Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected, unable to identify. Moved from Infected Forum.


  • This topic is locked This topic is locked
48 replies to this topic

#1 kevin73

kevin73

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 18 May 2009 - 05:14 AM

Hi, Rigel has been trying to help me, but has now suggested I post here instead. Unfortunately, he was unable to help me.

http://www.bleepingcomputer.com/forums/t/222246/infected-please-help/


Log created by WinPatrol version 15.5.2008.0:15.5.2008.0
Scan saved at 10:58:02 AM, on 5/18/2009
Platform: Windows Vista SP1 Home Edition Service Pack 1 (Build 6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\PROGRAM FILES\WINDOWS DEFENDER\MSASCui.exe
C:\PROGRAM FILES\SIS VGA UTILITIES\SiSTray.exe
C:\Windows\RtHDVCpl.exe
C:\PROGRAM FILES\SPARE MESSAGING\MESSAGINGAPP.EXE
C:\Windows\V0380Mon.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\PROGRAM FILES\Creative\SHARED FILES\CTSched.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmpnscfg.exe
C:\PROGRAM FILES\INTERNET EXPLORER\ieuser.exe
C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
C:\Windows\System32\Macromed\Flash\FLASHUTIL9F.EXE
C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\msnmsgr.exe
C:\PROGRAM FILES\WINDOWS LIVE\Contacts\wlcomm.exe
C:\PROGRAM FILES\COMMON FILES\Adobe\Updater5\ADOBEUPDATER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thetechguys.com/welcome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: - {5C255C8A-E604-49b4-9D64-90988571CECB} -
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender]%ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SiSTray]%ProgramFiles%\SiS VGA Utilities\SiSTray.exe
O4 - HKLM\..\Run: [RtHDVCpl]RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel]Skytel.exe
O4 - HKLM\..\Run: [SpareMessaging]C:\Program Files\Spare Messaging\MessagingApp.exe
O4 - HKLM\..\Run: [AVG8_TRAY]C:\Program Files\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [V0380Mon.exe]C:\Windows\V0380Mon.exe
O4 - HKLM\..\Run: [WinPatrol]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateP2GShortCut]C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe C:\Program Files\CyberLink\Power2Go update SOFTWARE\CyberLink\Power2Go\5.0
O4 - HKCU\..\Run: [Reminder_MUI]C:\Applications\OEM\Reminder\Reminder_MUI.exe
O4 - HKCU\..\Run: [ehTray.exe]C:\Windows\ehome\ehtray.exe
O4 - HKCU\..\Run: [CreativeTaskScheduler]C:\Program Files\Creative\Shared Files\CTSched.exe /logon
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O11 - Options group: [] -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resou...NPUplden-gb.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsecurity.net/scanner/cascanner.cab
O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Creative Camera VF0380 APO service application - - C:\Windows\System32\V0380Aps.exe
O23 - Service: AVG Free8 E-mail Scanner - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--- Additional WinPatrol Info ---
Default Browser: Windows® Internet Explorer - Internet Explorer version 7.00.6000.16386
MSIE: Internet Explorer (7.00.6000.16386)
Firefox 3.0.8 installed in C:\Program Files\Mozilla Firefox.
79 IE Cookies in Folder: C:\Users\Laptop\AppData\Roaming\Microsoft\Windows\Cookies\
0 Mozilla Cookies in Folder: C:\Users\Laptop\AppData\Roaming\Mozilla\FireFox\Profiles\x0oo1iun.default

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS3: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\Windows\system32\cmd.exe

WP03 - Windows Automatic Update = 3:Download updates for me, but let me choose whether to install them.


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://


WP16 - ActiveX: {21C4E4B2-40F7-4E77-BF19-8BED7187BB55} [BitTorrent Control] C:\PROGRAM FILES\BITTORRENT\BITTORRENTIE.2.DLL 1.0.0.1
WP16 - ActiveX: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} [ActiveScan 2.0 Installer Class] C:\Windows\DOWNLOADED PROGRAM FILES\AS2STUBIE.DLL 1, 1, 0, 0
WP16 - ActiveX: {41524153-46FB-488C-8E53-7624AB83C46F} [ActiveScan 2.0 AV Class] C:\PROGRAM FILES\PANDA SECURITY\ACTIVESCAN 2.0\as2guiie.dll 1, 3, 0, 0
WP16 - ActiveX: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} [OnlineScanner Control] C:\Windows\System32\OnlineScanner.ocx 1.0.0.635
WP16 - ActiveX: {8AD9C840-044E-11D1-B3E9-00805F499D93} [Java Plug-in 1.6.0_13] C:\PROGRAM FILES\Java\jre6\bin\jp2iexp.dll
WP16 - ActiveX: {9D39223E-AE8E-11D4-8FD3-00D0B7730277} [Yahoo! Webcam Viewer] C:\PROGRAM FILES\Yahoo!\MESSENGER\ywcvwr.dll 2, 0, 1, 9
WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroPDF.dll
WP16 - ActiveX: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} [RealPlayer G2 Control] C:\Windows\System32\rmoc3260.dll 6.0.10.72
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\Windows\System32\Macromed\Flash\Flash9f.ocx 9,0,124,0
WP16 - ActiveX: {D5184A39-CBDF-4A4F-AC1A-7A45A852C883} [Yahoo! VersionInfo] C:\PROGRAM FILES\Yahoo!\Common\YVerInfo.dll 2, 0, 1, 1
WP16 - ActiveX: {DA4F543C-C8A9-4E88-9A79-548CBB46F18F} [MessengerChecker Class] C:\PROGRAM FILES\Yahoo!\MESSENGER\YPAGERCHECKER.DLL 1, 1, 0, 1
WP16 - ActiveX: {DCE2F8B1-A520-11D4-8FD0-00D0B7730277} [Yahoo! Webcam Upload] C:\PROGRAM FILES\Yahoo!\MESSENGER\ywcupl.dll 2, 0, 1, 7
WP16 - ActiveX: {E6BB2089-163F-466B-812A-748096614DFD} [CAScanner Control] C:\Windows\Downloaded Program Files\caScanner.ocx Version 1.8.0.0
WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroPDF.dll
WP16 - ActiveX: {CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA} [RealPlayer G2 Control] C:\Windows\System32\rmoc3260.dll 6.0.10.72
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\Windows\System32\Macromed\Flash\Flash9f.ocx 9,0,124,0

