Win32TrojanTDSS and Win32/Cryptor Cannot be removed


40 replies to this topic

#1 Cherps

Posted 29 June 2009 - 09:57 PM

Hi All,

For 4 days running, in VAIN have been the attempts to remove these trojans. The Win32TrojanTDSS reinstalls itself after every reboot. The other one cannot be removed with AVG.

Malwarebytes and SuperAntispyware cannot install and run. If I rename them...they might install, but will NOT run. SAS has an 'error msg' and Malwarebytes just freezes the computer so that I have to do a hard reboot. The only programs I've been able to run are Ad Aware...which doesn't help any as you have to reboot to clean the virus...but the trojan installs every reboot....and I've been able to run Root Repeal. However, *every time* I run Root Repeal and *try* to scan the drivers the computer *restarts automatically* and I cannot do the scan for the drivers....but can for all the others.

I have logs from AVG, AD-Aware, and Root Repeal....and OTListIt3: as follows:

From Ad Aware:
Logfile created: 6/29/2009 19:9:27
Lavasoft Ad-Aware version: 8.0.6
Extended engine version: 8.1
User performing scan: owner

*********************** Definitions database information ***********************
Lavasoft definition file: 148.58
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 73142
Objects detected: 1


Type Detected
==========================
Processes.......: 1
Registry entries: 0
Hostfile entries: 0
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0



Quarantined items:
Description: \\?\globalroot\systemroot\system32\uacqacriwevpqbfhwe.dll
Family Name: Win32.Trojan.TDSS
Clean status: Reboot required
Item ID: 888510
Family ID: 5401

Scan and cleaning complete: Finished correctly after 383 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value: C:\
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: scanrootkits, enabled:1, value: true
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Wed Jun 24 21:58:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Wed Jun 24 21:58:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: true
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: usespywareheuristics, enabled:0, value: true
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: display, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: HASTINGSPC
Processor name: Pentium® Dual-Core CPU E5200 @ 2.50GHz
Processor identifier: x86 Family 6 Model 23 Stepping 6
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 5894, number of processors 2
Physical memory available: 2651758592 bytes
Physical memory total: 3352801280 bytes
Virtual memory available: 2009485312 bytes
Virtual memory total: 2147352576 bytes
Memory load: 20%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 820 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 904 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 928 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 976 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 996 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1160 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1244 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1312 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1428 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1504 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1560 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1708 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1796 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1840 name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1880 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1916 name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1968 name: C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2016 name: C:\PROGRA~1\AVG\AVG8\avgrsx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2044 name: C:\WINDOWS\system32\nvsvc32.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2036 name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 236 name: C:\WINDOWS\system32\java.exe owner: SYSTEM domain: NT AUTHORITY
PID: 276 name: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe owner: SYSTEM domain: NT AUTHORITY
PID: 440 name: C:\WINDOWS\system32\wdfmgr.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 588 name: C:\WINDOWS\system32\SearchIndexer.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2096 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2128 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2376 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3232 name: C:\WINDOWS\Explorer.EXE owner: Stacy Nice domain: HASTINGSPC
PID: 3504 name: C:\WINDOWS\system32\RUNDLL32.EXE owner: Stacy Nice domain: HASTINGSPC
PID: 3512 name: C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe owner: Stacy Nice domain: HASTINGSPC
PID: 3540 name: C:\Program Files\Java\jre6\bin\jusched.exe owner: Stacy Nice domain: HASTINGSPC
PID: 3544 name: C:\WINDOWS\system32\ctfmon.exe owner: Stacy Nice domain: HASTINGSPC
PID: 3608 name: C:\PROGRA~1\AVG\AVG8\avgtray.exe owner: Stacy Nice domain: HASTINGSPC
PID: 3644 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Stacy Nice domain: HASTINGSPC
PID: 3740 name: C:\Program Files\Windows Desktop Search\WindowsSearch.exe owner: Stacy Nice domain: HASTINGSPC
PID: 1632 name: C:\Program Files\Avira\AntiVir Desktop\avguard.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2560 name: C:\Program Files\Avira\AntiVir Desktop\sched.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2420 name: C:\Program Files\Avira\AntiVir Desktop\avgnt.exe owner: Stacy Nice domain: HASTINGSPC
PID: 1668 name: C:\Documents and Settings\Stacy Nice\Application Data\U3\000015672B61B4A9\LaunchPad.exe owner: Stacy Nice domain: HASTINGSPC
PID: 3340 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Stacy Nice domain: HASTINGSPC
PID: 800 name: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe owner: Stacy Nice domain: HASTINGSPC
PID: 2976 name: C:\WINDOWS\system32\SearchProtocolHost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2032 name: C:\WINDOWS\system32\SearchFilterHost.exe owner: LOCAL SERVICE domain: NT AUTHORITY

Startup items:
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: NvCplDaemon
imagepath: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Name: nwiz
imagepath: nwiz.exe /install
Name: NvMediaCenter
imagepath: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
Name: HDAudDeck
imagepath: C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1


From AVG:

Scan "Scan whole computer" was finished.
Infections;"6";"3";"3"
Folders selected for scanning:;"Scan whole computer"
Scan started:;"Monday, June 29, 2009, 7:31:14 PM"
Scan finished:;"Monday, June 29, 2009, 8:00:11 PM (28 minute(s) 57 second(s))"
Total object scanned:;"260274"
User who launched the scan:;"Stacy Nice"

Infections
File;"Infection";"Result"
\\?\globalroot\systemroot\system32\UACqacriwevpqbfhwe.dll;"Virus found Win32/Cryptor";"Moved to Virus Vault"
\\?\globalroot\systemroot\system32\UACqacriwevpqbfhwe.dll;"Virus found Win32/Cryptor";"Moved to Virus Vault"
\\?\globalroot\systemroot\system32\UACqacriwevpqbfhwe.dll;"Virus found Win32/Cryptor";"Moved to Virus Vault"
C:\Program Files\Internet Explorer\iexplore.exe (2204);"Virus found Win32/Cryptor";""
C:\Program Files\Internet Explorer\iexplore.exe (2512);"Virus found Win32/Cryptor";""
C:\WINDOWS\system32\svchost.exe (1304);"Virus found Win32/Cryptor";""


OTListIt3:

OTListIt logfile created on: 6/29/2009 7:13:43 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Stacy Nice\Desktop\Cleanup Programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 462.37 Gb Total Space | 449.88 Gb Free Space | 97.30% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HASTINGSPC
Current User Name: Stacy Nice
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/06/24 21:58:21 | 01,003,344 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/06/24 21:54:21 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/04/01 14:49:46 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2005/09/22 23:01:54 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2008/01/15 10:28:20 | 00,204,800 | ---- | M] () -- C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
PRC - [2009/06/24 21:54:22 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2008/08/01 21:48:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2009/06/24 21:54:22 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/04/01 14:49:46 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\system32\java.exe
PRC - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2005/01/28 20:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
PRC - [2006/02/28 08:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/04/14 12:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/05/14 14:16:28 | 29,831,168 | R--- | M] (VIA Technologies, Inc.) -- C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
PRC - [2009/04/01 14:49:46 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/06/24 21:54:21 | 01,947,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/06/24 21:58:22 | 00,518,488 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2008/05/27 05:19:14 | 00,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2009/05/11 10:15:50 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 13:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/06/24 21:58:24 | 02,349,384 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
PRC - [2009/06/02 12:02:50 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stacy Nice\Desktop\Cleanup Programs\OTListIt2.exe
PRC - [2008/04/14 12:42:30 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\notepad.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/06/24 21:54:21 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/04/14 12:42:04 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2009/04/01 14:49:46 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/06/24 21:58:21 | 01,003,344 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2005/09/22 23:01:54 | 00,053,248 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2008/01/15 10:28:20 | 00,204,800 | ---- | M] () -- C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe -- (LinksysUpdater [Auto | Running])
SRV - [2008/08/01 21:48:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 21:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort [Auto | Running])
SRV - [2005/01/28 20:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService [Auto | Running])
SRV - [2009/05/11 10:15:50 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2009/06/24 21:54:29 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/06/24 21:54:28 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/06/24 21:54:32 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2008/04/14 05:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2009/06/24 21:58:27 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2008/02/14 17:12:00 | 01,389,056 | R--- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt [On_Demand | Running])
DRV - [2004/08/12 11:00:00 | 00,005,810 | R--- | M] () -- C:\WINDOWS\system32\DRIVERS\ASACPI.sys -- (MTsensor [On_Demand | Running])
DRV - [2008/08/01 21:48:00 | 06,555,104 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2008/08/01 18:36:00 | 00,054,784 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\NVENETFD.sys -- (NVENETFD [On_Demand | Running])
DRV - [2008/08/01 18:36:00 | 00,022,016 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nvnetbus.sys -- (nvnetbus [On_Demand | Running])
DRV - [2006/02/28 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/04/14 05:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/06/05 16:04:54 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Stopped])
DRV - [2009/06/05 16:04:49 | 00,035,888 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\system32\DRIVERS\SymIM.sys -- (SymIM [On_Demand | Stopped])
DRV - [2009/06/05 16:04:49 | 00,035,888 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\system32\DRIVERS\SymIM.sys -- (SymIMMP [On_Demand | Running])
DRV - [2008/05/09 00:23:22 | 00,238,080 | R--- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService [On_Demand | Running])
DRV - [2009/03/24 16:08:22 | 00,055,640 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\DRIVERS\avgntflt.sys -- (avgntflt [Auto | Running])
DRV - [2009/02/13 12:35:05 | 00,011,608 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio [System | Running])
DRV - [2009/03/30 10:33:07 | 00,096,104 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\DRIVERS\avipbb.sys -- (avipbb [System | Running])
DRV - [2009/05/11 10:12:24 | 00,028,520 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\DRIVERS\ssmdrv.sys -- (ssmdrv [System | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2569489779-2086870234-148898848-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2569489779-2086870234-148898848-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-2569489779-2086870234-148898848-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-2569489779-2086870234-148898848-1005\S-1-5-21-2569489779-2086870234-148898848-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/04/01 14:49:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/06/24 21:54:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/06/25 00:12:33 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/06/25 00:12:33 | 00,000,000 | ---D | M]

[2009/06/24 21:53:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Stacy Nice\Application Data\mozilla\Extensions
[2009/06/24 21:53:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Stacy Nice\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/06/24 21:53:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Stacy Nice\Application Data\mozilla\Firefox\Profiles\u7l3hn0x.default\extensions
[2009/06/25 00:12:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/25 00:12:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/06/02 23:00:58 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/02 23:00:59 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/06/02 19:18:22 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/06/02 19:18:22 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/06/02 19:18:22 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/06/02 19:18:22 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/06/02 19:18:22 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/06/02 19:18:22 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/06/02 19:18:22 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-2569489779-2086870234-148898848-1005\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min (Avira GmbH)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 (VIA Technologies, Inc.)
O4 - HKLM..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume (Microsoft Corp.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NIS] "C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\2454B0AB\16.0.0.125\InstStub.exe" /RELAUNCH /RUNONCE /MEDIA "D:\SETUP.EXE" /NOPROMPT File not found
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install File not found
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-21-2569489779-2086870234-148898848-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2569489779-2086870234-148898848-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\S-1-5-21-2569489779-2086870234-148898848-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\S-1-5-21-2569489779-2086870234-148898848-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1238540097968 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://linksyssupport.webex.com/client/T26...ort/ieatgpc.cab (GpcContainer Class)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/22 20:55:27 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{b2cbaaca-612a-11de-9745-002215d853ca}\Shell - "" = AutoRun
O33 - MountPoints2\{b2cbaaca-612a-11de-9745-002215d853ca}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b2cbaaca-612a-11de-9745-002215d853ca}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (/p) - File not found
O34 - HKLM BootExecute: (\??\C:) - C: [2009/06/29 19:12:50 | 00,000,000 | ---D | M]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/29 19:12:50 | 00,000,000 | ---D | M]
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/06/29 18:59:37 | 00,000,120 | -H-- | C] () -- C:\aaw7boot.cmd
[2009/06/29 18:38:22 | 00,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/06/29 18:38:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/06/29 18:38:13 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/06/29 18:38:13 | 00,055,640 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/06/29 18:38:13 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/06/29 18:38:13 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/06/29 18:38:13 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/06/29 18:38:13 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/06/29 18:38:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/06/29 18:36:55 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/06/29 18:36:53 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/06/29 18:36:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stacy Nice\Application Data\SUPERAntiSpyware.com
[2009/06/29 18:36:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/06/29 18:33:35 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/29 18:33:33 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/29 18:33:32 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/29 18:33:32 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/06/29 18:33:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/06/29 18:30:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stacy Nice\Desktop\Cleanup Programs
[2009/06/29 18:24:06 | 00,033,280 | ---- | C] () -- C:\WINDOWS\System32\drivers\.sys
[2009/06/29 18:20:35 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/06/25 00:40:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2009/06/25 00:21:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stacy Nice\Application Data\Windows Search
[2009/06/25 00:12:33 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/06/25 00:12:32 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/06/24 22:30:21 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/06/24 22:30:00 | 00,001,475 | ---- | C] () -- C:\Documents and Settings\Stacy Nice\Desktop\Windows Explorer.lnk
[2009/06/24 22:23:57 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/06/24 21:58:50 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/06/24 21:58:45 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/06/24 21:58:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/06/24 21:56:36 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/06/24 21:56:36 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/06/24 21:56:34 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/06/24 21:56:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/06/24 21:54:33 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/06/24 21:54:33 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/06/24 21:54:32 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/06/24 21:54:29 | 00,325,896 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/06/24 21:54:28 | 00,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/06/24 21:54:26 | 37,424,158 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/06/24 21:54:26 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/06/24 21:54:26 | 00,434,673 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/06/24 21:54:26 | 00,095,914 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/06/24 21:54:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/06/24 21:54:21 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/06/24 21:54:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/06/24 21:54:18 | 00,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll
[2009/06/24 21:54:18 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll
[2009/06/24 21:53:03 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/06/24 21:53:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stacy Nice\Application Data\Mozilla
[2009/06/05 16:04:58 | 00,035,888 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2009/06/05 16:04:54 | 00,124,464 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/06/05 16:04:54 | 00,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/06/05 16:04:54 | 00,010,635 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/06/05 16:04:54 | 00,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/06/05 16:04:54 | 00,000,000 | ---D | C] -- C:\Program Files\Symantec
[2009/06/05 16:04:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2009/06/05 10:18:09 | 02,908,976 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Stacy Nice\Desktop\Norton_Removal_Tool.exe
[2009/03/11 16:26:57 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/10/22 22:50:27 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/10/22 22:07:47 | 00,000,470 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/10/22 21:41:32 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/10/22 21:41:25 | 00,024,892 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/10/22 21:41:25 | 00,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/08/01 21:48:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/08/01 21:48:00 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/08/01 21:48:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/08/01 21:48:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/08/01 21:48:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/09/27 17:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 17:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 17:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/02/28 15:00:00 | 00,000,552 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/02/28 15:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/06/29 19:07:08 | 00,000,120 | -H-- | M] () -- C:\aaw7boot.cmd
[2009/06/29 19:05:18 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\svchost.exe
[2009/06/29 19:05:18 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\svchost.exe
[2009/06/29 18:38:22 | 00,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/06/29 18:36:55 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/06/29 18:33:35 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/06/29 18:27:19 | 00,188,791 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/06/29 18:27:16 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/29 18:27:15 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Stacy Nice\Local Settings\desktop.ini
[2009/06/29 18:25:19 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/29 18:25:12 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/29 18:24:07 | 00,033,280 | ---- | M] () -- C:\WINDOWS\System32\drivers\.sys
[2009/06/25 00:36:08 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/06/25 00:12:33 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/06/24 22:30:06 | 00,001,475 | ---- | M] () -- C:\Documents and Settings\Stacy Nice\Desktop\Windows Explorer.lnk
[2009/06/24 22:21:31 | 00,264,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/06/24 21:58:50 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/06/24 21:58:39 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/06/24 21:58:27 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/06/24 21:56:36 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/06/24 21:55:38 | 37,424,158 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/06/24 21:55:27 | 00,095,914 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/06/24 21:54:33 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/06/24 21:54:33 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/06/24 21:54:32 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/06/24 21:54:29 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/06/24 21:54:28 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/06/24 21:54:26 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/06/24 21:54:26 | 00,434,673 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/06/24 21:53:03 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/06/17 11:27:56 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/17 11:27:44 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/05 16:04:54 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/06/05 16:04:54 | 00,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/06/05 16:04:54 | 00,010,635 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/06/05 16:04:54 | 00,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/06/05 16:04:49 | 00,035,888 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2009/06/05 10:18:18 | 02,908,976 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Stacy Nice\Desktop\Norton_Removal_Tool.exe
[2009/06/04 16:05:34 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/06/01 12:51:12 | 23,635,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\system32\svchost.exe:SummaryInformation
< End of report >



FROM ROOT REPEAL: report for FILES

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/29 20:08
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACbpxxoboejpwiesm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACciesrqphgmufjqq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACcqqiovnmsnvpwmy.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACepweqidwpireecc.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqacriwevpqbfhwe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACuxyvbnybltruxde.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvsxrkgavvymeyxm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxwhpmkostifknny.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACc870.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACpbpfmimxewxlltp.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Shelby Hastings\Local Settings\Temp\UAC826.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\f7457c9e-5392-4e06-aba4-af99264e5ade
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacqacriwevpqbfhwe.dll.8f64756049a5187f0355adf45677239.aawqff
Status: Invisible to the Windows API!


Hidden Services:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/29 20:13
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACpbpfmimxewxlltp.sys


Processes:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/29 20:12
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 124 Status: -

Path: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 184 Status: -

Path: C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
PID: 248 Status: -

Path: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 296 Status: -

Path: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 304 Status: -

Path: C:\WINDOWS\system32\nvsvc32.exe
PID: 396 Status: -

Path: C:\Program Files\AVG\AVG8\avgcsrvx.exe
PID: 512 Status: -

Path: C:\WINDOWS\system32\java.exe
PID: 520 Status: -

Path: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PID: 552 Status: -

Path: C:\WINDOWS\system32\wdfmgr.exe
PID: 692 Status: -

Path: C:\WINDOWS\system32\searchindexer.exe
PID: 776 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 824 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 892 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 916 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 964 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 984 Status: -

Path: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PID: 1056 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1164 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1248 Status: -

Path: C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PID: 1296 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1304 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1424 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1504 Status: -

Path: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PID: 1568 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1700 Status: -

Path: C:\Program Files\Avira\AntiVir Desktop\sched.exe
PID: 1764 Status: -

Path: C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PID: 1780 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1820 Status: -

Path: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 2008 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 2056 Status: -

Path: C:\WINDOWS\system32\rundll32.exe
PID: 2284 Status: -

Path: C:\WINDOWS\system32\wbem\unsecapp.exe
PID: 2292 Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 2316 Status: -

Path: C:\Documents and Settings\Stacy Nice\Desktop\Cleanup Programs\RootRepeal\RootRepeal.exe
PID: 2408 Status: -

Path: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 2432 Status: -

Path: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 2564 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 2704 Status: -

Path: C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
PID: 2844 Status: -

Path: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 2888 Status: -

Path: C:\Program Files\AVG\AVG8\avgui.exe
PID: 3076 Status: -

Path: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PID: 3212 Status: -

Path: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
PID: 3352 Status: -



SSDT:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/29 20:12
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 012 Function Name: NtAlertResumeThread
Status: Not hooked

#: 013 Function Name: NtAlertThread
Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016 Function Name: NtAllocateUuids
Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 020 Function Name: NtCallbackReturn
Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

#: 022 Function Name: NtCancelIoFile
Status: Not hooked

#: 023 Function Name: NtCancelTimer
Status: Not hooked

#: 024 Function Name: NtClearEvent
Status: Not hooked

#: 025 Function Name: NtClose
Status: Not hooked

#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 027 Function Name: NtCompactKeys
Status: Not hooked

#: 028 Function Name: NtCompareTokens
Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked

#: 030 Function Name: NtCompressKey
Status: Not hooked

#: 031 Function Name: NtConnectPort
Status: Not hooked

#: 032 Function Name: NtContinue
Status: Not hooked

#: 033 Function Name: NtCreateDebugObject
Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 035 Function Name: NtCreateEvent
Status: Not hooked

#: 036 Function Name: NtCreateEventPair
Status: Not hooked

#: 037 Function Name: NtCreateFile
Status: Not hooked

#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked

#: 039 Function Name: NtCreateJobObject
Status: Not hooked

#: 040 Function Name: NtCreateJobSet
Status: Not hooked

#: 041 Function Name: NtCreateKey
Status: Not hooked

#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked

#: 043 Function Name: NtCreateMutant
Status: Not hooked

#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 045 Function Name: NtCreatePagingFile
Status: Not hooked

#: 046 Function Name: NtCreatePort
Status: Not hooked

#: 047 Function Name: NtCreateProcess
Status: Not hooked

#: 048 Function Name: NtCreateProcessEx
Status: Not hooked

#: 049 Function Name: NtCreateProfile
Status: Not hooked

#: 050 Function Name: NtCreateSection
Status: Not hooked

#: 051 Function Name: NtCreateSemaphore
Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 053 Function Name: NtCreateThread
Status: Not hooked

#: 054 Function Name: NtCreateTimer
Status: Not hooked

#: 055 Function Name: NtCreateToken
Status: Not hooked

#: 056 Function Name: NtCreateWaitablePort
Status: Not hooked

#: 057 Function Name: NtDebugActiveProcess
Status: Not hooked

#: 058 Function Name: NtDebugContinue
Status: Not hooked

#: 059 Function Name: NtDelayExecution
Status: Not hooked

#: 060 Function Name: NtDeleteAtom
Status: Not hooked

#: 061 Function Name: NtDeleteBootEntry
Status: Not hooked

#: 062 Function Name: NtDeleteFile
Status: Not hooked

#: 063 Function Name: NtDeleteKey
Status: Not hooked

#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked

#: 065 Function Name: NtDeleteValueKey
Status: Not hooked

#: 066 Function Name: NtDeviceIoControlFile
Status: Not hooked

#: 067 Function Name: NtDisplayString
Status: Not hooked

#: 068 Function Name: NtDuplicateObject
Status: Not hooked

#: 069 Function Name: NtDuplicateToken
Status: Not hooked

#: 070 Function Name: NtEnumerateBootEntries
Status: Not hooked

#: 071 Function Name: NtEnumerateKey
Status: Not hooked

#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked

#: 073 Function Name: NtEnumerateValueKey
Status: Not hooked

#: 074 Function Name: NtExtendSection
Status: Not hooked

#: 075 Function Name: NtFilterToken
Status: Not hooked

#: 076 Function Name: NtFindAtom
Status: Not hooked

#: 077 Function Name: NtFlushBuffersFile
Status: Not hooked

#: 078 Function Name: NtFlushInstructionCache
Status: Not hooked

#: 079 Function Name: NtFlushKey
Status: Not hooked

#: 080 Function Name: NtFlushVirtualMemory
Status: Not hooked

#: 081 Function Name: NtFlushWriteBuffer
Status: Not hooked

#: 082 Function Name: NtFreeUserPhysicalPages
Status: Not hooked

#: 083 Function Name: NtFreeVirtualMemory
Status: Not hooked

#: 084 Function Name: NtFsControlFile
Status: Not hooked

#: 085 Function Name: NtGetContextThread
Status: Not hooked

#: 086 Function Name: NtGetDevicePowerState
Status: Not hooked

#: 087 Function Name: NtGetPlugPlayEvent
Status: Not hooked

#: 088 Function Name: NtGetWriteWatch
Status: Not hooked

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Not hooked

#: 090 Function Name: NtImpersonateClientOfPort
Status: Not hooked

#: 091 Function Name: NtImpersonateThread
Status: Not hooked

#: 092 Function Name: NtInitializeRegistry
Status: Not hooked

#: 093 Function Name: NtInitiatePowerAction
Status: Not hooked

#: 094 Function Name: NtIsProcessInJob
Status: Not hooked

#: 095 Function Name: NtIsSystemResumeAutomatic
Status: Not hooked

#: 096 Function Name: NtListenPort
Status: Not hooked

#: 097 Function Name: NtLoadDriver
Status: Not hooked

#: 098 Function Name: NtLoadKey
Status: Not hooked

#: 099 Function Name: NtLoadKey2
Status: Not hooked

#: 100 Function Name: NtLockFile
Status: Not hooked

#: 101 Function Name: NtLockProductActivationKeys
Status: Not hooked

#: 102 Function Name: NtLockRegistryKey
Status: Not hooked

#: 103 Function Name: NtLockVirtualMemory
Status: Not hooked

#: 104 Function Name: NtMakePermanentObject
Status: Not hooked

#: 105 Function Name: NtMakeTemporaryObject
Status: Not hooked

#: 106 Function Name: NtMapUserPhysicalPages
Status: Not hooked

#: 107 Function Name: NtMapUserPhysicalPagesScatter
Status: Not hooked

#: 108 Function Name: NtMapViewOfSection
Status: Not hooked

#: 109 Function Name: NtModifyBootEntry
Status: Not hooked

#: 110 Function Name: NtNotifyChangeDirectoryFile
Status: Not hooked

#: 111 Function Name: NtNotifyChangeKey
Status: Not hooked

#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Not hooked

#: 113 Function Name: NtOpenDirectoryObject
Status: Not hooked

#: 114 Function Name: NtOpenEvent
Status: Not hooked

#: 115 Function Name: NtOpenEventPair
Status: Not hooked

#: 116 Function Name: NtOpenFile
Status: Not hooked

#: 117 Function Name: NtOpenIoCompletion
Status: Not hooked

#: 118 Function Name: NtOpenJobObject
Status: Not hooked

#: 119 Function Name: NtOpenKey
Status: Not hooked

#: 120 Function Name: NtOpenMutant
Status: Not hooked

#: 121 Function Name: NtOpenObjectAuditAlarm
Status: Not hooked

#: 122 Function Name: NtOpenProcess
Status: Not hooked

#: 123 Function Name: NtOpenProcessToken
Status: Not hooked

#: 124 Function Name: NtOpenProcessTokenEx
Status: Not hooked

#: 125 Function Name: NtOpenSection
Status: Not hooked

#: 126 Function Name: NtOpenSemaphore
Status: Not hooked

#: 127 Function Name: NtOpenSymbolicLinkObject
Status: Not hooked

#: 128 Function Name: NtOpenThread
Status: Not hooked

#: 129 Function Name: NtOpenThreadToken
Status: Not hooked

#: 130 Function Name: NtOpenThreadTokenEx
Status: Not hooked

#: 131 Function Name: NtOpenTimer
Status: Not hooked

#: 132 Function Name: NtPlugPlayControl
Status: Not hooked

#: 133 Function Name: NtPowerInformation
Status: Not hooked

#: 134 Function Name: NtPrivilegeCheck
Status: Not hooked

#: 135 Function Name: NtPrivilegeObjectAuditAlarm
Status: Not hooked

#: 136 Function Name: NtPrivilegedServiceAuditAlarm
Status: Not hooked

#: 137 Function Name: NtProtectVirtualMemory
Status: Not hooked

#: 138 Function Name: NtPulseEvent
Status: Not hooked

#: 139 Function Name: NtQueryAttributesFile
Status: Not hooked

#: 140 Function Name: NtQueryBootEntryOrder
Status: Not hooked

#: 141 Function Name: NtQueryBootOptions
Status: Not hooked

#: 142 Function Name: NtQueryDebugFilterState
Status: Not hooked

#: 143 Function Name: NtQueryDefaultLocale
Status: Not hooked

#: 144 Function Name: NtQueryDefaultUILanguage
Status: Not hooked

#: 145 Function Name: NtQueryDirectoryFile
Status: Not hooked

#: 146 Function Name: NtQueryDirectoryObject
Status: Not hooked

#: 147 Function Name: NtQueryEaFile
Status: Not hooked

#: 148 Function Name: NtQueryEvent
Status: Not hooked

#: 149 Function Name: NtQueryFullAttributesFile
Status: Not hooked

#: 150 Function Name: NtQueryInformationAtom
Status: Not hooked

#: 151 Function Name: NtQueryInformationFile
Status: Not hooked

#: 152 Function Name: NtQueryInformationJobObject
Status: Not hooked

#: 153 Function Name: NtQueryInformationPort
Status: Not hooked

#: 154 Function Name: NtQueryInformationProcess
Status: Not hooked

#: 155 Function Name: NtQueryInformationThread
Status: Not hooked

#: 156 Function Name: NtQueryInformationToken
Status: Not hooked

#: 157 Function Name: NtQueryInstallUILanguage
Status: Not hooked

#: 158 Function Name: NtQueryIntervalProfile
Status: Not hooked

#: 159 Function Name: NtQueryIoCompletion
Status: Not hooked

#: 160 Function Name: NtQueryKey
Status: Not hooked

#: 161 Function Name: NtQueryMultipleValueKey
Status: Not hooked

#: 162 Function Name: NtQueryMutant
Status: Not hooked

#: 163 Function Name: NtQueryObject
Status: Not hooked

#: 164 Function Name: NtQueryOpenSubKeys
Status: Not hooked

#: 165 Function Name: NtQueryPerformanceCounter
Status: Not hooked

#: 166 Function Name: NtQueryQuotaInformationFile
Status: Not hooked

#: 167 Function Name: NtQuerySection
Status: Not hooked

#: 168 Function Name: NtQuerySecurityObject
Status: Not hooked

#: 169 Function Name: NtQuerySemaphore
Status: Not hooked

#: 170 Function Name: NtQuerySymbolicLinkObject
Status: Not hooked

#: 171 Function Name: NtQuerySystemEnvironmentValue
Status: Not hooked

#: 172 Function Name: NtQuerySystemEnvironmentValueEx
Status: Not hooked

#: 173 Function Name: NtQuerySystemInformation
Status: Not hooked

#: 174 Function Name: NtQuerySystemTime
Status: Not hooked

#: 175 Function Name: NtQueryTimer
Status: Not hooked

#: 176 Function Name: NtQueryTimerResolution
Status: Not hooked

#: 177 Function Name: NtQueryValueKey
Status: Not hooked

#: 178 Function Name: NtQueryVirtualMemory
Status: Not hooked

#: 179 Function Name: NtQueryVolumeInformationFile
Status: Not hooked

#: 180 Function Name: NtQueueApcThread
Status: Not hooked

#: 181 Function Name: NtRaiseException
Status: Not hooked

#: 182 Function Name: NtRaiseHardError
Status: Not hooked

#: 183 Function Name: NtReadFile
Status: Not hooked

#: 184 Function Name: NtReadFileScatter
Status: Not hooked

#: 185 Function Name: NtReadRequestData
Status: Not hooked

#: 186 Function Name: NtReadVirtualMemory
Status: Not hooked

#: 187 Function Name: NtRegisterThreadTerminatePort
Status: Not hooked

#: 188 Function Name: NtReleaseMutant
Status: Not hooked

#: 189 Function Name: NtReleaseSemaphore
Status: Not hooked

#: 190 Function Name: NtRemoveIoCompletion
Status: Not hooked

#: 191 Function Name: NtRemoveProcessDebug
Status: Not hooked

#: 192 Function Name: NtRenameKey
Status: Not hooked

#: 193 Function Name: NtReplaceKey
Status: Not hooked

#: 194 Function Name: NtReplyPort
Status: Not hooked

#: 195 Function Name: NtReplyWaitReceivePort
Status: Not hooked

#: 196 Function Name: NtReplyWaitReceivePortEx
Status: Not hooked

#: 197 Function Name: NtReplyWaitReplyPort
Status: Not hooked

#: 198 Function Name: NtRequestDeviceWakeup
Status: Not hooked

#: 199 Function Name: NtRequestPort
Status: Not hooked

#: 200 Function Name: NtRequestWaitReplyPort
Status: Not hooked

#: 201 Function Name: NtRequestWakeupLatency
Status: Not hooked

#: 202 Function Name: NtResetEvent
Status: Not hooked

#: 203 Function Name: NtResetWriteWatch
Status: Not hooked

#: 204 Function Name: NtRestoreKey
Status: Not hooked

#: 205 Function Name: NtResumeProcess
Status: Not hooked

#: 206 Function Name: NtResumeThread
Status: Not hooked

#: 207 Function Name: NtSaveKey
Status: Not hooked

#: 208 Function Name: NtSaveKeyEx
Status: Not hooked

#: 209 Function Name: NtSaveMergedKeys
Status: Not hooked

#: 210 Function Name: NtSecureConnectPort
Status: Not hooked

#: 211 Function Name: NtSetBootEntryOrder
Status: Not hooked

#: 212 Function Name: NtSetBootOptions
Status: Not hooked

#: 213 Function Name: NtSetContextThread
Status: Not hooked

#: 214 Function Name: NtSetDebugFilterState
Status: Not hooked

#: 215 Function Name: NtSetDefaultHardErrorPort
Status: Not hooked

#: 216 Function Name: NtSetDefaultLocale
Status: Not hooked

#: 217 Function Name: NtSetDefaultUILanguage
Status: Not hooked

#: 218 Function Name: NtSetEaFile
Status: Not hooked

#: 219 Function Name: NtSetEvent
Status: Not hooked

#: 220 Function Name: NtSetEventBoostPriority
Status: Not hooked

#: 221 Function Name: NtSetHighEventPair
Status: Not hooked

#: 222 Function Name: NtSetHighWaitLowEventPair
Status: Not hooked

#: 223 Function Name: NtSetInformationDebugObject
Status: Not hooked

#: 224 Function Name: NtSetInformationFile
Status: Not hooked

#: 225 Function Name: NtSetInformationJobObject
Status: Not hooked

#: 226 Function Name: NtSetInformationKey
Status: Not hooked

#: 227 Function Name: NtSetInformationObject
Status: Not hooked

#: 228 Function Name: NtSetInformationProcess
Status: Not hooked

#: 229 Function Name: NtSetInformationThread
Status: Not hooked

#: 230 Function Name: NtSetInformationToken
Status: Not hooked

#: 231 Function Name: NtSetIntervalProfile
Status: Not hooked

#: 232 Function Name: NtSetIoCompletion
Status: Not hooked

#: 233 Function Name: NtSetLdtEntries
Status: Not hooked

#: 234 Function Name: NtSetLowEventPair
Status: Not hooked

#: 235 Function Name: NtSetLowWaitHighEventPair
Status: Not hooked

#: 236 Function Name: NtSetQuotaInformationFile
Status: Not hooked

#: 237 Function Name: NtSetSecurityObject
Status: Not hooked

#: 238 Function Name: NtSetSystemEnvironmentValue
Status: Not hooked

#: 239 Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked

#: 240 Function Name: NtSetSystemInformation
Status: Not hooked

#: 241 Function Name: NtSetSystemPowerState
Status: Not hooked

#: 242 Function Name: NtSetSystemTime
Status: Not hooked

#: 243 Function Name: NtSetThreadExecutionState
Status: Not hooked

#: 244 Function Name: NtSetTimer
Status: Not hooked

#: 245 Function Name: NtSetTimerResolution
Status: Not hooked

#: 246 Function Name: NtSetUuidSeed
Status: Not hooked

#: 247 Function Name: NtSetValueKey
Status: Not hooked

#: 248 Function Name: NtSetVolumeInformationFile
Status: Not hooked

#: 249 Function Name: NtShutdownSystem
Status: Not hooked

#: 250 Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked

#: 251 Function Name: NtStartProfile
Status: Not hooked

#: 252 Function Name: NtStopProfile
Status: Not hooked

#: 253 Function Name: NtSuspendProcess
Status: Not hooked

#: 254 Function Name: NtSuspendThread
Status: Not hooked

#: 255 Function Name: NtSystemDebugControl
Status: Not hooked

#: 256 Function Name: NtTerminateJobObject
Status: Not hooked

#: 257 Function Name: NtTerminateProcess
Status: Not hooked

#: 258 Function Name: NtTerminateThread
Status: Not hooked

#: 259 Function Name: NtTestAlert
Status: Not hooked

#: 260 Function Name: NtTraceEvent
Status: Not hooked

#: 261 Function Name: NtTranslateFilePath
Status: Not hooked

#: 262 Function Name: NtUnloadDriver
Status: Not hooked

#: 263 Function Name: NtUnloadKey
Status: Not hooked

#: 264 Function Name: NtUnloadKeyEx
Status: Not hooked

#: 265 Function Name: NtUnlockFile
Status: Not hooked

#: 266 Function Name: NtUnlockVirtualMemory
Status: Not hooked

#: 267 Function Name: NtUnmapViewOfSection
Status: Not hooked

#: 268 Function Name: NtVdmControl
Status: Not hooked

#: 269 Function Name: NtWaitForDebugEvent
Status: Not hooked

#: 270 Function Name: NtWaitForMultipleObjects
Status: Not hooked

#: 271 Function Name: NtWaitForSingleObject
Status: Not hooked

#: 272 Function Name: NtWaitHighEventPair
Status: Not hooked

#: 273 Function Name: NtWaitLowEventPair
Status: Not hooked

#: 274 Function Name: NtWriteFile
Status: Not hooked

#: 275 Function Name: NtWriteFileGather
Status: Not hooked

#: 276 Function Name: NtWriteRequestData
Status: Not hooked

#: 277 Function Name: NtWriteVirtualMemory
Status: Not hooked

#: 278 Function Name: NtYieldExecution
Status: Not hooked

#: 279 Function Name: NtCreateKeyedEvent
Status: Not hooked

#: 280 Function Name: NtOpenKeyedEvent
Status: Not hooked

#: 281 Function Name: NtReleaseKeyedEvent
Status: Not hooked

#: 282 Function Name: NtWaitForKeyedEvent
Status: Not hooked

#: 283 Function Name: NtQueryPortInformationProcess
Status: Not hooked


STEALTH OBJECTS:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/29 20:13
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: winlogon.exe (PID: 916) Address: 0x006a0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: winlogon.exe (PID: 916) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: services.exe (PID: 964) Address: 0x00660000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: services.exe (PID: 964) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: lsass.exe (PID: 984) Address: 0x00760000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: lsass.exe (PID: 984) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACqacriwevpqbfhwe.dll]
Process: svchost.exe (PID: 1164) Address: 0x00a10000 Size: 200704

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: svchost.exe (PID: 1164) Address: 0x00700000 Size: 49152

Object: Hidden Module [Name: UACuxyvbnybltruxde.dll]
Process: svchost.exe (PID: 1164) Address: 0x00b40000 Size: 69632

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: svchost.exe (PID: 1164) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: svchost.exe (PID: 1248) Address: 0x00700000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: svchost.exe (PID: 1248) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: svchost.exe (PID: 1304) Address: 0x00700000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: svchost.exe (PID: 1304) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: svchost.exe (PID: 1424) Address: 0x00700000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: svchost.exe (PID: 1424) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: svchost.exe (PID: 1504) Address: 0x00700000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: svchost.exe (PID: 1504) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: AAWService.exe (PID: 1568) Address: 0x00a10000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: AAWService.exe (PID: 1568) Address: 0x00de0000 Size: 49152

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: spoolsv.exe (PID: 1700) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: spoolsv.exe (PID: 1700) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: sched.exe (PID: 1764) Address: 0x009f0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: sched.exe (PID: 1764) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: avguard.exe (PID: 1780) Address: 0x009d0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: avguard.exe (PID: 1780) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: svchost.exe (PID: 1820) Address: 0x00700000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: svchost.exe (PID: 1820) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: avgwdsvc.exe (PID: 2008) Address: 0x00720000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: avgwdsvc.exe (PID: 2008) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: jqs.exe (PID: 124) Address: 0x00740000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: jqs.exe (PID: 124) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: LSSrvc.exe (PID: 184) Address: 0x006d0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: LSSrvc.exe (PID: 184) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: LinksysUpdater.exe (PID: 248) Address: 0x009c0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: LinksysUpdater.exe (PID: 248) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: avgrsx.exe (PID: 296) Address: 0x00750000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: avgrsx.exe (PID: 296) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: avgnsx.exe (PID: 304) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: avgnsx.exe (PID: 304) Address: 0x007b0000 Size: 49152

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: nvsvc32.exe (PID: 396) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: nvsvc32.exe (PID: 396) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: java.exe (PID: 520) Address: 0x003b0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: java.exe (PID: 520) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: SeaPort.exe (PID: 552) Address: 0x008f0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: SeaPort.exe (PID: 552) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: wdfmgr.exe (PID: 692) Address: 0x005f0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: wdfmgr.exe (PID: 692) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: SearchIndexer.exe (PID: 776) Address: 0x00cb0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: SearchIndexer.exe (PID: 776) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: unsecapp.exe (PID: 2292) Address: 0x00b50000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: unsecapp.exe (PID: 2292) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: alg.exe (PID: 2316) Address: 0x00780000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: alg.exe (PID: 2316) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: wmiprvse.exe (PID: 2564) Address: 0x00860000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: wmiprvse.exe (PID: 2564) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: Explorer.EXE (PID: 2056) Address: 0x00c20000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: Explorer.EXE (PID: 2056) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: ctfmon.exe (PID: 2704) Address: 0x009a0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: ctfmon.exe (PID: 2704) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: RUNDLL32.EXE (PID: 2284) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: RUNDLL32.EXE (PID: 2284) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: HDeck.exe (PID: 2844) Address: 0x026d0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: HDeck.exe (PID: 2844) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: jusched.exe (PID: 2888) Address: 0x00be0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: jusched.exe (PID: 2888) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: avgtray.exe (PID: 2432) Address: 0x00bf0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: avgtray.exe (PID: 2432) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: AAWTray.exe (PID: 1056) Address: 0x00a20000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: AAWTray.exe (PID: 1056) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: avgnt.exe (PID: 1296) Address: 0x00ab0000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: avgnt.exe (PID: 1296) Address: 0x00b70000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: WindowsSearch.exe (PID: 3212) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: WindowsSearch.exe (PID: 3212) Address: 0x008d0000 Size: 49152

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: avgui.exe (PID: 3076) Address: 0x00da0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: avgui.exe (PID: 3076) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: avgcsrvx.exe (PID: 512) Address: 0x00a00000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: avgcsrvx.exe (PID: 512) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: Ad-Aware.exe (PID: 3352) Address: 0x00d50000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: Ad-Aware.exe (PID: 3352) Address: 0x00e20000 Size: 49152

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: RootRepeal.exe (PID: 2408) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: RootRepeal.exe (PID: 2408) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: SearchProtocolHost.exe (PID: 2632) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: SearchProtocolHost.exe (PID: 2632) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: SearchFilterHost.exe (PID: 1080) Address: 0x009e0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: SearchFilterHost.exe (PID: 1080) Address: 0x10000000 Size: 45056





Sorry for the INFO OVERLOAD.....just hoping for some help with INFO already before you.
This is not my pc....I'm just the lucky one who gets to work on it through word of mouth by friends! ARGH!!
ANY HELP with deciphering these logs and what's safe to remove would be of tremendous help for me. I'm not schooled in any of these programs....this is my first time using OTListIt, and Root Repeal.

Please Please help
Thank you
Cherps
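
As an added example (not code from this thread or from the RootRepeal tool), the script below reads the Stealth Objects section of a RootRepeal log like the one above, groups the hidden modules by name, lists which processes each was found in, and flags any module that shows up under the same name in several unrelated processes. That pattern, a module injected into winlogon.exe, services.exe, every svchost.exe and the security tools themselves, is what the log above shows. The sample log is a short excerpt constructed from entries in the post; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt, in the RootRepeal "Stealth Objects" format, taken from
# entries in the log posted above.
SAMPLE_LOG = """\
Stealth Objects
-------------------
Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: winlogon.exe (PID: 916) Address: 0x006a0000 Size: 49152

Object: Hidden Module [Name: UACciesrqphgmufjqq.dll]
Process: winlogon.exe (PID: 916) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACqacriwevpqbfhwe.dll]
Process: svchost.exe (PID: 1164) Address: 0x00a10000 Size: 200704

Object: Hidden Module [Name: UACvsxrkgavvymeyxm.dll]
Process: RootRepeal.exe (PID: 2408) Address: 0x00b00000 Size: 49152
"""

# One "Object:" line followed by one "Process:" line per entry.
OBJECT_RE = re.compile(r"^Object: (?P<kind>[^\[]+?) \[Name: (?P<name>[^\]]+)\]$")
PROCESS_RE = re.compile(
    r"^Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) "
    r"Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$"
)


def parse_stealth_objects(text):
    """Return one dict per hidden-module entry found in a RootRepeal log."""
    entries = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            pending = {"kind": m.group("kind").strip(), "name": m.group("name")}
            continue
        m = PROCESS_RE.match(line)
        if m and pending is not None:
            pending.update(
                proc=m.group("proc"),
                pid=int(m.group("pid")),
                addr=int(m.group("addr"), 16),
                size=int(m.group("size")),
            )
            entries.append(pending)
            pending = None
    return entries


def summarize(entries):
    """Group entries by module name: host processes and distinct sizes seen."""
    by_name = defaultdict(lambda: {"processes": set(), "sizes": set()})
    for e in entries:
        by_name[e["name"]]["processes"].add(e["proc"])
        by_name[e["name"]]["sizes"].add(e["size"])
    return dict(by_name)


def flag_widely_injected(summary, min_processes=2):
    """Names of hidden modules present in at least min_processes processes.

    A legitimate hidden module is rare; the same unknown DLL hidden inside
    many unrelated processes is the fingerprint of a system-wide injector.
    """
    return sorted(
        name for name, info in summary.items()
        if len(info["processes"]) >= min_processes
    )


def report(text, min_processes=2):
    """Human-readable summary lines for a RootRepeal Stealth Objects section."""
    summary = summarize(parse_stealth_objects(text))
    flagged = set(flag_widely_injected(summary, min_processes))
    lines = []
    for name in sorted(summary):
        info = summary[name]
        mark = "INJECTED" if name in flagged else "seen"
        lines.append(
            f"{mark:8} {name}: {len(info['processes'])} process(es), "
            f"sizes {sorted(info['sizes'])}, hosts {sorted(info['processes'])}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the full log from the post, the same code flags the two DLLs that appear in nearly every listed process, including RootRepeal.exe, Ad-Aware.exe and the AVG and Avira processes.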



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:48 PM

Posted 29 June 2009 - 10:03 PM

Rerun RootRepeal. After the scan completes, go to the files tab and find this file:

C:\WINDOWS\system32\drivers\UACpbpfmimxewxlltp.sys

Then use your mouse to highlight it in the RootRepeal window.
Next, right-click on it and select the *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes and post the log.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Cherps

Cherps
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:48 AM

Posted 29 June 2009 - 10:10 PM

Budapest....THANK YOU for responding so quickly.

Hoping deleting/wiping the above file will enable me to run Malwarebytes....as that's been impossible so far.

Will be back soon with the results.

Again...THANK YOU!!! So MUCH!
Cherps

#4 Cherps

Cherps
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:48 AM

Posted 29 June 2009 - 10:32 PM

Good News..on reboot Avira popped up with a notice of all the THREATS...and I chose to remove them.
Then I went to Malwarebytes...had to reinstall it, but this time it loaded. Went to perform the scan, and got an *immediate* error msg: "Runtime error '5'. Invalid procedure call or argument."

Now what?

Will anxiously await your reply and suggestions.

Thank you so much.

#5 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:48 PM

Posted 29 June 2009 - 10:36 PM

Did you uninstall Malwarebytes before you reinstalled it? If not, please try that.

#6 Cherps

Cherps
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:48 AM

Posted 29 June 2009 - 10:47 PM

Budapest.... I uninstalled it again....rebooted...reinstalled....and get the same msg. Could it be because I don't have that PC hooked up to the internet? Suppose I could rearrange my house to get it near a connection. I've been using my pc to download needed programs and transferring them to the sick pc.

Will do some rearranging....and get back to you asap.

I'll get pc online and see if that's the problem.

Hope you're still around to help!

#7 Cherps

Cherps
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:48 AM

Posted 29 June 2009 - 11:27 PM

ok...I'm on the sick pc...online. I couldn't run Malwarebytes....same error msg "Run-time error '5'..." So I ran SAS, and here's the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/30/2009 at 00:14 AM

Application Version : 4.26.1006

Core Rules Database Version : 3962
Trace Rules Database Version: 1903

Scan type : Quick Scan
Total Scan Time : 00:05:47

Memory items scanned : 467
Memory threats detected : 0
Registry items scanned : 414
Registry threats detected : 99
File items scanned : 5000
File threats detected : 52

Adware.Vundo Variant
HKU\S-1-5-21-2569489779-2086870234-148898848-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39FC2065-C9C7-49CD-8942-44CC2DEDC844}

Adware.Tracking Cookie
C:\Documents and Settings\Stacy Nice\Cookies\stacy_nice@ad.yieldmanager[1].txt
C:\Documents and Settings\Stacy Nice\Cookies\stacy_nice@atdmt[1].txt
C:\Documents and Settings\Stacy Nice\Cookies\stacy_nice@imrworldwide[2].txt
C:\Documents and Settings\Stacy Nice\Cookies\stacy_nice@doubleclick[1].txt
C:\Documents and Settings\LocalService\Cookies\system@flagcounter[1].txt
C:\Documents and Settings\LocalService\Cookies\system@socialmedia[1].txt
C:\Documents and Settings\LocalService\Cookies\system@interclick[2].txt
C:\Documents and Settings\LocalService\Cookies\system@specificmedia[2].txt
C:\Documents and Settings\LocalService\Cookies\system@www.blogtoplist[1].txt
C:\Documents and Settings\LocalService\Cookies\system@media6degrees[1].txt
C:\Documents and Settings\LocalService\Cookies\system@a1.interclick[2].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@richmedia.yahoo[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@dc.tremormedia[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@www.3d-sexgames[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@visit-counters1[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@socialmedia[2].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@ads.lucidmedia[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@interclick[2].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@ads.adhostingsolutions[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@chitika[2].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@invitemedia[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@specificmedia[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@ads.bluelithium[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@media6degrees[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@eyewonder[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@serw.clicksor[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@mysexgames[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@ads.thesimsonstage.ea[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@media.photobucket[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@websponsors[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@petfinder[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@myroitracking[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@visitorcounterstds[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@www.onlinexxxgames[2].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@bannersource[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@www.burstbeacon[2].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@ads.brainmass[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@3d-sexgames[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@www.burstnet[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@www.tltrack[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@server.cpmstar[2].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@eas.apm.emediate[2].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@more-banners[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@a1.interclick[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@banners.battleon[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@collective-media[1].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@imrworldwide[2].txt
C:\Documents and Settings\Shelby Hastings\Cookies\shelby__hastings@media.mtvnservices[1].txt

Rogue.XP AntiSpyware 2009
HKU\S-1-5-21-2569489779-2086870234-148898848-1005\Control Panel\don't load#wscui.cpl [ No ]

Rogue.WinPCAntiVirus
HKU\S-1-5-21-2569489779-2086870234-148898848-1005\Software\WinPC Antivirus

Rootkit.Agent/Gen
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys#group
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#UACd
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#UACc
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacsr
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uaclog
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacmask
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacserf
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#UACproc
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacurls
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacerrors
HKLM\SYSTEM\CurrentControlSet\Services\uacd.sys\modules#uacbbr
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#EPROCESS_LEOffset
HKLM\SOFTWARE\UAC#EPROCESS_NameOffset
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#LastBSOD
HKLM\SOFTWARE\UAC#ecaab67d-7d92-4ec1-ac32-3087345120a3
HKLM\SOFTWARE\UAC#val
HKLM\SOFTWARE\UAC#sval
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#915b3008
HKLM\SOFTWARE\UAC\connections#fe8cd514
HKLM\SOFTWARE\UAC\connections#20d04c0a
HKLM\SOFTWARE\UAC\connections#a2674c18
HKLM\SOFTWARE\UAC\connections#f2065612
HKLM\SOFTWARE\UAC\connections#905b3008
HKLM\SOFTWARE\UAC\connections#7d72e91c
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#0ab500fa
HKLM\SOFTWARE\UAC\mask#a3d50932
HKLM\SOFTWARE\UAC\mask#f5d692d5
HKLM\SOFTWARE\UAC\mask#30910b28
HKLM\SOFTWARE\UAC\mask#dd118673
HKLM\SOFTWARE\UAC\mask#6aed4b25
HKLM\SOFTWARE\UAC\mask#e0ae8144
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init

Rootkit.Agent/Gen-UACFake
C:\WINDOWS\SYSTEM32\UACBPXXOBOEJPWIESM.DLL
C:\WINDOWS\SYSTEM32\UACUXYVBNYBLTRUXDE.DLL
C:\WINDOWS\SYSTEM32\UACXWHPMKOSTIFKNNY.DLL

Uncategorized.Unknown Origin
C:\WINDOWS\SYSTEM32\UACINIT.DLL


Looks like we're making some headway here. Thank you so much for your help.

What shall we do next? I want to make sure we're winning the battle... and come out with a clean machine.

Will stay tuned for your advice.
Thanks a million for your help and endurance.
Cherps

#8 Budapest (Bleepin' Cynic)
  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:06:48 PM

Posted 29 June 2009 - 11:30 PM

Reboot your computer into Safe Mode, run another scan with SUPERAntiSpyware, reboot back to normal mode and post the log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#9 Cherps (Topic Starter)
  • Members
  • 43 posts
  • Gender:Female
  • Local time:12:48 AM

Posted 29 June 2009 - 11:49 PM

Well... can't do that. This PC doesn't have Safe Mode with the F8 key. Therefore I don't know how to get into Safe Mode. With F8 I get a screen that says something about Hard Drive or, I dunno... something else... but no Safe Mode options that I'm accustomed to seeing.

Currently, I'm rescanning the PC with SAS. Do you know any reason why I'm getting the runtime error with Malwarebytes?

#10 Budapest (Bleepin' Cynic)
  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:06:48 PM

Posted 29 June 2009 - 11:52 PM

I'm not sure why Malwarebytes won't run.

When you get that boot menu, select Hard Drive and then immediately start hitting F8 again. Hopefully you'll then get to the Safe Mode menu.

#11 Cherps (Topic Starter)
  • Members
  • 43 posts
  • Gender:Female
  • Local time:12:48 AM

Posted 29 June 2009 - 11:54 PM

Back on my PC...

SAS didn't find anything with the last scan. I tried running Root Repeal again... clicked on the driver scan... and bam! The PC rebooted.

I want to run Root Repeal more to see what's there again... if anything.
Should I rerun OTListIt too?

#12 Cherps (Topic Starter)
  • Members
  • 43 posts
  • Gender:Female
  • Local time:12:48 AM

Posted 29 June 2009 - 11:56 PM

Woo-hoo... that worked, what you said to do to get into Safe Mode.

Will do the scan and post ASAP!

Budapest... you're amazing!!!

#13 Budapest (Bleepin' Cynic)
  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:06:48 PM

Posted 30 June 2009 - 12:03 AM

Just do the Root Repeal "Files" scan.

Don't bother with the OTL log.

#14 Cherps (Topic Starter)
  • Members
  • 43 posts
  • Gender:Female
  • Local time:12:48 AM

Posted 30 June 2009 - 12:12 AM

OK... ran SAS from Safe Mode and it didn't find anything.
Tried running Malwarebytes from Safe Mode... that's a no-go, same error message.

What should I do next?

#15 Budapest (Bleepin' Cynic)
  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:06:48 PM

Posted 30 June 2009 - 12:17 AM

Try renaming the Malwarebytes executable file, then double-click it to see if it will run.
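Added example, not from the thread and not code from SUPERAntiSpyware, Malwarebytes or any other tool named here. The log posted in #7 shows the rootkit's configuration as registry values of the form HKLM\SOFTWARE\UAC\disallowed#<image name>, one per security tool or driver (mbam.exe, combofix.exe, gmer.exe, the SAS .sys drivers, and so on), and the advice in #15 to rename the Malwarebytes executable only makes sense if that list is matched against the bare file name. The script below rebuilds the blocklist from log text of that shape, checks whether a given path would match it, separates blocked user-mode tools from blocked drivers, and pulls out the dropped UAC*.DLL paths the log names. The sample log lines are constructed in the same shape as the posted ones (a subset, not the full log), and the function names are this example's own.

```python
r"""Triage helper for SUPERAntiSpyware log output of the kind posted above.

Added example, not part of the thread or of any vendor tool. The rootkit's
configuration shows up in the log as values of the form
    HKLM\SOFTWARE\UAC\disallowed#<image name>
one per blocked security tool or driver. This script rebuilds that blocklist
from log text and checks whether a given file would match it, which is the
reason a renamed copy of mbam.exe can run when the original cannot.
"""
import re

# Constructed sample in the same shape as the posted log (a subset, not the full log).
SAMPLE_LOG = """\
HKLM\\SOFTWARE\\UAC\\disallowed#combofix.exe
HKLM\\SOFTWARE\\UAC\\disallowed#mbam.exe
HKLM\\SOFTWARE\\UAC\\disallowed#mbam-setup.exe
HKLM\\SOFTWARE\\UAC\\disallowed#gmer.exe
HKLM\\SOFTWARE\\UAC\\disallowed#sasdifsv.sys
HKLM\\SOFTWARE\\UAC\\injector#*
HKLM\\SOFTWARE\\UAC\\mask#0ab500fa
C:\\WINDOWS\\SYSTEM32\\UACINIT.DLL
C:\\WINDOWS\\SYSTEM32\\UACBPXXOBOEJPWIESM.DLL
"""

# One 'disallowed#' value per line; the image name runs to the end of the line.
DISALLOWED_RE = re.compile(
    r"^HKLM\\SOFTWARE\\UAC\\disallowed#(?P<name>[^\r\n]+)$",
    re.IGNORECASE | re.MULTILINE,
)
# Dropped files: a full path whose basename starts with UAC and ends in .DLL,
# the naming pattern seen in the posted log.
UAC_DLL_RE = re.compile(
    r"^[A-Z]:\\(?:[^\\\r\n]+\\)*(?P<base>UAC[^\\\r\n]*\.DLL)$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_blocklist(log_text):
    """Return the set of lower-cased image names the rootkit config disallows."""
    return {m.group("name").strip().lower() for m in DISALLOWED_RE.finditer(log_text)}


def basename(path):
    """Basename of a Windows or POSIX path, lower-cased (the blocklist holds bare names)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_blocked(path, blocklist):
    """True if the file's name is on the blocklist; the directory plays no part."""
    return basename(path) in blocklist


def split_by_type(blocklist):
    """Separate blocked user-mode tools (.exe) from blocked kernel drivers (.sys)."""
    exes = sorted(n for n in blocklist if n.endswith(".exe"))
    drivers = sorted(n for n in blocklist if n.endswith(".sys"))
    return exes, drivers


def find_uac_dlls(log_text):
    """Return the dropped UAC*.DLL paths the log names, in order of appearance."""
    return [m.group(0) for m in UAC_DLL_RE.finditer(log_text)]


def triage(log_text, candidate_paths):
    """Map each candidate path to whether the blocklist would stop it."""
    blocklist = parse_blocklist(log_text)
    return {p: is_blocked(p, blocklist) for p in candidate_paths}


if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_LOG)
    exes, drivers = split_by_type(bl)
    print("blocked tools:  ", ", ".join(exes))
    print("blocked drivers:", ", ".join(drivers))
    # A renamed copy of the same tool is not on the list; the original is.
    for p, hit in triage(SAMPLE_LOG, [r"C:\tools\mbam.exe", r"C:\tools\scan.exe"]).items():
        print(f"{p}: {'BLOCKED' if hit else 'not on list'}")
    for d in find_uac_dlls(SAMPLE_LOG):
        print("dropped DLL:", d)
```

The match is on the bare file name, case-insensitively, so mbam.exe is stopped wherever it lives while a copy called scan.exe is not, which is the thread's renaming trick made explicit. The .sys entries are worth keeping separate: they are the kernel drivers the tools load, and renaming a front-end executable does not rename the driver behind it.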



