Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I'm sick and tired of this.


  • This topic is locked This topic is locked
12 replies to this topic

#1 hoju.needshelp

hoju.needshelp

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 25 May 2009 - 10:10 PM

Hello all, I've been infected with a plethora of viruses the past 3 days. It all started at around 9.11 AM on sunday, May 23. Long story short, I was careless and installed something without scanning. So the past 3 days I have spent most of my time troubleshooting my computer, I have fixed many of the problems, but the main one is still there. I'm guessing it's the 'win32.delf.uc' trojan.

What first happened was I got a popup and was sent this this website '82.114.141.207/meds' it then prompted me to buy some drugs or something, I've actually fixed that problem my computer doesnt popup to anywebsites anymore. I quickly turned off my computer knowing it was a virus and i was being stupid letting it get on there. 3 hours into the troubleshooting, I lost the use of my keyboard, which I then spent another day trying to get it to work again (which it now does). I then system restored to a minute before the program was installed, everything was working fine, I then tried to turn on Itunes (which still does not work, neither does windows media player) but it didnt work, so I decided to restart, after restarting I lost the use of my keyboard once again. I've gone into safe mode several times trying to remove the many different problems I had but the trojan is still there.

Here's a list of things I've already done:
Used:
Malwarebytes
Super Antispyware (which by the way crashes whenever it is not used in safe mode)
Spyware Doctor
Spybot search & destroy
Adaware
I deleted all the files that were within my Temp folder (inside the windows folder C:\windows\temp)
I also deleted all files that were created on and after 9:11AM that were within my windows folder, system32 as well

So, I thought I might as well save myself sometime and ask for some help :thumbup2:. (currently using another computer)

Forgot to say Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:24 PM, on 25/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Universal Shield 4.1\US30Service.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\kzavbx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Machine] kzavbx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...365/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cffmnt - cffmnt.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.1\US30Service.exe
O23 - Service: plasservice (ZeppelinService) - Marvell - (no file)

--
End of file - 6215 bytes


DDS (Ver_09-05-14.01) - NTFSx86
Run by User at 22:52:08.57 on 25/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.2049 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Universal Shield 4.1\US30Service.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\kzavbx.exe
C:\Documents and Settings\User\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = google.com/
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = local.,
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {1578A65D-4400-4BC1-8EF6-0B903DF72EF7} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunServices: [Microsoft Update Machine] kzavbx.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
uPolicies-explorer: StartMenuLogOff = 1 (0x1)
dPolicies-explorer: StartMenuLogOff = 1 (0x1)
IE: &Grabber Image
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://spaces.msn.com//PhotoUpload/MsnPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5365/mcfscan.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: cffmnt - cffmnt.dll
SEH: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - SABShellExecuteHook Class

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\8svcvfv0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\progra~1\mozill~1\plugins\np32dsw.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npbittorrent.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npmozax.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npnul32.dll
FF - plugin: c:\progra~1\mozill~1\plugins\nppl3260.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin7.dll
FF - plugin: c:\progra~1\mozill~1\plugins\nprjplug.dll
FF - plugin: c:\progra~1\mozill~1\plugins\nprpjplug.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-23 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-24 130936]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 avast!Antivirus;avast!Antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-8-25 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-8-25 1095560]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-4-18 1373480]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2005-8-7 1287296]
R3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [2006-3-20 1452032]
S2 Ias;Ias;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 34816]
S2 ZeppelinService;plasservice; [x]
S3 PWIPENUM;PWIPENUM;\??\c:\program files\panicware\pop-up stopper anti-spyware\pwipenum.sys --> c:\program files\panicware\pop-up stopper anti-spyware\PWIPENUM.SYS [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S3 US30Kbd;US30Kbd;c:\windows\system32\drivers\us30kbd2k.sys --> c:\windows\system32\drivers\US30Kbd2K.sys [?]

=============== Created Last 30 ================

2009-05-25 20:48 <DIR> --d----- C:\WTablet
2009-05-25 19:00 143 a------- c:\windows\wininit.ini
2009-05-25 11:44 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-05-25 11:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-05-25 10:39 32,768 a------- c:\windows\system32\avast!Antivirus.exe
2009-05-25 10:37 1,409 a------- c:\windows\QTFont.for
2009-05-24 21:29 <DIR> --d----- c:\windows\dhcp
2009-05-24 18:52 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-24 18:52 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-24 18:52 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-24 18:52 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-24 18:52 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-24 18:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-24 14:48 24,576 a------- c:\windows\system32\drivers\Copy of kbdclass.sys
2009-05-24 10:44 52,736 a------- c:\windows\system32\drivers\Copy of i8042prt.sys
2009-05-23 20:00 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-23 19:13 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-23 19:13 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-23 17:46 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-23 17:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-23 17:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 14:15 54,156 a---h--- c:\windows\QTFont.qfn
2009-05-23 13:03 20 a--sh--- C:\ArcDeviceInfo
2009-05-23 10:50 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-05-23 10:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-23 10:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-23 10:48 <DIR> --d----- c:\program files\SpywareBlaster
2009-05-23 10:12 <DIR> --d----- c:\windows\ERUNT
2009-05-07 09:01 87 ----hr-- C:\AutoRun.inf
2009-04-29 12:44 428,998 a------- c:\windows\system32\rn.tmp

==================== Find3M ====================

2009-05-23 10:22 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-03-25 00:29 1,190 a------- c:\docume~1\user\applic~1\wklnhst.dat
2008-11-24 12:17 13,195 a------- c:\documents and settings\user\zguicfg.dat
2007-10-03 19:48 0 a------- c:\documents and settings\user\flasm.exe
2007-03-20 15:51 784 a------- c:\docume~1\user\applic~1\mpauth.dat
2005-11-14 19:41 947 a------- c:\program files\setup.bat
2005-10-28 02:30 61,718 a------- c:\program files\RegSetup.exe
2005-10-17 22:57 4,198 a------- c:\program files\nuconfig.txt
2005-08-11 18:15 268,226 a------- c:\program files\setuplog.txt
2005-07-08 16:06 10,889 a------- c:\program files\EULA.txt
2005-06-20 18:01 339,456 a------- c:\program files\binkw32.dll
2004-03-11 13:27 61,440 a------- c:\program files\Uninstall_CDS.exe
2006-03-26 14:20 2 a--shrot c:\windows\winstart.bat
2008-09-03 21:11 8 ---shr-- c:\windows\system32\EE27F69B6D.sys
2008-09-03 21:11 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2004-08-04 00:56 475,188 ---shr-- c:\windows\system32\kzavbx.exe
2004-08-04 00:56 475,188 ---shr-- c:\windows\system32\ltaihe.exe

============= FINISH: 22:53:02.82 ===============

Edited by hoju.needshelp, 25 May 2009 - 10:39 PM.