WP32 - Hidden File: C:\bootmgr
WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\sqmdata00.sqm
WP32 - Hidden File: C:\sqmdata01.sqm
WP32 - Hidden File: C:\sqmdata02.sqm
WP32 - Hidden File: C:\sqmdata03.sqm
WP32 - Hidden File: C:\sqmdata04.sqm
WP32 - Hidden File: C:\sqmnoopt00.sqm
WP32 - Hidden File: C:\sqmnoopt01.sqm
WP32 - Hidden File: C:\sqmnoopt02.sqm
WP32 - Hidden File: C:\sqmnoopt03.sqm
WP32 - Hidden File: C:\sqmnoopt04.sqm
WP32 - Hidden File: C:\Windows\WindowsShell.Manifest
WP32 - Hidden File: C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
WP32 - Hidden File: C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
WP32 - Hidden File: C:\Windows\System32\config\BCD-Template.LOG
WP32 - Hidden File: C:\Windows\System32\config\BCD-Template.LOG1
WP32 - Hidden File: C:\Windows\System32\config\BCD-Template.LOG2
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS.LOG
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS.LOG1
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS.LOG2
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS{fade7554-04c0-8108-5475-defac0040881}.TM.blf
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS{fade7554-04c0-8108-5475-defac0040881}.TMContainer00000000000000000001.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS{fade7554-04c0-8108-5475-defac0040881}.TMContainer00000000000000000002.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT.LOG
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT.LOG1
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT.LOG2
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT{00000000-0820-0000-0000-000000000000}.TM.blf
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT{00000000-0820-0000-0000-000000000000}.TMContainer00000000000000000001.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT{00000000-0820-0000-0000-000000000000}.TMContainer00000000000000000002.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\SAM.LOG
WP32 - Hidden File: C:\Windows\System32\config\SAM.LOG1
WP32 - Hidden File: C:\Windows\System32\config\SAM.LOG2
WP32 - Hidden File: C:\Windows\System32\config\SAM{00000001-8c96-0009-0000-000000000000}.TM.blf
WP32 - Hidden File: C:\Windows\System32\config\SAM{00000001-8c96-0009-0000-000000000000}.TMContainer00000000000000000001.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\SAM{00000001-8c96-0009-0000-000000000000}.TMContainer00000000000000000002.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\SECURITY.LOG
WP32 - Hidden File: C:\Windows\System32\config\SECURITY.LOG1
WP32 - Hidden File: C:\Windows\System32\config\SECURITY.LOG2
WP32 - Hidden File: C:\Windows\System32\config\SECURITY{00000001-8c96-0009-0000-000000000000}.TM.blf

WP33 - File Type .AVI: [Windows Media Player]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [Windows Batch File]%1 %*
WP33 - File Type .CAB: [Cabinet File]C:\Windows\Explorer.exe /idlist,%I,%L
WP33 - File Type .CAT: [Security Catalog]C:\Windows\system32\rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\Windows\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows Command Script]%1 %*
WP33 - File Type .DOC: [Microsoft Office Word 97 - 2003 Document]C:\Program Files\Microsoft Office\Office12\WINWORD.EXE /n /dde
WP33 - File Type .EML: [Windows Live Mail Mail Message]C:\Program Files\Windows Live\Mail\wlmail.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\Windows\System32\msiexec.exe /i %1 %*
WP33 - File Type .MID: [MIDI Sequence]C:\Program Files\Windows Media Player\wmplayer.exe /Open %L
WP33 - File Type .MP3: [MP3 Format Sound]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:6 /Open %L
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .RTF: [Rich Text Format]C:\Program Files\Microsoft Office\Office12\WINWORD.EXE /n /dde
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Windows host process (Rundll32)]rundll32.exe ieframe.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .XLS: [Microsoft Office Excel 97-2003 Worksheet]C:\Program Files\Microsoft Office\Office12\EXCEL.EXE /e

Memory currently in use: 88%
Physical Memory Free: 101,568 KB
Paging File Free: 794,992 KB
Virtual Memory Free: 2,025,456 KB


--
End of file

Edited by kevin73, 18 May 2009 - 05:22 AM.


BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:01:45 PM

Posted 31 May 2009 - 02:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 kevin73

kevin73
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 31 May 2009 - 05:41 AM

Hi

Thanks for your reply. Downloading DDS was a step suggested by Rigel, with a number of others, which unfortunately didn't work due to the Malware/Virus I have blocking all of my attempts to download the suggested toolsl (please see http link, on first post, to view Rigels Thread). I have WinPatrol running which is the only log so far that I can use and have posted it below.

I hope this helps....

Log created by WinPatrol version 15.5.2008.0:15.5.2008.0
Scan saved at 11:29:12 AM, on 5/31/2009
Platform: Windows Vista SP1 Home Edition Service Pack 1 (Build 6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\PROGRAM FILES\WINDOWS DEFENDER\MSASCui.exe
C:\PROGRAM FILES\SIS VGA UTILITIES\SiSTray.exe
C:\Windows\RtHDVCpl.exe
C:\PROGRAM FILES\SPARE MESSAGING\MESSAGINGAPP.EXE
C:\Windows\V0380Mon.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\PROGRAM FILES\Creative\SHARED FILES\CTSched.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmpnscfg.exe
C:\PROGRAM FILES\INTERNET EXPLORER\ieuser.exe
C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\msnmsgr.exe
C:\PROGRAM FILES\WINDOWS LIVE\Contacts\wlcomm.exe
C:\Windows\System32\wuauclt.exe
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe
C:\Windows\explorer.exe
C:\Windows\System32\SEARCHFILTERHOST.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thetechguys.com/welcome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: - {5C255C8A-E604-49b4-9D64-90988571CECB} -
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender]%ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SiSTray]%ProgramFiles%\SiS VGA Utilities\SiSTray.exe
O4 - HKLM\..\Run: [RtHDVCpl]RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel]Skytel.exe
O4 - HKLM\..\Run: [SpareMessaging]C:\Program Files\Spare Messaging\MessagingApp.exe
O4 - HKLM\..\Run: [AVG8_TRAY]C:\Program Files\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [V0380Mon.exe]C:\Windows\V0380Mon.exe
O4 - HKLM\..\Run: [WinPatrol]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateP2GShortCut]C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe C:\Program Files\CyberLink\Power2Go update SOFTWARE\CyberLink\Power2Go\5.0
O4 - HKCU\..\Run: [Reminder_MUI]C:\Applications\OEM\Reminder\Reminder_MUI.exe
O4 - HKCU\..\Run: [ehTray.exe]C:\Windows\ehome\ehtray.exe
O4 - HKCU\..\Run: [CreativeTaskScheduler]C:\Program Files\Creative\Shared Files\CTSched.exe /logon
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O11 - Options group: [] -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resou...NPUplden-gb.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsecurity.net/scanner/cascanner.cab
O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Creative Camera VF0380 APO service application - - C:\Windows\System32\V0380Aps.exe
O23 - Service: AVG Free8 E-mail Scanner - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--- Additional WinPatrol Info ---
Default Browser: Windows® Internet Explorer - Internet Explorer version 7.00.6000.16386
MSIE: Internet Explorer (7.00.6000.16386)
Firefox 3.0.8 installed in C:\Program Files\Mozilla Firefox.
81 IE Cookies in Folder: C:\Users\Laptop\AppData\Roaming\Microsoft\Windows\Cookies\
0 Mozilla Cookies in Folder: C:\Users\Laptop\AppData\Roaming\Mozilla\FireFox\Profiles\x0oo1iun.default

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS3: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\Windows\system32\cmd.exe

WP03 - Windows Automatic Update = 3:Download updates for me, but let me choose whether to install them.


