373-B62E-F1A6E94B1060}
OpenOffice.org 2.4-->MsiExec.exe /I{2CD2C0DB-81C3-416B-9FA6-589B9235359B}
QuarkXPress 6.52-->MsiExec.exe /I{FF0B0792-F6E7-4627-B820-EA50617E223B}
QuarkXPress 7.31-->MsiExec.exe /I{A38048C6-89D1-44EC-BC95-E95DD4A19B5E}
QuarkXPress Passport 5.01-->MsiExec.exe /I{A7BF5297-3E74-11D5-B00F-00104B398D77}
QuarkXPress-->MsiExec.exe /I{706EA4A8-97B5-4C29-A0F3-0B38C666F0C4}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x24 -removeonly
Registry Mechanic 6.0-->"C:\Program Files\Registry Mechanic\unins000.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Windows Internet Explorer 8 (KB968220)-->"C:\WINDOWS\ie8updates\KB968220-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
WIBU-KEY Setup (WIBU-KEY Remove)-->C:\Program Files\WIBUKEY\Setup\Setup32.exe /R:{00060000-0000-1004-8002-0000C06B5161}
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Xara3D6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3783869-5D14-4838-A042-910DF816D070}\setup.exe" -l0x9

=====HijackThis Backups=====

O23 - Service: Adobe LM Service AdobeAlerter (AdobeAlerter) - Unknown owner - C:\WINDOWS\system32\wpv051239875029.exe (file missing) [2009-04-17]
O23 - Service: Windows Management Instrumentation Driver Extensions WmiIDriverT (WmiIDriverT) - Unknown owner - C:\WINDOWS\system32\adsnwd.exe [2009-04-17]
O23 - Service: Windows Management Instrumentation Driver Extensions WmiIDriverT (WmiIDriverT) - Unknown owner - C:\WINDOWS\system32\adsnwd.exe [2009-04-17]
O23 - Service: Adobe LM Service AdobeAlerter (AdobeAlerter) - Unknown owner - C:\WINDOWS\system32\wpv051239875029.exe (file missing) [2009-04-17]

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: ESET NOD32 Antivirus 4.0

======System event log======

Computer Name: user
Event Code: 2021
Message: The server was unable to allocate a work item 1 times in the last 60 seconds.

Record Number: 13260
Source Name: Srv
Time Written: 20090325131849.000000+060
Event Type: warning
User:

Computer Name: user
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 13256
Source Name: Tcpip
Time Written: 20090325112104.000000+060
Event Type: warning
User:

Computer Name: user
Event Code: 7
Message: Printer HP LaserJet 5100 PS was resumed.

Record Number: 13253
Source Name: Print
Time Written: 20090325091032.000000+060
Event Type: warning
User: user\user

Computer Name: user
Event Code: 6
Message: Printer HP LaserJet 5100 PS was paused.

Record Number: 13252
Source Name: Print
Time Written: 20090325091030.000000+060
Event Type: warning
User: user\user

Computer Name: user
Event Code: 7
Message: Printer HP LaserJet 5100 PS was resumed.

Record Number: 13251
Source Name: Print
Time Written: 20090325091013.000000+060
Event Type: warning
User: user\user

=====Application event log=====

Computer Name: user
Event Code: 1000
Message: Faulting application winword.exe, version 9.0.0.2823, faulting module winword.exe, version 9.0.0.2823, fault address 0x00232fbf.

Record Number: 1108
Source Name: Application Error
Time Written: 20080909151627.000000+120
Event Type: error
User:

Computer Name: user
Event Code: 1517
Message: Windows saved user user\user registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1105
Source Name: Userenv
Time Written: 20080908162509.000000+120
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: user
Event Code: 12001
Message:
Record Number: 1096
Source Name: usnjsvc
Time Written: 20080905140313.000000+120
Event Type:
User:

Computer Name: user
Event Code: 1517
Message: Windows saved user user\user registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1093
Source Name: Userenv
Time Written: 20080904141612.000000+120
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: user
Event Code: 1517
Message: Windows saved user user\user registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1086
Source Name: Userenv
Time Written: 20080902161128.000000+120
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=4
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Adobe\AGL
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 7, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=1707
"TEMP"=D:\temporary
"TMP"=D:\temporary
"windir"=%SystemRoot%

-----------------EOF-----------------

#15 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:12:54 AM

Posted 30 May 2009 - 05:30 PM

Hi!

Glad to be of help. I'm currently working on a fix for you, and I'll post one up as soon as possible :thumbup2:

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