BC AdBot (Login to Remove)

 


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:32 AM

Posted 26 May 2009 - 11:50 AM

Hello hoju.needshelp :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please perform the following:



Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)





When completed please post both both logs fromRSIT as well as the one from Kaspersky.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 hoju.needshelp

hoju.needshelp
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 26 May 2009 - 01:50 PM

Hi there and thanks for the reply

There is one thing I actually forgot to mention, and that is that I am not able to access certain websites, antivirus websites and such, on my computer. I have however gotten the RSIT log, I also had to download it from another computer.

Logfile of random's system information tool 1.06 (written by random/random)
Run by User at 2009-05-26 14:48:36
Microsoft Windows XP Professional Service Pack 2
System drive C: has 5 GB (9%) free of 50 GB
Total RAM: 2559 MB (79% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:43 PM, on 26/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Universal Shield 4.1\US30Service.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\User\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-682003330-1637723038-839522115-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Administrator')
O4 - HKUS\S-1-5-21-682003330-1637723038-839522115-500\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...365/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cffmnt - C:\WINDOWS\SYSTEM32\cffmnt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.1\US30Service.exe
O23 - Service: plasservice (ZeppelinService) - Marvell - (no file)

--
End of file - 6705 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\A9C5166E93768A3E.job
C:\WINDOWS\tasks\ParetoLogic Registration.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\XoftSpy.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 184423]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar3.dll [2007-01-20 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar3.dll [2007-01-20 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"=C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe [2005-10-31 77824]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-10-07 13574144]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-10-07 86016]
"SsAAD.exe"=C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe [2005-01-24 102400]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 35840]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2006-04-02 409600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2006-09-01 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Somefox]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2005-11-10 57455]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-05-26 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3
"SPTISRV"=3
"PACSPTISVR"=3
"MSCSPTISRV"=3
"mi-raysat_3dsmax8"=2
"IDriverT"=3
"aawservice"=2
"6to4"=2
"ProtexisLicensing"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
TotalMedia Backup Monitor.lnk - C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cffmnt]
C:\WINDOWS\system32\cffmnt.dll [2009-05-26 16896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0
"NoDrives"=0
"StartMenuLogOff"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\BitTorrent++\BT++.exe"="C:\Program Files\BitTorrent++\BT++.exe:*:Enabled:BT++"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\java.exe"="C:\WINDOWS\system32\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\Autodesk\backburner\monitor.exe"="C:\Program Files\Autodesk\backburner\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\Program Files\Autodesk\backburner\manager.exe"="C:\Program Files\Autodesk\backburner\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\Program Files\Autodesk\backburner\server.exe"="C:\Program Files\Autodesk\backburner\server.exe:*:Enabled:backburner 2.3 server"
"C:\Program Files\Free Music Zilla\FMZilla.exe"="C:\Program Files\Free Music Zilla\FMZilla.exe:*:Enabled:FMZilla Module"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:礣orrent"
"C:\Downloads\Left 4 Dead\left4dead.exe"="C:\Downloads\Left 4 Dead\left4dead.exe:*:Enabled:left4dead"
"C:\Documents and Settings\User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe"="C:\Documents and Settings\User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player"
"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\Documents and Settings\User\My Documents\Roms\Vba link.exe"="C:\Documents and Settings\User\My Documents\Roms\Vba link.exe:*:Enabled:VisualBoyAdvance emulator"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"F:\Left 4 Dead\left4dead.exe"="F:\Left 4 Dead\left4dead.exe:*:Enabled:left4dead"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dab795d-dc99-11dc-8d99-0013d4235b6d}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cca87e6-d32f-11dc-8d81-0013d4235b6d}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3f630f8-d766-11dd-8f89-0013d4235b6d}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddfe115b-fb0c-11db-8b88-0013d4235b6d}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe


======File associations======

.ini - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-05-26 14:48:36 ----D---- C:\rsit
2009-05-26 14:44:39 ----A---- C:\WINDOWS\system32\cffmnt.dll
2009-05-25 22:28:50 ----D---- C:\Program Files\RegCure
2009-05-25 22:01:08 ----D---- C:\WINDOWS\TEMP
2009-05-25 20:48:01 ----D---- C:\WTablet
2009-05-25 19:00:21 ----A---- C:\WINDOWS\wininit.ini
2009-05-25 11:44:14 ----D---- C:\Program Files\Common Files\ParetoLogic
2009-05-25 11:44:14 ----D---- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2009-05-25 10:39:43 ----A---- C:\WINDOWS\system32\avast!Antivirus.exe
2009-05-24 21:29:46 ----D---- C:\WINDOWS\dhcp
2009-05-24 18:52:27 ----D---- C:\Program Files\Common Files\PC Tools
2009-05-24 18:52:19 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-05-23 20:00:53 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-05-23 19:13:13 ----HDC---- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-23 17:46:25 ----D---- C:\Program Files\SUPERAntiSpyware
2009-05-23 10:50:14 ----D---- C:\Documents and Settings\User\Application Data\Malwarebytes
2009-05-23 10:50:10 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-23 10:50:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-23 10:48:59 ----D---- C:\Program Files\SpywareBlaster
2009-05-23 10:12:37 ----D---- C:\WINDOWS\ERUNT
2009-04-29 12:44:44 ----A---- C:\WINDOWS\system32\rn.tmp

======List of files/folders modified in the last 1 months======

2009-05-26 14:48:34 ----D---- C:\WINDOWS\Prefetch
2009-05-26 14:48:04 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-05-26 14:44:39 ----D---- C:\WINDOWS\system32
2009-05-26 14:43:30 ----D---- C:\Program Files\Mozilla Firefox
2009-05-26 14:40:38 ----D---- C:\WINDOWS\system32\drivers
2009-05-26 14:34:54 ----D---- C:\Documents and Settings\User\Application Data\WTablet
2009-05-26 14:33:15 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-25 22:28:55 ----SD---- C:\WINDOWS\Tasks
2009-05-25 22:28:50 ----RD---- C:\Program Files
2009-05-25 22:01:08 ----D---- C:\WINDOWS
2009-05-25 21:50:08 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-25 20:46:41 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-25 19:24:43 ----D---- C:\WINDOWS\system32\wbem
2009-05-25 18:50:03 ----D---- C:\WINDOWS\Minidump
2009-05-25 12:48:24 ----SHD---- C:\WINDOWS\Installer
2009-05-25 11:44:14 ----D---- C:\Program Files\Common Files
2009-05-24 21:29:26 ----D---- C:\Program Files\Spyware Doctor
2009-05-24 20:49:18 ----D---- C:\Program Files\Cheat Engine
2009-05-23 21:29:56 ----HD---- C:\WINDOWS\inf
2009-05-23 19:16:07 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-05-23 19:13:06 ----D---- C:\Program Files\Lavasoft
2009-05-23 19:13:00 ----D---- C:\WINDOWS\WinSxS
2009-05-23 19:12:55 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-05-23 17:46:25 ----D---- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2009-05-23 15:38:17 ----D---- C:\WINDOWS\system32\config
2009-05-23 15:36:54 ----D---- C:\WINDOWS\Registration
2009-05-23 15:35:57 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-23 15:35:56 ----D---- C:\Program Files\Windows Media Player
2009-05-23 15:28:33 ----D---- C:\Program Files\Internet Explorer
2009-05-23 15:28:22 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-05-23 15:26:40 ----D---- C:\Program Files\Opera
2009-05-23 15:08:42 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-23 13:30:27 ----D---- C:\WINDOWS\system32\Restore
2009-05-23 08:32:06 ----D---- C:\Downloads
2009-05-22 23:05:08 ----A---- C:\WINDOWS\NeroDigital.ini
2009-05-21 10:33:40 ----D---- C:\Program Files\Free Music Zilla
2009-05-19 19:22:15 ----D---- C:\Documents and Settings\User\Application Data\uTorrent
2009-04-27 12:23:30 ----D---- C:\Documents and Settings\User\Application Data\Canon