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://


WP16 - ActiveX: {21C4E4B2-40F7-4E77-BF19-8BED7187BB55} [BitTorrent Control] C:\PROGRAM FILES\BITTORRENT\BITTORRENTIE.2.DLL 1.0.0.1
WP16 - ActiveX: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} [ActiveScan 2.0 Installer Class] C:\Windows\DOWNLOADED PROGRAM FILES\AS2STUBIE.DLL 1, 1, 0, 0
WP16 - ActiveX: {41524153-46FB-488C-8E53-7624AB83C46F} [ActiveScan 2.0 AV Class] C:\PROGRAM FILES\PANDA SECURITY\ACTIVESCAN 2.0\as2guiie.dll 1, 3, 0, 0
WP16 - ActiveX: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} [OnlineScanner Control] C:\Windows\System32\OnlineScanner.ocx 1.0.0.635
WP16 - ActiveX: {5852F5ED-8BF4-11D4-A245-0080C6F74284} [isInstalled Class] C:\PROGRAM FILES\Java\jre6\bin\wsdetect.dll 6.0.130.3
WP16 - ActiveX: {8AD9C840-044E-11D1-B3E9-00805F499D93} [Java Plug-in 1.6.0_13] C:\PROGRAM FILES\Java\jre6\bin\jp2iexp.dll
WP16 - ActiveX: {9D39223E-AE8E-11D4-8FD3-00D0B7730277} [Yahoo! Webcam Viewer] C:\PROGRAM FILES\Yahoo!\MESSENGER\ywcvwr.dll 2, 0, 1, 9
WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroPDF.dll
WP16 - ActiveX: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} [RealPlayer G2 Control] C:\Windows\System32\rmoc3260.dll 6.0.10.72
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\Windows\System32\Macromed\Flash\Flash9f.ocx 9,0,124,0
WP16 - ActiveX: {D5184A39-CBDF-4A4F-AC1A-7A45A852C883} [Yahoo! VersionInfo] C:\PROGRAM FILES\Yahoo!\Common\YVerInfo.dll 2, 0, 1, 1
WP16 - ActiveX: {DA4F543C-C8A9-4E88-9A79-548CBB46F18F} [MessengerChecker Class] C:\PROGRAM FILES\Yahoo!\MESSENGER\YPAGERCHECKER.DLL 1, 1, 0, 1
WP16 - ActiveX: {DCE2F8B1-A520-11D4-8FD0-00D0B7730277} [Yahoo! Webcam Upload] C:\PROGRAM FILES\Yahoo!\MESSENGER\ywcupl.dll 2, 0, 1, 7
WP16 - ActiveX: {E6BB2089-163F-466B-812A-748096614DFD} [CAScanner Control] C:\Windows\Downloaded Program Files\caScanner.ocx Version 1.8.0.0
WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroPDF.dll
WP16 - ActiveX: {CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA} [RealPlayer G2 Control] C:\Windows\System32\rmoc3260.dll 6.0.10.72
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\Windows\System32\Macromed\Flash\Flash9f.ocx 9,0,124,0

WP32 - Hidden File: C:\bootmgr
WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\sqmdata00.sqm
WP32 - Hidden File: C:\sqmdata01.sqm
WP32 - Hidden File: C:\sqmdata02.sqm
WP32 - Hidden File: C:\sqmdata03.sqm
WP32 - Hidden File: C:\sqmdata04.sqm
WP32 - Hidden File: C:\sqmnoopt00.sqm
WP32 - Hidden File: C:\sqmnoopt01.sqm
WP32 - Hidden File: C:\sqmnoopt02.sqm
WP32 - Hidden File: C:\sqmnoopt03.sqm
WP32 - Hidden File: C:\sqmnoopt04.sqm
WP32 - Hidden File: C:\Windows\WindowsShell.Manifest
WP32 - Hidden File: C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
WP32 - Hidden File: C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
WP32 - Hidden File: C:\Windows\System32\config\BCD-Template.LOG
WP32 - Hidden File: C:\Windows\System32\config\BCD-Template.LOG1
WP32 - Hidden File: C:\Windows\System32\config\BCD-Template.LOG2
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS.LOG
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS.LOG1
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS.LOG2
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS{fade7554-04c0-8108-5475-defac0040881}.TM.blf
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS{fade7554-04c0-8108-5475-defac0040881}.TMContainer00000000000000000001.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS{fade7554-04c0-8108-5475-defac0040881}.TMContainer00000000000000000002.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT.LOG
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT.LOG1
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT.LOG2
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT{00000000-0820-0000-0000-000000000000}.TM.blf
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT{00000000-0820-0000-0000-000000000000}.TMContainer00000000000000000001.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT{00000000-0820-0000-0000-000000000000}.TMContainer00000000000000000002.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\SAM.LOG
WP32 - Hidden File: C:\Windows\System32\config\SAM.LOG1
WP32 - Hidden File: C:\Windows\System32\config\SAM.LOG2
WP32 - Hidden File: C:\Windows\System32\config\SAM{00000001-8c96-0009-0000-000000000000}.TM.blf
WP32 - Hidden File: C:\Windows\System32\config\SAM{00000001-8c96-0009-0000-000000000000}.TMContainer00000000000000000001.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\SAM{00000001-8c96-0009-0000-000000000000}.TMContainer00000000000000000002.regtrans-ms
WP32 - Hidden File: C:\Windows\System32\config\SECURITY.LOG
WP32 - Hidden File: C:\Windows\System32\config\SECURITY.LOG1
WP32 - Hidden File: C:\Windows\System32\config\SECURITY.LOG2
WP32 - Hidden File: C:\Windows\System32\config\SECURITY{00000001-8c96-0009-0000-000000000000}.TM.blf

WP33 - File Type .AVI: [Windows Media Player]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [Windows Batch File]%1 %*
WP33 - File Type .CAB: [Cabinet File]C:\Windows\Explorer.exe /idlist,%I,%L
WP33 - File Type .CAT: [Security Catalog]C:\Windows\system32\rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\Windows\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows Command Script]%1 %*
WP33 - File Type .DOC: [Microsoft Office Word 97 - 2003 Document]C:\Program Files\Microsoft Office\Office12\WINWORD.EXE /n /dde
WP33 - File Type .EML: [Windows Live Mail Mail Message]C:\Program Files\Windows Live\Mail\wlmail.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\Windows\System32\msiexec.exe /i %1 %*
WP33 - File Type .MID: [MIDI Sequence]C:\Program Files\Windows Media Player\wmplayer.exe /Open %L
WP33 - File Type .MP3: [MP3 Format Sound]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:6 /Open %L
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .RTF: [Rich Text Format]C:\Program Files\Microsoft Office\Office12\WINWORD.EXE /n /dde
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Windows host process (Rundll32)]rundll32.exe ieframe.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .XLS: [Microsoft Office Excel 97-2003 Worksheet]C:\Program Files\Microsoft Office\Office12\EXCEL.EXE /e

Memory currently in use: 79%
Physical Memory Free: 191,020 KB
Paging File Free: 442,840 KB
Virtual Memory Free: 2,024,468 KB
--
End of file

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:45 PM

Posted 31 May 2009 - 03:51 PM

Hi kevin73,

Download DDS, rename it to something.scr and try running it.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 kevin73

kevin73
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 01 June 2009 - 03:51 PM

Hi and thanks for replying...

