
Infection


  • This topic is locked
18 replies to this topic

#1 Bcfcmeerkat

Bcfcmeerkat

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 29 August 2009 - 07:47 AM

Could someone please have a look at my HijackThis log, as I think I have an infection. When I start up my PC I keep getting a virus warning. Also, I cannot update my antivirus or spyware programs, or Microsoft updates. Also, I cannot access most spyware homepages in my browser.

Thank you.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:45:22, on 29/08/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DABA23E-0262-44A2-943C-9DD34EB5133F}: NameServer = 82.132.136.102 82.132.136.103
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1ca0c7974fda502) (gupdate1ca0c7974fda502) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

--
End of file - 5198 bytes
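The log above is read by eye in this thread. As an added example (not part of the thread, and not HijackThis code), the script below parses HijackThis v2 lines and pulls out the items a helper checks first: O1 hosts-file entries that point a name anywhere other than loopback, O17 NameServer values (the resolvers each interface is configured with, to compare against what the ISP or router should hand out), O2 BHOs registered with no DLL on disk, and O4 autoruns whose command lives in a user-writable directory. The sample input is a constructed subset of lines from the posted log plus one hypothetical O4 "updater" entry under %TEMP% so the last check has something to flag; the results are items for review, not verdicts.

```python
"""Triage helper for Trend Micro HijackThis v2 logs.

Added example, not part of the forum thread and not HijackThis code. It
handles the line families seen in the posted logs (R0/R1, O1, O2, O4, O17,
O23) and returns items for a human to review, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the posted log, plus one hypothetical
# O4 line (the "updater" entry under %TEMP%) to exercise the autorun check.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 91.121.97.18 thepiratebay.org [2009-08-28]
O1 - Hosts: 91.121.97.18 www.thepiratebay.org [2009-08-28]
O1 - Hosts: ::1 localhost [2009-08-28]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-08-28]
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [updater] C:\Users\Paul\AppData\Local\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DABA23E-0262-44A2-943C-9DD34EB5133F}: NameServer = 82.132.136.102 82.132.136.103
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "<code> - <body>"; the "[YYYY-MM-DD]" stamp that HijackThis appends in its
# backups section is stripped so the same parsers work on both sections.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+?)(?:\s+\[\d{4}-\d{2}-\d{2}\])?$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.*)$")
RUN_RE = re.compile(r"^HK[^:]+\\\.\.\\Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DNS_RE = re.compile(r"\\(?P<iface>\{[0-9A-Fa-f-]+\}):\s*NameServer\s*=\s*(?P<servers>.*)$")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Directories a standard user can write to; an autorun pointing here deserves a look.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\", "\\programdata\\")


@dataclass(frozen=True)
class Entry:
    code: str  # e.g. "O17"
    body: str  # text after "O17 - ", backup date removed


def parse_hjt(text: str) -> list:
    """Return one Entry per HijackThis item line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def hosts_redirects(entries: list) -> list:
    """O1 lines that send a hostname somewhere other than loopback."""
    found = []
    for e in entries:
        m = HOSTS_RE.match(e.body) if e.code == "O1" else None
        if m and m["ip"] not in LOOPBACK:
            found.append((m["ip"], m["host"]))
    return found


def dns_servers(entries: list) -> dict:
    """O17 lines: interface GUID -> configured resolvers, to compare with the ISP's."""
    found = {}
    for e in entries:
        m = DNS_RE.search(e.body) if e.code == "O17" else None
        if m:
            found[m["iface"]] = m["servers"].replace(",", " ").split()
    return found


def bhos_without_file(entries: list) -> list:
    """O2 lines whose CLSID is still registered but whose DLL is gone."""
    found = []
    for e in entries:
        m = BHO_RE.match(e.body) if e.code == "O2" else None
        if m and m["path"].strip() == "(no file)":
            found.append(m["clsid"])
    return found


def run_entries_in_user_writable_paths(entries: list) -> list:
    """O4 autoruns whose command lives in a user-writable directory."""
    found = []
    for e in entries:
        m = RUN_RE.match(e.body) if e.code == "O4" else None
        if m and any(marker in m["cmd"].lower() for marker in USER_WRITABLE):
            found.append((m["name"], m["cmd"]))
    return found


def triage(text: str) -> dict:
    entries = parse_hjt(text)
    return {
        "hosts_redirects": hosts_redirects(entries),
        "dns_servers": dns_servers(entries),
        "bhos_without_file": bhos_without_file(entries),
        "run_in_user_writable": run_entries_in_user_writable_paths(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved hijackthis.log by passing the file contents to triage(). The checks deliberately stop short of a verdict: a hosts entry for a torrent site and a pair of resolvers are exactly the kind of thing a helper confirms with the user (their ISP, their own edits) before anything is removed.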


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:18 PM

Posted 29 August 2009 - 09:49 AM

Hello and welcome to BleepingComputer.com!

I will be helping you today.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please give me some time to analyse your logs, I will be back shortly.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:18 PM

Posted 30 August 2009 - 08:33 AM

Hello, Bcfcmeerkat, and again
welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Step 1
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.

Step 2

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Please post back with:
  • Both RSIT-Logfiles
  • Gmer-Logfile

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#4 Bcfcmeerkat

Bcfcmeerkat
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 31 August 2009 - 08:31 AM

Here is a copy of the two scans that you asked for. Thank you.



info.txt logfile of random's system information tool 1.06 2009-08-31 13:47:28

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
Acer Crystal Eye Webcam 2.0.8-->C:\Program Files\InstallShield Installation Information\{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer Crystal Eye webcam Ver:1.1.59.528-->C:\Program Files\InstallShield Installation Information\{D0ACE89D-EC7F-470F-80BE-4C98ED366B32}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer Crystal Eye Webcam-->C:\Program Files\InstallShield Installation Information\{DD1DED37-2486-4F56-8F89-56AA814003F5}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer eDataSecurity Management-->C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSnstHelper.exe -Operation UNINSTALL
Acer Empowering Technology-->"C:\Program Files\InstallShield Installation Information\{8F1B6239-FEA0-450A-A950-B05276CE177C}\setup.exe" -runfromtemp -l0x0009 -removeonly
Acer ePower Management-->"C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\setup.exe" -runfromtemp -l0x0009 -removeonly
Acer eSettings Management-->"C:\Program Files\InstallShield Installation Information\{13D85C14-2B85-419F-AC41-C7F21E68B25D}\setup.exe" -runfromtemp -l0x0009 -removeonly
Acrobat.com-->MsiExec.exe /X{287ECFA4-719A-2143-A09B-D6A12DE54E40}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Shockwave Player 11.5-->"C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe"
Agere Systems HDA Modem-->agrsmdel
Any Video Converter 2.7.6-->"C:\Program Files\Any Video Converter\unins000.exe"
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BobCAD-CAM V23-->"C:\Program Files\InstallShield Installation Information\{66A00BD2-21AE-4712-9D88-6B0F45BEAE76}\setup.exe" -runfromtemp -l0x0009 -removeonly
Canon MP Navigator EX 1.0-->"C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Canon MP220 series User Registration-->C:\Program Files\Canon\IJEREG\MP220 series\UNINST.EXE
Canon MP220 series-->"C:\Windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP220_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP220_series /L0x0009
Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint EX-->C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities Solution Menu-->C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Driver Genius Professional Edition-->"C:\Program Files\Driver-Soft\DriverGenius\unins000.exe"
DriverMax 5-->"C:\Program Files\Innovative Solutions\DriverMax\unins000.exe"
FileHippo.com Update Checker-->"C:\Program Files\FileHippo.com\uninstall.exe"
Google Earth-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel PROSet Wireless-->Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
Intel® Processor ID Utility-->MsiExec.exe /X{A92A4DB0-CD37-42D1-BE1D-603D53C24328}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011F0}
Java™ 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
JMicron JMB38X Flash Media Controller-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{26604C7E-A313-4D12-867F-7C6E7820BE4C}\setup.exe" -l0x9 -removeonly
Junk Mail filter update-->MsiExec.exe /I{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}
Launch Manager-->C:\Windows\UnInst32.exe QtZgAcer.UNI
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
ME Consultant Standard v1.41 Trial-->"C:\Program Files\ME Consultant Trial\unins000.exe"
Medal of Honor Pacific Assault™ Patch2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{824539D7-D27E-4CC3-B36F-6404B5EB726B}\setup.exe" -l0x9 -removeonly
Medal of Honor Pacific Assault™-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56CFA833-F44F-4199-8C58-7F8B38F2BC7B}\setup.exe" -l0x9 -removeonly
MediaMonkey 3.1-->"C:\Program Files\MediaMonkey\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB929729)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (3.5.2)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
O2 Connection Manager-->MsiExec.exe /X{CE562EB7-1EF6-428D-9092-13296236C2DF}
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
Opera 9.64-->MsiExec.exe /X{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
Paint.NET v3.36-->MsiExec.exe /X{43602F34-1AA3-44FB-AEB2-D08C2C73743F}
PIXMA Extended Survey Program-->C:\Program Files\Canon\IJPLM\SETUP.EXE -R
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m -nrg2709
ScanSoft OmniPage SE 4-->MsiExec.exe /X{DEE88727-779B-47A9-ACEF-F87CA5F92A65}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shareaza 2.4.0.0-->"C:\Program Files\Shareaza\Uninstall\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Winbond CIR Device Drivers-->MsiExec.exe /I{10F498FF-5392-4DF3-8F73-FE172A9F3800}
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Mail-->MsiExec.exe /I{63C1109E-D977-49ED-BCE3-D00D0BF187D6}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Photo Gallery-->MsiExec.exe /X{3C52E7DA-C431-4239-B66B-1BF703D5B194}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Sync-->MsiExec.exe /X{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}

=====HijackThis Backups=====

O1 - Hosts: 91.121.97.18 thepiratebay.org [2009-08-28]
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab [2009-08-28]
O1 - Hosts: 91.121.97.18 www.thepiratebay.org [2009-08-28]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab [2009-08-28]
O17 - HKLM\System\CCS\Services\Tcpip\..\{99B85B05-02D1-4AA3-AA31-15832076CFF2}: NameServer = 158.43.192.1 158.43.128.1 [2009-08-28]
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DABA23E-0262-44A2-943C-9DD34EB5133F}: NameServer = 82.132.136.102 82.132.136.103 [2009-08-28]
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab [2009-08-28]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-08-28]
O1 - Hosts: ::1 localhost [2009-08-28]

======Hosts File======

127.0.0.1 jL.chura.pl

======Security center information======

AV: avast! antivirus 4.8.1335 [VPS 090723-0]
AS: Windows Defender (disabled)
AS: SUPERAntiSpyware
AS: avast! antivirus 4.8.1335 [VPS 090723-0]

======System event log======

Computer Name: Paul-PC
Event Code: 4386
Message: Windows Servicing required reboot to complete the process of changing update 959772-13_neutral_PACKAGE from package KB959772(Update) into Install Requested(Install Requested) state
Record Number: 10162
Source Name: Microsoft-Windows-Servicing
Time Written: 20090723135904.000000-000
Event Type: Warning
User: Paul-PC\Paul

Computer Name: Paul-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB959772(Update) into Install Requested(Install Requested) state
Record Number: 10161
Source Name: Microsoft-Windows-Servicing
Time Written: 20090723135904.000000-000
Event Type: Warning
User: Paul-PC\Paul

Computer Name: Paul-PC
Event Code: 4386
Message: Windows Servicing required reboot to complete the process of changing update 959772-8_neutral_GDR from package KB959772(Update) into Staging(Staging) state
Record Number: 10156
Source Name: Microsoft-Windows-Servicing
Time Written: 20090723135842.000000-000
Event Type: Warning
User: Paul-PC\Paul

Computer Name: Paul-PC
Event Code: 4386
Message: Windows Servicing required reboot to complete the process of changing update 959772-7_neutral_LDR from package KB959772(Update) into Staging(Staging) state
Record Number: 10155
Source Name: Microsoft-Windows-Servicing
Time Written: 20090723135842.000000-000
Event Type: Warning
User: Paul-PC\Paul

Computer Name: Paul-PC
Event Code: 4386
Message: Windows Servicing required reboot to complete the process of changing update 959772-9_neutral_PACKAGE from package KB959772(Update) into Staging(Staging) state
Record Number: 10154
Source Name: Microsoft-Windows-Servicing
Time Written: 20090723135842.000000-000
Event Type: Warning
User: Paul-PC\Paul

=====Application event log=====

Computer Name: Paul-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-916642685-2622426454-320001438-1000:
Process 472 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-916642685-2622426454-320001438-1000

Record Number: 75
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090722145043.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Paul-PC
Event Code: 1008
Message: Acquisition of Secure Processor Certificate failed. hr=0x80072EE7
Record Number: 67
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20090722124013.000000-000
Event Type: Error
User:

Computer Name: Paul-PC
Event Code: 8200
Message: License acquisition failure details.
hr=0x80072EE7
Record Number: 66
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20090722124013.000000-000
Event Type: Error
User:

Computer Name: Paul-PC
Event Code: 1008
Message: The Windows Search Service is attempting to remove the old catalog.

Record Number: 26
Source Name: Microsoft-Windows-Search
Time Written: 20090722115755.000000-000
Event Type: Warning
User:

Computer Name: 26L2233B2-12
Event Code: 1036
Message: InitializePrintProvider failed for provider inetpp.dll. This can occur because of system instability or a lack of system resources.
Record Number: 13
Source Name: Microsoft-Windows-SpoolerSpoolss
Time Written: 20090722115235.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: 26L2233B2-12
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: 26L2233B2-12$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x208
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 5
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090722115131.910547-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4902
Message: The Per-user audit policy table was created.

Number of Elements: 0
Policy ID: 0x4ab46
Record Number: 4
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090722115128.930928-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 0

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x4
Process Name:

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 3
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090722115127.636120-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4608
Message: Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Record Number: 2
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090722115127.636120-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4647
Message: User initiated logoff:

Subject:
Security ID: S-1-5-21-2365545147-1999384947-2466353664-500
Account Name: Administrator
Account Domain: 26L2233B2-12
Logon ID: 0x836ab

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Record Number: 1
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20061102130829.896800-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Acer\Empowering Technology\eDataSecurity\;C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86;C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

Logfile of random's system information tool 1.06 (written by random/random)
Run by Paul at 2009-08-31 13:47:24
Microsoft® Windows Vista™ Home Basic Service Pack 2
System drive C: has 125 GB (82%) free of 153 GB
Total RAM: 2936 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:47:27, on 31/08/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Opera\opera.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Users\Paul\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Paul.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1ca0c7974fda502) (gupdate1ca0c7974fda502) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

--
End of file - 4924 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Driver Robot.job
C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\User_Feed_Synchronization-{F7909061-3F6C-4921-96F2-A082AEEDEDC6}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-07-24 312928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}]
ShowBarObj Class - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll [2008-07-29 312880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-07-24 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-14 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll [2008-07-29 142896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-08-17 81000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-08-06 1847296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-04-03 1603152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-05-14 644696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax]
C:\Program Files\Innovative Solutions\DriverMax\devices.exe [2009-08-25 7924056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax_RESTART]
C:\Program Files\Innovative Solutions\DriverMax\devices.exe [2009-08-25 7924056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [2008-07-29 526896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe [2008-09-23 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\Windows\system32\hkcmd.exe [2008-12-23 178712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\Windows\system32\igfxtray.exe [2008-12-23 150040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE [2008-07-09 858632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2Start]
C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe [2008-10-10 2682880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe [2007-02-04 79400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\Windows\system32\igfxpers.exe [2008-12-23 154136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
C:\Windows\PLFSetI.exe [2007-10-23 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-05-26 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
C:\Windows\RtHDVCpl.exe [2008-04-28 6131712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
C:\Windows\Skytel.exe [2007-11-20 1847296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [2009-04-01 425984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-10-25 210472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-14 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-06-05 1033512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-07-24 198160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Paul^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Windows Updater.lnk]
C:\Users\Paul\AppData\Local\Temp\JDstart.exe [2009-08-27 174147]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-12-23 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe:*:Enabled:eDSfsu"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\encryption.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\encryption.exe:*:Enabled:encryption"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\decryption.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\decryption.exe:*:Enabled:decryption"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe:*:Enabled:eDSMgr"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe:*:Enabled:eDStbmngr"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe:*:Enabled:eDSfsu"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\encryption.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\encryption.exe:*:Enabled:encryption"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\decryption.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\decryption.exe:*:Enabled:decryption"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe:*:Enabled:eDSMgr"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe:*:Enabled:eDStbmngr"
"C:\Windows\system32\winlogon.exe"="C:\Windows\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
"C:\Windows\system32\wininit.exe"="C:\Windows\system32\wininit.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c0bb709-8caa-11de-9384-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c0bb721-8caa-11de-9384-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c0bb733-8caa-11de-9384-001e68ebdbd2}]
shell\AutoRun\command - F:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22b085e0-8cd2-11de-9577-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24c47908-8a6f-11de-906e-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24c47943-8a6f-11de-906e-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ac6ff02-8d80-11de-a8d9-001e68ebdbd2}]
shell\AutoRun\command - F:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f4777b2-8fd2-11de-ad22-001e68ebdbd2}]
shell\AutoRun\command - F:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b7bc0b0-8e39-11de-ab5c-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b7bc0b9-8e39-11de-ab5c-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{baf79f96-8a6d-11de-aea3-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf44c39e-8c4a-11de-a378-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf44c3b8-8c4a-11de-a378-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5219a43-76b5-11de-a02b-806e6f6e6963}]
shell\AutoRun\command - D:\Setup.Now.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff0aceb7-8d11-11de-93ba-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff0aced7-8d11-11de-93ba-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff0aced8-8d11-11de-93ba-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-08-31 13:47:24 ----D---- C:\rsit
2009-08-28 16:45:59 ----D---- C:\Program Files\Trend Micro
2009-08-28 00:30:09 ----D---- C:\Windows\pss
2009-08-27 17:10:15 ----D---- C:\Windows\system32\x64
2009-08-27 17:08:45 ----A---- C:\Windows\system32\oemdspif.dll
2009-08-27 17:08:44 ----A---- C:\Windows\system32\igfxtray.exe
2009-08-27 17:08:44 ----A---- C:\Windows\system32\igfxCoIn_v1624.dll
2009-08-27 17:08:43 ----A---- C:\Windows\system32\igfxsrvc.exe
2009-08-27 17:08:43 ----A---- C:\Windows\system32\igfxsrvc.dll
2009-08-27 17:08:40 ----A---- C:\Windows\system32\igfxress.dll
2009-08-27 17:08:39 ----A---- C:\Windows\system32\igfxpph.dll
2009-08-27 17:08:38 ----A---- C:\Windows\system32\igfxpers.exe
2009-08-27 17:08:38 ----A---- C:\Windows\system32\igfxext.exe
2009-08-27 17:08:38 ----A---- C:\Windows\system32\igfxexps.dll
2009-08-27 17:08:38 ----A---- C:\Windows\system32\igfxdo.dll
2009-08-27 17:08:37 ----A---- C:\Windows\system32\igfxcfg.exe
2009-08-27 17:08:36 ----A---- C:\Windows\system32\igd10umd32.dll
2009-08-27 17:08:34 ----A---- C:\Windows\system32\hkcmd.exe
2009-08-27 17:08:34 ----A---- C:\Windows\system32\hccutils.dll
2009-08-27 16:44:37 ----SHD---- C:\Windows\system32\%APPDATA%
2009-08-27 16:38:46 ----D---- C:\Program Files\Driver-Soft
2009-08-27 13:22:30 ----D---- C:\Program Files\Paint.NET
2009-08-26 14:44:16 ----D---- C:\Program Files\Innovative Solutions
2009-08-26 12:19:02 ----A---- C:\Windows\system32\tzres.dll
2009-08-26 12:17:58 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2009-08-26 12:17:58 ----A---- C:\Windows\system32\Apphlpdm.dll
2009-08-25 11:20:48 ----D---- C:\Program Files\ME Consultant Trial
2009-08-24 11:09:39 ----D---- C:\Windows\Minidump
2009-08-20 13:03:56 ----D---- C:\ProgramData\Novatel Wireless
2009-08-16 15:24:41 ----D---- C:\Users\Paul\AppData\Roaming\Tatara Systems
2009-08-16 15:19:16 ----D---- C:\ProgramData\O2CM-CE
2009-08-16 15:19:16 ----D---- C:\Program Files\O2CM-CE
2009-08-15 11:30:51 ----D---- C:\Program Files\EA GAMES
2009-08-12 18:08:39 ----A---- C:\Windows\system32\wdigest.dll
2009-08-12 18:08:39 ----A---- C:\Windows\system32\schannel.dll
2009-08-12 18:08:39 ----A---- C:\Windows\system32\msv1_0.dll
2009-08-12 18:08:39 ----A---- C:\Windows\system32\kerberos.dll
2009-08-12 18:08:38 ----A---- C:\Windows\system32\lsasrv.dll
2009-08-12 18:08:37 ----A---- C:\Windows\system32\secur32.dll
2009-08-12 18:08:37 ----A---- C:\Windows\system32\lsass.exe
2009-08-12 17:00:17 ----D---- C:\Program Files\softendo.com
2009-08-12 11:29:10 ----A---- C:\Windows\system32\atl.dll
2009-08-12 11:28:53 ----A---- C:\Windows\system32\wkssvc.dll
2009-08-12 11:28:51 ----A---- C:\Windows\system32\mstscax.dll
2009-08-12 11:28:49 ----A---- C:\Windows\system32\avifil32.dll
2009-08-12 11:28:43 ----A---- C:\Windows\system32\wmp.dll
2009-08-12 11:28:41 ----A---- C:\Windows\system32\wmpdxm.dll
2009-08-12 11:28:41 ----A---- C:\Windows\system32\dxmasf.dll
2009-08-12 11:28:40 ----A---- C:\Windows\system32\wmploc.DLL
2009-08-12 11:28:40 ----A---- C:\Windows\system32\spwmp.dll
2009-08-11 12:16:19 ----AD---- C:\ProgramData\TEMP
2009-08-11 11:48:04 ----D---- C:\Windows\BUVC_AP
2009-08-11 11:47:22 ----A---- C:\Windows\Image.dll
2009-08-11 11:47:22 ----A---- C:\Windows\Acer Crystal Eye webcam.EXE
2009-08-08 15:45:04 ----D---- C:\Users\Paul\AppData\Roaming\Autodesk
2009-08-08 15:45:04 ----D---- C:\ProgramData\Autodesk
2009-08-04 12:59:31 ----D---- C:\Users\Paul\AppData\Roaming\WinRAR
2009-08-04 12:59:06 ----D---- C:\Program Files\WinRAR

======List of files/folders modified in the last 1 months======

2009-08-31 13:47:26 ----D---- C:\Windows\Temp
2009-08-31 13:44:28 ----D---- C:\Windows\System32
2009-08-31 13:44:28 ----D---- C:\Windows\inf
2009-08-31 13:44:28 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-08-31 12:44:22 ----D---- C:\Windows\Tasks
2009-08-28 17:43:45 ----D---- C:\Windows
2009-08-28 17:34:47 ----SHD---- C:\System Volume Information
2009-08-28 17:25:45 ----D---- C:\Windows\Prefetch
2009-08-28 17:24:11 ----SHD---- C:\$Recycle.Bin
2009-08-28 17:23:47 ----RD---- C:\Users
2009-08-28 17:01:46 ----D---- C:\Windows\system32\drivers
2009-08-28 16:48:53 ----SD---- C:\Windows\Downloaded Program Files
2009-08-28 16:45:59 ----RD---- C:\Program Files
2009-08-28 16:40:58 ----D---- C:\Windows\rescache
2009-08-28 00:29:03 ----D---- C:\Windows\system32\WDI
2009-08-27 17:17:42 ----D---- C:\Windows\system32\Tasks
2009-08-27 17:09:44 ----D---- C:\Windows\system32\catroot
2009-08-27 13:23:24 ----RSD---- C:\Windows\assembly
2009-08-27 13:23:09 ----SHD---- C:\Windows\Installer
2009-08-27 13:23:03 ----D---- C:\Windows\winsxs
2009-08-26 15:09:37 ----D---- C:\Windows\system32\en-US
2009-08-26 15:09:37 ----D---- C:\Windows\AppPatch
2009-08-26 12:19:38 ----D---- C:\Windows\system32\catroot2
2009-08-26 12:18:37 ----D---- C:\Program Files\Internet Explorer
2009-08-24 10:56:47 ----D---- C:\Windows\ModemLogs
2009-08-20 23:33:36 ----HD---- C:\ProgramData
2009-08-20 12:27:20 ----D---- C:\Windows\Debug
2009-08-19 16:18:03 ----HD---- C:\Windows\system32\GroupPolicy
2009-08-17 18:12:05 ----HD---- C:\Program Files\InstallShield Installation Information
2009-08-17 17:10:20 ----A---- C:\Windows\system32\aswBoot.exe
2009-08-14 11:53:58 ----A---- C:\Windows\system32\javaws.exe
2009-08-14 11:53:58 ----A---- C:\Windows\system32\javaw.exe
2009-08-14 11:53:58 ----A---- C:\Windows\system32\java.exe
2009-08-14 11:53:58 ----A---- C:\Windows\system32\deploytk.dll
2009-08-12 18:01:38 ----D---- C:\Program Files\Windows Media Player
2009-08-12 14:07:50 ----D---- C:\Users\Paul\AppData\Roaming\Any Video Converter
2009-08-12 12:02:02 ----D---- C:\Program Files\Windows Mail
2009-08-11 11:48:04 ----D---- C:\Windows\twain_32
2009-08-11 11:31:04 ----D---- C:\Program Files\Common Files
2009-08-08 15:28:55 ----D---- C:\Program Files\Common Files\microsoft shared
2009-08-06 23:40:10 ----D---- C:\Program Files\SUPERAntiSpyware
2009-08-05 14:41:04 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-08-05 14:37:50 ----D---- C:\Windows\Logs
2009-08-04 12:31:11 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-04 12:30:15 ----D---- C:\Program Files\Mozilla Firefox

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2009-08-17 23152]
R1 aswSP;avast! Self Protection; C:\Windows\system32\drivers\aswSP.sys [2009-08-17 114768]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2009-08-17 51376]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-06-23 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-06 74480]
R2 Aspi32;Aspi32; C:\Windows\system32\drivers\Aspi32.sys [1999-09-10 25244]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\DRIVERS\aswFsBlk.sys [2009-08-17 20560]
R2 aswMonFlt;aswMonFlt; C:\Windows\system32\DRIVERS\aswMonFlt.sys [2009-08-17 53328]
R2 int15;int15; \??\C:\Windows\system32\drivers\int15.sys [2008-08-19 15392]
R2 PSDNServ;PSDNServ; C:\Windows\system32\DRIVERS\PSDNServ.sys [2008-07-29 16944]
R2 psdvdisk;PSDVdisk; C:\Windows\system32\DRIVERS\PSDVdisk.sys [2008-07-29 60464]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2008-07-22 1202560]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-02-23 244736]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2008-07-09 21264]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-12-23 2476032]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-04-28 2127512]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI; C:\Windows\system32\drivers\IntcHdmi.sys [2008-07-22 113664]
R3 JMCR;JMCR; C:\Windows\system32\DRIVERS\jmcr.sys [2008-04-08 81296]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw5v32.sys [2009-05-28 4233728]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-06-05 196784]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-19 134016]
R3 winbondcir;Winbond IR Transceiver; C:\Windows\system32\DRIVERS\winbondcir.sys [2007-03-28 43008]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\Windows\system32\DRIVERS\ewusbmdm.sys [2008-08-22 101504]
S3 mod7700;DiBcom based TV tuner device; C:\Windows\system32\DRIVERS\mod7700.sys [2009-03-12 779904]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 s116bus;Sony Ericsson Device 116 driver (WDM); C:\Windows\system32\DRIVERS\s116bus.sys [2007-04-03 83336]
S3 s116nd5;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS); C:\Windows\system32\DRIVERS\s116nd5.sys [2007-04-03 23176]
S3 s116unic;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM); C:\Windows\system32\DRIVERS\s116unic.sys [2007-04-03 99080]
S3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2006-11-02 82432]
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM); C:\Windows\system32\DRIVERS\SE27bus.sys [2006-05-15 61600]
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter; C:\Windows\system32\DRIVERS\SE27mdfl.sys [2006-05-15 9360]
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver; C:\Windows\system32\DRIVERS\SE27mdm.sys [2006-05-15 97184]
S3 SE27mgmt;Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM); C:\Windows\system32\DRIVERS\SE27mgmt.sys [2006-05-15 88688]
S3 se27nd5;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS); C:\Windows\system32\DRIVERS\se27nd5.sys [2006-05-15 18704]
S3 SE27obex;Sony Ericsson Device 039 USB WMC OBEX Interface; C:\Windows\system32\DRIVERS\SE27obex.sys [2006-05-15 86560]
S3 se27unic;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM); C:\Windows\system32\DRIVERS\se27unic.sys [2006-05-15 90800]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Windows\system32\agrsmsvc.exe [2008-07-22 13312]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-08-17 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-08-17 138680]
R2 eDataSecurity Service;eDataSecurity Service; C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe [2008-07-29 500784]
R2 ETService;Empowering Technology Service; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [2008-08-19 24576]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [2008-04-30 815104]
R2 IJPLMSVC;PIXMA Extended Survey Program; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [2008-04-30 466944]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-08-17 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-08-17 352920]
S2 gupdate1ca0c7974fda502;Google Update Service (gupdate1ca0c7974fda502); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-24 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-24 190448]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2009-03-30 31048]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 90112]

-----------------EOF-----------------

GMER 1.0.15.15077 [9qolmjh1.exe] - http://www.gmer.net
Rootkit scan 2009-08-31 14:20:20
Windows 6.0.6002 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8EBD10B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 621 820F8D64 4 Bytes [B0, 10, BD, 8E]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.reloc C:\Windows\Explorer.EXE[3692] C:\Windows\Explorer.EXE section is executable [0x012C7000, 0xAC00, 0xE0000040]
.reloc C:\Windows\Explorer.EXE[3692] C:\Windows\Explorer.EXE entry point in ".reloc" section [0x012D1B6A]
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\Explorer.EXE[3692] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C9 76B4B364 4 Bytes [00, 26, 00, 10] {ADD [ESI], AH; ADD [EAX], DL}
.text C:\Windows\Explorer.EXE[3692] SHELL32.dll!ShellExecuteExW + 18B7 76B7D9EC 4 Bytes [10, 1B, 00, 10] {ADC [EBX], BL; ADD [EAX], DL}
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[636] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00400002
IAT C:\Windows\system32\services.exe[636] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00400000
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73B57817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73BAA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73B5BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73B4F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73B575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73B4E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73B88395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73B5DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73B4FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73B4FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73B471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73BDCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73B7C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73B4D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B46853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B4687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73B52AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B30] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs psdfilter.sys (Acer eDataSecurity Management PSD Filter Driver/Egis Incorporated)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat psdfilter.sys (Acer eDataSecurity Management PSD Filter Driver/Egis Incorporated)

---- Services - GMER 1.0.15 ----

Service system32\drivers\kbiwkmbtywtxnq.sys (*** hidden *** ) [SYSTEM] kbiwkmoxrwcprr <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@imagepath \systemroot\system32\drivers\kbiwkmbtywtxnq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmoxrwcprr@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmoxrwcprr@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmoxrwcprr@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmoxrwcprr@imagepath \systemroot\system32\drivers\kbiwkmbtywtxnq.sys
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABD5D1B-A4F7-A202-7D5C-063FF59F5347}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABD5D1B-A4F7-A202-7D5C-063FF59F5347}@hakohnkmbcelelii 0x6A 0x61 0x61 0x6C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABD5D1B-A4F7-A202-7D5C-063FF59F5347}@iaekbpmhcfdbnncfpl 0x6A 0x61 0x61 0x6C ...

---- EOF - GMER 1.0.15 ----




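The GMER output above ends with a service that GMER cannot see through the normal service enumeration (the "*** hidden ***" line), plus the registry values it dug out for that service and, further up, a set of IAT entries in Explorer.EXE that resolve to a module other than the DLL being imported. The script below is an added example, not part of the poster's logs and not GMER's own code: it parses GMER 1.0.15 text lines in the format shown, joins each hidden service with its registry values (merging CurrentControlSet and ControlSet00N, since CurrentControlSet is a link to one of them), decodes the Type/Start values, and lists IAT hooks whose resolved module differs from the imported DLL. The embedded sample log is constructed for the example; its service, driver and module names are copied from the log above, but the selection and order of lines are an abridgement, not a second scan. Section headers and the "(*** hidden *** )" wording are assumed to be stable GMER output.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER code).

Reports (a) services GMER marks as hidden, joined with the registry values
it dumped for them, and (b) IAT entries whose resolved module is not the
DLL named in the import, i.e. the hooks an analyst should look at next.
"""

import ntpath
import re
from collections import defaultdict

# Constructed sample in GMER's line format; names copied from the posted log.
SAMPLE_LOG = r"""
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B46853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)

---- Services - GMER 1.0.15 ----

Service system32\drivers\kbiwkmbtywtxnq.sys (*** hidden *** ) [SYSTEM] kbiwkmoxrwcprr <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@imagepath \systemroot\system32\drivers\kbiwkmbtywtxnq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmoxrwcprr@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmoxrwcprr@imagepath \systemroot\system32\drivers\kbiwkmbtywtxnq.sys

---- EOF - GMER 1.0.15 ----
"""

HIDDEN_SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[(?P<state>[^\]]+)\]\s+(?P<name>\S+)"
)
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)@(?P<value>\S+)\s*(?P<data>.*?)\s*$")
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?\[\d+\])\s+@\s+(?P<module>\S+)\s+"
    r"\[(?P<import_dll>[^!\]]+)!(?P<function>[^\]]+)\]\s+\[(?P<address>[0-9A-Fa-f]+)\]\s+"
    r"(?P<target>.+?)\s+\((?P<description>[^)]*)\)\s*$"
)

# Service Type / Start values as stored in the Services registry key.
SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}


def parse_gmer(text):
    """Split a GMER log into hidden-service lines, registry values and IAT lines."""
    services, regs, iats = [], defaultdict(dict), []
    for line in text.splitlines():
        line = line.strip()
        if m := HIDDEN_SERVICE_RE.match(line):
            services.append(m.groupdict())
        elif m := REG_RE.match(line):
            regs[m["key"].lower()][m["value"].lower()] = m["data"]
        elif m := IAT_RE.match(line):
            iats.append(m.groupdict())
    return services, regs, iats


def _int_or_none(s):
    try:
        return int(s, 0)  # GMER prints decimal or 0x-prefixed hex
    except ValueError:
        return None


def hidden_services(text):
    """Hidden services with their decoded registry values, one entry per service name."""
    services, regs, _ = parse_gmer(text)
    out = []
    for svc in services:
        name = svc["name"]
        values = {}
        # CurrentControlSet links to a ControlSet00N key, so the same service
        # shows up under both paths; merge them instead of counting twice.
        for key, vals in regs.items():
            if key.endswith("\\services\\" + name.lower()):
                values.update(vals)
        svc_type = _int_or_none(values.get("type", ""))
        start = _int_or_none(values.get("start", ""))
        imagepath = values.get("imagepath", "")
        out.append({
            "name": name,
            "image": svc["image"],
            "type": SERVICE_TYPES.get(svc_type, svc_type),
            "start": START_TYPES.get(start, start),
            "group": values.get("group"),
            "imagepath": imagepath,
            # The service line and the ImagePath value should name the same driver file.
            "image_matches_registry": ntpath.basename(imagepath).lower()
                                      == ntpath.basename(svc["image"]).lower(),
        })
    return out


def redirected_iat_hooks(text):
    """IAT entries whose resolved module differs from the DLL named in the import."""
    _, _, iats = parse_gmer(text)
    flagged = []
    for h in iats:
        expected = h["import_dll"].lower()
        actual = ntpath.basename(h["target"]).lower()
        if expected != actual:
            flagged.append({**h, "expected_module": expected, "resolved_module": actual})
    return flagged


def report(text):
    lines = []
    for s in hidden_services(text):
        lines.append(f"hidden service {s['name']}: {s['type']} / {s['start']} / group={s['group']}")
        lines.append(f"  image {s['image']}  ImagePath {s['imagepath']}  "
                     f"({'consistent' if s['image_matches_registry'] else 'MISMATCH'})")
    for h in redirected_iat_hooks(text):
        lines.append(f"IAT {h['module']} {h['import_dll']}!{h['function']} -> {h['target']} ({h['description']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample it prints one hidden service (a kernel driver, system-start, in the "file system" load group, whose ImagePath agrees with the file GMER found) and one redirected import (KERNEL32.dll!LoadLibraryA in SHELL32.dll resolving into PSDProtect.dll). The redirect check only says where a hook lands, not whether it is hostile: in this log the hooks land in a vendor module that GMER attributes to Egis Inc., so they need the same treatment as any third-party hook, namely verifying the file and its signature rather than assuming either way.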
Here is a copy of the two scans that you asked for, thank you.



info.txt logfile of random's system information tool 1.06 2009-08-31 13:47:28

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
Acer Crystal Eye Webcam 2.0.8-->C:\Program Files\InstallShield Installation Information\{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer Crystal Eye webcam Ver:1.1.59.528-->C:\Program Files\InstallShield Installation Information\{D0ACE89D-EC7F-470F-80BE-4C98ED366B32}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer Crystal Eye Webcam-->C:\Program Files\InstallShield Installation Information\{DD1DED37-2486-4F56-8F89-56AA814003F5}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer eDataSecurity Management-->C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSnstHelper.exe -Operation UNINSTALL
Acer Empowering Technology-->"C:\Program Files\InstallShield Installation Information\{8F1B6239-FEA0-450A-A950-B05276CE177C}\setup.exe" -runfromtemp -l0x0009 -removeonly
Acer ePower Management-->"C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\setup.exe" -runfromtemp -l0x0009 -removeonly
Acer eSettings Management-->"C:\Program Files\InstallShield Installation Information\{13D85C14-2B85-419F-AC41-C7F21E68B25D}\setup.exe" -runfromtemp -l0x0009 -removeonly
Acrobat.com-->MsiExec.exe /X{287ECFA4-719A-2143-A09B-D6A12DE54E40}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Shockwave Player 11.5-->"C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe"
Agere Systems HDA Modem-->agrsmdel
Any Video Converter 2.7.6-->"C:\Program Files\Any Video Converter\unins000.exe"
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BobCAD-CAM V23-->"C:\Program Files\InstallShield Installation Information\{66A00BD2-21AE-4712-9D88-6B0F45BEAE76}\setup.exe" -runfromtemp -l0x0009 -removeonly
Canon MP Navigator EX 1.0-->"C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Canon MP220 series User Registration-->C:\Program Files\Canon\IJEREG\MP220 series\UNINST.EXE
Canon MP220 series-->"C:\Windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP220_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP220_series /L0x0009
Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint EX-->C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities Solution Menu-->C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Driver Genius Professional Edition-->"C:\Program Files\Driver-Soft\DriverGenius\unins000.exe"
DriverMax 5-->"C:\Program Files\Innovative Solutions\DriverMax\unins000.exe"
FileHippo.com Update Checker-->"C:\Program Files\FileHippo.com\uninstall.exe"
Google Earth-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel PROSet Wireless-->Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
Intel® Processor ID Utility-->MsiExec.exe /X{A92A4DB0-CD37-42D1-BE1D-603D53C24328}
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011F0}
Java™ 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
JMicron JMB38X Flash Media Controller-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{26604C7E-A313-4D12-867F-7C6E7820BE4C}\setup.exe" -l0x9 -removeonly
Junk Mail filter update-->MsiExec.exe /I{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}
Launch Manager-->C:\Windows\UnInst32.exe QtZgAcer.UNI
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
ME Consultant Standard v1.41 Trial-->"C:\Program Files\ME Consultant Trial\unins000.exe"
Medal of Honor Pacific Assault™ Patch2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{824539D7-D27E-4CC3-B36F-6404B5EB726B}\setup.exe" -l0x9 -removeonly
Medal of Honor Pacific Assault™-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56CFA833-F44F-4199-8C58-7F8B38F2BC7B}\setup.exe" -l0x9 -removeonly
MediaMonkey 3.1-->"C:\Program Files\MediaMonkey\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB929729)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (3.5.2)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
O2 Connection Manager-->MsiExec.exe /X{CE562EB7-1EF6-428D-9092-13296236C2DF}
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
Opera 9.64-->MsiExec.exe /X{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
Paint.NET v3.36-->MsiExec.exe /X{43602F34-1AA3-44FB-AEB2-D08C2C73743F}
PIXMA Extended Survey Program-->C:\Program Files\Canon\IJPLM\SETUP.EXE -R
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m -nrg2709
ScanSoft OmniPage SE 4-->MsiExec.exe /X{DEE88727-779B-47A9-ACEF-F87CA5F92A65}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shareaza 2.4.0.0-->"C:\Program Files\Shareaza\Uninstall\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Winbond CIR Device Drivers-->MsiExec.exe /I{10F498FF-5392-4DF3-8F73-FE172A9F3800}
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Mail-->MsiExec.exe /I{63C1109E-D977-49ED-BCE3-D00D0BF187D6}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Photo Gallery-->MsiExec.exe /X{3C52E7DA-C431-4239-B66B-1BF703D5B194}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Sync-->MsiExec.exe /X{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}

=====HijackThis Backups=====

O1 - Hosts: 91.121.97.18 thepiratebay.org [2009-08-28]
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab [2009-08-28]
O1 - Hosts: 91.121.97.18 www.thepiratebay.org [2009-08-28]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab [2009-08-28]
O17 - HKLM\System\CCS\Services\Tcpip\..\{99B85B05-02D1-4AA3-AA31-15832076CFF2}: NameServer = 158.43.192.1 158.43.128.1 [2009-08-28]
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DABA23E-0262-44A2-943C-9DD34EB5133F}: NameServer = 82.132.136.102 82.132.136.103 [2009-08-28]
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab [2009-08-28]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-08-28]
O1 - Hosts: ::1 localhost [2009-08-28]

======Hosts File======

127.0.0.1 jL.chura.pl

======Security center information======

AV: avast! antivirus 4.8.1335 [VPS 090723-0]
AS: Windows Defender (disabled)
AS: SUPERAntiSpyware
AS: avast! antivirus 4.8.1335 [VPS 090723-0]

======System event log======

Computer Name: Paul-PC
Event Code: 4386
Message: Windows Servicing required reboot to complete the process of changing update 959772-13_neutral_PACKAGE from package KB959772(Update) into Install Requested(Install Requested) state
Record Number: 10162
Source Name: Microsoft-Windows-Servicing
Time Written: 20090723135904.000000-000
Event Type: Warning
User: Paul-PC\Paul

Computer Name: Paul-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB959772(Update) into Install Requested(Install Requested) state
Record Number: 10161
Source Name: Microsoft-Windows-Servicing
Time Written: 20090723135904.000000-000
Event Type: Warning
User: Paul-PC\Paul

Computer Name: Paul-PC
Event Code: 4386
Message: Windows Servicing required reboot to complete the process of changing update 959772-8_neutral_GDR from package KB959772(Update) into Staging(Staging) state
Record Number: 10156
Source Name: Microsoft-Windows-Servicing
Time Written: 20090723135842.000000-000
Event Type: Warning
User: Paul-PC\Paul

Computer Name: Paul-PC
Event Code: 4386
Message: Windows Servicing required reboot to complete the process of changing update 959772-7_neutral_LDR from package KB959772(Update) into Staging(Staging) state
Record Number: 10155
Source Name: Microsoft-Windows-Servicing
Time Written: 20090723135842.000000-000
Event Type: Warning
User: Paul-PC\Paul

Computer Name: Paul-PC
Event Code: 4386
Message: Windows Servicing required reboot to complete the process of changing update 959772-9_neutral_PACKAGE from package KB959772(Update) into Staging(Staging) state
Record Number: 10154
Source Name: Microsoft-Windows-Servicing
Time Written: 20090723135842.000000-000
Event Type: Warning
User: Paul-PC\Paul

=====Application event log=====

Computer Name: Paul-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-916642685-2622426454-320001438-1000:
Process 472 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-916642685-2622426454-320001438-1000

Record Number: 75
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090722145043.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Paul-PC
Event Code: 1008
Message: Acquisition of Secure Processor Certificate failed. hr=0x80072EE7
Record Number: 67
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20090722124013.000000-000
Event Type: Error
User:

Computer Name: Paul-PC
Event Code: 8200
Message: License acquisition failure details.
hr=0x80072EE7
Record Number: 66
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20090722124013.000000-000
Event Type: Error
User:

Computer Name: Paul-PC
Event Code: 1008
Message: The Windows Search Service is attempting to remove the old catalog.

Record Number: 26
Source Name: Microsoft-Windows-Search
Time Written: 20090722115755.000000-000
Event Type: Warning
User:

Computer Name: 26L2233B2-12
Event Code: 1036
Message: InitializePrintProvider failed for provider inetpp.dll. This can occur because of system instability or a lack of system resources.
Record Number: 13
Source Name: Microsoft-Windows-SpoolerSpoolss
Time Written: 20090722115235.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: 26L2233B2-12
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: 26L2233B2-12$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x208
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 5
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090722115131.910547-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4902
Message: The Per-user audit policy table was created.

Number of Elements: 0
Policy ID: 0x4ab46
Record Number: 4
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090722115128.930928-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 0

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x4
Process Name:

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 3
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090722115127.636120-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4608
Message: Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Record Number: 2
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090722115127.636120-000
Event Type: Audit Success
User:

Computer Name: 26L2233B2-12
Event Code: 4647
Message: User initiated logoff:

Subject:
Security ID: S-1-5-21-2365545147-1999384947-2466353664-500
Account Name: Administrator
Account Domain: 26L2233B2-12
Logon ID: 0x836ab

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Record Number: 1
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20061102130829.896800-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Acer\Empowering Technology\eDataSecurity\;C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86;C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

Logfile of random's system information tool 1.06 (written by random/random)
Run by Paul at 2009-08-31 13:47:24
Microsoft® Windows Vista™ Home Basic Service Pack 2
System drive C: has 125 GB (82%) free of 153 GB
Total RAM: 2936 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:47:27, on 31/08/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Opera\opera.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Users\Paul\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Paul.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1ca0c7974fda502) (gupdate1ca0c7974fda502) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

--
End of file - 4924 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Driver Robot.job
C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\User_Feed_Synchronization-{F7909061-3F6C-4921-96F2-A082AEEDEDC6}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-07-24 312928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}]
ShowBarObj Class - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll [2008-07-29 312880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-07-24 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-14 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll [2008-07-29 142896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-08-17 81000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-08-06 1847296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-04-03 1603152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-05-14 644696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax]
C:\Program Files\Innovative Solutions\DriverMax\devices.exe [2009-08-25 7924056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax_RESTART]
C:\Program Files\Innovative Solutions\DriverMax\devices.exe [2009-08-25 7924056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [2008-07-29 526896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe [2008-09-23 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\Windows\system32\hkcmd.exe [2008-12-23 178712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\Windows\system32\igfxtray.exe [2008-12-23 150040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE [2008-07-09 858632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2Start]
C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe [2008-10-10 2682880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe [2007-02-04 79400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\Windows\system32\igfxpers.exe [2008-12-23 154136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
C:\Windows\PLFSetI.exe [2007-10-23 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-05-26 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
C:\Windows\RtHDVCpl.exe [2008-04-28 6131712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
C:\Windows\Skytel.exe [2007-11-20 1847296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [2009-04-01 425984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-10-25 210472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-14 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-06-05 1033512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-07-24 198160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Paul^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Windows Updater.lnk]
C:\Users\Paul\AppData\Local\Temp\JDstart.exe [2009-08-27 174147]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-12-23 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe:*:Enabled:eDSfsu"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\encryption.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\encryption.exe:*:Enabled:encryption"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\decryption.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\decryption.exe:*:Enabled:decryption"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe:*:Enabled:eDSMgr"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe:*:Enabled:eDStbmngr"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe:*:Enabled:eDSfsu"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\encryption.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\encryption.exe:*:Enabled:encryption"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\decryption.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\decryption.exe:*:Enabled:decryption"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe:*:Enabled:eDSMgr"
"C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe"="C:\Program Files\Acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe:*:Enabled:eDStbmngr"
"C:\Windows\system32\winlogon.exe"="C:\Windows\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
"C:\Windows\system32\wininit.exe"="C:\Windows\system32\wininit.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c0bb709-8caa-11de-9384-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c0bb721-8caa-11de-9384-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c0bb733-8caa-11de-9384-001e68ebdbd2}]
shell\AutoRun\command - F:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22b085e0-8cd2-11de-9577-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24c47908-8a6f-11de-906e-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24c47943-8a6f-11de-906e-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ac6ff02-8d80-11de-a8d9-001e68ebdbd2}]
shell\AutoRun\command - F:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f4777b2-8fd2-11de-ad22-001e68ebdbd2}]
shell\AutoRun\command - F:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b7bc0b0-8e39-11de-ab5c-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b7bc0b9-8e39-11de-ab5c-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{baf79f96-8a6d-11de-aea3-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf44c39e-8c4a-11de-a378-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf44c3b8-8c4a-11de-a378-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5219a43-76b5-11de-a02b-806e6f6e6963}]
shell\AutoRun\command - D:\Setup.Now.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff0aceb7-8d11-11de-93ba-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff0aced7-8d11-11de-93ba-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff0aced8-8d11-11de-93ba-001e68ebdbd2}]
shell\AutoRun\command - E:\AUTORUN.EXE


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-08-31 13:47:24 ----D---- C:\rsit
2009-08-28 16:45:59 ----D---- C:\Program Files\Trend Micro
2009-08-28 00:30:09 ----D---- C:\Windows\pss
2009-08-27 17:10:15 ----D---- C:\Windows\system32\x64
2009-08-27 17:08:45 ----A---- C:\Windows\system32\oemdspif.dll
2009-08-27 17:08:44 ----A---- C:\Windows\system32\igfxtray.exe
2009-08-27 17:08:44 ----A---- C:\Windows\system32\igfxCoIn_v1624.dll
2009-08-27 17:08:43 ----A---- C:\Windows\system32\igfxsrvc.exe
2009-08-27 17:08:43 ----A---- C:\Windows\system32\igfxsrvc.dll
2009-08-27 17:08:40 ----A---- C:\Windows\system32\igfxress.dll
2009-08-27 17:08:39 ----A---- C:\Windows\system32\igfxpph.dll
2009-08-27 17:08:38 ----A---- C:\Windows\system32\igfxpers.exe
2009-08-27 17:08:38 ----A---- C:\Windows\system32\igfxext.exe
2009-08-27 17:08:38 ----A---- C:\Windows\system32\igfxexps.dll
2009-08-27 17:08:38 ----A---- C:\Windows\system32\igfxdo.dll
2009-08-27 17:08:37 ----A---- C:\Windows\system32\igfxcfg.exe
2009-08-27 17:08:36 ----A---- C:\Windows\system32\igd10umd32.dll
2009-08-27 17:08:34 ----A---- C:\Windows\system32\hkcmd.exe
2009-08-27 17:08:34 ----A---- C:\Windows\system32\hccutils.dll
2009-08-27 16:44:37 ----SHD---- C:\Windows\system32\%APPDATA%
2009-08-27 16:38:46 ----D---- C:\Program Files\Driver-Soft
2009-08-27 13:22:30 ----D---- C:\Program Files\Paint.NET
2009-08-26 14:44:16 ----D---- C:\Program Files\Innovative Solutions
2009-08-26 12:19:02 ----A---- C:\Windows\system32\tzres.dll
2009-08-26 12:17:58 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2009-08-26 12:17:58 ----A---- C:\Windows\system32\Apphlpdm.dll
2009-08-25 11:20:48 ----D---- C:\Program Files\ME Consultant Trial
2009-08-24 11:09:39 ----D---- C:\Windows\Minidump
2009-08-20 13:03:56 ----D---- C:\ProgramData\Novatel Wireless
2009-08-16 15:24:41 ----D---- C:\Users\Paul\AppData\Roaming\Tatara Systems
2009-08-16 15:19:16 ----D---- C:\ProgramData\O2CM-CE
2009-08-16 15:19:16 ----D---- C:\Program Files\O2CM-CE
2009-08-15 11:30:51 ----D---- C:\Program Files\EA GAMES
2009-08-12 18:08:39 ----A---- C:\Windows\system32\wdigest.dll
2009-08-12 18:08:39 ----A---- C:\Windows\system32\schannel.dll
2009-08-12 18:08:39 ----A---- C:\Windows\system32\msv1_0.dll
2009-08-12 18:08:39 ----A---- C:\Windows\system32\kerberos.dll
2009-08-12 18:08:38 ----A---- C:\Windows\system32\lsasrv.dll
2009-08-12 18:08:37 ----A---- C:\Windows\system32\secur32.dll
2009-08-12 18:08:37 ----A---- C:\Windows\system32\lsass.exe
2009-08-12 17:00:17 ----D---- C:\Program Files\softendo.com
2009-08-12 11:29:10 ----A---- C:\Windows\system32\atl.dll
2009-08-12 11:28:53 ----A---- C:\Windows\system32\wkssvc.dll
2009-08-12 11:28:51 ----A---- C:\Windows\system32\mstscax.dll
2009-08-12 11:28:49 ----A---- C:\Windows\system32\avifil32.dll
2009-08-12 11:28:43 ----A---- C:\Windows\system32\wmp.dll
2009-08-12 11:28:41 ----A---- C:\Windows\system32\wmpdxm.dll
2009-08-12 11:28:41 ----A---- C:\Windows\system32\dxmasf.dll
2009-08-12 11:28:40 ----A---- C:\Windows\system32\wmploc.DLL
2009-08-12 11:28:40 ----A---- C:\Windows\system32\spwmp.dll
2009-08-11 12:16:19 ----AD---- C:\ProgramData\TEMP
2009-08-11 11:48:04 ----D---- C:\Windows\BUVC_AP
2009-08-11 11:47:22 ----A---- C:\Windows\Image.dll
2009-08-11 11:47:22 ----A---- C:\Windows\Acer Crystal Eye webcam.EXE
2009-08-08 15:45:04 ----D---- C:\Users\Paul\AppData\Roaming\Autodesk
2009-08-08 15:45:04 ----D---- C:\ProgramData\Autodesk
2009-08-04 12:59:31 ----D---- C:\Users\Paul\AppData\Roaming\WinRAR
2009-08-04 12:59:06 ----D---- C:\Program Files\WinRAR

======List of files/folders modified in the last 1 months======

2009-08-31 13:47:26 ----D---- C:\Windows\Temp
2009-08-31 13:44:28 ----D---- C:\Windows\System32
2009-08-31 13:44:28 ----D---- C:\Windows\inf
2009-08-31 13:44:28 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-08-31 12:44:22 ----D---- C:\Windows\Tasks
2009-08-28 17:43:45 ----D---- C:\Windows
2009-08-28 17:34:47 ----SHD---- C:\System Volume Information
2009-08-28 17:25:45 ----D---- C:\Windows\Prefetch
2009-08-28 17:24:11 ----SHD---- C:\$Recycle.Bin
2009-08-28 17:23:47 ----RD---- C:\Users
2009-08-28 17:01:46 ----D---- C:\Windows\system32\drivers
2009-08-28 16:48:53 ----SD---- C:\Windows\Downloaded Program Files
2009-08-28 16:45:59 ----RD---- C:\Program Files
2009-08-28 16:40:58 ----D---- C:\Windows\rescache
2009-08-28 00:29:03 ----D---- C:\Windows\system32\WDI
2009-08-27 17:17:42 ----D---- C:\Windows\system32\Tasks
2009-08-27 17:09:44 ----D---- C:\Windows\system32\catroot
2009-08-27 13:23:24 ----RSD---- C:\Windows\assembly
2009-08-27 13:23:09 ----SHD---- C:\Windows\Installer
2009-08-27 13:23:03 ----D---- C:\Windows\winsxs
2009-08-26 15:09:37 ----D---- C:\Windows\system32\en-US
2009-08-26 15:09:37 ----D---- C:\Windows\AppPatch
2009-08-26 12:19:38 ----D---- C:\Windows\system32\catroot2
2009-08-26 12:18:37 ----D---- C:\Program Files\Internet Explorer
2009-08-24 10:56:47 ----D---- C:\Windows\ModemLogs
2009-08-20 23:33:36 ----HD---- C:\ProgramData
2009-08-20 12:27:20 ----D---- C:\Windows\Debug
2009-08-19 16:18:03 ----HD---- C:\Windows\system32\GroupPolicy
2009-08-17 18:12:05 ----HD---- C:\Program Files\InstallShield Installation Information
2009-08-17 17:10:20 ----A---- C:\Windows\system32\aswBoot.exe
2009-08-14 11:53:58 ----A---- C:\Windows\system32\javaws.exe
2009-08-14 11:53:58 ----A---- C:\Windows\system32\javaw.exe
2009-08-14 11:53:58 ----A---- C:\Windows\system32\java.exe
2009-08-14 11:53:58 ----A---- C:\Windows\system32\deploytk.dll
2009-08-12 18:01:38 ----D---- C:\Program Files\Windows Media Player
2009-08-12 14:07:50 ----D---- C:\Users\Paul\AppData\Roaming\Any Video Converter
2009-08-12 12:02:02 ----D---- C:\Program Files\Windows Mail
2009-08-11 11:48:04 ----D---- C:\Windows\twain_32
2009-08-11 11:31:04 ----D---- C:\Program Files\Common Files
2009-08-08 15:28:55 ----D---- C:\Program Files\Common Files\microsoft shared
2009-08-06 23:40:10 ----D---- C:\Program Files\SUPERAntiSpyware
2009-08-05 14:41:04 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-08-05 14:37:50 ----D---- C:\Windows\Logs
2009-08-04 12:31:11 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-04 12:30:15 ----D---- C:\Program Files\Mozilla Firefox

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2009-08-17 23152]
R1 aswSP;avast! Self Protection; C:\Windows\system32\drivers\aswSP.sys [2009-08-17 114768]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2009-08-17 51376]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-06-23 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-06 74480]
R2 Aspi32;Aspi32; C:\Windows\system32\drivers\Aspi32.sys [1999-09-10 25244]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\DRIVERS\aswFsBlk.sys [2009-08-17 20560]
R2 aswMonFlt;aswMonFlt; C:\Windows\system32\DRIVERS\aswMonFlt.sys [2009-08-17 53328]
R2 int15;int15; \??\C:\Windows\system32\drivers\int15.sys [2008-08-19 15392]
R2 PSDNServ;PSDNServ; C:\Windows\system32\DRIVERS\PSDNServ.sys [2008-07-29 16944]
R2 psdvdisk;PSDVdisk; C:\Windows\system32\DRIVERS\PSDVdisk.sys [2008-07-29 60464]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2008-07-22 1202560]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-02-23 244736]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2008-07-09 21264]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-12-23 2476032]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-04-28 2127512]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI; C:\Windows\system32\drivers\IntcHdmi.sys [2008-07-22 113664]
R3 JMCR;JMCR; C:\Windows\system32\DRIVERS\jmcr.sys [2008-04-08 81296]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw5v32.sys [2009-05-28 4233728]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-06-05 196784]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-19 134016]
R3 winbondcir;Winbond IR Transceiver; C:\Windows\system32\DRIVERS\winbondcir.sys [2007-03-28 43008]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\Windows\system32\DRIVERS\ewusbmdm.sys [2008-08-22 101504]
S3 mod7700;DiBcom based TV tuner device; C:\Windows\system32\DRIVERS\mod7700.sys [2009-03-12 779904]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 s116bus;Sony Ericsson Device 116 driver (WDM); C:\Windows\system32\DRIVERS\s116bus.sys [2007-04-03 83336]
S3 s116nd5;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS); C:\Windows\system32\DRIVERS\s116nd5.sys [2007-04-03 23176]
S3 s116unic;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM); C:\Windows\system32\DRIVERS\s116unic.sys [2007-04-03 99080]
S3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2006-11-02 82432]
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM); C:\Windows\system32\DRIVERS\SE27bus.sys [2006-05-15 61600]
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter; C:\Windows\system32\DRIVERS\SE27mdfl.sys [2006-05-15 9360]
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver; C:\Windows\system32\DRIVERS\SE27mdm.sys [2006-05-15 97184]
S3 SE27mgmt;Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM); C:\Windows\system32\DRIVERS\SE27mgmt.sys [2006-05-15 88688]
S3 se27nd5;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS); C:\Windows\system32\DRIVERS\se27nd5.sys [2006-05-15 18704]
S3 SE27obex;Sony Ericsson Device 039 USB WMC OBEX Interface; C:\Windows\system32\DRIVERS\SE27obex.sys [2006-05-15 86560]
S3 se27unic;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM); C:\Windows\system32\DRIVERS\se27unic.sys [2006-05-15 90800]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Windows\system32\agrsmsvc.exe [2008-07-22 13312]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-08-17 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-08-17 138680]
R2 eDataSecurity Service;eDataSecurity Service; C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe [2008-07-29 500784]
R2 ETService;Empowering Technology Service; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [2008-08-19 24576]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [2008-04-30 815104]
R2 IJPLMSVC;PIXMA Extended Survey Program; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [2008-04-30 466944]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-08-17 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-08-17 352920]
S2 gupdate1ca0c7974fda502;Google Update Service (gupdate1ca0c7974fda502); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-24 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-24 190448]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2009-03-30 31048]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 90112]

-----------------EOF-----------------

GMER 1.0.15.15077 [9qolmjh1.exe] - http://www.gmer.net
Rootkit scan 2009-08-31 14:20:20
Windows 6.0.6002 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8EBD10B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 621 820F8D64 4 Bytes [B0, 10, BD, 8E]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\agrsmsvc.exe[508] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe[588] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\wininit.exe[592] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\csrss.exe[604] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\services.exe[636] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\lsass.exe[648] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\lsm.exe[656] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\winlogon.exe[736] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Acer\Empowering Technology\Service\ETService.exe[776] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\System32\svchost.exe[956] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\System32\svchost.exe[1012] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1676] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\WLANExt.exe[1692] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1700] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1792] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\System32\spoolsv.exe[1980] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[2004] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2024] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[2116] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[2208] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2244] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\svchost.exe[2292] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\System32\svchost.exe[2396] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\SearchIndexer.exe[2432] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\taskeng.exe[2472] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\wbem\wmiprvse.exe[3052] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Users\Paul\Desktop\9qolmjh1.exe[3456] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\Dwm.exe[3608] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\system32\taskeng.exe[3616] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.reloc C:\Windows\Explorer.EXE[3692] C:\Windows\Explorer.EXE section is executable [0x012C7000, 0xAC00, 0xE0000040]
.reloc C:\Windows\Explorer.EXE[3692] C:\Windows\Explorer.EXE entry point in ".reloc" section [0x012D1B6A]
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\Explorer.EXE[3692] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C9 76B4B364 4 Bytes [00, 26, 00, 10] {ADD [ESI], AH; ADD [EAX], DL}
.text C:\Windows\Explorer.EXE[3692] SHELL32.dll!ShellExecuteExW + 18B7 76B7D9EC 4 Bytes [10, 1B, 00, 10] {ADC [EBX], BL; ADD [EAX], DL}
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3756] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtCreateProcess 77924494 5 Bytes CALL 7FFA49A9
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtCreateProcessEx 779244A4 5 Bytes CALL 7FFA49B6
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtDeviceIoControlFile 77924804 5 Bytes CALL 7FFA4C3A
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtOpenFile 77924BB4 5 Bytes CALL 7FFA499F
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtQueryInformationProcess 77924E54 5 Bytes CALL 7FFA49F7
.text C:\Program Files\Alwil Software\Avast4\ashDisp.exe[3920] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[636] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00400002
IAT C:\Windows\system32\services.exe[636] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00400000
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73B57817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73BAA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73B5BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73B4F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73B575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73B4E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73B88395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73B5DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73B4FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73B4FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73B471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73BDCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73B7C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73B4D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B46853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B4687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73B52AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B30] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs psdfilter.sys (Acer eDataSecurity Management PSD Filter Driver/Egis Incorporated)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat psdfilter.sys (Acer eDataSecurity Management PSD Filter Driver/Egis Incorporated)

---- Services - GMER 1.0.15 ----

Service system32\drivers\kbiwkmbtywtxnq.sys (*** hidden *** ) [SYSTEM] kbiwkmoxrwcprr <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@imagepath \systemroot\system32\drivers\kbiwkmbtywtxnq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmoxrwcprr@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmoxrwcprr@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmoxrwcprr@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmoxrwcprr@imagepath \systemroot\system32\drivers\kbiwkmbtywtxnq.sys
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABD5D1B-A4F7-A202-7D5C-063FF59F5347}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABD5D1B-A4F7-A202-7D5C-063FF59F5347}@hakohnkmbcelelii 0x6A 0x61 0x61 0x6C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABD5D1B-A4F7-A202-7D5C-063FF59F5347}@iaekbpmhcfdbnncfpl 0x6A 0x61 0x61 0x6C ...

---- EOF - GMER 1.0.15 ----
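Two findings in the log above carry the weight. First, every process, from services.exe through Explorer.EXE to the scanner itself, shows the same seven ntdll.dll exports (NtCreateFile, NtCreateProcess, NtCreateProcessEx, NtDeviceIoControlFile, NtOpenFile, NtQueryInformationProcess, NtCreateUserProcess) overwritten with a 5-byte CALL to the same handful of addresses in the 0x7FFA4000 page, which GMER cannot attribute to any loaded module; a product hook such as the PSDProtect.dll IAT entries is attributed to its DLL and appears only where that DLL is loaded. Second, the Services section lists a hidden kernel driver whose registry keys say start 1 (SERVICE_SYSTEM_START, loaded by the kernel at boot before any user-mode AV service) and type 1 (SERVICE_KERNEL_DRIVER) in the "file system" load group. As an added example, not code from the thread or from GMER, the Python below parses these GMER 1.0.15 line formats and separates the system-wide inline hooks from per-product ones, lists IAT slots GMER could not map to a module, and joins the hidden service with its own registry keys. SAMPLE_LOG is a constructed subset of the lines quoted above; the function names and the three-process threshold are my own choices.

```python
"""Parse the hook, hidden-service and registry sections of a GMER 1.0.15 log.

Added example, not code from the thread: the line patterns follow the GMER
output quoted in the post above; SAMPLE_LOG is a constructed subset of it.
"""
import re
from collections import defaultdict

# .text <process>[pid] <module>!<export>[ + off] <addr> <n> Bytes <patch>
_INLINE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<export>[\w.]+!\w+)(?: \+ [0-9A-F]+)? "
    r"(?P<addr>[0-9A-F]{8}) (?P<nbytes>\d+) Bytes (?P<patch>.*)$")
_CALL = re.compile(r"^CALL (?P<target>[0-9A-F]{8})$")
# IAT <process>[pid] @ <importing image> [<import>] <target> [<module> (<desc>)]
_IAT = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<importer>.+?) \[(?P<import>[^\]]+)\] "
    r"\[?(?P<target>[0-9A-F]{8})\]?(?: (?P<module>.+?) \((?P<desc>[^)]*)\))?$")
_SERVICE = re.compile(
    r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<state>\w+)\] (?P<name>\S+)")
_REG = re.compile(r"^Reg (?P<key>.+?)(?:@(?P<value>\S+) (?P<data>.+))?$")


def parse_gmer(text):
    """Split a GMER log into inline hooks, IAT hooks, hidden services and registry rows."""
    found = {"inline": [], "iat": [], "hidden_services": [], "registry": []}
    for line in text.splitlines():
        line = line.strip()
        if m := _INLINE.match(line):
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            call = _CALL.match(rec["patch"])          # 5-byte CALL patch vs raw byte patch
            rec["call_target"] = int(call["target"], 16) if call else None
            found["inline"].append(rec)
        elif m := _IAT.match(line):
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["target"] = int(rec["target"], 16)    # module is None when GMER could not map it
            found["iat"].append(rec)
        elif m := _SERVICE.match(line):
            found["hidden_services"].append(m.groupdict())
        elif m := _REG.match(line):
            found["registry"].append(m.groupdict())
    return found


def systemic_inline_hooks(parsed, min_processes=3):
    """Inline CALL patches on the same export that land on the same target from
    many processes. One trampoline hooked into the same ntdll stub everywhere is
    the signature of a system-wide (kernel-installed) hook, not a per-process one."""
    by_target = defaultdict(set)                       # (export, target) -> {pid}
    for h in parsed["inline"]:
        if h["call_target"] is not None:
            by_target[(h["export"], h["call_target"])].add(h["pid"])
    return {k: sorted(v) for k, v in by_target.items() if len(v) >= min_processes}


def trampoline_pages(parsed):
    """4 KiB pages that the inline CALL targets live in; one page shared by every
    hook means the hook code is injected, not part of any mapped image."""
    return sorted({h["call_target"] & ~0xFFF for h in parsed["inline"] if h["call_target"]})


def unattributed_iat_entries(parsed):
    """IAT slots GMER could not map to any module: the pointer is not inside a
    loaded DLL, so whatever it points at is not a normal import."""
    return [e for e in parsed["iat"] if e["module"] is None]


def hidden_service_report(parsed):
    """Join each hidden service with its registry Services keys so the driver
    image, start type and load group can be read in one place."""
    report = {s["name"]: {"image": s["image"], "state": s["state"], "config": {}}
              for s in parsed["hidden_services"]}
    for r in parsed["registry"]:
        m = re.search(r"\\Services\\([^\\@]+)$", r["key"])
        if m and m.group(1) in report and r["value"]:
            report[m.group(1)]["config"].setdefault(r["value"], set()).add(r["data"])
    return report


# Constructed sample: a subset of the lines shown in the log above.
SAMPLE_LOG = r"""
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\svchost.exe[844] ntdll.dll!NtCreateUserProcess 77925804 5 Bytes CALL 7FFA49C3
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\system32\SLsvc.exe[1176] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\Explorer.EXE[3692] ntdll.dll!NtCreateFile 779243D4 5 Bytes CALL 7FFA491A
.text C:\Windows\Explorer.EXE[3692] SHELL32.dll!ShellExecuteExW + 18B7 76B7D9EC 4 Bytes [10, 1B, 00, 10] {ADC [EBX], BL; ADD [EAX], DL}
IAT C:\Windows\system32\services.exe[636] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00400000
IAT C:\Windows\Explorer.EXE[3692] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
Service system32\drivers\kbiwkmbtywtxnq.sys (*** hidden *** ) [SYSTEM] kbiwkmoxrwcprr <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmoxrwcprr@imagepath \systemroot\system32\drivers\kbiwkmbtywtxnq.sys
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABD5D1B-A4F7-A202-7D5C-063FF59F5347}
"""

if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for (export, target), pids in systemic_inline_hooks(parsed).items():
        print(f"system-wide hook: {export} -> {target:08X} in {len(pids)} processes")
    print("trampoline pages:", [f"{p:08X}" for p in trampoline_pages(parsed)])
    for e in unattributed_iat_entries(parsed):
        print(f"unmapped IAT slot: {e['proc']}[{e['pid']}] {e['import']} -> {e['target']:08X}")
    for name, info in hidden_service_report(parsed).items():
        print(f"hidden driver {name}: {info['image']} {info['config']}")
```

Run it against a full GMER log saved as text and the system-wide hooks collapse to one row per export, which is the quickest way to tell a rootkit's kernel-injected trampolines from the per-process hooks that security products and vendor shell extensions install legitimately. The hidden-service join is the part to preserve before any cleanup, since the driver name and image path are what an analyst needs to confirm removal afterwards.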

#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:18 PM

Posted 31 August 2009 - 01:02 PM

Hi,



One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.





Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please post back with:
  • Combofix-Logfile
  • Fresh Gmer-Logfile
  • Fresh RSIT-Logfile

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#6 Bcfcmeerkat (Topic Starter, Members, 9 posts)

Posted 31 August 2009 - 01:14 PM

I have just got this error message come up when I run ComboFix. What shall I do next?

Attached Files



#7 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 01 September 2009 - 11:15 AM

Hi,

Let's double-check something.


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link --> Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\Windows\explorer.exe
C:\Windows\regedit.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
regards,
schrauber

#8 Bcfcmeerkat (Topic Starter, Members, 9 posts)

Posted 01 September 2009 - 12:25 PM

I cannot connect to those links you gave me, or anything that is like a scan; I just get an error on the browser page, IE: when I try to go to the Avast homepage and other programs like Malwarebytes. And the folders were already unticked like you asked before, so I don't know what else to do. Also I have lost my desktop picture, now just a blank screen; I can preview them though, not set them now.

Thank you for your help so far.

Attached Files


Edited by Bcfcmeerkat, 01 September 2009 - 01:24 PM.


#9 Bcfcmeerkat (Topic Starter, Members, 9 posts)

Posted 01 September 2009 - 01:25 PM

Should have said: cannot connect to those links.

#10 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 01 September 2009 - 11:10 PM

Please do the following:

Please download the Suspicious File Packer from here: http://www.safer-networking.org/files/sfp.zip
  • Unzip it to the desktop and run it.
  • Paste the following bold part into the Suspicious File Packer window:

    C:\Windows\explorer.exe
    C:\Windows\regedit.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\winlogon.exe


  • Allow SFP to pack the file. This will generate a CAB archive on your desktop.
  • Now please upload this file here.

Edited by schrauber, 01 September 2009 - 11:11 PM.

regards,
schrauber

#11 Bcfcmeerkat (Topic Starter, Members, 9 posts)

Posted 02 September 2009 - 04:55 AM

I have sent the file you asked for, and when I start up my computer the name of the virus that my AV warns me about is Win32:MalOb-R [Cryp].

Thank You.

#12 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 02 September 2009 - 12:55 PM

Hi,

I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files... some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Virut is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
regards,
schrauber
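
The HOSTS-file tampering described in the post above (security sites pinned to localhost, which is consistent with the OP being unable to reach the Avast or Malwarebytes pages) can be checked with a small parser run from a clean environment against a copy of the file. This is an added example, not part of the thread or any tool it names; the sample HOSTS contents, the domain list and the sinkhole addresses are constructed assumptions.

```python
from typing import List, Tuple

# Constructed sample of a Windows HOSTS file (not taken from the thread);
# the last three mappings mimic the kind of tampering the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avast.com
127.0.0.1       malwarebytes.org www.malwarebytes.org
0.0.0.0         update.microsoft.com   # trailing comment
"""

# Hostnames a legitimate HOSTS file has no reason to pin (assumed list).
SECURITY_DOMAINS = (
    "avast.com", "malwarebytes.org", "microsoft.com", "virustotal.com",
    "safer-networking.org", "bleepingcomputer.com", "jotti.org",
)

# Loopback / blackhole addresses commonly used to null-route a name.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping in a HOSTS file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()            # one IP, one or more hostnames
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def is_security_domain(hostname: str) -> bool:
    """True if hostname is, or is a subdomain of, a listed security site."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def find_suspicious_entries(text: str) -> List[Tuple[int, str, str]]:
    """Flag mappings that pin a security-related hostname to any address,
    plus any other non-localhost name routed to a sinkhole address."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the only mapping a stock HOSTS file is expected to carry
        if is_security_domain(name) or ip in SINKHOLE_IPS:
            hits.append((lineno, ip, name))
    return hits


if __name__ == "__main__":
    for lineno, ip, name in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

On a live Windows system the file to read is %SystemRoot%\System32\drivers\etc\hosts; a hit does not prove a Virut infection, but on a machine that suddenly cannot reach update or vendor sites it is the first place to look.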

#13 Bcfcmeerkat (Topic Starter, Members, 9 posts)

Posted 03 September 2009 - 08:08 AM

Thank you for your help. Seems like I will have to do a reinstall; I do not have the disks as Vista came pre-installed. Think I will wait for Windows 7 to come out. If I install that, will it do a complete install and overwrite Vista, and will the Virut problem be wiped off?

Thank you for all your help.

#14 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 03 September 2009 - 01:19 PM

Hi,

Think I will wait for Windows 7


No way :(

You have to reinstall it immediately. You cannot stay with this system online. All your files will get infected. And your system will be a danger for every system on the internet!

You can order the disks from the computer maker or visit their website from a non infected system to order them.
regards,
schrauber

#15 Bcfcmeerkat (Topic Starter, Members, 9 posts)

Posted 03 September 2009 - 06:08 PM

I have 2 laptops, on the one now that is not infected. If I install Windows 7 on the infected one, will it overwrite it, and will it be clean then?

Thank you for all your help .

Edited by Bcfcmeerkat, 03 September 2009 - 06:10 PM.