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 NPPTNT2;NPPTNT2; \??\C:\WINDOWS\system32\npptNT2.sys []
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2006-11-06 30988]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2004-08-03 223616]
R2 STEC3;STEC3; \??\C:\WINDOWS\system32\STEC3.sys []
R3 cmudax;C-Media High Definition Audio Interface; C:\WINDOWS\system32\drivers\cmudax.sys [2005-05-13 1287296]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2005-12-08 142336]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-04-26 135168]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-10-07 6133856]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\DRIVERS\ctoss2k.sys [2005-12-08 114688]
R3 P17;Sound Blaster Audigy; C:\WINDOWS\system32\drivers\P17.sys [2006-03-17 1163264]
R3 p17filt;p17filt; C:\WINDOWS\system32\drivers\p17filt.sys [2006-03-20 1452032]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2004-08-04 12416]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 wacommousefilter;Wacom Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11312]
R3 wacomvhid;Wacom Virtual Hid Driver; C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 12848]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2004-10-27 223104]
S1 aslm75;aslm75; \??\C:\WINDOWS\system32\drivers\aslm75.sys []
S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys []
S1 US30Sys;US30Sys; C:\WINDOWS\System32\Drivers\US30XP.sys []
S3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2005-02-02 14408]
S3 GoProto;GoProto Protocol Driver; C:\WINDOWS\system32\DRIVERS\goprot51.sys [2007-04-12 29184]
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2006-12-19 16224]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-03-17 113664]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-03 40320]
S3 npkcrypt;npkcrypt; \??\C:\Documents and Settings\User\Desktop\Lineage\system\npkcrypt.sys []
S3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
S3 PWIPENUM;PWIPENUM; \??\C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\PWIPENUM.SYS []
S3 QCMerced;Logitech QuickCam Messenger; C:\WINDOWS\system32\DRIVERS\LVCM.sys [2003-06-26 472332]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ssm_bus.sys [2005-08-30 58320]
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys [2005-08-30 8336]
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys [2005-08-30 94000]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 US30Kbd;US30Kbd; C:\WINDOWS\System32\Drivers\US30Kbd2K.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-04 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 vaxscsi;vaxscsi; C:\WINDOWS\System32\Drivers\vaxscsi.sys [2006-03-15 223128]
S3 WacomVKHid;Virtual Keyboard Driver; C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 11440]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avast!Antivirus;avast!Antivirus; C:\WINDOWS\System32\avast!Antivirus.exe [2009-05-25 32768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-05-23 953168]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-10-07 184388]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
R2 TabletServiceWacom;TabletServiceWacom; C:\WINDOWS\system32\Wacom_Tablet.exe [2007-09-07 1373480]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 59392]
R2 US30Service;US30Service; C:\Program Files\Universal Shield 4.1\US30Service.exe [2005-11-08 45056]
R3 SSScsiSV;SonicStage SCSI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [2005-01-24 90112]
S2 Ias;Ias; C:\WINDOWS\System32\svchost.exe [2004-08-04 34816]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-08-11 93184]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 53248]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 138168]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2004-08-04 34816]
S4 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 34816]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 94208]
S4 iPodService;iPodService; C:\Program Files\iPod\bin\iPodService.exe [2005-09-03 344064]
S4 MSCSPTISRV;MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [2005-01-26 73817]
S4 MySql;MySql; C:/mysql/bin/mysqld-nt.exe []
S4 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-11-10 794624]
S4 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [2005-01-26 73817]
S4 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2006-11-02 195136]
S4 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [2005-01-26 90198]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2009-05-26 14:48:47