I've tried renaming DDS (and the other tools suggested by Rigel) several times and several ways, but nothing I do will allow the Tools suggested to save to my desktop or anywhere else on my laptop!

I'm really getting desperate now.....

Kevin

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:45 PM

Posted 01 June 2009 - 03:54 PM

Hi Kevin,

Let's try this:
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized, if not you'll find it in c:\rsit folder)

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 kevin73

kevin73
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 01 June 2009 - 06:02 PM

Hi again... nope, it wont save to my desktop. I've tried renaming it but it still wont save. It appears to be downloading, but when it's finished, nothing is saved to desktop! I've tried running it from the link above, but that doesn't work wither. :thumbup2:

Kevin

#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:45 PM

Posted 02 June 2009 - 11:07 AM

Hi again,

Download Combofix from any of the links below. You must rename it (to Kevin.exe) before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Kevin.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with DDS log (if able to create one) so we can continue cleaning the system.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#9 kevin73

kevin73
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 03 June 2009 - 09:52 AM

Hi Blade81

Again, I'm having the same problems... nothing will save to my desktop and Combofix wont save anywhere else on my laptop. I've tried renaming it, with no effect? It appears to download, but will not save. I've tried to run it directly, again it seems to download, but nothing happens after complete?

Seems this malware/virus is a real nasty one!

Kevin

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:45 PM

Posted 03 June 2009 - 11:49 AM

Hi

What happens if you transfer renamed ComboFix with usb drive to the root c: drive of infected system? Does it disappear in the same way?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#11 kevin73

kevin73
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 03 June 2009 - 03:51 PM

Hi

I'll try downloading combofix to a usb drive and saving it the root drive. When you say Root Drive.. ... is that C: (vista)? Sorry I'm not very technical.

Rigel suggested using a usb drive before, but again, it wouldn't save to the desktop. I did try to save it to documents folder without success. Even when renamed.

I do remember that when I tried to transfer it from the usb drive to desktop before, the icon quickly appeared then disappeared again from desktop. He also suggested trying RootRepeal, which saved to the desktop but would not open.

kevin

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:45 PM

Posted 04 June 2009 - 09:59 AM

Yes, that's the location I meant. Make sure ComboFix is renamed before you transfer it to USB drive. Let me know how that goes :thumbup2:

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#13 kevin73

kevin73
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 04 June 2009 - 04:39 PM

:thumbup2: Good news... it's worked!

I now have Combofix, DDS and RSIT on my desktop ready to go! Only thing is when I try to use Combofix.. a warning is displayed saying the real-time scanners for AVG are running and to disable them? I've tried to look for these in task manager to stop them running, but I cant see them?

As the warning said not to proceed as it could damage my laptop, I cancelled Combofix for the time being.

I ran RSIT and have posted both the log and info below. I also posted the DDS log.



Logfile of random's system information tool 1.06 (written by random/random)
Run by Laptop at 2009-06-04 22:18:33
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 55 GB (53%) free of 103 GB
Total RAM: 892 MB (23% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-02-10 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"SiSTray"=C:\Program Files\SiS VGA Utilities\SiSTray.exe [2007-08-24 552960]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-08-09 4702208]
"Skytel"=C:\Windows\Skytel.exe [2007-08-03 1826816]
""= []
"SpareMessaging"=C:\Program Files\Spare Messaging\MessagingApp.exe [2007-11-28 42824]
"V0380Mon.exe"=C:\Windows\V0380Mon.exe [2007-04-05 32768]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2008-07-04 333120]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"UpdateP2GShortCut"=C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [2007-07-26 202024]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Reminder_MUI"=C:\Applications\oem\Reminder\Reminder_MUI.exe [2008-01-10 1081344]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"CreativeTaskScheduler"=C:\Program Files\Creative\Shared Files\CTSched.exe [2006-11-17 53341]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{502b3dc3-99ca-11dd-9ccd-00030d970bf8}]
shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{502b3dc5-99ca-11dd-9ccd-00030d970bf8}]
shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{772ea876-d4d2-11dd-bb79-00030d970bf8}]
shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac7c3a77-cec3-11dd-808a-00030d970bf8}]
shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac7c3a79-cec3-11dd-808a-00030d970bf8}]
shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afc1190b-66d4-11dd-ba76-00030d970bf8}]
shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f03f85bb-64b8-11dd-994a-00030d970bf8}]
shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f03f85cc-64b8-11dd-994a-00030d970bf8}]
shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f551fbf5-c571-11dd-944c-001060d180f1}]
shell\AutoRun\command - D:\AutoRun.exe


======List of files/folders created in the last 2 months======

2009-06-04 22:18:34 ----D---- C:\Program Files\trend micro
2009-06-04 22:18:33 ----D---- C:\rsit
2009-06-04 22:11:29 ----SD---- C:\kevinlink11
2009-06-04 22:11:29 ----D---- C:\Windows\ERDNT
2009-06-04 22:11:28 ----A---- C:\Windows\system32\CF31113.exe
2009-06-04 22:02:39 ----A---- C:\Windows\system32\swsc.exe
2009-06-04 21:54:35 ----D---- C:\Qoobox
2009-05-01 16:55:39 ----D---- C:\Program Files\Panda Security
2009-04-28 20:12:07 ----D---- C:\Program Files\GRISOFT
2009-04-25 18:11:21 ----D---- C:\Users\Laptop\AppData\Roaming\Twain
2009-04-25 17:17:31 ----D---- C:\ProgramData\Kaspersky SDK
2009-04-25 16:50:32 ----D---- C:\ProgramData\CheckPoint
2009-04-25 16:49:44 ----D---- C:\Windows\Internet Logs
2009-04-17 19:51:25 ----A---- C:\Windows\system32\rpcss.dll
2009-04-17 19:51:25 ----A---- C:\Windows\system32\ntkrnlpa.exe
2009-04-17 19:51:24 ----A---- C:\Windows\system32\ntoskrnl.exe
2009-04-17 19:51:22 ----A---- C:\Windows\system32\printfilterpipelinesvc.exe
2009-04-17 19:51:21 ----A---- C:\Windows\system32\sdohlp.dll
2009-04-17 19:51:21 ----A---- C:\Windows\system32\printfilterpipelineprxy.dll
2009-04-17 19:51:21 ----A---- C:\Windows\system32\iasrecst.dll
2009-04-17 19:51:21 ----A---- C:\Windows\system32\iashost.exe
2009-04-17 19:51:21 ----A---- C:\Windows\system32\iasdatastore.dll
2009-04-17 19:51:21 ----A---- C:\Windows\system32\iasads.dll
2009-04-17 19:39:49 ----A---- C:\Windows\system32\winhttp.dll
2009-04-17 19:33:22 ----A---- C:\Windows\system32\msdtcprx.dll
2009-04-17 19:33:21 ----A---- C:\Windows\system32\xolehlp.dll
2009-04-17 19:30:50 ----A---- C:\Windows\system32\lsasrv.dll
2009-04-17 19:30:50 ----A---- C:\Windows\system32\kernel32.dll
2009-04-17 19:30:49 ----A---- C:\Windows\system32\secur32.dll
2009-04-17 19:30:48 ----A---- C:\Windows\system32\apilogen.dll
2009-04-17 19:30:48 ----A---- C:\Windows\system32\amxread.dll
2009-04-17 19:25:47 ----A---- C:\Windows\system32\mshtml.dll
2009-04-17 19:25:40 ----A---- C:\Windows\system32\ieframe.dll
2009-04-17 19:25:38 ----A---- C:\Windows\system32\urlmon.dll
2009-04-17 19:25:37 ----A---- C:\Windows\system32\msfeeds.dll
2009-04-17 19:25:37 ----A---- C:\Windows\system32\iertutil.dll
2009-04-17 19:25:37 ----A---- C:\Windows\system32\iedkcs32.dll
2009-04-17 19:25:36 ----A---- C:\Windows\system32\wininet.dll
2009-04-17 19:25:35 ----A---- C:\Windows\system32\occache.dll
2009-04-17 19:25:35 ----A---- C:\Windows\system32\ieUnatt.exe
2009-04-17 19:25:35 ----A---- C:\Windows\system32\ieaksie.dll
2009-04-17 19:25:34 ----A---- C:\Windows\system32\ieencode.dll
2009-04-17 19:25:33 ----A---- C:\Windows\system32\mstime.dll
2009-04-17 19:25:31 ----A---- C:\Windows\system32\jsproxy.dll

