
infected with downloader trojan and something that blocks anti-virus apps


  • This topic is locked
52 replies to this topic

#1 mitas

mitas

  • Members
  • 36 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 06 July 2009 - 08:55 PM

I have installed many anti-virus apps, but they get disabled the next time I try to run them.
I think I have the Virtumonde virus, a browser hijacker, the Cool Search virus, the Skynet virus, a password stealer, and a downloader.
Most of these are from a trial of STOPzilla, and Malwarebytes and Kaspersky found a Trojan that started with an h.
Task Manager, regedit and registry editing are disabled, and when I try to repair them they become disabled again in a few seconds.
I installed Unlocker and 7-Zip; later the .exe files were missing.

DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 20:40:34.71 on Mon 07/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1388 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
uRun: [Double Desktop Switcher] c:\progra~1\double~1\DOUBLE~1.EXE
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: DisallowRun = 0 (0x0)
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\gyohfnl2.default\
FF - prefs.js: browser.startup.homepage - www.scour.com
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\gyohfnl2.default\extensions\firefox@kidzui.com\platform\winnt_x86-msvc\components\WinKiosk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLM32.DLL
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-28 28544]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-6-28 196688]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-6-28 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-6-28 29776]
R1 sasdifsv;SASDIFSV;c:\documents and settings\hp_administrator\desktop\virus removal\superantispyware\SASDIFSV.SYS [2009-3-25 9968]
R1 saskutil;SASKUTIL;c:\documents and settings\hp_administrator\desktop\virus removal\superantispyware\SASKUTIL.SYS [2009-3-25 55024]
R2 kqemu;kqemu driver;c:\windows\system32\drivers\kqemu.sys [2007-2-6 123939]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S1 219a8ec0;219a8ec0;c:\windows\system32\drivers\219a8ec0.sys --> c:\windows\system32\drivers\219a8ec0.sys [?]
S1 b5c42ea;b5c42ea;c:\windows\system32\drivers\b5c42ea.sys --> c:\windows\system32\drivers\b5c42ea.sys [?]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 sasenum;SASENUM;c:\documents and settings\hp_administrator\desktop\virus removal\superantispyware\SASENUM.SYS [2009-3-25 7408]
S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-6-28 717320]
S4 JC;JC;c:\docume~1\hp_adm~1\locals~1\temp\jc.exe --> c:\docume~1\hp_adm~1\locals~1\temp\JC.exe [?]
S4 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-6-28 361160]
S4 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-6-28 3049160]
UnknownUnknown abp470n5;abp470n5; [x]

=============== Created Last 30 ================

2009-07-06 17:51 23 a--sh--- c:\windows\system32\bebadf9_g.dll
2009-07-06 17:51 23 a------- c:\windows\system32\dfadb_g.ocx
2009-07-06 17:51 <DIR> --d----- c:\program files\RegSupreme
2009-07-06 17:00 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-06 16:45 161,792 a------- c:\windows\SWREG.exe
2009-07-06 16:45 155,136 a------- c:\windows\PEV.exe
2009-07-06 16:45 98,816 a------- c:\windows\sed.exe
2009-07-06 14:01 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-07-06 14:01 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-07-06 14:00 49,184 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-07-06 14:00 1,248 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-07-06 14:00 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-06 14:00 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-06 14:00 <DIR> --d----- c:\program files\Kaspersky Lab
2009-07-06 14:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-07-06 13:13 <DIR> --d----- c:\program files\GiPo@Utilities
2009-07-06 13:13 <DIR> --d----- c:\program files\common files\Gibinsoft Shared
2009-07-05 18:46 <DIR> --d----- c:\program files\Unlocker
2009-07-05 17:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-06-30 12:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-30 12:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 12:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 11:25 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-06-30 11:20 12,800 a------- c:\windows\system32\bootdelete.exe
2009-06-30 11:20 9,588 a------- c:\windows\system32\bootdelete.lst
2009-06-30 10:58 <DIR> --dsh--- C:\found.000
2009-06-30 10:48 1,874 a------- c:\windows\system32\.crusader
2009-06-30 10:39 11,904 a------- c:\windows\system32\drivers\hitmanpro35.sys
2009-06-30 10:39 <DIR> --d----- c:\program files\Hitman Pro 3.5
2009-06-30 10:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro
2009-06-29 21:45 <DIR> --d----- c:\documents and settings\hp_administrator\Logs
2009-06-29 12:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-28 21:15 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\OnlineArmor
2009-06-28 21:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-06-28 21:15 196,688 a------- c:\windows\system32\drivers\OADriver.sys
2009-06-28 21:15 31,824 a------- c:\windows\system32\drivers\OAmon.sys
2009-06-28 21:15 29,776 a------- c:\windows\system32\drivers\OAnet.sys
2009-06-28 21:15 <DIR> --d----- c:\program files\Tall Emu
2009-06-28 21:14 <DIR> --d----- c:\program files\a-squared Free
2009-06-28 21:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-06-28 21:09 <DIR> --d----- c:\program files\STOPzilla!
2009-06-28 21:09 <DIR> --d----- c:\program files\common files\iS3
2009-06-28 21:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-06-28 13:57 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-28 13:57 <DIR> --d----- c:\program files\Panda Security
2009-06-28 13:03 <DIR> --d----- c:\program files\Lavasoft
2009-06-28 13:00 3,153,920 a------- c:\windows\system32\secsetup.sdb
2009-06-24 21:36 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\KeePass
2009-06-24 21:35 64 a------- C:\pwsafe.key
2009-06-24 16:53 90,112 a------- c:\windows\DUMP3cab.tmp
2009-06-24 16:53 90,112 a------- c:\windows\DUMP3c2e.tmp
2009-06-24 16:53 90,112 a------- c:\windows\DUMP275e.tmp

==================== Find3M ====================

2009-06-02 23:26 117,434 a------- c:\windows\hpqins00.dat
2009-05-28 14:16 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-05-28 14:15 294,912 a----r-- c:\windows\system32\SZBase5.dll
2009-05-28 14:14 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-05-15 07:26 190 a------- C:\43214354.bat
2009-05-12 14:13 61,328 a------- c:\windows\system32\drivers\SZKG.sys
2009-04-18 23:37 1,409,571 a--sh--- c:\windows\system32\adupuhow.tmp
2009-02-28 19:08 47,360 a------- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys
2009-02-25 22:16 67,576 a------- c:\docume~1\hp_adm~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 20:40:52.73 ===============

Edited by mitas, 06 July 2009 - 09:07 PM.



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 09 July 2009 - 01:41 AM

Hello, my name is fenzodahl512 and welcome to Bleeping Computer.. Please do the following....



Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GAMERS result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 mitas

mitas
  • Topic Starter
  • Members
  • 36 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 09 July 2009 - 11:25 AM

Malwarebytes log. These have been removed before, but now they have come back.

Malwarebytes' Anti-Malware 1.38
Database version: 2383
Windows 5.1.2600 Service Pack 2

7/9/2009 10:59:23 AM
mbam-log-2009-07-09 (10-59-23).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 214201
Time elapsed: 37 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\hp_administrator\local settings\temp\winuwkj.exe (Trojan.Downloader) -> Delete on reboot.
c:\documents and settings\hp_administrator\local settings\temp\wsseys.exe (Password.Stealer) -> Delete on reboot.

Edited by mitas, 09 July 2009 - 11:29 AM.


#4 mitas

mitas
  • Topic Starter
  • Members
  • 36 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 09 July 2009 - 11:31 AM

log

Logfile of random's system information tool 1.06 (written by random/random)
Run by HP_Administrator at 2009-07-09 11:17:23
Microsoft Windows XP Professional Service Pack 2
System drive C: has 178 GB (78%) free of 229 GB
Total RAM: 1982 MB (77% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:29 AM, on 7/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\DOUBLE~1\DOUBLE~1.EXE
C:\PROGRA~1\DOUBLE~1\DDE.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gcxil.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winepoec.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w5edb3.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winbmlquh.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\HP_Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [Double Desktop Switcher] C:\PROGRA~1\DOUBLE~1\DOUBLE~1.EXE
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5162 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1827766B-9F49-4854-8034-F6EE26FCB1EC}]
ZILLAbar Browser Helper Object - C:\Program Files\STOPzilla!\SZSG.dll [2009-06-01 259520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
IEVkbdBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll [2008-11-11 62728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3215F20-3212-11D6-9F8B-00D0B743919D}]
STOPzilla Browser Helper Object - C:\Program Files\STOPzilla!\SZIEBHO.dll [2009-06-01 222656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]
Locked
{98828DED-A591-462F-83BA-D2F62A68B8B8} - STOPzilla - C:\Program Files\STOPzilla!\SZSG.dll [2009-06-01 259520]
SITEguard

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [2005-09-27 169984]
"AVP"=C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [2009-07-06 206088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Double Desktop Switcher"=C:\PROGRA~1\DOUBLE~1\DOUBLE~1.EXE [2002-11-22 1266688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\@OnlineArmor GUI]
C:\Program Files\Tall Emu\Online Armor\oaui.exe [2009-04-16 2044104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
C:\WINDOWS\ARPWRMSG.EXE [2005-08-03 77312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Diagnostic Manager]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drive]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe [2005-09-30 67584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftutil2]
ftutil2.dll,SetWriteCacheMode []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe [2009-06-30 4482296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LittleShoot]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2006-05-09 7311360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2006-05-09 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pp]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
C:\Program Files\RocketDock\RocketDock.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2006-06-13 16239616]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
c:\program files\java\jre1.5.0_06\bin\jusched.exe [2005-11-10 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DoubleDesktop.lnk]
C:\PROGRA~1\DOUBLE~2\dd.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2
"NSCService"=3
"NMIndexingService"=3
"Nero BackItUp Scheduler 3"=2
"LiveUpdate Notice Service"=2
"LiveUpdate"=3
"LightScribeService"=2
"JavaQuickStarterService"=2
"iPod Service"=3
"IDriverT"=3
"comHost"=3
"ccSetMgr"=2
"ccProxy"=2
"ccISPwdSvc"=3
"ccEvtMgr"=2
"Bonjour Service"=2
"Automatic LiveUpdate Scheduler"=2
"Apple Mobile Device"=2
"BITS"=2
"JC"=3
"sdCoreService"=2
"sdAuxService"=2
"szserver"=2
"SvcOnlineArmor"=2
"OAcat"=2
"Lavasoft Ad-Aware Service"=2
"a2free"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\WINDOWS\system32\klogon.dll [2008-11-11 218376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-08-24 133120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"=C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2009-04-16 335048]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1
"DisableTaskMgr"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\DISC\DiscStreamHub.exe"="C:\Program Files\DISC\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\Program Files\DISC\myFTP.exe"="C:\Program Files\DISC\myFTP.exe:*:Enabled:DISCover FTP"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:ipsec"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\Program Files\Tall Emu\Online Armor\OAhlp.exe"="C:\Program Files\Tall Emu\Online Armor\OAhlp.exe:*:Enabled:ipsec"
"C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe"="C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe:*:Enabled:ipsec"
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:ipsec"
"C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe:*:Enabled:ipsec"
"C:\HP\KBD\KBD.EXE"="C:\HP\KBD\KBD.EXE:*:Enabled:ipsec"
"C:\WINDOWS\system32\taskmgr.exe"="C:\WINDOWS\system32\taskmgr.exe:*:Enabled:ipsec"
"c:\windows\system\hpsysdrv.exe"="c:\windows\system\hpsysdrv.exe:*:Enabled:ipsec"
"C:\Program Files\Mozilla Firefox\uninstall\helper.exe"="C:\Program Files\Mozilla Firefox\uninstall\helper.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\djhm.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\djhm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wincsyghc.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wincsyghc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\avhyhu.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\avhyhu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\windhdq.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\windhdq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\aombg.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\aombg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winfkygp.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winfkygp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\windcrq.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\windcrq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w3f7164.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w3f7164.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winksqsek.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winksqsek.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\qawvy.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\qawvy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winuekm.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winuekm.exe:*:Enabled:ipsec"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winrxcd.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winrxcd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winqyskls.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winqyskls.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\cwwy.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\cwwy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winarbrb.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winarbrb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w47924.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w47924.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ebdm.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ebdm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winkqomf.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winkqomf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winapdwt.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winapdwt.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winoowgy.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winoowgy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winhritd.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winhritd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\risl.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\risl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wingipwiw.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wingipwiw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winkyoo.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winkyoo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w59dce.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w59dce.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winlctln.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winlctln.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winakkuuy.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winakkuuy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\jdpl.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\jdpl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winoxykk.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winoxykk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winglcoep.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winglcoep.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winvbltm.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winvbltm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\bekg.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\bekg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w46269e.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w46269e.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wingcyxyk.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wingcyxyk.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ejyxn.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ejyxn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winwxswlc.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winwxswlc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\iklxmp.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\iklxmp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w667723.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w667723.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\cdys.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\cdys.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winbeygbw.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winbeygbw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winmhml.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winmhml.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wingwbbpl.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wingwbbpl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w86b809.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w86b809.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winvgjuic.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winvgjuic.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\syacv.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\syacv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\windplp.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\windplp.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\userinit.exe"="C:\WINDOWS\system32\userinit.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\qpfp.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\qpfp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\sxbro.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\sxbro.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winpkolr.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winpkolr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wincfhu.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wincfhu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w6d3cd.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w6d3cd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\tubc.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\tubc.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ijfdyg.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ijfdyg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winxvoow.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winxvoow.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\windncx.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\windncx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winuwkj.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winuwkj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wsseys.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wsseys.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w360a3a.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w360a3a.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winoocwr.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winoocwr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winmlnu.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winmlnu.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winimlb.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winimlb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winmolps.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winmolps.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gcxil.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gcxil.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winepoec.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winepoec.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winbmlquh.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winbmlquh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w5edb3.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w5edb3.exe:*:Enabled:ipsec"
"C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hklm.exe"="C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hklm.exe:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP"

======List of files/folders created in the last 3 months======

2009-07-09 11:17:23 ----D---- C:\rsit
2009-07-09 11:17:23 ----D---- C:\Program Files\trend micro
2009-07-09 10:13:31 ----D---- C:\Program Files\ERUNT
2009-07-06 23:48:11 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-07-06 23:48:05 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-07-06 23:47:54 ----D---- C:\WINDOWS\ie8updates
2009-07-06 23:47:39 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-07-06 23:47:31 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-07-06 23:47:25 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-07-06 23:47:21 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
2009-07-06 23:45:51 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-06 23:45:43 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-07-06 23:45:38 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-07-06 23:45:32 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-07-06 23:45:23 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-07-06 18:43:00 ----SHD---- C:\RECYCLER
2009-07-06 17:51:48 ----ASH---- C:\WINDOWS\system32\bebadf9_g.dll
2009-07-06 17:51:46 ----D---- C:\Program Files\RegSupreme
2009-07-06 17:03:13 ----A---- C:\ComboFix.txt
2009-07-06 16:45:43 ----A---- C:\WINDOWS\zip.exe
2009-07-06 16:45:43 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-07-06 16:45:43 ----A---- C:\WINDOWS\SWSC.exe
2009-07-06 16:45:43 ----A---- C:\WINDOWS\SWREG.exe
2009-07-06 16:45:43 ----A---- C:\WINDOWS\sed.exe
2009-07-06 16:45:43 ----A---- C:\WINDOWS\PEV.exe
2009-07-06 16:45:43 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-06 16:45:43 ----A---- C:\WINDOWS\grep.exe
2009-07-06 14:18:15 ----D---- C:\Program Files\7-Zip
2009-07-06 14:00:34 ----D---- C:\Program Files\Kaspersky Lab
2009-07-06 14:00:34 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2009-07-06 13:13:57 ----D---- C:\Program Files\GiPo@Utilities
2009-07-06 13:13:57 ----D---- C:\Program Files\Common Files\Gibinsoft Shared
2009-07-05 18:46:40 ----D---- C:\Program Files\Unlocker
2009-07-05 17:06:10 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-06-30 12:30:53 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-06-30 11:25:26 ----A---- C:\WINDOWS\system32\vsregexp.dll
2009-06-30 11:25:25 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2009-06-30 11:25:25 ----A---- C:\WINDOWS\system32\zlcomm.dll
2009-06-30 11:25:21 ----A---- C:\WINDOWS\system32\vswmi.dll
2009-06-30 11:25:20 ----A---- C:\WINDOWS\system32\zpeng25.dll
2009-06-30 11:25:20 ----A---- C:\WINDOWS\system32\vsxml.dll
2009-06-30 11:24:35 ----A---- C:\WINDOWS\system32\vsinit.dll
2009-06-30 11:20:24 ----A---- C:\WINDOWS\system32\bootdelete.exe
2009-06-30 10:58:29 ----SHD---- C:\found.000
2009-06-30 10:39:05 ----D---- C:\Program Files\Hitman Pro 3.5
2009-06-30 10:39:05 ----D---- C:\Documents and Settings\All Users\Application Data\Hitman Pro
2009-06-29 12:08:36 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-28 21:15:30 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\OnlineArmor
2009-06-28 21:15:30 ----D---- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2009-06-28 21:15:15 ----D---- C:\Program Files\Tall Emu
2009-06-28 21:14:00 ----D---- C:\Program Files\a-squared Free
2009-06-28 21:10:22 ----D---- C:\Documents and Settings\All Users\Application Data\SITEguard
2009-06-28 21:09:39 ----D---- C:\Program Files\STOPzilla!
2009-06-28 21:09:39 ----D---- C:\Program Files\Common Files\iS3
2009-06-28 21:09:39 ----D---- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2009-06-28 20:29:46 ----HDC---- C:\WINDOWS\$NtUninstallKB943232$
2009-06-28 13:57:11 ----D---- C:\Program Files\Panda Security
2009-06-28 13:03:36 ----D---- C:\Program Files\Lavasoft
2009-06-28 13:03:36 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-06-24 21:36:28 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\KeePass
2009-06-24 16:53:54 ----A---- C:\WINDOWS\DUMP3cab.tmp
2009-06-24 16:53:54 ----A---- C:\WINDOWS\DUMP3c2e.tmp
2009-06-24 16:53:54 ----A---- C:\WINDOWS\DUMP275e.tmp
2009-06-19 16:47:19 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\CyberLink
2009-06-16 00:49:07 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\dvdcss
2009-06-12 15:36:34 ----D---- C:\Program Files\Microsoft Silverlight
2009-06-03 20:50:32 ----DC---- C:\Documents and Settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-05-28 14:16:24 ----RA---- C:\WINDOWS\system32\SZIO5.dll
2009-05-28 14:15:22 ----RA---- C:\WINDOWS\system32\SZBase5.dll
2009-05-28 14:14:56 ----RA---- C:\WINDOWS\system32\SZComp5.dll
2009-05-18 21:01:52 ----D---- C:\WINDOWS\WBEM
2009-05-18 21:00:32 ----HDC---- C:\WINDOWS\ie8
2009-05-18 21:00:32 ----D---- C:\WINDOWS\system32\en-US
2009-05-17 15:05:34 ----A---- C:\WINDOWS\system32\tmp.txt
2009-05-17 15:05:13 ----A---- C:\rapport.txt
2009-05-17 14:35:01 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\Nimi
2009-05-15 07:26:21 ----A---- C:\43214354.bat
2009-05-13 14:30:39 ----D---- C:\Documents and Settings\All Users\Application Data\Babylon
2009-05-06 19:18:25 ----HDC---- C:\WINDOWS\$NtUninstallKB932823-v3$
2009-05-05 17:38:51 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\vlc
2009-05-01 18:42:58 ----D---- C:\Program Files\FormatFactory
2009-05-01 18:35:12 ----A---- C:\Cucu_Video_log.txt
2009-04-27 19:30:05 ----D---- C:\Program Files\RocketDock
2009-04-26 16:34:07 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\WinRAR
2009-04-26 15:21:54 ----D---- C:\Program Files\Rainmeter
2009-04-26 11:36:47 ----A---- C:\EmergencyErrorLog.20090426.txt
2009-04-22 18:39:04 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-04-22 18:39:04 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-18 22:46:44 ----ASH---- C:\WINDOWS\system32\adupuhow.tmp

======List of files/folders modified in the last 3 months======

2009-07-09 11:17:29 ----D---- C:\WINDOWS\Prefetch
2009-07-09 11:17:23 ----D---- C:\Program Files
2009-07-09 11:16:33 ----D---- C:\Program Files\Mozilla Firefox
2009-07-09 11:08:26 ----D---- C:\WINDOWS\system32\drivers
2009-07-09 11:08:16 ----D---- C:\WINDOWS\ERDNT
2009-07-09 11:08:10 ----D---- C:\WINDOWS\Temp
2009-07-09 11:07:47 ----D---- C:\WINDOWS\Registration
2009-07-09 11:06:28 ----D---- C:\WINDOWS\system32\NtmsData
2009-07-09 11:06:25 ----D---- C:\WINDOWS
2009-07-09 10:59:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-08 10:36:52 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-07 08:39:23 ----D---- C:\WINDOWS\system32
2009-07-07 08:39:23 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-07 08:35:04 ----D---- C:\WINDOWS\system32\wbem
2009-07-07 08:35:04 ----D---- C:\WINDOWS\AppPatch
2009-07-06 23:48:14 ----HD---- C:\WINDOWS\inf
2009-07-06 23:48:13 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-07-06 23:48:09 ----A---- C:\WINDOWS\imsins.BAK
2009-07-06 23:48:00 ----D---- C:\Program Files\Internet Explorer
2009-07-06 23:47:52 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-06 18:50:27 ----A---- C:\WINDOWS\NeroDigital.ini
2009-07-06 18:45:35 ----RASH---- C:\boot.ini
2009-07-06 18:45:35 ----A---- C:\WINDOWS\win.ini
2009-07-06 18:45:35 ----A---- C:\WINDOWS\system.ini
2009-07-06 18:45:07 ----HD---- C:\Config.Msi
2009-07-06 17:38:05 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-06 17:36:37 ----SHD---- C:\WINDOWS\Installer
2009-07-06 17:08:05 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-07-06 17:03:16 ----D---- C:\Qoobox
2009-07-06 17:02:26 ----SD---- C:\WINDOWS\Tasks
2009-07-06 16:53:13 ----D---- C:\WINDOWS\system32\config
2009-07-06 16:50:00 ----D---- C:\Program Files\Common Files
2009-07-06 16:07:48 ----HD---- C:\Python22
2009-07-06 16:07:46 ----D---- C:\Program Files\Windows Media Player
2009-07-06 16:07:33 ----D---- C:\Program Files\Quicken
2009-07-06 16:07:29 ----D---- C:\Program Files\PC-Doctor 5 for Windows
2009-07-06 16:06:38 ----D---- C:\Program Files\Microsoft Works
2009-07-06 16:05:13 ----D---- C:\Program Files\DISC
2009-07-06 14:11:07 ----AD---- C:\Program Files\Common Files\LightScribe
2009-07-05 17:49:16 ----D---- C:\WINDOWS\security
2009-07-05 17:19:21 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-06-29 19:40:36 ----D---- C:\Program Files\Online Services
2009-06-29 13:19:15 ----A---- C:\WINDOWS\WININIT.INI
2009-06-28 20:38:39 ----D---- C:\WINDOWS\system32\Restore
2009-06-28 20:28:56 ----D---- C:\WINDOWS\WinSxS
2009-06-28 13:08:21 ----D---- C:\WINDOWS\Debug
2009-06-28 13:01:59 ----D---- C:\Documents and Settings
2009-06-28 12:41:49 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-06-28 12:31:16 ----D---- C:\WINDOWS\pss
2009-06-25 19:08:52 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-06-24 21:45:59 ----D---- C:\Srini
2009-06-15 23:56:24 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\U3
2009-05-18 21:04:35 ----D---- C:\WINDOWS\Help
2009-05-18 21:01:41 ----D---- C:\WINDOWS\Media
2009-05-13 00:15:55 ----A---- C:\WINDOWS\system32\wininet.dll
2009-05-13 00:15:55 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-05-07 10:44:00 ----N---- C:\WINDOWS\system32\localspl.dll
2009-04-30 16:22:33 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-04-30 16:22:32 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-04-30 16:22:32 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-04-30 16:22:32 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-04-30 16:22:31 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-04-30 06:21:08 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-04-26 15:25:27 ----RSD---- C:\WINDOWS\Fonts
2009-04-25 22:04:44 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-04-25 21:58:29 ----RSD---- C:\WINDOWS\assembly
2009-04-16 19:44:08 ----D---- C:\Documents and Settings\HP_Administrator\Application Data\HPAppData
2009-04-15 10:11:19 ----A---- C:\WINDOWS\system32\rpcrt4.dll
2009-04-15 04:24:05 ----A---- C:\WINDOWS\system32\xpsp3res.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys [2007-02-06 16512]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 OADevice;OADriver; \??\C:\WINDOWS\system32\drivers\OADriver.sys []
R1 OAmon;OAmon; \??\C:\WINDOWS\system32\drivers\OAmon.sys []
R1 OAnet;OAnet; \??\C:\WINDOWS\system32\drivers\OAnet.sys []
R1 sasdifsv;SASDIFSV; \??\C:\Documents and Settings\HP_Administrator\Desktop\Virus Removal\SuperAntiSpyware\SASDIFSV.SYS []
R1 saskutil;SASKUTIL; \??\C:\Documents and Settings\HP_Administrator\Desktop\Virus Removal\SuperAntiSpyware\SASKUTIL.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-09 12032]
R2 kqemu;kqemu driver; \??\C:\WINDOWS\system32\drivers\kqemu.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 szkg5;szkg; C:\WINDOWS\system32\DRIVERS\szkg.sys [2009-05-12 61328]
R3 aracpi;aracpi; C:\WINDOWS\system32\DRIVERS\aracpi.sys [2005-08-03 22784]
R3 arkbcfltr;Microsoft PS2 Keyboard Filter; C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys [2005-08-03 5376]
R3 armoucfltr;Microsoft PS2 Mouse Filter; C:\WINDOWS\system32\DRIVERS\armoucfltr.sys [2005-08-03 4992]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-10 60800]
R3 ARPolicy;ARPolicy; C:\WINDOWS\system32\DRIVERS\arpolicy.sys [2005-08-03 10112]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-08 138752]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-11-01 49920]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-11-01 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-11-01 21568]
R3 HSX_DP;HSX_DP; C:\WINDOWS\system32\DRIVERS\HSX_DP.sys [2005-12-06 936448]
R3 HSXHWBS2;HSXHWBS2; C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys [2005-12-06 241664]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-06-14 4299264]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-10 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-05-09 3535680]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-03 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-03 13056]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2009-02-28 47360]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2005-12-12 19072]
R3 USB_RNDIS;Linksys Wireless-G USB Network Adapter with SpeedBooster Driver v2; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-09 12672]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2005-03-31 27008]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-09 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-09 26496]
R3 winachsx;winachsx; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-06 670208]
S1 219a8ec0;219a8ec0; C:\WINDOWS\System32\drivers\219a8ec0.sys []
S1 b5c42ea;b5c42ea; C:\WINDOWS\System32\drivers\b5c42ea.sys []
S1 ovfsthgdocjdskbbhxduyhvakyddcxjkltoyxc;ovfsthgdocjdskbbhxduyhvakyddcxjkltoyxc; C:\WINDOWS\system32\drivers\ovfsthlijmrykgtevflrnpttvupfaqmoefjfwm.sys []
S1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys []
S3 arhidfltr;MS Ar HID Filter Driver; C:\WINDOWS\system32\DRIVERS\arhidfltr.sys [2005-08-03 19200]
S3 catchme;catchme; \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys []
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
S3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 sasenum;SASENUM; \??\C:\Documents and Settings\HP_Administrator\Desktop\Virus Removal\SuperAntiSpyware\SASENUM.SYS []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-04 59264]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-09 20480]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ARSVC;ARSVC; C:\WINDOWS\arservice.exe [2005-08-03 58880]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-12-15 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2004-08-09 14336]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-09 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-09 14336]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2004-08-09 14336]
S2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-09 267776]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2004-08-09 14336]
S4 a2free;a-squared Free Service; C:\Program Files\a-squared Free\a2service.exe [2009-05-10 717320]
S4 JC;JC; C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\JC.exe []
S4 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe /m C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll []
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-05-09 131139]
S4 OAcat;Online Armor Helper Service; C:\Program Files\Tall Emu\Online Armor\OAcat.exe [2009-04-16 361160]
S4 SvcOnlineArmor;Online Armor; C:\Program Files\Tall Emu\Online Armor\oasrv.exe [2009-04-16 3049160]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2009-07-09 11:17:31

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {F80239D8-7811-4D5E-B033-0D0BBFE32920}
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
a-squared Free 4.5-->"C:\Program Files\a-squared Free\unins000.exe"
Customer Experience Enhancement-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
Easy Internet Sign-up-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
Enhanced Multimedia Keyboard Solution-->C:\HP\KBD\Install.exe /u
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
GiPo@MoveOnBoot 1.9.5-->MsiExec.exe /I{9F185C48-595B-401A-A1D6-AAB324890DC4}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Player 10 (KB910393)-->"C:\WINDOWS\$NtUninstallKB910393$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB893357)-->"C:\WINDOWS\$NtUninstallKB893357$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB906569)-->"C:\WINDOWS\$NtUninstallKB906569$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB912024)-->"C:\WINDOWS\$NtUninstallKB912024$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB943232)-->"C:\WINDOWS\$NtUninstallKB943232$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Boot Optimizer-->MsiExec.exe /X{1341D838-719C-4A05-B50F-49420CA1B4BB}
HP DigitalMedia Archive-->MsiExec.exe /X{F80239D8-7811-4D5E-B033-0D0BBFE32920}
HP DVD Play 2.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP Photosmart for Media Center PC-->c:\Program Files\HP\Digital Imaging\bin\mcpc\setupmcl.exe /u
HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}
HP Web Helper-->regsvr32 /u /s "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll"
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java DB 10.4.1.3-->MsiExec.exe /X{998D6972-F58E-479D-9248-8F179E55AE38}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ SE Development Kit 6 Update 11-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160110}
Kaspersky Anti-Virus 2009-->MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
Kaspersky Anti-Virus 2009-->MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
LiveUpdate Notice (Symantec Corporation)-->MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.0 Hotfix (KB930494)-->"C:\WINDOWS\$NtUninstallKB930494$\spuninst\spuninst.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{40280409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MIT MathML Fonts 1.0-->MsiExec.exe /I{C6E52B1B-9905-469A-B8CD-399FDFA98873}
Mozilla Firefox (3.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
muvee autoProducer 5.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB4740B3-2530-452D-A825-F7AB246CA7DF}\setup.exe" -l0x9
muvee autoProducer unPlugged 2.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5FDD0538-C67A-4F67-B3F8-09D1AAF04D99}\setup.exe" -l0x9
Nero 8-->MsiExec.exe /X{1E598659-6503-419E-8FB0-0C1EABF11033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Online Armor 3.5-->"C:\Program Files\Tall Emu\Online Armor\unins000.exe"
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Python 2.2 pywin32 extensions (build 203)-->"C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3-->C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2006-->MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
RegSupreme-->"C:\Program Files\RegSupreme\unins000.exe"
RocketDock 1.3.5-->"C:\Program Files\RocketDock\unins000.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338-v2)-->"C:\WINDOWS\$NtUninstallKB944338-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Sonic Express Labeler-->MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus-->MsiExec.exe /X{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio-->MsiExec.exe /X{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy-->MsiExec.exe /X{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data-->MsiExec.exe /X{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager-->MsiExec.exe /X{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
STOPzilla-->MsiExec.exe /X{2EB5618E-E9CB-436A-841E-E68767E63A01}
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB926251)-->"C:\WINDOWS\$NtUninstallKB926251$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB912945)-->"C:\WINDOWS\$NtUninstallKB912945$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Updates from HP (remove only)-->C:\WINDOWS\HPCPCUninstall-9972322\HPBWSetup.exe -appid 9972322 -uninstall
VC 9.0 Runtime-->MsiExec.exe /I{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB883667-->C:\WINDOWS\$NtUninstallKB883667$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB885884-->C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB892050-->"C:\WINDOWS\$NtUninstallKB892050$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246-->"C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB912067-->"C:\WINDOWS\$NtUninstallKB912067$\spuninst\spuninst.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Security center information======

AV: Kaspersky Anti-Virus (disabled) (outdated)
FW: Online Armor Firewall
FW: Norton Internet Worm Protection (disabled)

======System event log======

Computer Name: RAVELLA
Event Code: 7022
Message: The HP CUE DeviceDiscovery Service service hung on starting.

Record Number: 1887
Source Name: Service Control Manager
Time Written: 20090706225148.000000-300
Event Type: error
User:

Computer Name: RAVELLA
Event Code: 7024
Message: The Media Center Extender Service service terminated with service-specific error 2147500037 (0x80004005).

Record Number: 1885
Source Name: Service Control Manager
Time Written: 20090706225026.000000-300
Event Type: error
User:

Computer Name: RAVELLA
Event Code: 3095
Message: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Record Number: 1884
Source Name: NETLOGON
Time Written: 20090706225025.000000-300
Event Type: error
User:

Computer Name: RAVELLA
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service iPod Service with arguments ""
in order to run the server:
{063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Record Number: 1876
Source Name: DCOM
Time Written: 20090706210051.000000-300
Event Type: error
User: RAVELLA\HP_Administrator

Computer Name: RAVELLA
Event Code: 7031
Message: The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Record Number: 1874
Source Name: Service Control Manager
Time Written: 20090706205252.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: RAVELLA
Event Code: 1000
Message: Faulting application hpqtra08.exe, version 100.0.170.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000106c3.

Record Number: 9431
Source Name: Application Error
Time Written: 20090526173940.000000-300
Event Type: error
User:

Computer Name: RAVELLA
Event Code: 1517
Message: Windows saved user RAVELLA\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 9420
Source Name: Userenv
Time Written: 20090526084419.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: RAVELLA
Event Code: 1000
Message: Faulting application hpqtra08.exe, version 100.0.170.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000106c3.

Record Number: 9409
Source Name: Application Error
Time Written: 20090525222859.000000-300
Event Type: error
User:

Computer Name: RAVELLA
Event Code: 1517
Message: Windows saved user RAVELLA\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 9397
Source Name: Userenv
Time Written: 20090525195621.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: RAVELLA
Event Code: 1517
Message: Windows saved user RAVELLA\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 9376
Source Name: Userenv
Time Written: 20090525001952.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;c:\Python22;C:\Program Files\QuickTime\QTSystem;C:\Program Files\ESTsoft\ALZip
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"tvdumpflags"=8

-----------------EOF-----------------

#5 mitas
  • Topic Starter
  • Members
  • 36 posts

Posted 09 July 2009 - 11:34 AM

info

info.txt logfile of random's system information tool 1.06 2009-07-09 11:17:31

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {F80239D8-7811-4D5E-B033-0D0BBFE32920}
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
a-squared Free 4.5-->"C:\Program Files\a-squared Free\unins000.exe"
Customer Experience Enhancement-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
Easy Internet Sign-up-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
Enhanced Multimedia Keyboard Solution-->C:\HP\KBD\Install.exe /u
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
GiPo@MoveOnBoot 1.9.5-->MsiExec.exe /I{9F185C48-595B-401A-A1D6-AAB324890DC4}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Player 10 (KB910393)-->"C:\WINDOWS\$NtUninstallKB910393$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB893357)-->"C:\WINDOWS\$NtUninstallKB893357$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB906569)-->"C:\WINDOWS\$NtUninstallKB906569$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB912024)-->"C:\WINDOWS\$NtUninstallKB912024$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB943232)-->"C:\WINDOWS\$NtUninstallKB943232$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Boot Optimizer-->MsiExec.exe /X{1341D838-719C-4A05-B50F-49420CA1B4BB}
HP DigitalMedia Archive-->MsiExec.exe /X{F80239D8-7811-4D5E-B033-0D0BBFE32920}
HP DVD Play 2.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP Photosmart for Media Center PC-->c:\Program Files\HP\Digital Imaging\bin\mcpc\setupmcl.exe /u
HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}
HP Web Helper-->regsvr32 /u /s "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll"
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java DB 10.4.1.3-->MsiExec.exe /X{998D6972-F58E-479D-9248-8F179E55AE38}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ SE Development Kit 6 Update 11-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160110}
Kaspersky Anti-Virus 2009-->MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
Kaspersky Anti-Virus 2009-->MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
LiveUpdate Notice (Symantec Corporation)-->MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.0 Hotfix (KB930494)-->"C:\WINDOWS\$NtUninstallKB930494$\spuninst\spuninst.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{40280409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MIT MathML Fonts 1.0-->MsiExec.exe /I{C6E52B1B-9905-469A-B8CD-399FDFA98873}
Mozilla Firefox (3.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
muvee autoProducer 5.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB4740B3-2530-452D-A825-F7AB246CA7DF}\setup.exe" -l0x9
muvee autoProducer unPlugged 2.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5FDD0538-C67A-4F67-B3F8-09D1AAF04D99}\setup.exe" -l0x9
Nero 8-->MsiExec.exe /X{1E598659-6503-419E-8FB0-0C1EABF11033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Online Armor 3.5-->"C:\Program Files\Tall Emu\Online Armor\unins000.exe"
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Python 2.2 pywin32 extensions (build 203)-->"C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3-->C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2006-->MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
RegSupreme-->"C:\Program Files\RegSupreme\unins000.exe"
RocketDock 1.3.5-->"C:\Program Files\RocketDock\unins000.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338-v2)-->"C:\WINDOWS\$NtUninstallKB944338-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Sonic Express Labeler-->MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus-->MsiExec.exe /X{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio-->MsiExec.exe /X{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy-->MsiExec.exe /X{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data-->MsiExec.exe /X{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager-->MsiExec.exe /X{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
STOPzilla-->MsiExec.exe /X{2EB5618E-E9CB-436A-841E-E68767E63A01}
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB926251)-->"C:\WINDOWS\$NtUninstallKB926251$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB912945)-->"C:\WINDOWS\$NtUninstallKB912945$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Updates from HP (remove only)-->C:\WINDOWS\HPCPCUninstall-9972322\HPBWSetup.exe -appid 9972322 -uninstall
VC 9.0 Runtime-->MsiExec.exe /I{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB883667-->C:\WINDOWS\$NtUninstallKB883667$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB885884-->C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB892050-->"C:\WINDOWS\$NtUninstallKB892050$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246-->"C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB912067-->"C:\WINDOWS\$NtUninstallKB912067$\spuninst\spuninst.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Security center information======

AV: Kaspersky Anti-Virus (disabled) (outdated)
FW: Online Armor Firewall
FW: Norton Internet Worm Protection (disabled)

======System event log======

Computer Name: RAVELLA
Event Code: 7022
Message: The HP CUE DeviceDiscovery Service service hung on starting.

Record Number: 1887
Source Name: Service Control Manager
Time Written: 20090706225148.000000-300
Event Type: error
User:

Computer Name: RAVELLA
Event Code: 7024
Message: The Media Center Extender Service service terminated with service-specific error 2147500037 (0x80004005).

Record Number: 1885
Source Name: Service Control Manager
Time Written: 20090706225026.000000-300
Event Type: error
User:

Computer Name: RAVELLA
Event Code: 3095
Message: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Record Number: 1884
Source Name: NETLOGON
Time Written: 20090706225025.000000-300
Event Type: error
User:

Computer Name: RAVELLA
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service iPod Service with arguments ""
in order to run the server:
{063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Record Number: 1876
Source Name: DCOM
Time Written: 20090706210051.000000-300
Event Type: error
User: RAVELLA\HP_Administrator

Computer Name: RAVELLA
Event Code: 7031
Message: The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Record Number: 1874
Source Name: Service Control Manager
Time Written: 20090706205252.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: RAVELLA
Event Code: 1000
Message: Faulting application hpqtra08.exe, version 100.0.170.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000106c3.

Record Number: 9431
Source Name: Application Error
Time Written: 20090526173940.000000-300
Event Type: error
User:

Computer Name: RAVELLA
Event Code: 1517
Message: Windows saved user RAVELLA\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 9420
Source Name: Userenv
Time Written: 20090526084419.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: RAVELLA
Event Code: 1000
Message: Faulting application hpqtra08.exe, version 100.0.170.0, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000106c3.

Record Number: 9409
Source Name: Application Error
Time Written: 20090525222859.000000-300
Event Type: error
User:

Computer Name: RAVELLA
Event Code: 1517
Message: Windows saved user RAVELLA\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 9397
Source Name: Userenv
Time Written: 20090525195621.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: RAVELLA
Event Code: 1517
Message: Windows saved user RAVELLA\HP_Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 9376
Source Name: Userenv
Time Written: 20090525001952.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;c:\Python22;C:\Program Files\QuickTime\QTSystem;C:\Program Files\ESTsoft\ALZip
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"tvdumpflags"=8

-----------------EOF-----------------

#6 fenzodahl512

fenzodahl512


Posted 09 July 2009 - 11:36 AM

Waiting for GMER report :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 mitas

mitas
  • Topic Starter


Posted 09 July 2009 - 05:03 PM

weird processes keep popping up
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-09 18:52:48
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAllocateVirtualMemory [0xB6739320]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAssignProcessToJobObject [0xB6739940]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwConnectPort [0xB6737E30]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateFile [0xB6746420]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateKey [0xB6744740]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreatePort [0xB6737AE0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcess [0xB6734DB0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcessEx [0xB6735180]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateSection [0xB67348D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateThread [0xB6736260]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDebugActiveProcess [0xB6736DC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteFile [0xB6746EB0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteKey [0xB6744CF0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDeleteValueKey [0xB6745640]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDuplicateObject [0xB6737800]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xB67463C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xB67463F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadDriver [0xB6738DF0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadKey [0xB6745A90]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenFile [0xB6746AC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenKey [0xB6744F30]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenProcess [0xB6735C70]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenSection [0xB6734B40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenThread [0xB6736720]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwProtectVirtualMemory [0xB67395D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryKey [0xB6746360]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryValueKey [0xB6746390]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueueApcThread [0xB6739AC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwReplaceKey [0xB6745E30]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRequestWaitReplyPort [0xB67389A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRestoreKey [0xB6746090]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwResumeThread [0xB67374B0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSaveKey [0xB6746340]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSecureConnectPort [0xB67381F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetContextThread [0xB6736BE0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetSystemInformation [0xB6736F40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetValueKey [0xB6744F50]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwShutdownSystem [0xB6738CF0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendProcess [0xB6737660]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendThread [0xB67372E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSystemDebugControl [0xB6737120]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateProcess [0xB6736020]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateThread [0xB67369C0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwUnloadDriver [0xB6739010]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwWriteVirtualMemory [0xB6739780]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C44 80503A18 12 Bytes [E0, 7A, 73, B6, B0, 4D, 73, ...] {LOOPNZ 0x7c; JAE 0xffffffffffffffba; MOV AL, 0x4d; JAE 0xffffffffffffffbe; ADC BYTE [ECX+0x73], 0xb6}
.text ntkrnlpa.exe!ZwCallbackReturn + 2F80 80503D54 12 Bytes [60, 76, 73, B6, E0, 72, 73, ...]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B9C2F300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9C2F360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B9C2F610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [BA109670] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [BA109670] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B9C2F650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B9C2F610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9C2F360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B9C2F300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [B9C2F300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B9C2F360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [B9C2F650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [B9C2F610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B9C2F610] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B9C2F650] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B9C2F300] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9C2F360] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Tall Emu Pty Ltd)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

---- EOF - GMER 1.0.15 ----

Edited by mitas, 09 July 2009 - 06:55 PM.


#8 fenzodahl512

fenzodahl512


Posted 09 July 2009 - 10:42 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#9 mitas

mitas
  • Topic Starter


Posted 09 July 2009 - 11:24 PM

combofix lost the logo on bootup just like 7-zip
ComboFix 09-07-09.06 - HP_Administrator 07/09/2009 22:55.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1316 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
/wow section - STAGE 6A


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\temp\IadHide5.dll
c:\windows\system32\bebadf9_g.dll

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 19:37 . 2009-07-09 19:39 -------- d-----w- c:\program files\BYOND
2009-07-09 16:17 . 2009-07-09 16:18 -------- d-----w- C:\rsit
2009-07-09 16:17 . 2009-07-09 16:17 -------- d-----w- c:\program files\trend micro
2009-07-09 15:13 . 2009-07-09 15:13 -------- d-----w- c:\program files\ERUNT
2009-07-07 04:47 . 2009-07-07 04:47 -------- d-----w- c:\windows\ie8updates
2009-07-06 22:51 . 2009-07-06 22:51 -------- d-----w- c:\program files\RegSupreme
2009-07-06 22:13 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-06 22:13 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-07-06 22:13 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-06 22:12 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-07-06 19:36 . 2009-07-06 19:36 206088 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\update\rollback\AutoPatches\kav8exec\8.0.0.506\avp.exe
2009-07-06 19:36 . 2009-07-06 19:36 32784 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\update\rollback\AutoPatches\kav8exec\8.0.0.506\klbg.sys
2009-07-06 19:36 . 2009-07-06 19:36 227344 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\update\rollback\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys
2009-07-06 19:25 . 2009-07-06 19:36 206088 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\avp.exe
2009-07-06 19:25 . 2009-07-06 19:36 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys
2009-07-06 19:25 . 2009-07-06 19:36 226832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys
2009-07-06 19:18 . 2009-07-09 16:21 -------- d-----w- c:\program files\7-Zip
2009-07-06 19:01 . 2009-07-06 22:36 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-07-06 19:01 . 2009-07-06 22:36 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-07-06 19:00 . 2009-07-06 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-07-06 19:00 . 2009-07-06 19:05 49184 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-06 19:00 . 2009-07-06 19:05 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-06 19:00 . 2009-07-06 19:00 -------- d-----w- c:\program files\Kaspersky Lab
2009-07-06 18:13 . 2009-07-06 18:13 -------- d-----w- c:\program files\GiPo@Utilities
2009-07-06 18:13 . 2009-07-06 18:13 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-07-05 23:46 . 2009-07-07 00:32 -------- d-----w- c:\program files\Unlocker
2009-07-05 22:06 . 2009-07-05 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-06-30 17:31 . 2009-06-30 17:31 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-30 17:30 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-30 17:30 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 17:30 . 2009-07-06 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 16:25 . 2009-02-16 05:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-06-30 16:25 . 2009-02-16 05:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-06-30 16:25 . 2009-02-16 05:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-30 16:20 . 2009-06-30 16:20 12800 ----a-w- c:\windows\system32\bootdelete.exe
2009-06-30 15:58 . 2009-06-30 15:58 -------- d-sh--w- C:\found.000
2009-06-30 15:39 . 2009-06-30 16:14 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-06-30 15:39 . 2009-06-30 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2009-06-30 15:39 . 2009-06-30 15:39 -------- d-----w- c:\program files\Hitman Pro 3.5
2009-06-30 02:45 . 2009-07-06 13:36 -------- d-----w- c:\documents and settings\HP_Administrator\Logs
2009-06-29 17:08 . 2009-07-06 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 02:15 . 2009-06-29 02:15 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\OnlineArmor
2009-06-29 02:15 . 2009-06-29 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2009-06-29 02:15 . 2009-06-29 02:15 -------- d-----w- c:\program files\Tall Emu
2009-06-29 02:15 . 2009-04-16 11:35 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
2009-06-29 02:15 . 2009-04-16 10:49 31824 ----a-w- c:\windows\system32\drivers\OAmon.sys
2009-06-29 02:15 . 2009-04-16 10:49 196688 ----a-w- c:\windows\system32\drivers\OADriver.sys
2009-06-29 02:14 . 2009-06-30 00:39 -------- d-----w- c:\program files\a-squared Free
2009-06-29 02:10 . 2009-06-29 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-06-29 02:09 . 2009-07-06 21:07 -------- d-----w- c:\program files\STOPzilla!
2009-06-29 02:09 . 2009-06-30 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-06-29 02:09 . 2009-06-29 02:09 -------- d-----w- c:\program files\Common Files\iS3
2009-06-28 18:57 . 2008-06-19 22:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-06-28 18:57 . 2009-06-28 18:57 -------- d-----w- c:\program files\Panda Security
2009-06-28 18:03 . 2009-07-05 22:19 -------- d-----w- c:\program files\Lavasoft
2009-06-28 18:03 . 2009-07-05 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-28 17:43 . 2009-07-06 21:04 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Runscanner.net
2009-06-25 02:36 . 2009-06-25 02:36 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\KeePass
2009-06-19 21:47 . 2009-06-19 21:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\CyberLink
2009-06-19 21:47 . 2009-06-19 22:37 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\DVDPlay
2009-06-16 05:49 . 2009-06-16 05:49 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\dvdcss
2009-06-12 20:36 . 2009-06-12 20:36 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-11 04:43 . 2009-04-10 03:26 86016 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\gyohfnl2.default\extensions\firefox@kidzui.com\platform\WINNT_x86-msvc\components\WinKiosk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 21:25 . 2009-04-28 00:30 -------- d-----w- c:\program files\RocketDock
2009-07-06 21:07 . 2006-11-19 05:34 -------- d-----w- c:\program files\Quicken
2009-07-06 21:07 . 2006-11-19 05:42 -------- d-----w- c:\program files\PC-Doctor 5 for Windows
2009-07-06 21:06 . 2006-11-19 05:31 -------- d-----w- c:\program files\Microsoft Works
2009-07-06 21:05 . 2006-11-19 05:27 -------- d-----w- c:\program files\DISC
2009-07-06 19:11 . 2006-11-19 05:29 -------- d---a-w- c:\program files\Common Files\LightScribe
2009-07-06 19:09 . 2009-05-18 11:43 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 19:05 . 2009-07-06 19:00 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-06 19:05 . 2009-07-06 19:00 1248 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-28 18:33 . 2006-11-19 05:28 68352 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 17:41 . 2009-03-26 00:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-28 15:56 . 2009-06-24 21:53 90112 ----a-w- c:\windows\DUMP275e.tmp
2009-06-28 15:49 . 2009-06-24 21:53 90112 ----a-w- c:\windows\DUMP3c2e.tmp
2009-06-28 15:30 . 2009-06-24 21:53 90112 ----a-w- c:\windows\DUMP3cab.tmp
2009-06-26 00:08 . 2006-11-19 05:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-16 04:56 . 2008-12-30 20:15 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2009-06-04 01:50 . 2009-06-04 01:50 -------- dc----w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-06-03 04:26 . 2009-06-03 04:23 117434 ----a-w- c:\windows\hpqins00.dat
2009-05-28 19:16 . 2009-05-28 19:16 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-05-28 19:15 . 2009-05-28 19:15 294912 ----a-r- c:\windows\system32\SZBase5.dll
2009-05-28 19:14 . 2009-05-28 19:14 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-05-17 19:45 . 2009-05-17 19:35 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Nimi
2009-05-15 12:26 . 2009-05-15 12:26 190 ----a-w- C:\43214354.bat
2009-05-13 19:30 . 2009-05-13 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2009-05-13 05:15 . 2004-08-10 04:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 19:13 . 2009-05-12 19:13 61328 ----a-w- c:\windows\system32\drivers\SZKG.sys
2009-05-07 15:44 . 2004-08-10 04:00 344064 ------w- c:\windows\system32\localspl.dll
2009-04-19 04:37 . 2009-04-19 03:46 1409571 --sha-w- c:\windows\system32\adupuhow.tmp
2009-04-17 09:58 . 2004-08-10 04:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-10 04:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2005-09-27 169984]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-04-16 335048]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DoubleDesktop.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DoubleDesktop.lnk
backup=c:\windows\pss\DoubleDesktop.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Diagnostic Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drive
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LittleShoot
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"NSCService"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"BITS"=2 (0x2)
"JC"=3 (0x3)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"szserver"=2 (0x2)
"SvcOnlineArmor"=2 (0x2)
"OAcat"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"a2free"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Tall Emu\\Online Armor\\OAhlp.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\jucheck.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"=
"c:\\HP\\KBD\\KBD.EXE"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\windows\\system\\hpsysdrv.exe"=
"c:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Desktop\\New Folder\\Kaiba Corp VDS 1.15\\KCVDS.exe"=
"c:\\PROGRA~1\\DOUBLE~1\\DDE.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\hksr.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\iknowq.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\winlthhd.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\w6a868.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1006:TCP"= 1006:TCP:KCVDS

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 32784]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/28/2009 1:57 PM 28544]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/28/2009 9:15 PM 196688]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/28/2009 9:15 PM 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/28/2009 9:15 PM 29776]
R1 sasdifsv;SASDIFSV;c:\documents and settings\HP_Administrator\Desktop\Virus Removal\SuperAntiSpyware\SASDIFSV.SYS [3/25/2009 9:55 PM 9968]
R1 saskutil;SASKUTIL;c:\documents and settings\HP_Administrator\Desktop\Virus Removal\SuperAntiSpyware\SASKUTIL.SYS [3/25/2009 9:55 PM 55024]
R2 kqemu;kqemu driver;c:\windows\system32\drivers\kqemu.sys [2/6/2007 4:02 PM 123939]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [5/12/2009 2:13 PM 61328]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S1 219a8ec0;219a8ec0;c:\windows\system32\drivers\219a8ec0.sys --> c:\windows\system32\drivers\219a8ec0.sys [?]
S1 b5c42ea;b5c42ea;c:\windows\system32\drivers\b5c42ea.sys --> c:\windows\system32\drivers\b5c42ea.sys [?]
S3 sasenum;SASENUM;c:\documents and settings\HP_Administrator\Desktop\Virus Removal\SuperAntiSpyware\SASENUM.SYS [3/25/2009 9:55 PM 7408]
S4 JC;JC;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\JC.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\JC.exe [?]
S4 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/28/2009 9:15 PM 361160]
S4 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/28/2009 9:15 PM 3049160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\gyohfnl2.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.scour.com
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\gyohfnl2.default\extensions\firefox@kidzui.com\platform\WINNT_x86-msvc\components\WinKiosk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLM32.DLL
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 23:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Double Desktop Switcher = c:\progra~1\DOUBLE~1\DOUBLE~1.EXE??|d???????|????;E?d????=E?p?K?\?????????E?????M?????K?\???$?E?G?E?$?K?O?E?M?????K?8?????????????????E?8?????F?????p?K?p?K???????????E?????????????????$?E?G?E?$?K?<???l?I?????X???x~??????,???X?F??w????F???K?X?F??w??#?I??w??7??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4258320490-3815108193-478931012-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(996)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

- - - - - - - > 'explorer.exe'(2240)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\dllhost.exe
c:\progra~1\DOUBLE~1\DOUBLE~1.EXE
c:\progra~1\DOUBLE~1\DDE.exe
c:\program files\Updates from HP\9972322\Program\Updates from HP.exe
c:\docume~1\HP_ADM~1\LOCALS~1\temp\hksr.exe
c:\docume~1\HP_ADM~1\LOCALS~1\temp\iknowq.exe
c:\docume~1\HP_ADM~1\LOCALS~1\temp\winlthhd.exe
c:\docume~1\HP_ADM~1\LOCALS~1\temp\w6a868.exe
.
**************************************************************************
.
Completion time: 2009-07-10 23:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 04:21
ComboFix2.txt 2009-07-06 22:03

Pre-Run: 186,228,920,320 bytes free
Post-Run: 186,078,797,824 bytes free

352 --- E O F --- 2009-07-07 04:48

Edited by mitas, 09 July 2009 - 11:27 PM.


#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 09 July 2009 - 11:42 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
219a8ec0
b5c42ea
JC

Rootkit::
c:\windows\system32\drivers\219a8ec0.sys
c:\windows\system32\drivers\b5c42ea.sys
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\JC.exe

File::
c:\windows\system32\drivers\b5c42ea.sys
C:\43214354.bat
c:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hksr.exe
c:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\iknowq.exe
c:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winlthhd.exe
c:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\w6a868.exe
c:\windows\system32\drivers\219a8ec0.sys
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\JC.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\hksr.exe"=-
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\iknowq.exe"=-
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\winlthhd.exe"=-
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\w6a868.exe"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by fenzodahl512, 09 July 2009 - 11:43 PM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
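The CFScript above removes exactly the entries that stand out in the ComboFix log: the HKCU policy values that disable Task Manager and Registry Tools, the firewall exceptions for executables sitting in the Temp folder, and the services whose driver file is missing ("[?]"). As an added example, not part of this thread or of ComboFix, here is a small Python triage script that scans ComboFix-style log lines for those indicators, plus the Security Center override values and EnableFirewall=0 that the log also shows; the embedded sample log is constructed from lines modeled on this thread.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Flags the indicators discussed in this thread:
  * HKCU/HKU policy values that disable Task Manager / Registry Tools
  * Security Center override / DisableMonitoring values set to 1
  * the XP firewall switched off (EnableFirewall=0)
  * firewall-authorized programs living under a Temp folder
  * services whose binary is missing (line ends with "[?]")
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass

POLICY_VALUES = {"DisableTaskMgr", "DisableRegistryTools", "DisallowRun"}
SECCENTER_VALUES = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring",
                    "AntiVirusDisableNotify", "FirewallDisableNotify"}
KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "Name"= value
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")  # R0 name;desc;path [..]

# Constructed sample, modeled on the log lines posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\hksr.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\w6a868.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 32784]
S1 219a8ec0;219a8ec0;c:\windows\system32\drivers\219a8ec0.sys --> c:\windows\system32\drivers\219a8ec0.sys [?]
S4 JC;JC;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\JC.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\JC.exe [?]
"""


@dataclass
class Finding:
    kind: str    # short category label
    key: str     # registry key or service name the finding belongs to
    detail: str  # the offending value / path


def parse_value(raw):
    """Return an int for '1 (0x1)' or 'dword:00000001' style values, else None."""
    raw = raw.strip()
    m = re.match(r"^(-?\d+)", raw)
    if m:
        return int(m.group(1))
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    return None


def in_temp_folder(path):
    """True when a REGEDIT4-escaped path points below a ...\\Temp\\ directory."""
    return "\\temp\\" in path.replace("\\\\", "\\").lower()


def triage(lines):
    """Walk log lines, tracking the current [key], and collect Findings."""
    findings, current_key = [], ""
    for line in lines:
        line = line.rstrip("\n")
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            continue
        sm = SERVICE_RE.match(line)
        if sm and sm.group(4).strip().endswith("[?]"):
            findings.append(Finding("missing-service-binary", sm.group(2), sm.group(4).strip()))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, val = vm.group(1), parse_value(vm.group(2))
        lk = current_key.lower()
        if "policies" in lk and name in POLICY_VALUES and val == 1:
            findings.append(Finding("policy-restriction", current_key, f"{name}=1"))
        elif "security center" in lk and name in SECCENTER_VALUES and val == 1:
            findings.append(Finding("security-center-override", current_key, f"{name}=1"))
        elif "firewallpolicy" in lk and name == "EnableFirewall" and val == 0:
            findings.append(Finding("firewall-disabled", current_key, "EnableFirewall=0"))
        elif "authorizedapplications" in lk and in_temp_folder(name):
            findings.append(Finding("temp-exe-firewall-exception", current_key, name))
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    # Pass a saved ComboFix.txt as the first argument, or run on the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text.splitlines()):
        print(f"{f.kind:30} {f.detail}  <- {f.key}")
```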


#11 mitas

mitas
  • Topic Starter

  • Members
  • 36 posts

Posted 10 July 2009 - 11:12 AM

I think the viruses come back via System Restore because the problems have not gone away.
ComboFix is disabled on boot-up after the report is made.

ComboFix 09-07-09.08 - HP_Administrator 07/10/2009 10:52.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1508 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
* Created a new restore point

FILE ::
"C:\43214354.bat"
"c:\docume~1\HP_ADM~1\LOCALS~1\Temp\hksr.exe"
"c:\docume~1\HP_ADM~1\LOCALS~1\Temp\iknowq.exe"
"c:\docume~1\HP_ADM~1\LOCALS~1\Temp\JC.exe"
"c:\docume~1\HP_ADM~1\LOCALS~1\Temp\w6a868.exe"
"c:\docume~1\HP_ADM~1\LOCALS~1\Temp\winlthhd.exe"
"c:\windows\system32\drivers\219a8ec0.sys"
"c:\windows\system32\drivers\b5c42ea.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\43214354.bat

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JC
-------\Service_219a8ec0
-------\Service_b5c42ea
-------\Service_JC


((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 19:37 . 2009-07-09 19:39 -------- d-----w- c:\program files\BYOND
2009-07-09 16:17 . 2009-07-09 16:18 -------- d-----w- C:\rsit
2009-07-09 16:17 . 2009-07-09 16:17 -------- d-----w- c:\program files\trend micro
2009-07-09 15:13 . 2009-07-09 15:13 -------- d-----w- c:\program files\ERUNT
2009-07-07 04:47 . 2009-07-07 04:47 -------- d-----w- c:\windows\ie8updates
2009-07-06 22:51 . 2009-07-06 22:51 -------- d-----w- c:\program files\RegSupreme
2009-07-06 22:13 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-06 22:13 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-07-06 22:13 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-06 22:12 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-07-06 19:36 . 2009-07-06 19:36 206088 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\update\rollback\AutoPatches\kav8exec\8.0.0.506\avp.exe
2009-07-06 19:36 . 2009-07-06 19:36 32784 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\update\rollback\AutoPatches\kav8exec\8.0.0.506\klbg.sys
2009-07-06 19:36 . 2009-07-06 19:36 227344 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\update\rollback\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys
2009-07-06 19:25 . 2009-07-06 19:36 206088 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\avp.exe
2009-07-06 19:25 . 2009-07-06 19:36 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys
2009-07-06 19:25 . 2009-07-06 19:36 226832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys
2009-07-06 19:18 . 2009-07-09 16:21 -------- d-----w- c:\program files\7-Zip
2009-07-06 19:01 . 2009-07-06 22:36 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-07-06 19:01 . 2009-07-06 22:36 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-07-06 19:00 . 2009-07-06 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-07-06 19:00 . 2009-07-06 19:05 49184 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-06 19:00 . 2009-07-06 19:05 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-06 19:00 . 2009-07-06 19:00 -------- d-----w- c:\program files\Kaspersky Lab
2009-07-06 18:13 . 2009-07-06 18:13 -------- d-----w- c:\program files\GiPo@Utilities
2009-07-06 18:13 . 2009-07-06 18:13 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-07-05 23:46 . 2009-07-07 00:32 -------- d-----w- c:\program files\Unlocker
2009-07-05 22:06 . 2009-07-05 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-06-30 17:31 . 2009-06-30 17:31 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-30 17:30 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-30 17:30 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 17:30 . 2009-07-06 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 16:25 . 2009-02-16 05:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-06-30 16:25 . 2009-02-16 05:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-06-30 16:25 . 2009-02-16 05:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-30 16:20 . 2009-06-30 16:20 12800 ----a-w- c:\windows\system32\bootdelete.exe
2009-06-30 15:58 . 2009-06-30 15:58 -------- d-sh--w- C:\found.000
2009-06-30 15:39 . 2009-06-30 16:14 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-06-30 15:39 . 2009-06-30 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2009-06-30 15:39 . 2009-06-30 15:39 -------- d-----w- c:\program files\Hitman Pro 3.5
2009-06-30 02:45 . 2009-07-06 13:36 -------- d-----w- c:\documents and settings\HP_Administrator\Logs
2009-06-29 17:08 . 2009-07-06 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 02:15 . 2009-06-29 02:15 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\OnlineArmor
2009-06-29 02:15 . 2009-06-29 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2009-06-29 02:15 . 2009-06-29 02:15 -------- d-----w- c:\program files\Tall Emu
2009-06-29 02:15 . 2009-04-16 11:35 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
2009-06-29 02:15 . 2009-04-16 10:49 31824 ----a-w- c:\windows\system32\drivers\OAmon.sys
2009-06-29 02:15 . 2009-04-16 10:49 196688 ----a-w- c:\windows\system32\drivers\OADriver.sys
2009-06-29 02:14 . 2009-06-30 00:39 -------- d-----w- c:\program files\a-squared Free
2009-06-29 02:10 . 2009-06-29 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-06-29 02:09 . 2009-07-06 21:07 -------- d-----w- c:\program files\STOPzilla!
2009-06-29 02:09 . 2009-06-30 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-06-29 02:09 . 2009-06-29 02:09 -------- d-----w- c:\program files\Common Files\iS3
2009-06-28 18:57 . 2008-06-19 22:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-06-28 18:57 . 2009-06-28 18:57 -------- d-----w- c:\program files\Panda Security
2009-06-28 18:03 . 2009-07-05 22:19 -------- d-----w- c:\program files\Lavasoft
2009-06-28 18:03 . 2009-07-05 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-28 17:43 . 2009-07-06 21:04 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Runscanner.net
2009-06-25 02:36 . 2009-06-25 02:36 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\KeePass
2009-06-19 21:47 . 2009-06-19 21:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\CyberLink
2009-06-19 21:47 . 2009-06-19 22:37 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\DVDPlay
2009-06-16 05:49 . 2009-06-16 05:49 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\dvdcss
2009-06-12 20:36 . 2009-06-12 20:36 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-11 04:43 . 2009-04-10 03:26 86016 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\gyohfnl2.default\extensions\firefox@kidzui.com\platform\WINNT_x86-msvc\components\WinKiosk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 21:25 . 2009-04-28 00:30 -------- d-----w- c:\program files\RocketDock
2009-07-06 21:07 . 2006-11-19 05:34 -------- d-----w- c:\program files\Quicken
2009-07-06 21:07 . 2006-11-19 05:42 -------- d-----w- c:\program files\PC-Doctor 5 for Windows
2009-07-06 21:06 . 2006-11-19 05:31 -------- d-----w- c:\program files\Microsoft Works
2009-07-06 21:05 . 2006-11-19 05:27 -------- d-----w- c:\program files\DISC
2009-07-06 19:11 . 2006-11-19 05:29 -------- d---a-w- c:\program files\Common Files\LightScribe
2009-07-06 19:09 . 2009-05-18 11:43 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 19:05 . 2009-07-06 19:00 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-06 19:05 . 2009-07-06 19:00 1248 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-28 18:33 . 2006-11-19 05:28 68352 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 17:41 . 2009-03-26 00:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-28 15:56 . 2009-06-24 21:53 90112 ----a-w- c:\windows\DUMP275e.tmp
2009-06-28 15:49 . 2009-06-24 21:53 90112 ----a-w- c:\windows\DUMP3c2e.tmp
2009-06-28 15:30 . 2009-06-24 21:53 90112 ----a-w- c:\windows\DUMP3cab.tmp
2009-06-26 00:08 . 2006-11-19 05:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-16 04:56 . 2008-12-30 20:15 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2009-06-04 01:50 . 2009-06-04 01:50 -------- dc----w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-06-03 04:26 . 2009-06-03 04:23 117434 ----a-w- c:\windows\hpqins00.dat
2009-05-28 19:16 . 2009-05-28 19:16 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-05-28 19:15 . 2009-05-28 19:15 294912 ----a-r- c:\windows\system32\SZBase5.dll
2009-05-28 19:14 . 2009-05-28 19:14 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-05-17 19:45 . 2009-05-17 19:35 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Nimi
2009-05-13 19:30 . 2009-05-13 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2009-05-13 05:15 . 2004-08-10 04:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 19:13 . 2009-05-12 19:13 61328 ----a-w- c:\windows\system32\drivers\SZKG.sys
2009-05-07 15:44 . 2004-08-10 04:00 344064 ------w- c:\windows\system32\localspl.dll
2009-04-19 04:37 . 2009-04-19 03:46 1409571 --sha-w- c:\windows\system32\adupuhow.tmp
2009-04-17 09:58 . 2004-08-10 04:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-10 04:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-10_04.14.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-10 15:57 . 2009-07-10 15:57 16384 c:\windows\Temp\Perflib_Perfdata_b14.dat
+ 2009-07-10 15:57 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\7-10-2009\ERDNT.EXE
+ 2009-07-10 15:57 . 2009-07-10 15:57 3330048 c:\windows\ERDNT\AutoBackup\7-10-2009\Users\00000002\UsrClass.dat
+ 2009-07-10 15:57 . 2009-07-10 15:57 8122368 c:\windows\ERDNT\AutoBackup\7-10-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2005-09-27 169984]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-04-16 335048]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DoubleDesktop.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DoubleDesktop.lnk
backup=c:\windows\pss\DoubleDesktop.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"NSCService"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"BITS"=2 (0x2)
"JC"=3 (0x3)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"szserver"=2 (0x2)
"SvcOnlineArmor"=2 (0x2)
"OAcat"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"a2free"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Tall Emu\\Online Armor\\OAhlp.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\jucheck.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"=
"c:\\HP\\KBD\\KBD.EXE"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\windows\\system\\hpsysdrv.exe"=
"c:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Desktop\\New Folder\\Kaiba Corp VDS 1.15\\KCVDS.exe"=
"c:\\PROGRA~1\\DOUBLE~1\\DDE.exe"=
"c:\\WINDOWS\\system32\\CF529.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\windjvc.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\adbg.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\winewna.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\w4b5a0.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1006:TCP"= 1006:TCP:KCVDS

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 32784]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/28/2009 1:57 PM 28544]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/28/2009 9:15 PM 196688]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/28/2009 9:15 PM 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/28/2009 9:15 PM 29776]
R1 sasdifsv;SASDIFSV;c:\documents and settings\HP_Administrator\Desktop\Virus Removal\SuperAntiSpyware\SASDIFSV.SYS [3/25/2009 9:55 PM 9968]
R1 saskutil;SASKUTIL;c:\documents and settings\HP_Administrator\Desktop\Virus Removal\SuperAntiSpyware\SASKUTIL.SYS [3/25/2009 9:55 PM 55024]
R2 kqemu;kqemu driver;c:\windows\system32\drivers\kqemu.sys [2/6/2007 4:02 PM 123939]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [5/12/2009 2:13 PM 61328]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S3 sasenum;SASENUM;c:\documents and settings\HP_Administrator\Desktop\Virus Removal\SuperAntiSpyware\SASENUM.SYS [3/25/2009 9:55 PM 7408]
S4 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/28/2009 9:15 PM 361160]
S4 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/28/2009 9:15 PM 3049160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\gyohfnl2.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.scour.com
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\gyohfnl2.default\extensions\firefox@kidzui.com\platform\WINNT_x86-msvc\components\WinKiosk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLM32.DLL
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 10:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Double Desktop Switcher = c:\progra~1\DOUBLE~1\DOUBLE~1.EXE??|d???????|????;E?d????=E?p?K?\?????????E?????M?????K?\???$?E?G?E?$?K?O?E?M?????K?8?????????????????E?8?????F?????p?K?p?K????? ?????E?????????????????$?E?G?E?$?K?<???l?I?????X????~??$???,???X?F??w????F???K?X?F??w??#?I??w??7??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4258320490-3815108193-478931012-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1012)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

- - - - - - - > 'explorer.exe'(1676)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\DOUBLE~1\DOUBLE~1.EXE
c:\progra~1\DOUBLE~1\DDE.exe
c:\program files\Updates from HP\9972322\Program\Updates from HP.exe
c:\windows\system32\dllhost.exe
c:\docume~1\HP_ADM~1\LOCALS~1\temp\windjvc.exe
c:\docume~1\HP_ADM~1\LOCALS~1\temp\adbg.exe
c:\docume~1\HP_ADM~1\LOCALS~1\temp\winewna.exe
c:\docume~1\HP_ADM~1\LOCALS~1\temp\w4b5a0.exe
.
**************************************************************************
.
Completion time: 2009-07-10 11:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 16:04
ComboFix2.txt 2009-07-10 04:21
ComboFix3.txt 2009-07-06 22:03

Pre-Run: 186,402,103,296 bytes free
Post-Run: 186,092,138,496 bytes free

376 --- E O F --- 2009-07-07 04:48
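
The report above lists, in one place, the executables the Windows Firewall has been told to allow, the processes running from the user's Temp directory, and the Security Center override values. What follows is an added example, not part of the original post and not code from ComboFix, DDS or catchme: a Python triage script that reads log lines in that shape and flags the patterns a responder would pull out of this report. The sample text inside it is constructed to mirror the posted log, not copied from a real machine; the rule names (`temp-exe-running` and so on) and the "short letter-and-digit name" heuristic are my own, and that heuristic is deliberately weak (it will miss `windjvc.exe` and catch any legitimately short name with a digit in it), so it is reported separately from the Temp-directory and Security Center rules.

```python
"""Triage a ComboFix/DDS-style log for signs of a security-product-disabling infection.

Added example (not from the thread or from ComboFix). Flags:
  * Security Center *Override / *DisableNotify / DisableMonitoring values set to 1
  * firewall policy with EnableFirewall = 0
  * firewall exceptions or running processes under a \\Temp\\ directory
  * short names mixing letters and digits (weak heuristic, reported separately)
"""
import re

SECTION_RE = re.compile(r'^\[(.+)\]$')                 # [HKLM\...] registry key header
BANNER_RE = re.compile(r'^-{3,}\s*(.+?)\s*-{3,}$')     # ---- Other Running Processes ----
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')       # "Name"=data
PROCESS_RE = re.compile(r'^[a-z]:\\.+\.exe$', re.I)    # bare path line in the process list
TEMP_RE = re.compile(r'\\temp\\', re.I)                # ...\Temp\... in long or 8.3 form
RANDOM_STEM_RE = re.compile(r'^(?=.*[a-z])(?=.*\d)[a-z0-9]{4,8}$', re.I)  # weak heuristic

# Constructed sample, in the same shape as the posted ComboFix log (not a real capture).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\CF529.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\windjvc.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\w4b5a0.exe"=

------------------------ Other Running Processes ------------------------
c:\windows\system32\dllhost.exe
c:\docume~1\HP_ADM~1\LOCALS~1\temp\adbg.exe
c:\docume~1\HP_ADM~1\LOCALS~1\temp\winewna.exe
'''


def _normalise(path):
    # Firewall exception entries store backslashes doubled; collapse them to one.
    return path.replace('\\\\', '\\').strip()


def _suspicious_name(path):
    # Stem of the file name without directory or extension, e.g. "CF529".
    stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    return bool(RANDOM_STEM_RE.match(stem))


def triage(log_text):
    """Return a list of (rule, detail) findings in log order."""
    findings = []
    section = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line) or BANNER_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group(1), m.group(2).strip()
            if ('security center' in section
                    and data.lower().startswith('dword:00000001')
                    and name.endswith(('Override', 'DisableNotify', 'DisableMonitoring'))):
                findings.append(('security-center-tamper', f'{name} in {section}'))
            elif 'firewallpolicy' in section and name == 'EnableFirewall' and data.startswith('0'):
                findings.append(('firewall-disabled', section))
            elif 'authorizedapplications' in section:
                path = _normalise(name)
                if TEMP_RE.search(path):
                    findings.append(('temp-exe-firewall-exception', path))
                elif _suspicious_name(path):
                    findings.append(('random-name-firewall-exception', path))
            continue
        if 'other running processes' in section and PROCESS_RE.match(line):
            if TEMP_RE.search(line):
                findings.append(('temp-exe-running', line))
            elif _suspicious_name(line):
                findings.append(('random-name-running', line))
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:32} {detail}')
```

Run against the real report the same rules would also surface `CF529.exe` in `system32` and the four Temp executables that appear twice, once as firewall exceptions and once as running processes; the Security Center overrides are the reason the user sees no warning when each new antivirus is silently disabled.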

#12 mitas (Topic Starter, Members, 36 posts)

Posted 10 July 2009 - 11:15 AM

There is a picture of my processes, but I deleted the ones that had weird names; wincualt.exe comes back after a few seconds and the others return within minutes. Windows Firewall gets disabled on boot-up and reverts back in a few minutes.
ComboFix error after reboot: only part of a ReadProcessMemory or WriteProcessMemory request was completed.
Where do you download HijackThis?
I had to redownload ComboFix to get that log.

Attached Files


Edited by mitas, 10 July 2009 - 11:20 AM.


#13 fenzodahl512 (Members, 6,738 posts)

Posted 10 July 2009 - 11:26 AM

I have a feeling that your computer is infected with Sality. I will need you to go to another clean computer, download the Dr.Web LiveCD and burn it to a CD. Then use that CD to clean the infected computer. All information about the Dr.Web LiveCD is below.

http://www.freedrweb.com/livecd/

The download location is below..

ftp://ftp.drweb.com/pub/drweb/livecd/minD...iveCD-5.0.0.iso

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#14 mitas (Topic Starter, Members, 36 posts)

Posted 10 July 2009 - 11:33 PM

I think this is Sality because most antivirus programs don't work, I cannot boot into Safe Mode, and some files get corrupted.
I used the Avira recovery CD and it said these files contain traces of Sality.
My first Kaspersky scan said I had a heuri.general virus, a.k.a. heurisc.
Dr.Web accidentally froze, but I will redo that. The files that I had Avira rename are said to be infected with the Traces 17 virus.
I do not know what to do with these files. Do you have anything to block a Sality keylogger?

P.S. I tracked the downloader part to the Windows system32 temp folder, and these weird processes come from there.

Attached Files


Edited by mitas, 10 July 2009 - 11:35 PM.


#15 fenzodahl512 (Members, 6,738 posts)

Posted 11 July 2009 - 12:11 AM

Since you mentioned it's Sality, here's some general info I can tell you about it. Sality is a polymorphic virus that will infect each and every .exe and .scr file on the computer, on each and every partition. I would advise you to start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers, and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar/.pif/.asp/.php/.iso files.

Make sure you back up everything ONLY via CD or DVD (non-rewritable). If you need to back up to an external hard drive or thumb drive, make sure it is EMPTY, meaning NO FILE inside it. Format the external drive first, before attaching it to the infected computer. A single .exe file inside the external drive may infect other computers as well.

Let's do the Dr.Web LiveCD step first, as it's the best tool I know to combat Sality. Otherwise you might have to wipe the machine clean.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
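
The backup rule in the reply above, as an added example that is not part of the original thread (Python, assumes only a standard filesystem walk): it applies the extension exclusions listed in the reply, refuses a destination that is not empty, and goes one step beyond the reply by also refusing any file whose first two bytes are the `MZ` header of a Windows executable, whatever its extension. That last check is my addition, based on Sality being a file infector of Windows executables: a renamed or extension-less PE file is still an executable and still a carrier, while an extension check alone only sees the file name. The sample files are constructed in a temporary directory; nothing is read from a real machine, and `plan_backup` only lists what would be copied rather than copying it.

```python
"""Decide which files may be carried off a Sality-infected host.

Added example, not from the thread. Applies the reply's extension exclusions and, beyond
the reply, rejects any file that carries the PE 'MZ' header regardless of extension.
"""
import os
import tempfile

# Extensions the reply says not to back up from an infected machine.
EXCLUDED_EXT = {'.exe', '.scr', '.htm', '.html', '.xml', '.zip', '.rar',
                '.pif', '.asp', '.php', '.iso'}
PE_MAGIC = b'MZ'   # first two bytes of every DOS/Windows executable image


def reason_to_skip(path):
    """Return None if the file looks safe to copy, else a short reason string."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXCLUDED_EXT:
        return f'excluded extension {ext}'
    with open(path, 'rb') as fh:
        head = fh.read(2)
    if head == PE_MAGIC:               # renamed or extension-less executable
        return 'PE header despite extension'
    return None


def plan_backup(src_root, dst_root):
    """Walk src_root and return (to_copy, skipped) as lists of (relpath, reason).

    Nothing is copied. A non-empty destination is refused, as the reply requires,
    so a previously used drive cannot be reused by accident.
    """
    if os.path.isdir(dst_root) and os.listdir(dst_root):
        raise ValueError('destination must be empty before use on an infected machine')
    to_copy, skipped = [], []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src_root).replace(os.sep, '/')
            why = reason_to_skip(full)
            (skipped if why else to_copy).append((rel, why))
    return to_copy, skipped


def demo():
    """Build a constructed sample tree and return (copied relpaths, skipped (relpath, reason))."""
    samples = {                                   # constructed contents, not real files
        'photos/holiday.jpg': b'\xff\xd8\xff\xe0 fake jpeg',
        'docs/letter.txt': b'plain text',
        'setup/installer.exe': b'MZ\x90\x00 fake PE',
        'music/track.mp3.scr': b'MZ disguised as media',
        'notes/readme.dat': b'MZ\x90\x00 renamed PE',
        'web/index.html': b'<html></html>',
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in samples.items():
            full = os.path.join(src, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'wb') as fh:
                fh.write(data)
        to_copy, skipped = plan_backup(src, dst)
    return sorted(r for r, _ in to_copy), sorted(skipped)


if __name__ == '__main__':
    copied, skipped = demo()
    print('copy   :', copied)
    for rel, why in skipped:
        print('skip   :', rel, '-', why)
```

The `MZ` check is the part worth keeping even after the infection is cleaned: an extension list describes what the attacker did last time, while the header check describes what an executable is.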