======Uninstall list======

-->"C:\Program Files\Creative Installation Information\CREATIVE_MEDIASOURCE_U\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative Installation Information\CTCMSGO\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative Installation Information\E-CENTER_NET_CONTENT_U\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_CDBURNER_U\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_MINIDISC_U\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_ONLINESTORE_U\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative Installation Information\MEDIASOURCE_PLAYER_SKINPACK_U\Setup.exe" /remove /l0x0009
-->"C:\Program Files\Creative\SBAudigy\Program\SETUP.EXE" /S /U /W
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2670895A-4E6C-4450-B868-7B7DB80A3357}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2670895A-4E6C-4450-B868-7B7DB80A3357}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EBD418-B8E6-4E86-89C4-33B72CF5663F}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EBD418-B8E6-4E86-89C4-33B72CF5663F}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52338F65-A1C3-4CDC-B733-50051682B297}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52338F65-A1C3-4CDC-B733-50051682B297}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B17E626-7885-4FC3-A66A-73548A4F01FD}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9194237B-7B58-40B4-A739-184AD59531A2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9194237B-7B58-40B4-A739-184AD59531A2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD6928A2-9F8F-4AA7-9A3A-FD4A271712EE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD6928A2-9F8F-4AA7-9A3A-FD4A271712EE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C64409FA-42A7-49C6-837A-D2E5D813BD57}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C64409FA-42A7-49C6-837A-D2E5D813BD57}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE4A4C48-2232-4CCB-AD61-490ACD29BA85}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE4A4C48-2232-4CCB-AD61-490ACD29BA85}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
礣orrent-->"C:\Program Files\uTorrent\uninstall.exe"
AccessDiver v4.402-->"C:\Program Files\Accessdiver\unins000.exe"
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apophysis 2.0-->"C:\Program Files\Apophysis 2.0\uninstall.exe"
Apple Software Update-->MsiExec.exe /I{55FA89BD-21D3-42F7-9249-C94C0094A83C}
Applian FLV Player-->"C:\WINDOWS\Applian FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
Applian FLV Player-->"C:\WINDOWS\Applian FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
ArcSoft PhotoBase 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1D14C0D-FDAA-4DF2-8441-A902805CCE8C}\Setup.exe" -l0x9 -uninst
ArcSoft PhotoStudio 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03F1CC67-5BD8-4C36-8394-76311B2AE69A}\Setup.exe" -l0x9 -uninst
ArcSoft TotalMedia Backup & Record-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF6F70D0-C242-4047-946B-98EA8208481A}\Setup.exe" -l0x9
ASUS Probe V2.24.10-->C:\WINDOWS\uninst.exe -f"C:\Program Files\ASUS\Asus Probe\DeIsL1.isu" -c"C:\Program Files\ASUS\Asus Probe\probunis.dll"
Autodesk 3ds Max 8 Additional Maps and Materials-->MsiExec.exe /I{59D070F5-CCE6-418B-84A3-CCA63D75ED8A}
Autodesk 3ds Max 8 Architectural Materials-->MsiExec.exe /I{28FDF917-8750-4A54-9E05-D7798E699B47}
Autodesk 3ds Max 8 Reference Files-->MsiExec.exe /I{73C935A7-36C6-48B5-A32E-FD5BD96FD25C}
Autodesk 3ds Max 8-->MsiExec.exe /I{DBB313D6-4B13-4961-BD5F-673CDA1793CC}
Autodesk DWF Viewer-->C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
AVS DVD Player version 2.4-->"C:\Program Files\AVS4YOU\AVSDVDPlayer\unins000.exe"
AVS4YOU Software Navigator 1.2-->"C:\Program Files\AVS4YOU\AVSSoftwareNavigator\unins000.exe"
Backburner-->MsiExec.exe /I{3D347E6D-5A03-4342-B5BA-6A771885F379}
BitTorrent++ 0.5.4-->"C:\Program Files\BitTorrent++\Uninstall.exe"
Canon CanoScan Toolbox 4.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BCE46757-7674-4416-BEDB-68205A60409E}\Setup.exe" -l0x9
Cheat Engine 5.4-->"C:\Program Files\Cheat Engine\unins000.exe"
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
CINEMA 4D Release 9 XL Bundle-->C:\WINDOWS\unvise32.exe C:\Program Files\MAXON\CINEMA 4D R9\uninstal_C4D.log
C-Media High Definition Audio Driver-->C:\WINDOWS\system32\cmirmdrv.exe
Corel Painter X-->MsiExec.exe /I{05D60953-9012-44DF-A1A6-9DD97AD6580A}
Creative EAX Console-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B17E626-7885-4FC3-A66A-73548A4F01FD}\setup.exe" -l0x9 /remove
Creative MediaSource 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}\SETUP.EXE" -l0x9 /remove
Creative Software AutoUpdate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9 /remove
Custom Radio for GTA III-->C:\WINDOWS\iun6002.exe "C:\Documents and Settings\User\Desktop\GTA 3\irunin.ini"
DVD Solution-->"C:\Program Files\Uninstall_CDS.exe"
FLAC Installer 1.1.2a (remove only)-->C:\Program Files\FLAC\uninstall.exe
Flare 0.6 -->"C:\Program Files\Flare\uninst.exe"
Flash Memory Toolkit 1.20-->"C:\Program Files\Flash Memory Toolkit 1.20 PRO\unins000.exe"
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 3.9.1108-->"C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter\unins000.exe"
Free Music Zilla-->"C:\Program Files\Free Music Zilla\unins000.exe"
GeoControl Demo-->C:\WINDOWS\AKDeInstall.exe "/C:\Program Files\GeoControl\"
GOM Player-->"C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
Google Earth-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HeadStrong WebClicker v2.56-->"C:\Program Files\WebClicker\uninstall.exe"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB954708)-->"C:\WINDOWS\$NtUninstallKB954708$\spuninst\spuninst.exe"
iScrobbler-->C:\Program Files\iTunes\UninstalliScrobble.exe
iTunes-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{5A4AFC3E-4973-46A1-92D6-3A1C5E52948A} /l1033
J2SE Runtime Environment 5.0 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150010}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Junk Mail filter update-->MsiExec.exe /I{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}
K-Lite Codec Pack 4.1.7 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
LaserJet 1020 series-->C:\Program Files\Zenographics\{933C8FAB-4C55-40BA-850F-E499EE0C5844}\setup.exe -u "HPLJInstaller.dll=Hpl_1020.inf"
LG USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\setup.exe" -l0x9 -removeonly
LG_MobileSync-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B7BA3EE-D7AC-494E-999D-DA58D6D01DAC}\setup.exe" -l0x9 -removeonly
LimeWire PRO 4.10.9-->"C:\Program Files\LimeWire\uninstall.exe"
Linksys EasyLink Advisor 1.5 (1010)-->rundll32 C:\PROGRA~1\LINKSY~1\AUInst.dll,ExUninstall
LIVE gaming on Windows Runtime Version 1.0.6027-->MsiExec.exe /X{839916F4-D8B5-4407-BE6D-6D4EB9D96AF4}
Logitech Print Service-->C:\PROGRA~1\Logitech\PRINTS~1\UNWISE.EXE C:\PROGRA~1\Logitech\PRINTS~1\INSTALL.LOG
Logitech QuickCam-->MsiExec.exe /I{26AA53D5-1307-48F9-A80F-A4D25F5849D4}
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 Video Encoder-->MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash 8-->MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver-->MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft AppLocale-->MsiExec.exe /I{394BE3D9-7F57-4638-A8D1-1D88671913B7}
Microsoft Bootvis-->MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Application Compatibility Database-->C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb"
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MilkShape 3D 1.7.5-->"C:\Program Files\MilkShape 3D 1.7.5\uninstall.exe"
Mozilla Firefox (3.0.1)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
Multimedia Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Nero 7-->MsiExec.exe /I{2D7D9D86-923A-41A8-919F-437332AB1033}
Norton Internet Security 2006 (Symantec Corporation)-->"C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe" /X
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenMG Limited Patch 4.1-05-13-31-01-->C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.1-05-13-31-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.1.00-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{2F151B50-B434-4838-B51D-70442EBA093E} UNINSTALL
Opera 9.60-->MsiExec.exe /X{D2F5287E-5F0E-447B-9157-B08AA4E2AC76}
OrderReminder HP LaserJet 1020-->"C:\Program Files\Hewlett-Packard\OrderReminder\uninstall\hpuninstaller.exe" hp_LaserJet_1020
ParetoLogic Anti-Virus PLUS-->MsiExec.exe /I{80B744FE-8712-4D44-A239-EBB7B8979F7E}
PCMesh Anonymous Web Surfing-->C:\Program Files\PCMesh\paws\uninst.exe
PictureRipper 3: Fast Media Downloader And Viewer-->"C:\Program Files\PictureRipper 3\unins000.exe"
Porrasturvat - Stair Dismount-->C:\Program Files\Porrasturvat - Stair Dismount\uninstall.exe
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
Project64 1.6-->MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
QuickTime-->MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RegCure 1.5.2.7-->C:\Program Files\RegCure\uninst.exe
Rhapsody Player Engine-->MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
SAMSUNG CDMA Modem Driver Set-->C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 USB Driver Installer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -l0x9 -removeonly
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893066)-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
SonicStage 3.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
Sony ACID Pro 5.0-->MsiExec.exe /X{76902AF9-DA86-419D-B533-077643124722}
SopCast 3.0.3-->C:\Program Files\SopCast\uninst.exe
Sound Blaster Audigy-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B1DDAD2-C704-49F8-8FC2-18DAAD9A87C5}\SETUP.EXE" -l0x9 /remove
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 6.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Terragen-->MsiExec.exe /I{5CC86AA7-3D8F-4E40-AC37-ADBA0F4B5819}
Terragen-->MsiExec.exe /I{CCEB53A5-A252-4CF3-8602-429AB06BF0AE}
Terranim v2.1.4b-->"C:\Program Files\Terragen\Terranim\uninstall.exe"
The Core Media Player 4.0-->"C:\Program Files\CoreCodec\The Core Media Player\uninstall-tcmp4.exe"
Truck Dismount (remove only)-->"C:\Program Files\Truck Dismount\uninst.exe"
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Universal Shield-->"C:\Program Files\Universal Shield 4.1\Uninstall.exe" "C:\Program Files\Universal Shield 4.1\install.log" -u
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Virtual DJ - Atomix Productions-->C:\PROGRA~1\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\VIRTUA~1\INSTALL.LOG
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
VLC media player 0.9.4-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VOCALOID2 Editor V2.0.2.4J-->C:\Program Files\InstallShield Installation Information\{F1C1C21B-F56E-400B-B0B0-270D817889F3}\setup.exe -runfromtemp -l0x0009 -removeonly
VOCALOID2 Expression DB (Standard)-->C:\Program Files\InstallShield Installation Information\{B6588186-9657-486C-AEB1-F57D8E160F19}\setup.exe -runfromtemp -l0x0009 -removeonly
VOCALOID2 Voice DB (Miku)-->C:\Program Files\InstallShield Installation Information\{B4342A07-E2C7-4A8B-9145-CBDEE750BCE3}\setup.exe -runfromtemp -l0x0009 -removeonly
VOCALOID2 VSTi V2.0.2.0-->C:\Program Files\InstallShield Installation Information\{A95FF0B9-5CFB-497E-8872-3A5F41AD9D4F}\setup.exe -runfromtemp -l0x0009 -removeonly
Vodei Multimedia Processor 2.10-->C:\Program Files\Vodei\uninst.exe
Wacom Tablet-->C:\Program Files\Tablet\Wacom\Remove.exe /u
WebCam for MSN Messenger-->Rundll32.exe setupapi,InstallHinfSection DefaultUnInstall 128 C:\WINDOWS\INF\Athena.inf
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Mail-->MsiExec.exe /I{63C1109E-D977-49ED-BCE3-D00D0BF187D6}
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Photo Gallery-->MsiExec.exe /X{3C52E7DA-C431-4239-B66B-1BF703D5B194}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
World Machine 1.0 Basic Edition (remove only)-->"C:\Program Files\World Machine\uninst.exe"
XoftSpy-->C:\Program Files\XoftSpy\uninstall.exe