======List of files/folders modified in the last 2 months======

2009-06-04 22:18:34 ----RD---- C:\Program Files
2009-06-04 22:18:21 ----D---- C:\Windows\Temp
2009-06-04 22:11:30 ----D---- C:\Windows\System32
2009-06-04 22:11:29 ----D---- C:\Windows
2009-06-04 22:11:28 ----D---- C:\Windows\system32\en-US
2009-06-04 22:11:27 ----D---- C:\Windows\system32\drivers
2009-06-04 22:10:32 ----D---- C:\Windows\Prefetch
2009-06-04 22:09:54 ----D---- C:\Windows\inf
2009-06-04 22:09:54 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-05-31 19:42:02 ----SHD---- C:\System Volume Information
2009-05-23 17:13:22 ----SD---- C:\Users\Laptop\AppData\Roaming\Microsoft
2009-05-23 11:48:18 ----D---- C:\Windows\system32\catroot2
2009-05-18 14:20:21 ----SHD---- C:\Windows\Installer
2009-05-18 10:59:16 ----D---- C:\Program Files\Mozilla Firefox
2009-05-17 10:32:46 ----D---- C:\Windows\system32\catroot
2009-05-17 10:32:43 ----D---- C:\Windows\winsxs
2009-05-17 01:40:37 ----A---- C:\Windows\ntbtlog.txt
2009-05-02 08:38:02 ----SD---- C:\Windows\Downloaded Program Files
2009-05-01 19:29:57 ----HD---- C:\ProgramData
2009-05-01 19:29:57 ----D---- C:\ProgramData\avg8
2009-05-01 07:50:53 ----D---- C:\ProgramData\Microsoft Help
2009-04-25 23:13:49 ----D---- C:\Users\Laptop\AppData\Roaming\BitTorrent
2009-04-25 21:37:44 ----D---- C:\Windows\system32\wbem
2009-04-25 21:37:43 ----D---- C:\Windows\system32\Msdtc
2009-04-25 21:36:53 ----D---- C:\Windows\system32\config
2009-04-25 21:36:18 ----D---- C:\Windows\Tasks
2009-04-25 21:36:18 ----D---- C:\Windows\system32\spool
2009-04-25 21:36:18 ----D---- C:\Program Files\Internet Explorer
2009-04-25 21:36:17 ----D---- C:\Windows\system32\CodeIntegrity
2009-04-25 21:36:03 ----D---- C:\Windows\registration
2009-04-25 19:52:20 ----SD---- C:\ProgramData\Microsoft
2009-04-25 18:30:47 ----D---- C:\Windows\system32\WDI
2009-04-18 10:12:22 ----D---- C:\Program Files\Windows Mail
2009-04-18 10:12:20 ----D---- C:\Windows\system32\manifeststore
2009-04-18 10:12:20 ----D---- C:\Windows\AppPatch
2009-04-07 18:24:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-06 15:57:24 ----A---- C:\Windows\system32\mrt.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgArCln;Avg Anti-Rootkit Clean Driver; C:\Windows\System32\DRIVERS\AvgArCln.sys [2007-01-18 3968]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-02-10 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-02-10 27656]
R1 AvgTdiX;AVG8 Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2009-02-10 107272]
R1 Tosrfcom;Bluetooth RFCOMM; C:\Windows\System32\Drivers\tosrfcom.sys [2005-08-01 64896]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-08-10 1941848]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual; C:\Windows\system32\DRIVERS\livecamv.sys [2007-01-15 31616]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\Windows\System32\Drivers\RootMdm.sys [2008-01-19 8192]
R3 RTSTOR;Realtek USB 2.0 Card Reader; C:\Windows\system32\drivers\RTSTOR.SYS [2008-06-23 62464]
R3 SiS6350;SiS6350; C:\Windows\system32\DRIVERS\SISGRKMD.sys [2007-08-24 452096]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver; C:\Windows\system32\DRIVERS\SiSGB6.sys [2007-01-22 46592]
R3 tosporte;Bluetooth COM Port; C:\Windows\system32\DRIVERS\tosporte.sys [2006-10-10 41600]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2006-11-02 983552]
S3 BthEnum;Bluetooth Request Block Driver; C:\Windows\system32\DRIVERS\BthEnum.sys [2008-08-08 19456]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2008-08-08 220160]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2008-08-08 29184]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\Windows\system32\DRIVERS\ewusbmdm.sys []
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-10-19 1380864]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 1781760]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2008-01-19 49664]
S3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 44544]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter; C:\Windows\system32\DRIVERS\RTL8187B.sys [2007-08-07 283136]
S3 smserial;smserial; C:\Windows\system32\DRIVERS\smserial.sys [2006-11-02 1010560]
S3 tosrfbd;Bluetooth RFBUS; C:\Windows\system32\DRIVERS\tosrfbd.sys [2006-11-30 113792]
S3 tosrfbnp;Bluetooth RFBNEP; C:\Windows\System32\Drivers\tosrfbnp.sys [2006-11-20 36480]
S3 Tosrfhid;Bluetooth RFHID; C:\Windows\system32\DRIVERS\Tosrfhid.sys [2006-10-05 73600]
S3 tosrfnds;Bluetooth Personal Area Network; C:\Windows\system32\DRIVERS\tosrfnds.sys [2005-01-06 18612]
S3 TosRfSnd;Bluetooth Audio; C:\Windows\system32\drivers\tosrfsnd.sys [2006-11-02 53504]
S3 Tosrfusb;Bluetooth USB Controller; C:\Windows\system32\DRIVERS\tosrfusb.sys [2006-10-28 40960]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-19 73088]
S3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-19 134016]
S3 V0380Dev;Creative Camera VF0380 Driver; C:\Windows\system32\DRIVERS\V0380Vid.sys [2007-07-03 273152]
S3 V0380Vfx;Creative Camera VF0380 Video VFX Driver; C:\Windows\system32\DRIVERS\V0380Vfx.sys [2006-12-05 7168]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2007-11-15 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service; C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2006-10-31 77824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 AEV0380;Creative Camera VF0380 APO service application; C:\Windows\system32\V0380Aps.exe [2007-05-30 73728]
S4 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-02-10 903960]
S4 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-02-10 298264]