=====HijackThis Backups=====

O1 - Hosts: 72.36.207.194 L2authd.lineage2.com [2008-08-22]
O20 - AppInit_DLLs: avgrsstx.dll [2008-08-22]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll [2008-08-22]
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) [2008-08-22]
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing) [2008-08-22]
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2008-08-22]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2008-08-22]
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...365/mcfscan.cab [2008-08-22]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2008-08-22]
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) [2008-08-22]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) [2008-08-26]
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) [2008-08-26]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-26]
O23 - Service: Windows - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\servers.exe [2009-05-05]
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) [2009-05-05]
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) [2009-05-05]
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing) [2009-05-23]
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\ [2009-05-23]
O20 - Winlogon Notify: cffmnt - cffmnt.dll (file missing) [2009-05-23]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-23]
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe (file missing) [2009-05-23]
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\User\reader_s.exe (User 'Default user') [2009-05-23]
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\ [2009-05-23]
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\User\reader_s.exe [2009-05-23]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2009-05-25]
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe [2009-05-25]
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe [2009-05-25]
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2009-05-25]
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll [2009-05-25]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-25]
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (file missing) [2009-05-25]
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing) [2009-05-25]
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing) [2009-05-25]
O23 - Service: plasservice (ZeppelinService) - Unknown owner - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe (file missing) [2009-05-25]

======Hosts File======

127.0.0.1 jL.chura.pl
127.0.0.1 localhost

======System event log======

Computer Name: USER-PC
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 63715
Source Name: Tcpip
Time Written: 20090430232423.000000-240
Event Type: warning
User:

Computer Name: USER-PC
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 63714
Source Name: Tcpip
Time Written: 20090430223812.000000-240
Event Type: warning
User:

Computer Name: USER-PC
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service iPodService with arguments "-Service"
in order to run the server:
{7A7FB085-6068-4898-8CCA-480A9187277C}

Record Number: 63708
Source Name: DCOM
Time Written: 20090430095022.000000-240
Event Type: error
User: USER-PC\User

Computer Name: USER-PC
Event Code: 7034
Message: The Messenger Sharing Folders USN Journal Reader service service terminated unexpectedly. It has done this 1 time(s).

Record Number: 63707
Source Name: Service Control Manager
Time Written: 20090430094948.000000-240
Event Type: error
User:

Computer Name: USER-PC
Event Code: 7034
Message: The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).

Record Number: 63706
Source Name: Service Control Manager
Time Written: 20090430094946.000000-240
Event Type: error
User:

=====Application event log=====

Computer Name: USER-PC
Event Code: 1517
Message: Windows saved user USER-PC\User registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 2622
Source Name: Userenv
Time Written: 20090202000038.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: USER-PC
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 2614
Source Name: usnjsvc
Time Written: 20090201094901.000000-300
Event Type:
User:

Computer Name: USER-PC
Event Code: 1000
Message: Faulting application coreplayer.exe, version 4.0.1.450, faulting module l3codecx.ax, version 1.9.0.311, fault address 0x00001eec.

Record Number: 2602
Source Name: Application Error
Time Written: 20090131204529.000000-300
Event Type: error
User:

Computer Name: USER-PC
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 2589
Source Name: usnjsvc
Time Written: 20090131184122.000000-300
Event Type:
User:

Computer Name: USER-PC
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 2582
Source Name: usnjsvc
Time Written: 20090131101154.000000-300
Event Type:
User:

======Environment variables======

"CLASSPATH"=.;C:\Program Files\Java\jdk1.5.0_05\bin;C:\Program Files\Java\jre1.5.0_05\bin;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Autodesk Shared;C:\Program Files\backburner 2;C:\Program Files\Bonjour;C:\Program Files\Autodesk\backburner;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Samsung\Samsung PC Studio 3
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=0401
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip

-----------------EOF-----------------

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:32 AM

Posted 26 May 2009 - 03:51 PM

We are going to try and run ComboFix. I am concerned we are dealing with a Virut infection here and if we are that's almost always really bad news. :thumbup2:




Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 hoju.needshelp

hoju.needshelp
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 27 May 2009 - 09:34 AM

Hello, during the time between our last conversation and now, I have gotten my other computer infected with some sort of virus, I can't seem to get past the login screen of windows, but we can deal with that after this... Anyway, I was not able to use Combofix on my computer, everytime I ran the program it closed down. In short, I found a way around it and I hope this is the log you're looking for.

edit: after looking around, this does not seem to be the log you're looking for.. I am unable to run combofix, when I do run it, it takes a second to load, and then I get a box saying ,'error' it then goes on to delete itself. I am also unable to install Recovery Console, whenever I attempt to install it, via cmd, it tells me, 'the batch file cannot be found' it then deletes the 'install-rc.cmd' file. Btw, all antivirus programs and such have been disabled.

.
.

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\userinit.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck xmnt2002 /bat="C:\WINDOWS\TEMP\PQ_BATCH.PQB" /win="C:\WINDOWS" /dbg="C:\WINDOWS\TEMP\PQ_DEBUG.TXT" /ver=262144 /prd="PartitionMagic"\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"SPTISRV"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"mi-raysat_3dsmax8"=2 (0x2)
"IDriverT"=3 (0x3)
"aawservice"=2 (0x2)
"6to4"=2 (0x2)
"ProtexisLicensing"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

--- ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avast!Antivirus
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - ctsfm2k
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - Ias
*Deregistered* - IntelIde
*Deregistered* - Ip6Fw
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - NPPTNT2
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - ossrv
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCTCore
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - RasAuto
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RDPWD
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - SCDEmu
*Deregistered* - Schedule
*Deregistered* - sdAuxService
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - SSScsiSV
*Deregistered* - STEC3
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TabletServiceWacom
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - Tcpip6
*Deregistered* - TDTCP
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - tunmp
*Deregistered* - UMWdf
*Deregistered* - Update
*Deregistered* - US30Service
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - wacomvhid
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dab795d-dc99-11dc-8d99-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cca87e6-d32f-11dc-8d81-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3f630f8-d766-11dd-8f89-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddfe115b-fb0c-11db-8b88-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe
.
- - - - - - - -

SafeBoot-Lavasoft Ad-Aware Service


.
------- -------
.
uStart Page = google.com/
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = local.,
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Grabber Image
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8svcvfv0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
.

.
.

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\userinit.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck xmnt2002 /bat="C:\WINDOWS\TEMP\PQ_BATCH.PQB" /win="C:\WINDOWS" /dbg="C:\WINDOWS\TEMP\PQ_DEBUG.TXT" /ver=262144 /prd="PartitionMagic"\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"SPTISRV"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"mi-raysat_3dsmax8"=2 (0x2)
"IDriverT"=3 (0x3)
"aawservice"=2 (0x2)
"6to4"=2 (0x2)
"ProtexisLicensing"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

--- ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avast!Antivirus
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - ctsfm2k
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - Ias
*Deregistered* - IntelIde
*Deregistered* - Ip6Fw
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - NPPTNT2
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - ossrv
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCTCore
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - RasAuto
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RDPWD
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - SCDEmu
*Deregistered* - Schedule
*Deregistered* - sdAuxService
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - SSScsiSV
*Deregistered* - STEC3
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TabletServiceWacom
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - Tcpip6
*Deregistered* - TDTCP
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - tunmp
*Deregistered* - UMWdf
*Deregistered* - Update
*Deregistered* - US30Service
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - wacomvhid
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dab795d-dc99-11dc-8d99-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cca87e6-d32f-11dc-8d81-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3f630f8-d766-11dd-8f89-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddfe115b-fb0c-11db-8b88-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe
.
- - - - - - - -

SafeBoot-Lavasoft Ad-Aware Service
SafeBoot-Lavasoft Ad-Aware Service



.
.

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\userinit.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck xmnt2002 /bat="C:\WINDOWS\TEMP\PQ_BATCH.PQB" /win="C:\WINDOWS" /dbg="C:\WINDOWS\TEMP\PQ_DEBUG.TXT" /ver=262144 /prd="PartitionMagic"\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"SPTISRV"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"mi-raysat_3dsmax8"=2 (0x2)
"IDriverT"=3 (0x3)
"aawservice"=2 (0x2)
"6to4"=2 (0x2)
"ProtexisLicensing"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

--- ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avast!Antivirus
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - ctsfm2k
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - Ias
*Deregistered* - IntelIde
*Deregistered* - Ip6Fw
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - Lbd
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - NPPTNT2
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - ossrv
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCTCore
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - RasAuto
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RDPWD
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - SCDEmu
*Deregistered* - Schedule
*Deregistered* - sdAuxService
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - SSScsiSV
*Deregistered* - STEC3
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TabletServiceWacom
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - Tcpip6
*Deregistered* - TDTCP
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - tunmp
*Deregistered* - UMWdf
*Deregistered* - Update
*Deregistered* - US30Service
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - wacomvhid
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dab795d-dc99-11dc-8d99-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cca87e6-d32f-11dc-8d81-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3f630f8-d766-11dd-8f89-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddfe115b-fb0c-11db-8b88-0013d4235b6d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servers.exe
.
- - - - - - - -

SafeBoot-Lavasoft Ad-Aware Service
SafeBoot-Lavasoft Ad-Aware Service
SafeBoot-Lavasoft Ad-Aware Service

Edited by hoju.needshelp, 27 May 2009 - 09:56 AM.


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:32 AM

Posted 27 May 2009 - 10:39 AM

Let's try this:


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image

    <INSERT ADDITIONAL INSTRUCTIONS HERE IF REQUIRED>
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 hoju.needshelp

hoju.needshelp
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 27 May 2009 - 01:28 PM

Here is the GMER log:




GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-27 14:27:40
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 8AA27500 pIofCallDriver