-----------------EOF-----------------





info.txt logfile of random's system information tool 1.06 2009-06-04 22:18:36

======Uninstall list======

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15B3F9F8-4CF9-452A-9AF2-AA8553765DA7}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C81600D-D6C7-4687-9362-DD4A78B3483E}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EDB7E6-D292-44BD-8CA6-A3E33C9D7750}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5549DC52-211C-44BE-8347-0C22812DEB31}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BE926E5-66F4-4166-A5E5-E14D7A165BBD}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9814AC8C-FDA8-431F-A6EB-D7294E2D362E}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.4-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Advanced Audio FX Engine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9 /remove
Advanced Video FX Engine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9 /remove
AVG Anti-Rootkit Free-->C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
AVS Video Converter 6-->"C:\Program Files\AVS4YOU\AVSVideoConverter6\unins000.exe"
AVS4YOU Software Navigator 1.2-->"C:\Program Files\AVS4YOU\AVSSoftwareNavigator\unins000.exe"
Bluetooth Stack for Windows by Toshiba-->MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Creative Live! Cam Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BE926E5-66F4-4166-A5E5-E14D7A165BBD}\setup.exe" -l0x9 /remove
Creative Live! Cam Doodling-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5549DC52-211C-44BE-8347-0C22812DEB31}\setup.exe" -l0x9 /remove
Creative Live! Cam FX Creator-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9814AC8C-FDA8-431F-A6EB-D7294E2D362E}\setup.exe" -l0x9 /remove
Creative Live! Cam Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15B3F9F8-4CF9-452A-9AF2-AA8553765DA7}\setup.exe" -l0x9 /remove
Creative Live! Cam Optia Pro Driver (1.00.06.0000)-->C:\Windows\CtDrvIns.exe -uninstall -script VF0380.uns -plugin V0380Pin.dll -pluginres CtCamPin.crl
Creative Live! Cam User's Guide-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EDB7E6-D292-44BD-8CA6-A3E33C9D7750}\setup.exe" -l0x9 /remove
Creative Photo Calendar-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C81600D-D6C7-4687-9362-DD4A78B3483E}\setup.exe" -l0x9 /remove
Creative Photo Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9 /remove
Creative Software AutoUpdate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9 /remove
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Junk Mail filter update-->MsiExec.exe /I{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}
Live! Cam Avatar v1.0-->C:\Program Files\InstallShield Installation Information\{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}\setup.exe -runfromtemp -l0x0009 -removeonly /remove
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works-->MsiExec.exe /I{67E03279-F703-408F-B4BF-46B5FC8D70CD}
Mozilla Firefox (3.0.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
muveeNow 2.0 - Creative-->C:\Program Files\InstallShield Installation Information\{B0F64C44-DC77-497D-9A27-C0F5BAB12493}\setup.exe -runfromtemp -l0x0009 -removeonly
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Power2Go-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" -uninstall
Ralink Wireless LAN-->C:\Program Files\InstallShield Installation Information\{E91E8912-769D-42F0-8408-0E329443BABC}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
REALTEK RTL8187B Wireless LAN Driver-->C:\Program Files\InstallShield Installation Information\{895722FE-25FE-4854-95AC-B0C42F9DBEDA}\Install.exe -uninst -l0x9
Realtek USB 2.0 Card Reader-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC24971E-1946-445D-8A82-CE685433FA7D}\setup.exe" -l0x9 -removeonly
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB960003)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F04F8702-18D0-458D-921E-146FB7CD38CF}
Security Update for Microsoft Office Excel 2007 (KB959997)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {9EAC3AEC-5C81-4856-A05B-DE9DC236D740}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
SiS VGA Utilities-->C:\Program Files\SiS VGA Utilities\Setup.exe -u
Spare Messaging-->MsiExec.exe /X{C939F015-83C6-432C-B67B-0816AA0B4C17}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Vista Codec Package-->MsiExec.exe /I{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Mail-->MsiExec.exe /I{63C1109E-D977-49ED-BCE3-D00D0BF187D6}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Photo Gallery-->MsiExec.exe /X{3C52E7DA-C431-4239-B66B-1BF703D5B194}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Live Sync-->MsiExec.exe /X{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Writer-->MsiExec.exe /X{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}
WinPatrol 2008-->C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Security center information======

AV: AVG Anti-Virus Free
AS: AVG Anti-Virus Free (disabled)
AS: Windows Defender

======System event log======

Computer Name: Laptop-PC
Event Code: 1003
Message:
Record Number: 90761
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090603203424.000000-000
Event Type: Warning
User:

Computer Name: Laptop-PC
Event Code: 1002
Message: The IP address lease 192.168.0.16 for the Network Card with network address 001644C06D91 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
Record Number: 90762
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090603203424.000000-000
Event Type: Error
User:

Computer Name: Laptop-PC
Event Code: 4001
Message: WLAN AutoConfig service has successfully stopped.

Record Number: 90821
Source Name: Microsoft-Windows-WLAN-AutoConfig
Time Written: 20090604210355.661875-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Laptop-PC
Event Code: 15016
Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.
Record Number: 90833
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20090604210528.100495-000
Event Type: Error
User:

Computer Name: Laptop-PC
Event Code: 7000
Message: The Parallel port driver service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Record Number: 90869
Source Name: Service Control Manager
Time Written: 20090604210621.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: Laptop-PC
Event Code: 33
Message: Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksCal.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
Record Number: 19826
Source Name: SideBySide
Time Written: 20090604210627.000000-000
Event Type: Error
User:

Computer Name: Laptop-PC
Event Code: 33
Message: Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksdb.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
Record Number: 19827
Source Name: SideBySide
Time Written: 20090604210627.000000-000
Event Type: Error
User:

Computer Name: Laptop-PC
Event Code: 33
Message: Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksss.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
Record Number: 19828
Source Name: SideBySide
Time Written: 20090604210628.000000-000
Event Type: Error
User:

Computer Name: Laptop-PC
Event Code: 33
Message: Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
Record Number: 19829
Source Name: SideBySide
Time Written: 20090604210628.000000-000
Event Type: Error
User:

Computer Name: Laptop-PC
Event Code: 1000
Message: Faulting application Explorer.EXE, version 6.0.6001.18164, time stamp 0x4907e242, faulting module SHELL32.dll, version 6.0.6001.18167, time stamp 0x4912ecfb, exception code 0xc0000005, fault offset 0x002ce577, process id 0x9b8, application start time 0x01c9e55848d81fcf.
Record Number: 19831
Source Name: Application Error
Time Written: 20090604210746.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Laptop-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: LAPTOP-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x294
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 33437
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090604211508.006848-000
Event Type: Audit Success
User:

Computer Name: Laptop-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 33438
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090604211508.006848-000
Event Type: Audit Success
User:

Computer Name: Laptop-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: LAPTOP-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x294
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 33439
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090604211509.147473-000
Event Type: Audit Success
User:

Computer Name: Laptop-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: LAPTOP-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x294
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 33440
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090604211509.147473-000
Event Type: Audit Success
User:

Computer Name: Laptop-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 33441
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090604211509.147473-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2

-----------------EOF-----------------





DDS (Ver_09-05-14.01) - NTFSx86
Run by Laptop at 22:35:11.88 on 04/06/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.892.117 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SiS VGA Utilities\SiSTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Spare Messaging\MessagingApp.exe
C:\Windows\V0380Mon.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\servicing\TrustedInstaller.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Laptop\Desktop\ddssdd.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.co.uk/
mDefault_Page_URL = hxxp://www.thetechguys.com/welcome
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Reminder_MUI] c:\applications\oem\reminder\Reminder_MUI.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [<NO NAME>]
mRun: [SpareMessaging] "c:\program files\spare messaging\MessagingApp.exe"
mRun: [V0380Mon.exe] c:\windows\V0380Mon.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UpdateP2GShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" update "software\cyberlink\power2go\5.0"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: right-result.co.uk
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\laptop\appdata\roaming\mozilla\firefox\profiles\x0oo1iun.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.co.uk/
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\laptop\program files\dna\plugins\npbtdna.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-1 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-9 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-10 107272]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2008-8-11 31616]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2008-2-27 283136]
R3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2008-2-27 452096]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2008-2-27 46592]
S3 V0380Dev;Creative Camera VF0380 Driver;c:\windows\system32\drivers\V0380Vid.sys [2008-8-11 273152]
S3 V0380Vfx;Creative Camera VF0380 Video VFX Driver;c:\windows\system32\drivers\V0380Vfx.sys [2008-8-11 7168]
S4 AEV0380;Creative Camera VF0380 APO service application;c:\windows\system32\V0380Aps.exe [2008-8-11 73728]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-9 903960]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-9 298264]

=============== Created Last 30 ================

2009-06-04 22:18 <DIR> --d----- c:\program files\trend micro
2009-06-04 22:11 <DIR> --ds---- C:\kevinlink11
2009-06-04 22:11 318,976 a------- c:\windows\system32\CF31113.exe

==================== Find3M ====================

2009-04-13 13:31 1,080 a------- c:\users\laptop\appdata\roaming\wklnhst.dat
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-22 02:59 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-03-17 04:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 04:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 04:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-03 23:57 51,200 a------- c:\windows\inf\infpub.dat
2008-10-10 20:48 143,360 a------- c:\windows\inf\infstrng.dat
2008-10-10 20:48 86,016 a------- c:\windows\inf\infstor.dat
2008-08-11 00:06 174 a--sh--- c:\program files\desktop.ini
2008-08-10 23:50 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-02-22 16:48 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-02-22 16:48 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-02-22 16:48 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-02-15 18:38 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 22:36:59.96 ===============

#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:45 PM

Posted 05 June 2009 - 10:27 AM

Great to hear that :thumbup2:

If you can't disable AVG then please ignore the warning.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#15 kevin73

kevin73
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:06:45 PM

Posted 05 June 2009 - 03:08 PM

Hi.. I do not have any antivirus running at present, AVG was uninstalled/disabled and I cant load it or any other Antivirus due to the malware/virus present. Perhaps you can also help me with this.


combofix log below as well as DDS log.

ComboFix 09-06-03.04 - Laptop 05/06/2009 20:26.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.892.234 [GMT 1:00]
Running from: c:\users\Laptop\Desktop\kevinlink11.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Laptop\AppData\Local\Microsoft\Windows\Temporary Internet Files\bestwiner.stt
c:\users\Laptop\AppData\Local\Microsoft\Windows\Temporary Internet Files\fbk.sts
c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf