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wdfmgr.exe[188] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\wdfmgr.exe[188] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\wdfmgr.exe[188] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\wdfmgr.exe[188] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\wdfmgr.exe[188] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\wdfmgr.exe[188] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\Program Files\Universal Shield 4.1\US30Service.exe[216] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\Program Files\Universal Shield 4.1\US30Service.exe[216] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\Program Files\Universal Shield 4.1\US30Service.exe[216] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\Program Files\Universal Shield 4.1\US30Service.exe[216] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\Program Files\Universal Shield 4.1\US30Service.exe[216] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\Program Files\Universal Shield 4.1\US30Service.exe[216] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe[492] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe[492] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe[492] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe[492] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe[492] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe[492] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\Wacom_Tablet.exe[548] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\Wacom_Tablet.exe[548] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\Wacom_Tablet.exe[548] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\Wacom_Tablet.exe[548] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\Wacom_Tablet.exe[548] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\Wacom_Tablet.exe[548] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\services.exe[740] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\services.exe[740] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\services.exe[740] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\services.exe[740] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\services.exe[740] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\services.exe[740] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\lsass.exe[756] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF947A0
.text C:\WINDOWS\system32\lsass.exe[756] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF9482F
.text C:\WINDOWS\system32\lsass.exe[756] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF9483C
.text C:\WINDOWS\system32\lsass.exe[756] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FF94AB6
.text C:\WINDOWS\system32\lsass.exe[756] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF94825
.text C:\WINDOWS\system32\lsass.exe[756] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9487D
.text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\svchost.exe[1024] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1024] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\System32\svchost.exe[1064] C:\WINDOWS\System32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[1064] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\svchost.exe[1124] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1124] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\svchost.exe[1164] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1164] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\spoolsv.exe[1376] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\spoolsv.exe[1376] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\spoolsv.exe[1376] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\spoolsv.exe[1376] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\spoolsv.exe[1376] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\spoolsv.exe[1376] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\System32\alg.exe[1440] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\System32\alg.exe[1440] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\System32\alg.exe[1440] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\System32\alg.exe[1440] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\System32\alg.exe[1440] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\System32\alg.exe[1440] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[1488] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[1488] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[1488] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[1488] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[1488] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[1488] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\nvsvc32.exe[1540] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\nvsvc32.exe[1540] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\nvsvc32.exe[1540] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\nvsvc32.exe[1540] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\nvsvc32.exe[1540] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\nvsvc32.exe[1540] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\RUNDLL32.EXE[1604] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\RUNDLL32.EXE[1604] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\RUNDLL32.EXE[1604] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\RUNDLL32.EXE[1604] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\RUNDLL32.EXE[1604] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\RUNDLL32.EXE[1604] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
? C:\WINDOWS\System32\svchost.exe[1680] number of sections mismatch; time/date stamp mismatch; unknown module: gdiplus.dllunknown module: OLEAUT32.dll
.text C:\WINDOWS\System32\svchost.exe[1680] C:\WINDOWS\System32\svchost.exe section is writeable [0x13141000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[1680] C:\WINDOWS\System32\svchost.exe section is executable [0x13145000, 0x5600, 0xE0000040]
.text C:\WINDOWS\System32\svchost.exe[1680] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\System32\svchost.exe[1680] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\System32\svchost.exe[1680] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\System32\svchost.exe[1680] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\System32\svchost.exe[1680] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\System32\svchost.exe[1680] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\ctfmon.exe[1724] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\ctfmon.exe[1724] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\ctfmon.exe[1724] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\ctfmon.exe[1724] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\ctfmon.exe[1724] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\ctfmon.exe[1724] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1864] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\svchost.exe[1864] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\system32\Wacom_Tablet.exe[1908] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\system32\Wacom_Tablet.exe[1908] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\system32\Wacom_Tablet.exe[1908] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\system32\Wacom_Tablet.exe[1908] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\system32\Wacom_Tablet.exe[1908] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\system32\Wacom_Tablet.exe[1908] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\Explorer.EXE[1988] Explorer.EXE 0101E26B 4 Bytes [FF, 15, 98, 10]
.text C:\WINDOWS\Explorer.EXE[1988] C:\WINDOWS\Explorer.EXE section is writeable [0x01001000, 0x44689, 0xE0000060]
.reloc C:\WINDOWS\Explorer.EXE[1988] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE0000040]
.text C:\WINDOWS\Explorer.EXE[1988] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\Explorer.EXE[1988] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\Explorer.EXE[1988] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\Explorer.EXE[1988] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\Explorer.EXE[1988] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\Explorer.EXE[1988] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
? C:\WINDOWS\System32\svchost.exe[2296] number of sections mismatch; time/date stamp mismatch; unknown module: gdiplus.dllunknown module: OLEAUT32.dll
.text C:\WINDOWS\System32\svchost.exe[2296] C:\WINDOWS\System32\svchost.exe section is writeable [0x13141000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[2296] C:\WINDOWS\System32\svchost.exe section is executable [0x13145000, 0x5600, 0xE0000040]
.text C:\WINDOWS\System32\svchost.exe[2296] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\System32\svchost.exe[2296] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\System32\svchost.exe[2296] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\System32\svchost.exe[2296] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\System32\svchost.exe[2296] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\System32\svchost.exe[2296] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\Documents and Settings\User\Desktop\g82165fk.exe[2924] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\Documents and Settings\User\Desktop\g82165fk.exe[2924] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\Documents and Settings\User\Desktop\g82165fk.exe[2924] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\Documents and Settings\User\Desktop\g82165fk.exe[2924] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\Documents and Settings\User\Desktop\g82165fk.exe[2924] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\Documents and Settings\User\Desktop\g82165fk.exe[2924] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
.text C:\WINDOWS\System32\svchost.exe[3312] C:\WINDOWS\System32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[3312] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.text C:\WINDOWS\System32\svchost.exe[3312] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\System32\svchost.exe[3312] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\System32\svchost.exe[3312] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\System32\svchost.exe[3312] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\System32\svchost.exe[3312] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\System32\svchost.exe[3312] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
? C:\WINDOWS\System32\svchost.exe[3680] number of sections mismatch; time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[3680] C:\WINDOWS\System32\svchost.exe section is writeable [0x00401000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[3680] C:\WINDOWS\System32\svchost.exe section is executable [0x00405000, 0x5600, 0xE0000040]
.text C:\WINDOWS\System32\svchost.exe[3680] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\System32\svchost.exe[3680] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\System32\svchost.exe[3680] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\System32\svchost.exe[3680] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\System32\svchost.exe[3680] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\System32\svchost.exe[3680] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D
? C:\WINDOWS\System32\svchost.exe[3692] number of sections mismatch; time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[3692] C:\WINDOWS\System32\svchost.exe section is writeable [0x00401000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[3692] C:\WINDOWS\System32\svchost.exe section is executable [0x00405000, 0x5600, 0xE0000040]
.text C:\WINDOWS\System32\svchost.exe[3692] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA47A0
.text C:\WINDOWS\System32\svchost.exe[3692] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA482F
.text C:\WINDOWS\System32\svchost.exe[3692] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA483C
.text C:\WINDOWS\System32\svchost.exe[3692] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA4AB6
.text C:\WINDOWS\System32\svchost.exe[3692] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA4825
.text C:\WINDOWS\System32\svchost.exe[3692] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA487D