.
((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-05 19:30 . 2009-06-05 19:31 -------- d-----w- c:\users\Laptop\AppData\Local\temp
2009-06-04 21:18 . 2009-06-04 21:18 -------- d-----w- c:\program files\trend micro
2009-06-04 21:18 . 2009-06-04 21:18 -------- d-----w- C:\rsit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 06:52 . 2008-10-10 19:48 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-04 22:55 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-01 18:29 . 2008-08-09 22:47 -------- d-----w- c:\programdata\avg8
2009-05-01 15:55 . 2009-05-01 15:55 -------- d-----w- c:\program files\Panda Security
2009-05-01 06:50 . 2008-03-03 04:13 -------- d-----w- c:\programdata\Microsoft Help
2009-04-30 21:08 . 2009-04-25 19:31 680 ----a-w- c:\users\Laptop\AppData\Local\d3d9caps.dat
2009-04-25 22:13 . 2008-08-17 10:09 -------- d-----w- c:\users\Laptop\AppData\Roaming\BitTorrent
2009-04-25 17:13 . 2009-04-25 17:11 -------- d-----w- c:\users\Laptop\AppData\Roaming\Twain
2009-04-25 16:17 . 2009-04-25 16:17 -------- d-----w- c:\programdata\Kaspersky SDK
2009-04-25 15:50 . 2009-04-25 15:50 -------- d-----w- c:\programdata\CheckPoint
2009-04-13 12:31 . 2008-08-09 20:57 1080 ----a-w- c:\users\Laptop\AppData\Roaming\wklnhst.dat
2009-04-07 17:24 . 2008-11-11 14:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-04-07 17:23 . 2008-12-15 22:33 2967799 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-06 14:32 . 2008-11-11 14:01 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-11-11 14:01 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-22 01:59 . 2009-03-22 01:59 67584 ----a-w- c:\windows\system32\ff_vfw.dll
2009-03-17 03:38 . 2009-04-17 18:30 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 18:30 24064 ----a-w- c:\windows\system32\amxread.dll
2009-03-09 04:19 . 2008-12-17 22:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2008-02-15 17:38 . 2007-03-07 12:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder_MUI"="c:\applications\oem\Reminder\Reminder_MUI.exe" [2008-01-10 1081344]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSTray"="c:\program files\SiS VGA Utilities\SiSTray.exe" [2007-08-24 552960]
"SpareMessaging"="c:\program files\Spare Messaging\MessagingApp.exe" [2007-11-28 42824]
"V0380Mon.exe"="c:\windows\V0380Mon.exe" [2007-04-05 32768]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 333120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"UpdateP2GShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2007-07-26 202024]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-08-09 4702208]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-08-03 1826816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BAB8DC93-84B2-4967-8992-A35D3441D73C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0FB0593D-5092-45DC-AF09-4AD7FE995E00}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{97EB6544-78B1-483C-B468-DC0F2DDA3BE7}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= UDP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem
"UDP Query User{A203888C-DDF5-4E0F-B97F-F053C3B18E67}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= TCP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem
"{B33B719E-832D-4445-ACA7-547FBD14A788}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{E3589E6B-1953-42DD-A275-6EB4B28072A5}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"TCP Query User{99845385-83D4-4D87-9612-4E8F06AF1E1D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{8C148914-A803-4D6B-AE7B-6E305211D938}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{CA565BA4-B6B2-4710-A38E-B0223FAC1019}"= UDP:8000:gaydar chat
"{094CF954-6564-421A-B402-FE7783B30C89}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E18D03B1-D157-4415-AB17-FAE95F503546}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8893FDFB-9984-425D-9D5E-139F86D31124}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{F7DB2783-E750-4AA9-9C54-B139DC649C74}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{D62AFF52-4C98-4ABB-B88D-13C5F426095C}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{FC2389A9-3988-453E-9757-7E22F57736D5}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{01E5A982-7E23-4970-B25A-AC975F2C8997}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:µTorrent
"UDP Query User{D7AD6E75-CA47-4D02-8E42-A5D1B2DE0F4B}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:µTorrent
"{7C1448A4-4EFD-4522-95A7-134FF2C79F83}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{C84AAA91-A130-4369-8986-558EC832A197}"= TCP:c:\program files\DNA\btdna.exe:DNA
"TCP Query User{96BD0277-FB4C-4D64-BE26-BB658DA77476}c:\\program files\\secondlife\\slvoice.exe"= UDP:c:\program files\secondlife\slvoice.exe:SLVoice
"UDP Query User{02D74C37-C5FF-46A0-AD05-AEF4D3732526}c:\\program files\\secondlife\\slvoice.exe"= TCP:c:\program files\secondlife\slvoice.exe:SLVoice
"TCP Query User{F4629E3F-0476-4E0E-BF36-32BD5C89C9C1}c:\\users\\laptop\\program files\\dna\\btdna.exe"= UDP:c:\users\laptop\program files\dna\btdna.exe:btdna.exe
"UDP Query User{653F970C-6221-4C1E-AE38-D8F74F50A67E}c:\\users\\laptop\\program files\\dna\\btdna.exe"= TCP:c:\users\laptop\program files\dna\btdna.exe:btdna.exe
"TCP Query User{4F1FE6E2-C49F-4807-8EC8-8BFE70B94283}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{E92A1DDF-364E-4CFB-BFC3-525F03A9C5BA}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"{57F1CB5B-A123-4B76-A91E-8AC84EC79504}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{49F508A2-C232-436D-9359-21758360F535}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{73A96ED3-2D0C-459F-B6D0-71B8C03FD617}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [01/05/2009 16:55 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [09/08/2008 23:47 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/02/2009 21:44 107272]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\System32\drivers\livecamv.sys [11/08/2008 22:15 31616]
R3 SiS6350;SiS6350;c:\windows\System32\drivers\SISGRKMD.sys [27/02/2008 12:32 452096]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\System32\drivers\SiSGB6.sys [27/02/2008 12:32 46592]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\rtl8187B.sys [27/02/2008 12:55 283136]
S3 V0380Dev;Creative Camera VF0380 Driver;c:\windows\System32\drivers\V0380Vid.sys [11/08/2008 22:25 273152]
S3 V0380Vfx;Creative Camera VF0380 Video VFX Driver;c:\windows\System32\drivers\V0380Vfx.sys [11/08/2008 22:25 7168]
S4 AEV0380;Creative Camera VF0380 APO service application;c:\windows\System32\V0380Aps.exe [11/08/2008 22:26 73728]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [09/08/2008 23:47 903960]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [09/08/2008 23:47 298264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: right-result.co.uk
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\users\Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\x0oo1iun.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.co.uk/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Laptop\Program Files\DNA\plugins\npbtdna.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 20:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-05 20:32
ComboFix-quarantined-files.txt 2009-06-05 19:32

Pre-Run: 57,875,763,200 bytes free
Post-Run: 58,740,924,416 bytes free

156 --- E O F --- 2009-06-04 22:56




DDS (Ver_09-05-14.01) - NTFSx86
Run by Laptop at 20:36:33.11 on 05/06/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.892.156 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\SiS VGA Utilities\SiSTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Spare Messaging\MessagingApp.exe
C:\Windows\V0380Mon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Laptop\Desktop\ddssdd.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.co.uk/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Reminder_MUI] c:\applications\oem\reminder\Reminder_MUI.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
mRun: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [SpareMessaging] "c:\program files\spare messaging\MessagingApp.exe"
mRun: [V0380Mon.exe] c:\windows\V0380Mon.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UpdateP2GShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" update "software\cyberlink\power2go\5.0"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: right-result.co.uk
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\laptop\appdata\roaming\mozilla\firefox\profiles\x0oo1iun.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.co.uk/

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-1 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-9 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-10 107272]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2008-8-11 31616]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2008-2-27 283136]
R3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2008-2-27 452096]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2008-2-27 46592]
S3 V0380Dev;Creative Camera VF0380 Driver;c:\windows\system32\drivers\V0380Vid.sys [2008-8-11 273152]
S3 V0380Vfx;Creative Camera VF0380 Video VFX Driver;c:\windows\system32\drivers\V0380Vfx.sys [2008-8-11 7168]
S4 AEV0380;Creative Camera VF0380 APO service application;c:\windows\system32\V0380Aps.exe [2008-8-11 73728]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-9 903960]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-9 298264]

=============== Created Last 30 ================

2009-06-05 20:33 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-06-05 20:24 161,792 a------- c:\windows\SWREG.exe
2009-06-05 20:24 154,624 a------- c:\windows\PEV.exe
2009-06-05 20:24 98,816 a------- c:\windows\sed.exe
2009-06-04 22:18 <DIR> --d----- c:\program files\trend micro

==================== Find3M ====================

2009-04-13 13:31 1,080 a------- c:\users\laptop\appdata\roaming\wklnhst.dat
2009-03-22 02:59 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-03-17 04:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 04:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 04:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-03 23:57 51,200 a------- c:\windows\inf\infpub.dat
2008-10-10 20:48 143,360 a------- c:\windows\inf\infstrng.dat
2008-10-10 20:48 86,016 a------- c:\windows\inf\infstor.dat
2008-08-11 00:06 174 a--sh--- c:\program files\desktop.ini
2008-08-10 23:50 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-02-22 16:48 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-02-22 16:48 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-02-22 16:48 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-02-15 18:38 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:36:53.54 ===============

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users