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] [77DD6BF0] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] [77DDEAF4] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] [77DDEDE5] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] [77DFC123] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [77DDEBE7] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] [77DD7883] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] [77DFC1B5] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] [77DD761B] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] [77DFC8C1] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] [77DDD7CC] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] [77DD6FC8] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] [77DD6A78] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 00000000
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] [7C80A480] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [7C80D47E] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] [7C809A81] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] [7C809B14] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] [7C812E03] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] [7C80E00D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] [7C801E16] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7C81E82A] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] [7C812CA9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] [7C810386] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [7C862B8A] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] [7C9109ED] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] [7C809BF5] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] [7C809750] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] [7C80B529] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] [7C80B859] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] [7C812851] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] [7C937A40] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] [7C80EB3F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] [7C802442] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] [7C809B77] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7C80EC1B] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] [7C8092AC] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] [7C80180E] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] [7C810C8F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] [7C801A24] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] [7C910331] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] [7C810F9F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] [7C81114A] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] [7C81E5E9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] [7C80B8EC] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] [7C810976] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] [7C838FB9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] [7C80C729] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [7C802530] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] [7C81486A] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] [7C801625] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] [7C80A0C7] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] [7C809A39] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] [7C809CAD] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] [7C8221CF] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] [7C81EE79] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] [7C81EAE1] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] [7C80A859] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] [7C80A823] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] [7C80B929] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] [7C9010ED] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] [7C901005] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] [7C809C28] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] [7C8097AD] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] [7C8097C6] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] [7C81E4BD] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] [7C81082F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] [7C809C4C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] [7C812929] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] [7C9105D4] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] [7C9179FD] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] [7C809EB3] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] [7C91043D] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] [7C809737] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] [7C809F29] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] [77DD6BF0] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] [77DDEAF4] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] [77DDEBE7] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] [77DD7883] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [77DD761B] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] [77DDD7CC] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] [77DD6FC8] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] [77DD6A78] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] [7C80A480] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] [7C838CB9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] [7C80CEC4] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] [7C832E2B] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] [7C80D47E] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [7C809943] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] [7C812BE6] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] [7C812E03] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] [7C801E16] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] [7C80B357] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7C812CA9] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] [7C809BF5] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] [7C809750] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [7C80B529] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] [7C80B859] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] [7C812851] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] [7C937A40] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] [7C80EB3F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] [7C802442] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] [7C809B77] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] [7C80EC1B] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] [7C8092AC] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] [7C80180E] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] [7C810C8F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7C801A24] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] [7C910331] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] [7C810F9F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] [7C80C6E0] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] [7C810976] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] [7C81114A] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] [7C802530] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] [7C81486A] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] [7C80A0C7] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] [7C809A39] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] [7C809CAD] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] [7C80C729] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] [7C81EE79] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [7C81EAE1] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] [7C80A859] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] [7C80A823] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] [7C80B929] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] [7C9010ED] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] [7C80B8EC] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] [7C901005] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] [7C809C28] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] [7C8097AD] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] [7C8097C6] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] [7C81E4BD] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] [7C809FA1] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] [7C81082F] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] [7C809C4C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] [7C812929] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] [7C9105D4] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] [7C9179FD] C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] [7C809EB3] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] [7C809737] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] [7C80995D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] [7C825F62] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] [7C839019] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] [7C81E85C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] [7C813559] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] [7C80EFD7] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] [7C80B877] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2296] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] [7C810311] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] CB8401C7
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 3CE90043
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560001D0
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [0043CB84] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01D02EE8
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] D3ADE856
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 5D10C483
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 01D8A9E8
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 021EF5E8
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] FDE8F075
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830001CE
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E80043CB
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001D70
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] A7E8C68B
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C200021F
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] CB9006C7
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] BAE80043
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000022
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 90E95ECE
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 830001CF
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 72102479
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 10418B04
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 10418DC3
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] F18B56C3
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFFCDE8
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 07740108
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] D2F9E856
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 9C01C700
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E90043CB
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFFFAE
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] C7F18B56
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 43CB9C06
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] FFA0E800
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 44F6FFFF
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 74010824
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] CCE85607
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 590001D2
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] C25EC68B
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 046A0004
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 436A7DB8
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 1E4CE800
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F18B0002
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8BF07589
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 0001CEC7
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 570CC783
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] C70C4E8D
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 43CB9006
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 1CC2E800
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C68B0000
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 021EF9E8
IAT C:\WINDOWS\System32\svchost.exe[3680] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0004C200
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] CB8401C7
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 3CE90043
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560001D0
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [0043CB84] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01D02EE8
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] D3ADE856
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 5D10C483
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 01D8A9E8
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 021EF5E8
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] FDE8F075
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830001CE
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E80043CB
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001D70
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] A7E8C68B
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C200021F
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] CB9006C7
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] BAE80043
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000022
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 90E95ECE
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 830001CF
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] 72102479
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 10418B04
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 10418DC3
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] F18B56C3
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFFCDE8
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 07740108
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] D2F9E856
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 9C01C700
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] E90043CB
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] FFFFFFAE
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] C7F18B56
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 43CB9C06
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] FFA0E800
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 44F6FFFF
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 74010824
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] CCE85607
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 590001D2
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] C25EC68B
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 046A0004
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 436A7DB8
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 1E4CE800
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F18B0002
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8BF07589
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 0001CEC7
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00FC6583
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 570CC783
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] C70C4E8D
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 43CB9006
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 1CC2E800
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C68B0000
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 021EF9E8
IAT C:\WINDOWS\System32\svchost.exe[3692] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0004C200

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [8AA01982] NDIS.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xF2 0xA3 0xAF 0x56 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x16 0x42 0xFD 0xED ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x66 0x16 0x00 0xA6 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE3 0x29 0xC4 0xC8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xF2 0xA3 0xAF 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x16 0x42 0xFD 0xED ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x66 0x16 0x00 0xA6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE3 0x29 0xC4 0xC8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xF2 0xA3 0xAF 0x56 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x16 0x42 0xFD 0xED ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x66 0x16 0x00 0xA6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE3 0x29 0xC4 0xC8 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DDFF229F-C0C9-9E00-10CF-334273854FA1}

---- EOF - GMER 1.0.15 ----

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:32 AM

Posted 27 May 2009 - 04:48 PM

I'm sorry to inform you but we are just spinning our wheels here. :thumbup2: You have Virut infection and there is no way I can clean it up. The damage this does is just too extensive. Keep in mind that these Trojans and others you have also steal information and thus none of your passwords or security codes are safe.

Although you fixed these entries with HJT that does not delete the files or help with the damage which is done.


O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\User\reader_s.exe (User 'Default user') [2009-05-23]

O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\User\reader_s.exe [2009-05-23]

Here


O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll [2009-05-25]

Here





Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutThis kind of infection is contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Edited by thewall, 27 May 2009 - 04:48 PM.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 hoju.needshelp

hoju.needshelp
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 27 May 2009 - 07:34 PM

hmm, is there nothing more I can do? I would like to try to get rid of as much of the infectin as I possibly can before I give up.

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:32 AM

Posted 27 May 2009 - 09:14 PM

I really wish there were and I really hate to give people that kind of news but all we would be doing is to go around in circles. However if you are set on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no quarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.




Was your other computer hooked to this one or have you shared any external devices like CDs or Pen Drives? If so you could be facing the same problem with it as this one but I sincerly hope not.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 hoju.needshelp

hoju.needshelp
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 28 May 2009 - 02:14 PM

The other computer is no where near as important as my current one. Thank you for all your help, if I happen to stumble across a cure, I'll be sure to let you know. I already have a few ideas floating around that I wanna try out. And yes, I was using a usb stick to transfer files back and forth. Also, I would like to ask, if I am to back up my files, what is the safest way to do so? Seeing as my other computer got infected while transferring files. My friend recommended using a different OS, like Linux to transfer them.

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:32 AM

Posted 28 May 2009 - 03:54 PM

If you are talking about backing up the current files on the computer which is infected keep mind that files with the following extensions should not be backed up for reinstalling once the machine is cleaned up:exe/.scr/.htm/.html/.xml/.zip/.rar/.asp/.php


Anything else you should be able to back up on a clean USB stick.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:32 AM

Posted 02 June 2009 - 11:07 AM

This topic will now be closed. If you are the original poster and need it reopened please PM me with the link. Anyone else please start a new topic.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users